Malware Analysis Report

2024-09-23 11:47

Sample ID 240614-m6qclaxgqd
Target a95775e31b53698f64755d7fe8eb7200_JaffaCakes118
SHA256 eb617697bea0fe01a81fafa0f9841eb203c45aff510da2597c4ff5d990c19cc1
Tags
bootkit persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

eb617697bea0fe01a81fafa0f9841eb203c45aff510da2597c4ff5d990c19cc1

Threat Level: Shows suspicious behavior

The file a95775e31b53698f64755d7fe8eb7200_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

NSIS installer

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of SendNotifyMessage

Modifies registry class

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 11:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (16 identical rows)

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win10v2004-20240611-en

Max time kernel

147s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Socks.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A (40 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 3848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Socks.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Socks.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp

Files

memory/3848-0-0x0000000000010000-0x0000000000011000-memory.dmp

memory/3848-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/3848-2-0x0000000000030000-0x0000000000031000-memory.dmp

memory/3848-3-0x0000000000040000-0x0000000000041000-memory.dmp

memory/3848-4-0x0000000000050000-0x0000000000051000-memory.dmp

memory/3848-5-0x0000000000060000-0x0000000000061000-memory.dmp

memory/3848-6-0x0000000000070000-0x0000000000071000-memory.dmp

memory/3848-7-0x0000000000080000-0x0000000000081000-memory.dmp

memory/3848-8-0x0000000000090000-0x0000000000091000-memory.dmp

memory/3848-9-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/3848-10-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/3848-11-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/3848-12-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/3848-13-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/3848-14-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/3848-15-0x0000000000100000-0x0000000000101000-memory.dmp

memory/3848-16-0x0000000000110000-0x0000000000111000-memory.dmp

memory/3848-18-0x0000000000130000-0x0000000000131000-memory.dmp

memory/3848-17-0x0000000000120000-0x0000000000121000-memory.dmp

memory/3848-19-0x0000000000140000-0x0000000000141000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\gamebox.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A (62 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\gamebox.exe

"C:\Users\Admin\AppData\Local\Temp\gamebox.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ptres.37.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 socks.landers.37.com udp
CN 121.201.30.249:80 socks.landers.37.com tcp
US 8.8.8.8:53 landers.37.com udp
CN 175.178.207.44:80 landers.37.com tcp
GB 138.113.101.20:80 ptres.37.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 20.101.113.138.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
CN 109.244.130.16:80 socks.landers.37.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
CN 121.201.30.249:80 socks.landers.37.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
CN 109.244.130.16:80 socks.landers.37.com tcp
CN 121.201.30.249:80 socks.landers.37.com tcp
CN 109.244.130.16:80 socks.landers.37.com tcp
US 8.8.8.8:53 gamebox.clickdata.37wan.com udp
CN 159.75.141.43:80 gamebox.clickdata.37wan.com tcp
CN 106.55.79.146:80 gamebox.clickdata.37wan.com tcp

Files

memory/4940-0-0x0000000000010000-0x0000000000011000-memory.dmp

memory/4940-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/4940-2-0x0000000000030000-0x0000000000031000-memory.dmp

memory/4940-3-0x0000000000040000-0x0000000000041000-memory.dmp

memory/4940-4-0x0000000000050000-0x0000000000051000-memory.dmp

memory/4940-5-0x0000000000060000-0x0000000000061000-memory.dmp

memory/4940-6-0x0000000000070000-0x0000000000071000-memory.dmp

memory/4940-7-0x0000000000080000-0x0000000000081000-memory.dmp

memory/4940-8-0x0000000000090000-0x0000000000091000-memory.dmp

memory/4940-9-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/4940-10-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/4940-11-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/4940-12-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/4940-13-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/4940-14-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/4940-15-0x0000000000100000-0x0000000000101000-memory.dmp

memory/4940-16-0x0000000000110000-0x0000000000111000-memory.dmp

memory/4940-17-0x0000000000120000-0x0000000000121000-memory.dmp

memory/4940-18-0x0000000000130000-0x0000000000131000-memory.dmp

memory/4940-19-0x0000000000140000-0x0000000000141000-memory.dmp

C:\Users\Admin\AppData\Roaming\37games\gamebox\Lander.ini

MD5 6832e111ab8307200d3f8a2be76d5d35
SHA1 b5a52bccaf4fcd11318d5646f122e08b2490e5e2
SHA256 529bc745f6eee989b0b9a031d602e676a91df2974fe02d1940e46f3e67c880c0
SHA512 ec5089cb6e1177f42541c4f9cf58db88c64126fb4ee8d24d2731d386e1eb0cef778c46eefe95e6ea4a48a55485ec796456ccf3e1d464a320a178a7efa9490d96

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3232 wrote to memory of 4984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4984 -ip 4984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4532,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4984-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/4984-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinProgress.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 3904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinProgress.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinProgress.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3904 -ip 3904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 57.82.21.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Socks.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (7 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Socks.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Socks.dll,#1

Network

N/A

Files

memory/2184-0-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2184-2-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2184-1-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2184-5-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2184-4-0x0000000000130000-0x0000000000131000-memory.dmp

memory/2184-3-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2184-6-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2184-7-0x0000000000210000-0x0000000000211000-memory.dmp

memory/2184-8-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2184-9-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2184-10-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2184-11-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2184-12-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2184-13-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2184-14-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2184-15-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2184-16-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2184-17-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2184-18-0x0000000000490000-0x0000000000491000-memory.dmp

memory/2184-19-0x00000000004A0000-0x00000000004A1000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win10v2004-20240611-en

Max time kernel

94s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1120 wrote to memory of 3484 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3484 -ip 3484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

55s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Accelerator.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 764 wrote to memory of 3076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Accelerator.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Accelerator.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3076-0-0x00000000004B0000-0x0000000000505000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win7-20240508-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe

"C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 base.landers.37.com udp
US 8.8.8.8:53 www.37.com udp

Files

memory/2060-0-0x0000000000130000-0x0000000000131000-memory.dmp

memory/2060-1-0x0000000000130000-0x0000000000131000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

63s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MouseHook.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1016 wrote to memory of 5016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MouseHook.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MouseHook.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5064 wrote to memory of 4656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4656 -ip 4656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/4656-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/4656-1-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

107s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 3132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3132 -ip 3132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 612

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win7-20240611-en

Max time kernel

121s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 244

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WndProc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1920 wrote to memory of 212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1920 wrote to memory of 212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WndProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WndProc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 212 -ip 212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 600

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BoxDoctor.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BoxDoctor.exe

"C:\Users\Admin\AppData\Local\Temp\BoxDoctor.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.82.21.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win7-20240508-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\KillProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 224

Network

N/A

Files

memory/2144-1-0x0000000010001000-0x0000000010002000-memory.dmp

memory/2144-0-0x0000000010000000-0x0000000010003000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win7-20231129-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinProgress.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinProgress.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinProgress.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 224

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win7-20240220-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WndProc.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WndProc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WndProc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 224

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win7-20240220-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\License.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\License.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2216-0-0x000000002F8D1000-0x000000002F8D2000-memory.dmp

memory/2216-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2216-2-0x000000007102D000-0x0000000071038000-memory.dmp

memory/2216-14-0x000000007102D000-0x0000000071038000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 98dc7a7676d195ebaa0d2677b1cb4b14
SHA1 69e85004fde42f734254fd49036057e8c857c7fb
SHA256 bbc87900c3189c72fd1448e1895f99e5d5fda5d45c6100f3dc2ad81defb5df92
SHA512 614cce0eddd20e28222f3632e31624c7bcc7676dd5b8d43f5c45d7af3f0ebf5b8ace34df4612630e4e7774358aac1f073f00ce271fba39a8f857425b0641872f

memory/2216-35-0x000000005FFF0000-0x0000000060000000-memory.dmp
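
The long hex strings under "Set value (data)" in the behavioral7 tables above (every key whose leaf is command\command) are not opaque blobs: they are UTF-16LE Windows Installer Darwin descriptors, the form Office uses to register shell verbs so that msi.dll can resolve and repair the product on first use. A descriptor is a 20-character base-85 compressed product code, a feature name, a '>' separator, a 20-character compressed component code and then the verb's arguments. Decoding one is the check that tells an analyst whether WINWORD.EXE's registry writes resolve to an installed Office product or point somewhere unexpected. The script below is an added example, not sandbox output and not code from the sample; it embeds the Default HTML Editor\shell\edit\command\command value copied from the table, and the 85-character alphabet and DWORD layout it uses are stated from knowledge of the Windows Installer compressed-GUID scheme rather than from anything on this page.

```python
import struct

# Windows Installer's compressed-GUID alphabet (assumption stated in the lead-in):
# the 85 printable ASCII characters that remain after dropping  " # / : ; < > \ |
# ('>' is reserved as the feature/component separator inside a descriptor).
DARWIN_ALPHABET = ("!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "[]^_`abcdefghijklmnopqrstuvwxyz{}~")

# Hex copied from the report: the Default HTML Editor\shell\edit\command\command value
# written by WINWORD.EXE in the behavioral7 "Modifies Internet Explorer settings" table.
WORD_COMMAND_HEX = (
    "780062002700420056003500210021002100210021002100210021002100"
    "4d004b004b0053006b0057004f0052004400460069006c00650073003e00"
    "620069002400540021005600210030005a003d007b0050006b0030007600"
    "6d007e0041005a00750020002f006e002000220025003100220000000000"
)


def decode_compressed_guid(text):
    """20 base-85 characters -> {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}.

    Each group of five characters is one DWORD of the GUID's in-memory layout,
    least significant base-85 digit first, DWORDs in memory order.
    """
    if len(text) != 20:
        raise ValueError("compressed GUID must be exactly 20 characters")
    dwords = []
    for i in range(0, 20, 5):
        value = 0
        for pos, ch in enumerate(text[i:i + 5]):
            value += DARWIN_ALPHABET.index(ch) * 85 ** pos
        if value > 0xFFFFFFFF:
            raise ValueError("base-85 group does not fit in a DWORD")
        dwords.append(value)
    raw = struct.pack("<4I", *dwords)          # same bytes as the GUID struct in memory
    data1, data2, data3 = struct.unpack("<IHH", raw[:8])
    return "{%08X-%04X-%04X-%s-%s}" % (
        data1, data2, data3, raw[8:10].hex().upper(), raw[10:16].hex().upper())


def parse_darwin_command(reg_binary_hex):
    """Decode a REG_BINARY 'command' value and split the Darwin descriptor it holds.

    Layout: <20-char product code><feature name>'>'<20-char component code>[ args].
    The value is UTF-16LE with a trailing NUL pair, which is why it appears as
    '7800620027...' rather than readable text in the report.
    """
    text = bytes.fromhex(reg_binary_hex).decode("utf-16-le").rstrip("\x00")
    product, rest = text[:20], text[20:]
    feature, sep, rest = rest.partition(">")
    if not sep or len(rest) < 20:
        raise ValueError("not a Darwin descriptor: missing '>' or component code")
    return {
        "descriptor": text,
        "product_code": decode_compressed_guid(product),
        "feature": feature,
        "component_code": decode_compressed_guid(rest[:20]),
        "arguments": rest[20:].strip(),
    }


if __name__ == "__main__":
    for key, value in parse_darwin_command(WORD_COMMAND_HEX).items():
        print("%-15s %s" % (key, value))
```

Run as a script it prints the parsed fields. For the Word value the product code comes out as {90140000-0011-0000-0000-0000000FF1CE}, the Office Professional Plus 2010 product code, with feature WORDFiles and the arguments /n "%1", which is consistent with every other value in these tables pointing back at Office14 binaries. The Excel (EXCELFiles) and Publisher (PubPrimary) values in the same tables decode with the same function; a descriptor whose product code does not belong to an installed product, or whose arguments are not the plain file-open verb, is the case that would deserve attention.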

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinBtn.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 1044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2296 wrote to memory of 1044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2296 wrote to memory of 1044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinBtn.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinBtn.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1044 -ip 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 620

Network

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win7-20240611-en

Max time kernel

121s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BoxDoctor.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BoxDoctor.exe

"C:\Users\Admin\AppData\Local\Temp\BoxDoctor.exe"

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win7-20240508-en

Max time kernel

120s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MouseHook.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MouseHook.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MouseHook.dll,#1

Network

N/A

Files

N/A
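
Across the rundll32 detonations in this report (behavioral14, behavioral16 and behavioral10 on win10, behavioral27 here, and the win7 runs that show only a WerFault process) the "Suspicious use of WriteProcessMemory" rows always pair C:\Windows\system32\rundll32.exe with C:\Windows\SysWOW64\rundll32.exe running the identical command line, and where WerFault.exe appears its -p argument is the SysWOW64 PID. That is the shape of a 64-bit rundll32 handed a 32-bit DLL: it re-executes the 32-bit rundll32 with the same arguments, and the parent's own CreateProcess is what writes into the child. The script below is an added triage example, not part of the report and not the sample's code, that reads those rows and command lines (copied from behavioral10 and behavioral27 as constructed input), separates that relaunch write from cross-process writes that still need review, and ties the WerFault PID back to the relaunched child. The relaunch heuristic and the reading of $PLUGINSDIR as the directory where an NSIS installer unpacks its plugin DLLs are this example's assumptions.

```python
import re

# Constructed input, copied from the behavioral10 (win10v2004, SkinBtn.dll) and
# behavioral27 (win7, MouseHook.dll) blocks of the report: the "Suspicious use of
# WriteProcessMemory" rows and the process command lines exactly as printed there.
B10_WPM = [r"PID 2296 wrote to memory of 1044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe"] * 3
B10_CMDS = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinBtn.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinBtn.dll,#1",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1044 -ip 1044",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 620",
]
B27_WPM = [r"PID 2196 wrote to memory of 2792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe"] * 7
B27_CMDS = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\MouseHook.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\MouseHook.dll,#1",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?\s-p (\d+)", re.IGNORECASE)
RUNDLL_RE = re.compile(r"^rundll32\.exe (.+),(#\d+|\w+)$", re.IGNORECASE)


def parse_writes(rows):
    """Distinct (writer_pid, target_pid, writer_image, target_image) tuples.
    The report repeats one write several times, so duplicates are collapsed."""
    found = set()
    for row in rows:
        m = WPM_RE.match(row.strip())
        if m:
            found.add((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return sorted(found)


def crashed_pids(command_lines):
    """PIDs passed to WerFault.exe with -p: the process that actually faulted."""
    pids = set()
    for cl in command_lines:
        m = WERFAULT_RE.search(cl)
        if m:
            pids.add(int(m.group(1)))
    return pids


def is_wow64_relaunch(write, rundll_cmdlines):
    """Heuristic (this example's assumption, not a report field): the write is the
    64-bit rundll32 re-launching the SysWOW64 rundll32 for a 32-bit DLL when the
    images are system32 -> SysWOW64 rundll32 and only one distinct rundll32
    command line exists in the block."""
    _, _, writer_image, target_image = write
    return (writer_image.lower().endswith(r"\system32\rundll32.exe")
            and target_image.lower().endswith(r"\syswow64\rundll32.exe")
            and len({cl.lower() for cl in rundll_cmdlines}) == 1)


def triage(wpm_rows, command_lines):
    """Explain the WriteProcessMemory and WerFault evidence of one analysis block."""
    writes = parse_writes(wpm_rows)
    crashed = crashed_pids(command_lines)
    rundll = [cl for cl in command_lines if RUNDLL_RE.match(cl)]
    dlls = sorted({RUNDLL_RE.match(cl).group(1) for cl in rundll})
    relaunch = [w for w in writes if is_wow64_relaunch(w, rundll)]
    return {
        "writes": writes,
        "crashed_pids": crashed,
        "wow64_relaunch": bool(relaunch),
        # True when the faulting PID is the relaunched 32-bit child: the DLL itself
        # died when its export was called outside the installer that normally hosts it.
        "crash_in_relaunched_child": any(t in crashed for _, t, _, _ in relaunch),
        "dlls": dlls,
        # $PLUGINSDIR is where an NSIS installer unpacks its plugin DLLs (assumption).
        "nsis_plugin_dlls": [d for d in dlls if "$PLUGINSDIR" in d.upper()],
        # Anything left here is a cross-process write the relaunch does not explain.
        "writes_to_review": [w for w in writes if w not in relaunch],
    }


if __name__ == "__main__":
    for name, wpm, cmds in (("behavioral10", B10_WPM, B10_CMDS), ("behavioral27", B27_WPM, B27_CMDS)):
        print(name, triage(wpm, cmds))
```

triage() returns plain data so it can be run over every block of the report; writes_to_review is the list a detection engineer would alert on, the rest is accounted for by the relaunch. For behavioral10 it reports a relaunch, the crash in the relaunched child and a DLL under $PLUGINSDIR; for behavioral27 a relaunch with no crash and a DLL sitting directly in Temp, which is the one rundll32 case here that is not an NSIS plugin path.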

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win7-20240221-en

Max time kernel

120s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FindProcDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 224

Network

N/A

Files

memory/2544-0-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2544-1-0x0000000010001000-0x0000000010002000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe

"C:\Users\Admin\AppData\Local\Temp\Basicsurvey.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 base.landers.37.com udp
CN 42.194.172.182:80 base.landers.37.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.37.com udp
US 8.8.8.8:53 g.bing.com udp
GB 138.113.101.20:80 www.37.com tcp
GB 138.113.101.20:443 www.37.com tcp
US 8.8.8.8:53 20.101.113.138.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

memory/2220-0-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

memory/2220-7-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win7-20240508-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinBtn.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinBtn.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SkinBtn.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 228

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win7-20231129-en

Max time kernel

120s

Max time network

129s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$_47_\Web\error.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40c459c64abeda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F1CD1641-2A3D-11EF-B69B-6AA5205CD920} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424524968" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b1b223dde1b4b84c99ad4a9fb3419506000000000200000000001066000000010000200000005857e3a634ce7df8919e2e7d2cc90ede2b28f0dc2e7903184a055ca70afc34ef000000000e8000000002000020000000ae8963602ca9c342b80cd244f2929115765a767ac4dc2bb4eb1ca435517aeead20000000dc8c6d2654718cc8045aff1edef7950082eff8db410ac062bc4948138b761cac400000008eae8edca0fffb5a2632373c653285cc4ccdb3e441b2ce3501f902f3340a23cc972a40e8b6d8a5c0d224e77019440ce58f7aedc4d9913f277768db954c08e334 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$_47_\Web\error.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1920 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
NL 23.62.61.113:80 www.bing.com tcp
NL 23.62.61.113:80 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar373C.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 63996fc7be9a8c25323d621efc66dde7
SHA1 7ab46b6af2fec3167e14c8adeebdc594e92a52f8
SHA256 47d1051b1ebf7e258ca11844f8dca43c517ef7a0b5425789d5c4c82639890eb0
SHA512 e53e4e905ebaef2b6520a8a9f7187714c4a8397ba157b89dc4a31c80680ad2e1b46f4915e604def695ea1da7a4a163fad7ace7bd913dcf8c3bb4b50ec41a9c1a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 d56b6abac5ecc1038438cb1e1fe04e36
SHA1 8c5e99e0be872e8085236bd06fa4fc803c346a7b
SHA256 679f2cd15a05ff90fe87d8ce9280054f02e22f7424758dea3e0ec738a63cbd13
SHA512 342c20e93d6b6c1c234fc7ad967c58ad9958d45c19863573185892ac43baac43377be80b0b1a390d1036f573afd48af7f5e026ad46eed4631bb961f585fa646f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7b6fd001b8cf53ff749d1d71d4f366a
SHA1 4c68d7f1ebe8fe45579e179f7cf30991946567f5
SHA256 7fcc6d53812d5e87115878b4db853685d8dd924abeddaa4b1669458611fcfa08
SHA512 1fd320c6619763a5fd17cbf61518efce38c5bf2eb370c2f6e014f362e05fb83e4aa7fe603f97ce0c9a21193e1ded0daa89479e849785825a3b05288371011c9b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76b3bf110d9c58a37d15b3a56cc7d721
SHA1 57609d9061b2988ccafb88869bd8ed5495a78830
SHA256 0d9a7f8a091ca53e263128c21da972273e7a526d08b38ed7e8eb592c80f229d6
SHA512 9b12027d3f093b5727a544e6296d544a82240c6356b77bdaed4439dc80d3b7a95951f5e23022e661fcc4bdfbd2a07d754af84a47b23e472960cc5b7a971694fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c02beda2806bd564104614e11ef7409
SHA1 000a169327fca32d7a68660af2a0ea45ef689cf7
SHA256 21ddd997b578104fdbec4b9a891656d8287448cd402c95a87536abe245583af9
SHA512 7d4a705c7231f76af8ee5047a35ebc78222a99a92f9949b8f003648ae36712ce18e7ed48b21d8901a982e5dd6dae45df88a6f72825eca62de2ba3d798e36bedd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9f87dd5153cd5dacb34d7f4fbf495ca6
SHA1 697766a413082feb6b72ba6e1f53ce35f2118428
SHA256 504004b1b6257350ed76bed6c1bf94fc72d8b08b41bbe898adaa941a19b056c5
SHA512 3e4922552fa7ea56d2c49ba4f320b4c758f97e3eeb56d0f6012b140625f1e1518a407bc8692a0e4c7acc4a33d3f9aea117af29839d4339683ffd49708fe4d827

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 0dc0651f0e357aca8bcf6b5159b4df04
SHA1 6f7ede9b62ff4a50ce5156681a533e3ddddbc0d8
SHA256 6b19624d81aaaad5f7bc4e83c0d5f541d6da1af2549df56057be62b20ee08fa6
SHA512 68dbbd8833eedb6a82fe9a22cab2f3596193167dc9e2b1346fe4e4b7976ba0806cccadd7bbb316b3ddec62dbf26ecb1dee7f98985f2d675f5e7ae3b5792ede30

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bef6c0041e22641f81656b4621c7827d
SHA1 09f6517c6426aee9a827b96699aaccc068acc572
SHA256 a45ddaf5cca9558e697ec1ca9399d8231b0bf975c9fde4e60b6e55d165ff4616
SHA512 29839b430d982909b978e00bccb36cc2f0e3457c3a66ddb78ae1a4953569cb4018a9cd04ee1a2c8c1f4932a4d75955cae6c3caa3a0cb821b36e1bf7e2405066d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c6301abcc0f510eed9d87af1f81774df
SHA1 2139d64c170708b3046b21047ae117c5ba3e6951
SHA256 ebd72d1e6b2e8366eff6f9be7d7a9892c8bb51560a6ad0cc449a6494207597ff
SHA512 733c66159b590656931e70b080cec0b8bd8096de678f950f4e91dee50647a16a7a337e39c7c3bea832815909d9cf8c6bada290ab0d964b9ca120ebef83c6e563

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 51effa6a817113967ed4a404620a431f
SHA1 d003dc91cf39252824374a37e758600e75d100d8
SHA256 da224e939c4a88229413d0ee2e5daeecacd29949f91c75f9067758ad2ea7a8a6
SHA512 eb617a22396365427cce39a0a841a4c4cae99dbaa6bdbd999253c2396b6647a7a97d9e80e903ceb4a40bb8c9c8c3e9f8aae698a83929e3706c1deb9db08cab3b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2060c0414ff338add211786eb3fc689f
SHA1 141376dbbfd33ccfd29e7b459c77d17f999f52be
SHA256 81943318ecb2f96156880765457bf72043ea6a0619d03921683ed5bd7155d12d
SHA512 398739fed7860d8d9ecc8a1ce6c316e945efd43b9b417bc8cb494eea1535084e34da6cdbeb72e4f1bde60beec411c028260b399631ee6a0cc2a78674a9647e9e

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 436adac7badeb4e713781e3cd9870c73
SHA1 fb0c9cafa68b3a3fe311c42eb618fb473aea7aca
SHA256 6a9fd82638ffa3b20def60d736aeb33144961ae2e36e49bf2649c6a5d6277b78
SHA512 014e143e965fedc1c1e75af83e66ded193c53f6e04bd16dc3c6af6456ac2477bddbded6b0709b5e00faf7d285c05fba3b7c0ba1f305c9f447fb9fbea6777cad2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7a924b72223f43ee1e8669f9f15cd61
SHA1 d241ac027310fada05ad8be775049f22218e4b07
SHA256 0f7e3b97cac4050c392513168fd85f8f333d38fdfebc7c23cbb4794b10d26ac5
SHA512 e9acb049074f6b99f88825fede180fa0c8620ed04ec3b77422b14a8a24775358325141ccae17cd64fe72e13ca16acf664e1889116d95b8f79d6a3a5365092f37

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 882424a9a4f863503203ba908f7d3df4
SHA1 4ae39c33df0fe2dd956543ce6a94363ae017e7fc
SHA256 af2a74c15c54a1a00ffc4b7aa943291596694060764681065aa0b8c5a35d9b4b
SHA512 cb3b930c2733c4c411d7905cf94b6043736340fb509df9e1be0a05a6d907ffe9450267a159622dfcb06bfa7e3e54602a37a7d9e0b6adc1fabfa6acc22ed404a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74f051e7f7cb9d7a93d7d7737264acd0
SHA1 073af7614e76206f5d29b945c2da50180cbaf46c
SHA256 008e708b0c034f3c1d502233dc68ae57666230df9b40d0b8a1d9295f349c4017
SHA512 518724cff7e40b7f72077ece8007e6b07f366d204f34c06ee4006c1c41f388be48f5357d0f05afd9a74e82b9a1cdc4ad1c9c5114e06dcbfc1b4240dbf05e3181

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a35d9decf109c733955969d49a1c8e0
SHA1 840b9763d1cb2042d2a5763ff4b398b7a76569b7
SHA256 f207f2aa4f38a6fb518ba4bc33e11407825f0c169ff7ab0f0c4d841560def866
SHA512 54b47be5a0115e02f901e54f0b188b696aa2d7ba43f52c4b2c72637ad85b7decab40685682c95c74e58a9b645e58c9a7b27a24dad74225981323036534465aa8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a127a0ce616d5762a1f48e8a187edf4
SHA1 32bb7fe2ba1dbb0d82b4796c529da40f41bf1ca2
SHA256 f959965cea9e7bdb0a6d4f4d6a544d883514a42b0fd332a957925e5c1b8d6573
SHA512 d3eab54b9af08dbf5826b13194c5eac356cba113343ab1189a26a7c991c3efa3501b3510b4ea4596023eef6d98172315a741b072cc3e2e7c735478aa1eca600f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 084ebb6eb5ceb3b89c93a418a09a8e3e
SHA1 2234f6ce688d81b86ca52b78626251efb045e377
SHA256 bdff6f5834406a638bc4bcc4d497e10d39f2bd33da81c79b105b853399d843dc
SHA512 7c2dbdddf26f1ece7ebe0922ecf32dde31e27725fe3649b5bd38e6481267e3240cfc71651f3fcf351840b551d385e9547f11c80522e415ab419b13a186b1e6fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 317a926899bb7354f7b88479bff852f9
SHA1 687e1e6c221c8f7d472e47fb63ca982404bae2a3
SHA256 50625e5c825369b4b3eee15628c4e8fdb1b2dc1e2c00c6d9e29526422c96a810
SHA512 89220d616468c803d013c052a820e51fcbfd948b5bc78538e74f76c1c795dbc6a11eb9a1271d2eb3a317b761fdb821106de792926e711ab644a2e29f27ba5e48

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 119dd954221530d818ad6e75621fd39b
SHA1 5d211984fd9e6fb2af9825e3dd64688416f45f35
SHA256 ea328d5773d6772a121f8397b233178ad56cedc15221cc534312706428dc786f
SHA512 dad0c7431a4289bd4f6123826defa4198102118e2f2a3528729512b83a3e360bb77c6c67fff1579ceafced6d96bf0a570e080d2983bf8a5d886aeffd06698ba9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e215b3899f4a98d74330d0cdde046ef
SHA1 20e50b54e5b7d2e872cc9a69a1de234f1e78956e
SHA256 4debe2ea564ac4eb91c33182251b5c3cb4f2a7509d75fe5fd41a9c0ccbf2a3b9
SHA512 1e3674f6169a9f95454ddc195e11cac8a39214ba65c7bb05d87b096282225e1f2cb231dfbfa47db110b196fbd442d96a88cf989a3756f0fecaa1c0e4fc4f0dc4

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win7-20240221-en

Max time kernel

118s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Accelerator.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 1656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2284 wrote to memory of 1656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2284 wrote to memory of 1656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2284 wrote to memory of 1656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2284 wrote to memory of 1656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2284 wrote to memory of 1656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2284 wrote to memory of 1656 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Accelerator.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Accelerator.dll,#1

Network

N/A

Files

memory/1656-0-0x0000000000350000-0x00000000003A5000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win7-20240508-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\gamebox.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gamebox.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\gamebox.exe

"C:\Users\Admin\AppData\Local\Temp\gamebox.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ptres.37.com udp
US 8.8.8.8:53 socks.landers.37.com udp
US 8.8.8.8:53 landers.37.com udp
US 8.8.8.8:53 socks.landers.37.com udp
US 8.8.8.8:53 socks.landers.37.com udp
US 8.8.8.8:53 gamebox.clickdata.37wan.com udp
US 8.8.8.8:53 d.wanyouxi7.com udp
US 8.8.8.8:53 d.wanyouxi7.com udp
US 8.8.8.8:53 d.wanyouxi7.com udp
US 8.8.8.8:53 d.wanyouxi7.com udp
US 8.8.8.8:53 d.wanyouxi7.com udp
US 8.8.8.8:53 landers.37.com udp

Files

memory/1856-7-0x0000000000170000-0x0000000000171000-memory.dmp

memory/1856-6-0x0000000000160000-0x0000000000161000-memory.dmp

memory/1856-8-0x0000000000180000-0x0000000000181000-memory.dmp

memory/1856-5-0x0000000000150000-0x0000000000151000-memory.dmp

memory/1856-4-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1856-3-0x0000000000130000-0x0000000000131000-memory.dmp

memory/1856-2-0x0000000000120000-0x0000000000121000-memory.dmp

memory/1856-1-0x0000000000110000-0x0000000000111000-memory.dmp

memory/1856-0-0x0000000000100000-0x0000000000101000-memory.dmp

memory/1856-10-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/1856-9-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1856-11-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1856-12-0x0000000000200000-0x0000000000201000-memory.dmp

memory/1856-13-0x0000000000210000-0x0000000000211000-memory.dmp

memory/1856-14-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1856-15-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1856-16-0x0000000000340000-0x0000000000341000-memory.dmp

memory/1856-17-0x0000000000350000-0x0000000000351000-memory.dmp

memory/1856-18-0x0000000000360000-0x0000000000361000-memory.dmp

memory/1856-19-0x0000000000370000-0x0000000000371000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a95775e31b53698f64755d7fe8eb7200_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\a95775e31b53698f64755d7fe8eb7200_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a95775e31b53698f64755d7fe8eb7200_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsp4587.tmp\SkinBtn.dll

MD5 e4ec95271ff1bcebab49bdfed6817a22
SHA1 2c03e97f4773aea80ecdb98a1482e5896fe4677b
SHA256 ee1c06692a757473737b0ebdef16f77b63afac864d0890022d905e4873737dd6
SHA512 771a527133806307a1b17b7e956d6a3c16e9bc675bf084b43204ae784a057dac2726dbf90645692876043a4e7365ba8825c167621fde4760c79cd84679e2aa3d

C:\Users\Admin\AppData\Local\Temp\nsp4587.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsp4587.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

C:\Users\Admin\AppData\Local\Temp\nsp4587.tmp\WndProc.dll

MD5 f0cb331dd4bd92a6ebce45e7cd1cf5ef
SHA1 b66ea0c10b08750295f2dc7c170b370402393214
SHA256 e7b3115fa2ce4a8fa09beeefa4fb634a474197f38a2854ce9be60d0a26016458
SHA512 7c33418f39b91ae0d4cc8b560f516bac293593eef539832815028878c2058bf1691c2d767a039cf312989839071f2f6f0b6d9d59835acdfff6b448bf1ffea271

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win10v2004-20240611-en

Max time kernel

123s

Max time network

134s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\License.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\License.rtf" /o ""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2564,i,11749492925348081608,8895412282206755658,262144 --variations-seed-version --mojo-platform-channel-handle=3832 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 23.73.137.235:443 binaries.templates.cdn.office.net tcp
GB 23.73.137.235:443 binaries.templates.cdn.office.net tcp
GB 23.73.137.235:443 binaries.templates.cdn.office.net tcp
GB 23.73.137.235:443 binaries.templates.cdn.office.net tcp
GB 23.73.137.235:443 binaries.templates.cdn.office.net tcp
GB 23.73.137.235:443 binaries.templates.cdn.office.net tcp
GB 23.73.137.235:443 binaries.templates.cdn.office.net tcp
GB 23.73.137.235:443 binaries.templates.cdn.office.net tcp
GB 23.73.137.235:443 binaries.templates.cdn.office.net tcp
GB 23.73.137.235:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 235.137.73.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

memory/3280-0-0x00007FFC5E0B0000-0x00007FFC5E0C0000-memory.dmp

memory/3280-1-0x00007FFC5E0B0000-0x00007FFC5E0C0000-memory.dmp

memory/3280-4-0x00007FFC9E0CD000-0x00007FFC9E0CE000-memory.dmp

memory/3280-3-0x00007FFC5E0B0000-0x00007FFC5E0C0000-memory.dmp

memory/3280-5-0x00007FFC5E0B0000-0x00007FFC5E0C0000-memory.dmp

memory/3280-2-0x00007FFC5E0B0000-0x00007FFC5E0C0000-memory.dmp

memory/3280-6-0x00007FFC9E030000-0x00007FFC9E225000-memory.dmp

memory/3280-7-0x00007FFC9E030000-0x00007FFC9E225000-memory.dmp

memory/3280-10-0x00007FFC9E030000-0x00007FFC9E225000-memory.dmp

memory/3280-11-0x00007FFC9E030000-0x00007FFC9E225000-memory.dmp

memory/3280-9-0x00007FFC9E030000-0x00007FFC9E225000-memory.dmp

memory/3280-13-0x00007FFC5BA10000-0x00007FFC5BA20000-memory.dmp

memory/3280-12-0x00007FFC9E030000-0x00007FFC9E225000-memory.dmp

memory/3280-8-0x00007FFC9E030000-0x00007FFC9E225000-memory.dmp

memory/3280-15-0x00007FFC9E030000-0x00007FFC9E225000-memory.dmp

memory/3280-16-0x00007FFC9E030000-0x00007FFC9E225000-memory.dmp

memory/3280-14-0x00007FFC9E030000-0x00007FFC9E225000-memory.dmp

memory/3280-19-0x00007FFC9E030000-0x00007FFC9E225000-memory.dmp

memory/3280-17-0x00007FFC5BA10000-0x00007FFC5BA20000-memory.dmp

memory/3280-21-0x00007FFC9E030000-0x00007FFC9E225000-memory.dmp

memory/3280-20-0x00007FFC9E030000-0x00007FFC9E225000-memory.dmp

memory/3280-18-0x00007FFC9E030000-0x00007FFC9E225000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCD35CE.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

memory/3280-513-0x00007FFC9E030000-0x00007FFC9E225000-memory.dmp

memory/3280-534-0x00007FFC5E0B0000-0x00007FFC5E0C0000-memory.dmp

memory/3280-535-0x00007FFC5E0B0000-0x00007FFC5E0C0000-memory.dmp

memory/3280-533-0x00007FFC5E0B0000-0x00007FFC5E0C0000-memory.dmp

memory/3280-536-0x00007FFC5E0B0000-0x00007FFC5E0C0000-memory.dmp

memory/3280-537-0x00007FFC9E030000-0x00007FFC9E225000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win7-20240611-en

Max time kernel

121s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 228

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a95775e31b53698f64755d7fe8eb7200_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\a95775e31b53698f64755d7fe8eb7200_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a95775e31b53698f64755d7fe8eb7200_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst24E1.tmp\SkinBtn.dll

MD5 e4ec95271ff1bcebab49bdfed6817a22
SHA1 2c03e97f4773aea80ecdb98a1482e5896fe4677b
SHA256 ee1c06692a757473737b0ebdef16f77b63afac864d0890022d905e4873737dd6
SHA512 771a527133806307a1b17b7e956d6a3c16e9bc675bf084b43204ae784a057dac2726dbf90645692876043a4e7365ba8825c167621fde4760c79cd84679e2aa3d

\Users\Admin\AppData\Local\Temp\nst24E1.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nst24E1.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

\Users\Admin\AppData\Local\Temp\nst24E1.tmp\WndProc.dll

MD5 f0cb331dd4bd92a6ebce45e7cd1cf5ef
SHA1 b66ea0c10b08750295f2dc7c170b370402393214
SHA256 e7b3115fa2ce4a8fa09beeefa4fb634a474197f38a2854ce9be60d0a26016458
SHA512 7c33418f39b91ae0d4cc8b560f516bac293593eef539832815028878c2058bf1691c2d767a039cf312989839071f2f6f0b6d9d59835acdfff6b448bf1ffea271

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-14 11:04

Reported

2024-06-14 11:07

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

130s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\$_47_\Web\error.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 2812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2940 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2940 wrote to memory of 1076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2940 wrote to memory of 1204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\$_47_\Web\error.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff9eea46f8,0x7fff9eea4708,0x7fff9eea4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16499976587051601333,12552237244961207338,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,16499976587051601333,12552237244961207338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,16499976587051601333,12552237244961207338,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16499976587051601333,12552237244961207338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16499976587051601333,12552237244961207338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,16499976587051601333,12552237244961207338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4108 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,16499976587051601333,12552237244961207338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4108 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16499976587051601333,12552237244961207338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16499976587051601333,12552237244961207338,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16499976587051601333,12552237244961207338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16499976587051601333,12552237244961207338,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16499976587051601333,12552237244961207338,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 /prefetch:2

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 52.111.227.14:443 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 439b5e04ca18c7fb02cf406e6eb24167
SHA1 e0c5bb6216903934726e3570b7d63295b9d28987
SHA256 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512 d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

\??\pipe\LOCAL\crashpad_2940_RFNKABKNMRFVRYIH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a8e767fd33edd97d306efb6905f93252
SHA1 a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256 c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 202e08083e9eca7d0ac660a927930f5f
SHA1 c517ad36211141b6c9db6c1db8c33c57930dcd47
SHA256 3416a460a39278dc80bf42a28b93657e7f72b4a9c5d162a1a5dd175fc513e534
SHA512 625711b8fc1ad099df6de6070fa895134e91706b8c7babfe0f66073282854e938c75e861668198fe73be2975917a691b0b25b1353bb077b8314abbc4ef4e4f04

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 45c8dbe3d7c0b230c20e0fd5fec41c7f
SHA1 cf099e5ae2c24382846f8c33ba45da9972bd71f6
SHA256 9e670083bf765cf5c37905639ccd5fa5a4bfecbce4d317c941fde4613577bedf
SHA512 6c5be06eecec94dd020102fab2da2c03766b5749269dd7d5156339aa04f37a55465b2ffc2e810f9ea51fdb88ead4e94ecbe069bfc5714ca70fa594a8f1a0cd27

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f8b21ef77e80dd3c641684055d66e25d
SHA1 e9c2284b1525ccf970137e7aa9ce837e8356e096
SHA256 a2c27045d2bf295d6ec2a68432065642d42267b00a5b1364018801c2fbb3c3aa
SHA512 1a65519edb2a7f18457a81f9ce63724e94a8a45e597890cac2080e1377d7ffb2a4c696aeda41d7404bda8b61ff6b65deb99b4ed2da75fe80ebf2aec492faba54