Malware Analysis Report

2025-03-15 05:48

Sample ID 240623-25ayva1ajp
Target 03c2731984c9baf48b28f3df4814e4a4_JaffaCakes118
SHA256 938e2be7f11645ffc60f7ed1d13680c77eda2c2bf5c18a2183d1e529e6f561b4
Tags aspackv2 upx evasion trojan persistence
Score 7/10

Analysis Overview

score
7/10

SHA256

938e2be7f11645ffc60f7ed1d13680c77eda2c2bf5c18a2183d1e529e6f561b4

Threat Level: Shows suspicious behavior

The file 03c2731984c9baf48b28f3df4814e4a4_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

aspackv2 upx evasion trojan persistence

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

UPX packed file

ASPack v2.12-2.42

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Program crash

Unsigned PE

Enumerates physical storage devices

NSIS installer

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-23 23:09

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 23:09

Reported

2024-06-23 23:12

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03c2731984c9baf48b28f3df4814e4a4_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\03c2731984c9baf48b28f3df4814e4a4_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\03c2731984c9baf48b28f3df4814e4a4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\03c2731984c9baf48b28f3df4814e4a4_JaffaCakes118.exe"

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-23 23:09

Reported

2024-06-23 23:12

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\MP3Source.dll

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF}\FriendlyName = "File Source (MP3)" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF}\FilterData = 02000000000040000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000006175647300001000800000aa00389b710100000000001000800000aa00389b71 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF}\ = "File Source (MP3)" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF}\CLSID = "{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MP3Source.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions\.mp3 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 452 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1884 wrote to memory of 452 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1884 wrote to memory of 452 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\MP3Source.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\MP3Source.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/452-1-0x00000000006A0000-0x00000000006CD000-memory.dmp

memory/452-0-0x00000000006A0000-0x00000000006CD000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-23 23:09

Reported

2024-06-23 23:12

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bass.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1304 wrote to memory of 2796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1304 wrote to memory of 2796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1304 wrote to memory of 2796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1304 wrote to memory of 2796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1304 wrote to memory of 2796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1304 wrote to memory of 2796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1304 wrote to memory of 2796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bass.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bass.dll,#1

Network

N/A

Files

memory/2796-0-0x0000000010000000-0x0000000010041000-memory.dmp

memory/2796-4-0x0000000010040000-0x0000000010041000-memory.dmp

memory/2796-3-0x0000000010000000-0x0000000010041000-memory.dmp

memory/2796-2-0x0000000010000000-0x0000000010041000-memory.dmp

memory/2796-1-0x0000000010000000-0x0000000010041000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-23 23:09

Reported

2024-06-23 23:12

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\chatServer.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\chatServer.exe

"C:\Users\Admin\AppData\Local\Temp\chatServer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.208:443 www.bing.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
CL 186.9.13.252:37291 udp
US 8.8.8.8:53 208.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 252.13.9.186.in-addr.arpa udp
CL 190.164.105.23:16881 udp
US 8.8.8.8:53 23.105.164.190.in-addr.arpa udp
GB 86.20.50.0:54321 udp
IT 151.51.13.132:15544 udp
US 8.8.8.8:53 0.50.20.86.in-addr.arpa udp
VE 190.142.165.73:10985 udp
US 8.8.8.8:53 132.13.51.151.in-addr.arpa udp
US 8.8.8.8:53 73.165.142.190.in-addr.arpa udp
MX 189.180.165.97:950 udp
AR 201.254.61.106:5000 udp
US 8.8.8.8:53 97.165.180.189.in-addr.arpa udp
US 8.8.8.8:53 106.61.254.201.in-addr.arpa udp
MY 121.120.37.226:49273 udp
MA 196.217.199.234:15402 udp
US 8.8.8.8:53 226.37.120.121.in-addr.arpa udp
US 66.215.154.157:32779 udp
US 8.8.8.8:53 234.199.217.196.in-addr.arpa udp
AR 201.255.50.173:11394 udp
US 8.8.8.8:53 157.154.215.66.in-addr.arpa udp
US 38.114.67.69:42187 udp
US 8.8.8.8:53 173.50.255.201.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 69.67.114.38.in-addr.arpa udp
MX 189.220.40.92:45827 udp
US 8.8.8.8:53 92.40.220.189.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
BR 189.124.4.28:6855 udp
AR 190.50.203.237:5000 udp
US 8.8.8.8:53 28.4.124.189.in-addr.arpa udp
US 8.8.8.8:53 237.203.50.190.in-addr.arpa udp
US 68.93.141.173:21783 udp
US 8.8.8.8:53 173.141.93.68.in-addr.arpa udp
US 69.245.15.118:63218 udp
US 8.8.8.8:53 118.15.245.69.in-addr.arpa udp
SG 117.20.130.249:60959 udp
US 8.8.8.8:53 249.130.20.117.in-addr.arpa udp
MX 189.140.91.123:5000 udp
US 8.8.8.8:53 123.91.140.189.in-addr.arpa udp
AR 190.16.122.134:64846 udp
US 8.8.8.8:53 134.122.16.190.in-addr.arpa udp
ES 83.33.111.59:5454 udp
US 8.8.8.8:53 59.111.33.83.in-addr.arpa udp
US 98.200.248.108:44761 udp
US 8.8.8.8:53 108.248.200.98.in-addr.arpa udp
MX 201.143.71.222:32479 udp
US 8.8.8.8:53 222.71.143.201.in-addr.arpa udp
CA 24.201.83.251:26452 udp
AR 190.17.247.97:16246 udp
US 8.8.8.8:53 251.83.201.24.in-addr.arpa udp
US 8.8.8.8:53 97.247.17.190.in-addr.arpa udp
TR 78.182.70.56:12867 udp
US 8.8.8.8:53 56.70.182.78.in-addr.arpa udp
US 98.193.86.98:15783 udp
US 8.8.8.8:53 98.86.193.98.in-addr.arpa udp
BS 24.231.33.24:18561 udp
US 8.8.8.8:53 24.33.231.24.in-addr.arpa udp
RO 95.76.2.96:22772 udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 96.2.76.95.in-addr.arpa udp
US 67.159.144.95:5000 udp
US 8.8.8.8:53 95.144.159.67.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
ES 213.37.185.30:42684 udp
US 8.8.8.8:53 30.185.37.213.in-addr.arpa udp
AR 190.107.103.232:27706 udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
TR 81.214.57.154:11453 udp
US 8.8.8.8:53 232.103.107.190.in-addr.arpa udp
US 8.8.8.8:53 154.57.214.81.in-addr.arpa udp
PL 83.230.16.7:36280 udp
US 8.8.8.8:53 7.16.230.83.in-addr.arpa udp
MX 189.164.241.108:5000 udp
US 8.8.8.8:53 108.241.164.189.in-addr.arpa udp
ES 88.22.132.218:5500 udp
US 8.8.8.8:53 218.132.22.88.in-addr.arpa udp
BR 201.29.96.217:35008 udp
US 8.8.8.8:53 217.96.29.201.in-addr.arpa udp
PE 190.42.114.239:44844 udp
US 8.8.8.8:53 239.114.42.190.in-addr.arpa udp
TR 85.107.184.194:44507 udp
US 8.8.8.8:53 194.184.107.85.in-addr.arpa udp
GB 86.130.181.175:5631 udp
US 8.8.8.8:53 175.181.130.86.in-addr.arpa udp
MX 189.154.49.63:5500 udp
US 8.8.8.8:53 63.49.154.189.in-addr.arpa udp
AR 190.55.35.191:8000 udp
AR 190.51.62.226:49780 udp
US 8.8.8.8:53 226.62.51.190.in-addr.arpa udp
US 8.8.8.8:53 191.35.55.190.in-addr.arpa udp
AR 201.250.63.45:25000 udp
US 8.8.8.8:53 45.63.250.201.in-addr.arpa udp
TR 88.237.139.152:12867 udp
US 8.8.8.8:53 152.139.237.88.in-addr.arpa udp
BR 187.20.32.220:30865 udp
US 8.8.8.8:53 220.32.20.187.in-addr.arpa udp
TR 81.213.65.180:19050 udp
US 8.8.8.8:53 180.65.213.81.in-addr.arpa udp
IT 79.30.46.253:38761 udp
FI 80.221.22.81:9857 udp
US 8.8.8.8:53 253.46.30.79.in-addr.arpa udp
US 8.8.8.8:53 81.22.221.80.in-addr.arpa udp
AR 190.51.102.42:7777 udp
US 8.8.8.8:53 42.102.51.190.in-addr.arpa udp
TR 78.183.200.108:12867 udp
US 8.8.8.8:53 108.200.183.78.in-addr.arpa udp
IT 151.57.26.38:15020 udp
US 8.8.8.8:53 38.26.57.151.in-addr.arpa udp
SE 83.251.1.222:44154 udp
US 8.8.8.8:53 222.1.251.83.in-addr.arpa udp
AR 201.253.228.115:32049 udp
US 8.8.8.8:53 115.228.253.201.in-addr.arpa udp
US 71.197.217.156:5000 udp
US 8.8.8.8:53 156.217.197.71.in-addr.arpa udp
VE 200.109.77.24:5000 udp
US 8.8.8.8:53 24.77.109.200.in-addr.arpa udp
BR 201.13.187.250:10861 udp
US 8.8.8.8:53 250.187.13.201.in-addr.arpa udp
ES 88.148.44.179:39360 udp
US 8.8.8.8:53 179.44.148.88.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
ES 79.144.230.224:5999 udp
US 8.8.8.8:53 224.230.144.79.in-addr.arpa udp
US 98.148.203.147:62971 udp
US 8.8.8.8:53 147.203.148.98.in-addr.arpa udp
PL 91.189.34.197:14603 udp
US 8.8.8.8:53 197.34.189.91.in-addr.arpa udp
ES 79.155.52.154:14203 udp
US 8.8.8.8:53 154.52.155.79.in-addr.arpa udp
CL 200.104.117.114:5000 udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 114.117.104.200.in-addr.arpa udp
MA 81.192.127.180:6620 udp
US 8.8.8.8:53 180.127.192.81.in-addr.arpa udp
AR 190.179.151.123:55960 udp
US 8.8.8.8:53 123.151.179.190.in-addr.arpa udp
AR 201.254.59.151:52594 udp
US 8.8.8.8:53 151.59.254.201.in-addr.arpa udp
PL 79.162.207.129:35741 udp
US 8.8.8.8:53 129.207.162.79.in-addr.arpa udp
AR 190.226.141.83:16358 udp
US 8.8.8.8:53 83.141.226.190.in-addr.arpa udp
US 74.186.117.227:39212 udp
US 8.8.8.8:53 227.117.186.74.in-addr.arpa udp
BR 189.82.248.102:31708 udp
US 8.8.8.8:53 102.248.82.189.in-addr.arpa udp
BR 201.68.168.97:62207 udp
US 8.8.8.8:53 97.168.68.201.in-addr.arpa udp
TR 88.229.128.50:10101 udp
US 8.8.8.8:53 50.128.229.88.in-addr.arpa udp
BR 189.55.113.33:7537 udp
US 8.8.8.8:53 33.113.55.189.in-addr.arpa udp
US 24.171.73.69:32074 udp
US 8.8.8.8:53 69.73.171.24.in-addr.arpa udp
AU 122.148.206.228:1157 udp
US 8.8.8.8:53 228.206.148.122.in-addr.arpa udp
AR 190.188.130.192:26211 udp
US 8.8.8.8:53 192.130.188.190.in-addr.arpa udp
ES 85.52.161.153:10000 udp
US 8.8.8.8:53 153.161.52.85.in-addr.arpa udp
ES 87.111.4.140:59237 udp
US 8.8.8.8:53 140.4.111.87.in-addr.arpa udp
AR 190.191.243.179:8000 udp
US 8.8.8.8:53 179.243.191.190.in-addr.arpa udp
CA 68.146.158.183:22049 udp
US 8.8.8.8:53 183.158.146.68.in-addr.arpa udp
BR 189.4.55.33:26824 udp
US 8.8.8.8:53 33.55.4.189.in-addr.arpa udp
US 98.213.179.235:59534 udp
US 8.8.8.8:53 235.179.213.98.in-addr.arpa udp
BR 189.101.1.231:11159 udp
US 8.8.8.8:53 231.1.101.189.in-addr.arpa udp
US 98.215.7.172:5256 udp
US 8.8.8.8:53 172.7.215.98.in-addr.arpa udp
TR 78.164.188.194:47891 udp
US 8.8.8.8:53 194.188.164.78.in-addr.arpa udp
AR 201.250.41.115:5000 udp
US 8.8.8.8:53 115.41.250.201.in-addr.arpa udp
US 24.165.127.70:40498 udp
US 8.8.8.8:53 70.127.165.24.in-addr.arpa udp
GB 82.27.179.152:6411 udp
US 8.8.8.8:53 152.179.27.82.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
ES 88.10.130.237:50000 udp
US 8.8.8.8:53 237.130.10.88.in-addr.arpa udp
ES 84.120.96.24:58770 udp
US 8.8.8.8:53 24.96.120.84.in-addr.arpa udp
MX 189.133.212.8:31696 udp
US 8.8.8.8:53 8.212.133.189.in-addr.arpa udp
CL 201.222.198.136:40417 udp
US 8.8.8.8:53 136.198.222.201.in-addr.arpa udp
MX 187.134.32.254:5005 udp
US 8.8.8.8:53 254.32.134.187.in-addr.arpa udp
CA 74.58.161.8:63082 udp
US 8.8.8.8:53 8.161.58.74.in-addr.arpa udp
ES 77.208.131.157:20679 udp
US 8.8.8.8:53 157.131.208.77.in-addr.arpa udp
AR 190.176.11.4:56656 udp
US 8.8.8.8:53 4.11.176.190.in-addr.arpa udp
MX 189.159.20.144:3427 udp
US 8.8.8.8:53 144.20.159.189.in-addr.arpa udp
PL 89.77.43.65:5726 udp
US 8.8.8.8:53 65.43.77.89.in-addr.arpa udp
TR 78.162.21.111:10907 udp
US 8.8.8.8:53 111.21.162.78.in-addr.arpa udp
CA 96.30.154.105:61544 udp
US 8.8.8.8:53 105.154.30.96.in-addr.arpa udp
UY 200.108.219.169:40072 udp
US 8.8.8.8:53 169.219.108.200.in-addr.arpa udp
ES 217.216.97.44:7203 udp
AR 190.51.93.87:1152 udp
US 8.8.8.8:53 44.97.216.217.in-addr.arpa udp
MA 81.192.195.195:17155 udp
US 8.8.8.8:53 87.93.51.190.in-addr.arpa udp
US 8.8.8.8:53 195.195.192.81.in-addr.arpa udp
AR 190.174.143.68:19580 udp
US 8.8.8.8:53 68.143.174.190.in-addr.arpa udp
VE 190.39.222.173:5000 udp
US 8.8.8.8:53 173.222.39.190.in-addr.arpa udp
TR 78.171.193.34:25580 udp
VE 200.109.207.66:11112 udp
US 8.8.8.8:53 34.193.171.78.in-addr.arpa udp
US 8.8.8.8:53 66.207.109.200.in-addr.arpa udp
CO 190.1.134.111:39505 udp
US 8.8.8.8:53 111.134.1.190.in-addr.arpa udp
MX 189.159.102.129:45727 udp
US 8.8.8.8:53 129.102.159.189.in-addr.arpa udp
AR 190.225.113.18:33863 udp
US 8.8.8.8:53 18.113.225.190.in-addr.arpa udp
MX 189.176.136.62:50650 udp
US 8.8.8.8:53 62.136.176.189.in-addr.arpa udp
US 66.79.171.222:8082 udp
US 8.8.8.8:53 222.171.79.66.in-addr.arpa udp
AR 190.1.51.12:5000 udp
US 97.84.168.211:24915 udp
US 8.8.8.8:53 211.168.84.97.in-addr.arpa udp
AR 200.115.215.83:12867 udp
US 8.8.8.8:53 83.215.115.200.in-addr.arpa udp
ES 213.254.81.201:23433 udp
US 8.8.8.8:53 201.81.254.213.in-addr.arpa udp
TR 78.171.224.136:50731 udp
US 8.8.8.8:53 136.224.171.78.in-addr.arpa udp
ES 81.203.218.10:7000 udp
US 8.8.8.8:53 10.218.203.81.in-addr.arpa udp
US 97.92.171.5:21499 udp
US 8.8.8.8:53 5.171.92.97.in-addr.arpa udp
ES 88.28.233.9:38176 udp
ES 84.121.54.252:17573 udp
US 8.8.8.8:53 9.233.28.88.in-addr.arpa udp
VE 190.38.113.25:62197 udp
US 8.8.8.8:53 252.54.121.84.in-addr.arpa udp
US 8.8.8.8:53 25.113.38.190.in-addr.arpa udp
ES 88.148.22.143:30413 udp
AR 201.255.187.99:39221 udp
US 8.8.8.8:53 99.187.255.201.in-addr.arpa udp
US 69.93.181.146:5000 udp
US 8.8.8.8:53 146.181.93.69.in-addr.arpa udp
BR 189.44.230.94:16986 udp
US 8.8.8.8:53 94.230.44.189.in-addr.arpa udp
MX 189.171.14.50:5001 udp
US 8.8.8.8:53 50.14.171.189.in-addr.arpa udp
MX 189.136.185.200:5000 udp
US 8.8.8.8:53 200.185.136.189.in-addr.arpa udp
PR 24.171.224.20:5000 udp
US 8.8.8.8:53 20.224.171.24.in-addr.arpa udp
BR 200.164.21.105:13413 udp
US 8.8.8.8:53 105.21.164.200.in-addr.arpa udp
ES 80.39.70.242:5000 udp
US 8.8.8.8:53 242.70.39.80.in-addr.arpa udp
PL 87.105.100.71:44635 udp
US 8.8.8.8:53 71.100.105.87.in-addr.arpa udp
MX 189.174.38.211:12867 udp
US 8.8.8.8:53 211.38.174.189.in-addr.arpa udp
AR 190.51.159.138:59506 udp
US 8.8.8.8:53 138.159.51.190.in-addr.arpa udp
ES 77.225.151.74:5000 udp
US 8.8.8.8:53 74.151.225.77.in-addr.arpa udp
VE 190.207.150.213:1111 udp
US 8.8.8.8:53 213.150.207.190.in-addr.arpa udp
AR 190.49.61.107:61702 udp
US 8.8.8.8:53 107.61.49.190.in-addr.arpa udp
BR 201.37.247.91:39939 udp
US 8.8.8.8:53 91.247.37.201.in-addr.arpa udp
MX 189.176.238.152:5771 udp
US 8.8.8.8:53 152.238.176.189.in-addr.arpa udp
MX 201.170.93.4:5000 udp
US 8.8.8.8:53 4.93.170.201.in-addr.arpa udp
CO 200.118.239.181:6000 udp
US 8.8.8.8:53 181.239.118.200.in-addr.arpa udp
MX 189.174.128.104:5000 udp
US 8.8.8.8:53 104.128.174.189.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
ES 85.137.49.160:51064 udp

Files

memory/4680-0-0x0000000002520000-0x0000000002521000-memory.dmp

memory/4680-2-0x0000000000400000-0x0000000000522000-memory.dmp

memory/4680-3-0x0000000000400000-0x0000000000522000-memory.dmp

memory/4680-4-0x0000000002520000-0x0000000002521000-memory.dmp

memory/4680-5-0x0000000000400000-0x0000000000522000-memory.dmp

memory/4680-6-0x0000000000400000-0x0000000000522000-memory.dmp

memory/4680-7-0x0000000000400000-0x0000000000522000-memory.dmp

memory/4680-8-0x0000000000400000-0x0000000000522000-memory.dmp

memory/4680-9-0x0000000000400000-0x0000000000522000-memory.dmp

memory/4680-10-0x0000000000400000-0x0000000000522000-memory.dmp

memory/4680-11-0x0000000000400000-0x0000000000522000-memory.dmp

memory/4680-12-0x0000000000400000-0x0000000000522000-memory.dmp

memory/4680-13-0x0000000000400000-0x0000000000522000-memory.dmp

memory/4680-14-0x0000000000400000-0x0000000000522000-memory.dmp

memory/4680-15-0x0000000000400000-0x0000000000522000-memory.dmp

memory/4680-16-0x0000000000400000-0x0000000000522000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-23 23:09

Reported

2024-06-23 23:12

Platform

win7-20240221-en

Max time kernel

140s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libfaad2.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libfaad2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libfaad2.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 228

Network

N/A

Files

memory/2220-0-0x0000000010000000-0x000000001003F000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-23 23:09

Reported

2024-06-23 23:12

Platform

win7-20240611-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 81b6cd95eacc91c3502779b1dd82b794
SHA1 a0b5b12ed0e2d9a6bc7706c0138820b6c8eed4bb
SHA256 b5437d283a259e19afbdf7484bf84d645829030d9248ded1b048933bdcc0e8b3
SHA512 3e21328831226c17c45f53807a61cae2f2cbe66dc9a9f432ab1484a00672769a6bc883e3c838d9bf31247533e66ff58245aab08bea86ea9a79fcc7c99196be1b

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-23 23:09

Reported

2024-06-23 23:11

Platform

win7-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\data\Homepage.url

Signatures

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\System32\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a03905000000000200000000001066000000010000200000007994c32b75b6dc25c8c8511aee44a785a898536d0737a240b9f333c39c71cda1000000000e8000000002000020000000c45773fe395bdb4de89360b05bca5131140c63bb6fccea1e47cbff3cb4ba7767200000002b847e6f5312b53bc923cbea7bb1ac4339b92c6fdabb591b4ba446b6bf042f8240000000911d1f181242e4d8ebe9d66df248554b2ac46de93c4f17d94d7bcf7779590ed254cb69524ca75b8d1ab16a230fa1666332ab309453cfa11ac8a760fd53665055 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A394F2C1-31B5-11EF-AC6D-CE8752B95906} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10761979c2c5da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425346035" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\data\Homepage.url

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2796 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 aresgalaxy.sourceforge.net udp
US 172.64.150.145:80 aresgalaxy.sourceforge.net tcp
US 172.64.150.145:443 aresgalaxy.sourceforge.net tcp
US 8.8.8.8:53 aresgalaxy.io udp
US 172.234.222.143:80 aresgalaxy.io tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1936-0-0x00000000001D0000-0x00000000001E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab19AA.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar19BD.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b1a7c93bd2b9e276f7f1c69f81c82570
SHA1 9667aba2596d1c237846e417441f329df696df54
SHA256 9923c2e34b1d578d0fbf794c1786c380e4d4672a58414574df8d235a8604b380
SHA512 36cfcda1ff22f9d32d64a6c25507b1b62201b5720a1defc648556cada3f446bd24ddb905fd8f47fd753916935335c9e65a4ce83494326df965a27c3edf565d76

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 23:09

Reported

2024-06-23 23:12

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03c2731984c9baf48b28f3df4814e4a4_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\03c2731984c9baf48b28f3df4814e4a4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\03c2731984c9baf48b28f3df4814e4a4_JaffaCakes118.exe"

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-23 23:09

Reported

2024-06-23 23:12

Platform

win7-20240611-en

Max time kernel

146s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ares.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\ares = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" -h" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Arlnk\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" \"%L\"" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.CollectionList\Content Type\ = "application/x-ares" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.arescol C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.m3u C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Play\ = "&Play in Ares" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Enqueue\ = "&Enqueue in Ares" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Arlnk\ = "URL:Ares protocol" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Arlnk\ = "URL:Ares protocol" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.CollectionList C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Ares.CollectionList\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.torrent C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Torrent\Content Type\ = "application/x-bittorrent" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.arlnk\ = "Ares.Arlnk" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Arlnk\shell C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Ares.CollectionList\Content Type C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\ = "Ares.Torrent" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Ares.Torrent\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.arlnk C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Arlnk\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" \"%L\"" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\ = "Ares playlist file" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Open\ C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Play C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.CollectionList\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Torrent\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Torrent\shell C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Ares.Torrent\shell\open\command C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\ = "Play" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Arlnk\URL Protocol C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.arescol\ = "Ares.CollectionList" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.CollectionList\shell\open\command C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.torrent C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Torrent\shell\open\command C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Open C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.CollectionList\Content Type C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.CollectionList\shell C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Enqueue\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" /ADD \"%1\"" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Arlnk\URL Protocol C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Torrent\shell\open C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Arlnk C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.m3u\ = "Ares.Playlist" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\",0" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Enqueue C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Arlnk\shell\open\command C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Arlnk\shell\open C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.CollectionList\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\",0" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Ares.Torrent\Content Type C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.arescol C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Torrent\Content Type C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wax C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pls\ = "Ares.Playlist" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Arlnk\shell\open\command C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Arlnk\shell C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.CollectionList\shell\open C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Torrent\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\",0" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pls C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Play\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Arlnk C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.CollectionList\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Ares.CollectionList\shell\open\command C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wax\ = "Ares.Playlist" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ares.exe

"C:\Users\Admin\AppData\Local\Temp\Ares.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 lan6.startvg.com udp
US 207.244.76.130:80 lan6.startvg.com tcp
US 8.8.8.8:53 ww1.startvg.com udp
US 199.59.243.226:80 ww1.startvg.com tcp

Files

memory/2020-0-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2020-17-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2020-18-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2020-19-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2020-20-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2020-21-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2020-22-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2020-23-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2020-25-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2020-26-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2020-27-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2020-28-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2020-29-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2020-30-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2020-31-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/2020-32-0x0000000000400000-0x00000000006FE000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-23 23:09

Reported

2024-06-23 23:12

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AsyncEx.dll

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{3E0FA044-926C-42D9-BA12-EF16E980913B}\FriendlyName = "AsyncEx" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{3E0FA044-926C-42D9-BA12-EF16E980913B}\FilterData = 020000000000200001000000000000003070693308000000000000000100000000000000000000003074793300000000380000000000000083eb36e44f52ce119f530020af0ba770 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E0FA044-926C-42D9-BA12-EF16E980913B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E0FA044-926C-42D9-BA12-EF16E980913B}\ = "AsyncEx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E0FA044-926C-42D9-BA12-EF16E980913B}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E0FA044-926C-42D9-BA12-EF16E980913B}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{3E0FA044-926C-42D9-BA12-EF16E980913B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E0FA044-926C-42D9-BA12-EF16E980913B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AsyncEx.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{3E0FA044-926C-42D9-BA12-EF16E980913B}\CLSID = "{3E0FA044-926C-42D9-BA12-EF16E980913B}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 1952 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AsyncEx.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\AsyncEx.dll

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-23 23:09

Reported

2024-06-23 23:12

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AsyncEx.dll

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{3E0FA044-926C-42D9-BA12-EF16E980913B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{3E0FA044-926C-42D9-BA12-EF16E980913B}\FriendlyName = "AsyncEx" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E0FA044-926C-42D9-BA12-EF16E980913B}\ = "AsyncEx" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E0FA044-926C-42D9-BA12-EF16E980913B}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{3E0FA044-926C-42D9-BA12-EF16E980913B}\CLSID = "{3E0FA044-926C-42D9-BA12-EF16E980913B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{3E0FA044-926C-42D9-BA12-EF16E980913B}\FilterData = 020000000000200001000000000000003070693308000000000000000100000000000000000000003074793300000000380000000000000083eb36e44f52ce119f530020af0ba770 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E0FA044-926C-42D9-BA12-EF16E980913B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E0FA044-926C-42D9-BA12-EF16E980913B}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E0FA044-926C-42D9-BA12-EF16E980913B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AsyncEx.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3928 wrote to memory of 4564 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3928 wrote to memory of 4564 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3928 wrote to memory of 4564 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AsyncEx.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\AsyncEx.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
BE 88.221.83.219:443 www.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 219.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-23 23:09

Reported

2024-06-23 23:12

Platform

win7-20240508-en

Max time kernel

121s

Max time network

124s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\MP3Source.dll

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF}\FilterData = 02000000000040000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000006175647300001000800000aa00389b710100000000001000800000aa00389b71 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF}\ = "File Source (MP3)" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MP3Source.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.mp3 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF}\FriendlyName = "File Source (MP3)" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF}\CLSID = "{422A3AF6-0B1D-42CB-AAF9-7DFD8EB2FCEF}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 1928 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2320 wrote to memory of 1928 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2320 wrote to memory of 1928 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2320 wrote to memory of 1928 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2320 wrote to memory of 1928 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2320 wrote to memory of 1928 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2320 wrote to memory of 1928 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\MP3Source.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\MP3Source.dll

Network

N/A

Files

memory/1928-0-0x0000000000210000-0x000000000023D000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-23 23:09

Reported

2024-06-23 23:12

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 52.111.227.11:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 81b6cd95eacc91c3502779b1dd82b794
SHA1 a0b5b12ed0e2d9a6bc7706c0138820b6c8eed4bb
SHA256 b5437d283a259e19afbdf7484bf84d645829030d9248ded1b048933bdcc0e8b3
SHA512 3e21328831226c17c45f53807a61cae2f2cbe66dc9a9f432ab1484a00672769a6bc883e3c838d9bf31247533e66ff58245aab08bea86ea9a79fcc7c99196be1b

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-23 23:09

Reported

2024-06-23 23:12

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libfaad2.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 1628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 1628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 1628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libfaad2.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libfaad2.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1628 -ip 1628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 604

Network

N/A

Files

memory/1628-0-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1628-1-0x0000000010000000-0x000000001003F000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-23 23:09

Reported

2024-06-23 23:12

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ares.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ares = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" -h" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Arlnk\shell\open C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.m3u\ = "Ares.Playlist" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wax C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\ = "Play" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Arlnk C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Arlnk\shell C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Arlnk\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" \"%L\"" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Torrent C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Ares.Torrent\shell\open\command C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Arlnk\shell C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Torrent\shell C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Play\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.CollectionList C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Ares.CollectionList\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.torrent C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Enqueue\ = "&Enqueue in Ares" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Torrent\shell\open C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Torrent\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Arlnk\shell\open\command C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Arlnk\shell\open\command C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Ares.CollectionList\Content Type C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pls C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\",0" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Arlnk\shell\open C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.arescol\ = "Ares.CollectionList" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.arescol C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.m3u C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Enqueue C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Arlnk\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" \"%L\"" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Ares.CollectionList\shell\open\command C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.torrent C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Torrent\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\",0" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pls\ = "Ares.Playlist" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.arescol C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\ = "Ares.Torrent" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Arlnk\URL Protocol C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Arlnk\ = "URL:Ares protocol" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Arlnk\URL Protocol C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Torrent\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Torrent\shell\open\command C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Ares.Torrent\Content Type C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wax\ = "Ares.Playlist" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Open C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.arlnk\ = "Ares.Arlnk" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Arlnk C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.CollectionList\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Enqueue\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" /ADD \"%1\"" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Play\Command C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.CollectionList\Content Type C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Ares.Torrent\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.arlnk C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Open\ C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Arlnk\ = "URL:Ares protocol" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Torrent\Content Type C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.CollectionList\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\",0" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.CollectionList\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\ = "Ares playlist file" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Enqueue\Command C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Play\ = "&Play in Ares" C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
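
Taken together, the behavioral4 rows give Ares.exe three routes back into execution from C:\Users\Admin\AppData\Local\Temp: the HKCU Run entry (ares = "...Ares.exe" -h) at every logon of this user; file associations (.torrent, .m3u, .pls, .wax, .arescol, .arlnk) whose ProgIDs route the shell's Open, Play and Enqueue verbs to it; and the URL Protocol marker on Arlnk (and on the Ares.Arlnk ProgID), which lets a link or document hand it an arlnk: URL of the author's choosing as its argument, subject to the browser's handler prompt. The logger records the same key in mixed case (SOFTWARE vs Software, Shell vs shell) and the .m3u association lands in the per-user <SID>_Classes hive, which shadows HKLM, so tooling has to normalise case and merge hives before reasoning about what runs. The Python below is an added example, not part of the report: it loads rows copied from these tables into a small registry model and resolves the command the shell would execute for a given file or URL, in the documented order (per-user Classes first, the ProgID's default verb, then shell\<verb>\command). The hive mapping from the logged NT paths, and treating %1 and %L both as the item path, are my assumptions.

```python
"""Resolve what the shell launches after the Ares.exe registry writes.

Added example, not part of the sandbox report. ROWS are copied from the
behavioral4 'Adds Run key' and 'Modifies registry class' tables with the
Process/Target columns dropped. The hive mapping from the NT paths the
sandbox logged, and reading %1 and %L both as the item path, are assumptions.
"""
import ntpath
import re

ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ares = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" -h"',
    r'Key created \REGISTRY\MACHINE\Software\Classes\.torrent',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\ = "Ares.Torrent"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Torrent\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" \"%1\""',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.m3u\ = "Ares.Playlist"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\ = "Play"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Play\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" \"%1\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ares.Playlist\Shell\Enqueue\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" /ADD \"%1\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Arlnk\ = "URL:Ares protocol"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Arlnk\URL Protocol',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Arlnk\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ares.exe\" \"%L\""',
]

ROW_RE = re.compile(r"^(Key created|Set value \((\w+)\)) (.+?)(?: = (.*))?$")
# NT path -> (hive, path relative to SOFTWARE). Per-user Classes are logged as <SID>_Classes.
HIVES = [
    (re.compile(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(.+)$", re.I), "HKLM", ""),
    (re.compile(r"^\\REGISTRY\\USER\\S-[\d-]+_Classes\\(.+)$", re.I), "HKCU", "classes\\"),
    (re.compile(r"^\\REGISTRY\\USER\\S-[\d-]+\\SOFTWARE\\(.+)$", re.I), "HKCU", ""),
]


def unquote(value):
    """Strip the logger's outer quotes and its backslash escaping."""
    if value is None:
        return ""                      # value set with no data, e.g. the URL Protocol marker
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", r"\1", value)


class Registry:
    """Values keyed by (hive, lower-cased path): the log mixes SOFTWARE/Software
    and Shell/shell, and the real registry is case-insensitive."""

    def __init__(self, rows):
        self.values = {}
        for row in rows:
            m = ROW_RE.match(row)
            if not m or m.group(1) == "Key created":
                continue               # key creation carries no value
            for rx, hive, prefix in HIVES:
                h = rx.match(m.group(3))
                if h:
                    self.values[(hive, prefix + h.group(1).lower())] = unquote(m.group(4))
                    break

    def get(self, rel):
        """Per-user Classes shadow the machine-wide ones, so HKCU is consulted first."""
        for hive in ("HKCU", "HKLM"):
            if (hive, rel.lower()) in self.values:
                return self.values[(hive, rel.lower())]
        return None


def expand(template, item):
    """Substitute the shell placeholders; %1 and %L are both taken as the item path."""
    return re.sub(r"%[1lL]", lambda _m: item, template)


def command_for_file(reg, path):
    """extension -> ProgID -> default verb (or 'open') -> shell\\<verb>\\command."""
    progid = reg.get("classes\\%s\\" % ntpath.splitext(path)[1])
    if not progid:
        return None
    verb = reg.get("classes\\%s\\shell\\" % progid) or "open"
    template = reg.get("classes\\%s\\shell\\%s\\command\\" % (progid, verb))
    return expand(template, path) if template else None


def command_for_url(reg, url):
    """The scheme key must carry the 'URL Protocol' marker; then shell\\open\\command."""
    scheme = url.split(":", 1)[0]
    if reg.get("classes\\%s\\url protocol" % scheme) is None:
        return None
    template = reg.get("classes\\%s\\shell\\open\\command\\" % scheme)
    return expand(template, url) if template else None


def run_entries(reg):
    """Logon persistence recorded under the user's Run key."""
    prefix = "microsoft\\windows\\currentversion\\run\\"
    return {rel[len(prefix):]: v for (_hive, rel), v in reg.values.items() if rel.startswith(prefix)}


def executable_of(command):
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


if __name__ == "__main__":
    reg = Registry(ROWS)
    print(run_entries(reg))
    print(command_for_file(reg, r"C:\Users\Admin\Downloads\movie.torrent"))
    print(command_for_file(reg, r"D:\music\set.m3u"))
    print(command_for_url(reg, "arlnk:track?hash=abc"))
```

Every resolved command line starts with the same quoted Temp path, which is the point for triage: the binary, not the individual association, is what a cleanup or a detection rule should key on, and a handler whose executable sits under a user profile is worth a rule of its own whatever the software's pedigree.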

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ares.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ares.exe

"C:\Users\Admin\AppData\Local\Temp\Ares.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 lan1.startvg.com udp

Files

memory/3084-0-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/3084-1-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/3084-3-0x00000000025F0000-0x00000000025F1000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-23 23:09

Reported

2024-06-23 23:12

Platform

win10v2004-20240611-en

Max time kernel

135s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bass.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4680 wrote to memory of 1532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4680 wrote to memory of 1532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4680 wrote to memory of 1532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bass.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bass.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/1532-0-0x0000000010000000-0x0000000010041000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-23 23:09

Reported

2024-06-23 23:12

Platform

win7-20240611-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\chatServer.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\chatServer.exe

"C:\Users\Admin\AppData\Local\Temp\chatServer.exe"

Network

Country Destination Domain Proto
CL 186.9.13.252:37291 udp
CL 190.164.105.23:16881 udp
GB 86.20.50.0:54321 udp
IT 151.51.13.132:15544 udp
VE 190.142.165.73:10985 udp
MX 189.180.165.97:950 udp
AR 201.254.61.106:5000 udp
MY 121.120.37.226:49273 udp
MA 196.217.199.234:15402 udp
US 66.215.154.157:32779 udp
AR 201.255.50.173:11394 udp
US 38.114.67.69:42187 udp
MX 189.220.40.92:45827 udp
BR 189.124.4.28:6855 udp
AR 190.50.203.237:5000 udp
US 68.93.141.173:21783 udp
US 69.245.15.118:63218 udp
SG 117.20.130.249:60959 udp
MX 189.140.91.123:5000 udp
AR 190.16.122.134:64846 udp
ES 83.33.111.59:5454 udp
US 98.200.248.108:44761 udp
MX 201.143.71.222:32479 udp
CA 24.201.83.251:26452 udp
AR 190.17.247.97:16246 udp
TR 78.182.70.56:12867 udp
US 98.193.86.98:15783 udp
BS 24.231.33.24:18561 udp
RO 95.76.2.96:22772 udp
US 67.159.144.95:5000 udp
ES 213.37.185.30:42684 udp
AR 190.107.103.232:27706 udp
TR 81.214.57.154:11453 udp
PL 83.230.16.7:36280 udp
MX 189.164.241.108:5000 udp
ES 88.22.132.218:5500 udp
BR 201.29.96.217:35008 udp
PE 190.42.114.239:44844 udp
TR 85.107.184.194:44507 udp
GB 86.130.181.175:5631 udp
MX 189.154.49.63:5500 udp
AR 190.55.35.191:8000 udp
AR 190.51.62.226:49780 udp
AR 201.250.63.45:25000 udp
TR 88.237.139.152:12867 udp
BR 187.20.32.220:30865 udp
TR 81.213.65.180:19050 udp
IT 79.30.46.253:38761 udp
FI 80.221.22.81:9857 udp
AR 190.51.102.42:7777 udp
TR 78.183.200.108:12867 udp
IT 151.57.26.38:15020 udp
SE 83.251.1.222:44154 udp
AR 201.253.228.115:32049 udp
US 71.197.217.156:5000 udp
VE 200.109.77.24:5000 udp
BR 201.13.187.250:10861 udp
ES 88.148.44.179:39360 udp
ES 79.144.230.224:5999 udp
US 98.148.203.147:62971 udp
PL 91.189.34.197:14603 udp
ES 79.155.52.154:14203 udp
CL 200.104.117.114:5000 udp
MA 81.192.127.180:6620 udp
AR 190.179.151.123:55960 udp
AR 201.254.59.151:52594 udp
PL 79.162.207.129:35741 udp
AR 190.226.141.83:16358 udp
US 74.186.117.227:39212 udp
BR 189.82.248.102:31708 udp
BR 201.68.168.97:62207 udp
TR 88.229.128.50:10101 udp
BR 189.55.113.33:7537 udp
US 24.171.73.69:32074 udp
AU 122.148.206.228:1157 udp
AR 190.188.130.192:26211 udp
ES 85.52.161.153:10000 udp
ES 87.111.4.140:59237 udp
AR 190.191.243.179:8000 udp
CA 68.146.158.183:22049 udp
BR 189.4.55.33:26824 udp
US 98.213.179.235:59534 udp
BR 189.101.1.231:11159 udp
US 98.215.7.172:5256 udp
TR 78.164.188.194:47891 udp
AR 201.250.41.115:5000 udp
US 24.165.127.70:40498 udp
GB 82.27.179.152:6411 udp
ES 88.10.130.237:50000 udp
ES 84.120.96.24:58770 udp
MX 189.133.212.8:31696 udp
CL 201.222.198.136:40417 udp
MX 187.134.32.254:5005 udp
CA 74.58.161.8:63082 udp
ES 77.208.131.157:20679 udp
AR 190.176.11.4:56656 udp
MX 189.159.20.144:3427 udp
PL 89.77.43.65:5726 udp
TR 78.162.21.111:10907 udp
CA 96.30.154.105:61544 udp
UY 200.108.219.169:40072 udp
ES 217.216.97.44:7203 udp
AR 190.51.93.87:1152 udp
MA 81.192.195.195:17155 udp
AR 190.174.143.68:19580 udp
VE 190.39.222.173:5000 udp
TR 78.171.193.34:25580 udp
VE 200.109.207.66:11112 udp
CO 190.1.134.111:39505 udp
MX 189.159.102.129:45727 udp
AR 190.225.113.18:33863 udp
MX 189.176.136.62:50650 udp
US 66.79.171.222:8082 udp
AR 190.1.51.12:5000 udp
US 97.84.168.211:24915 udp
AR 200.115.215.83:12867 udp
ES 213.254.81.201:23433 udp
TR 78.171.224.136:50731 udp
ES 81.203.218.10:7000 udp
US 97.92.171.5:21499 udp
ES 88.28.233.9:38176 udp
ES 84.121.54.252:17573 udp
VE 190.38.113.25:62197 udp
ES 88.148.22.143:30413 udp
AR 201.255.187.99:39221 udp
US 69.93.181.146:5000 udp
BR 189.44.230.94:16986 udp
MX 189.171.14.50:5001 udp
MX 189.136.185.200:5000 udp
PR 24.171.224.20:5000 udp
BR 200.164.21.105:13413 udp
ES 80.39.70.242:5000 udp
PL 87.105.100.71:44635 udp
MX 189.174.38.211:12867 udp
AR 190.51.159.138:59506 udp
ES 77.225.151.74:5000 udp
VE 190.207.150.213:1111 udp
AR 190.49.61.107:61702 udp
BR 201.37.247.91:39939 udp
MX 189.176.238.152:5771 udp
MX 201.170.93.4:5000 udp
CO 200.118.239.181:6000 udp
MX 189.174.128.104:5000 udp
ES 85.137.49.160:51064 udp
N/A 76.203.202.46:12345 udp
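
Read as a whole, the behavioral13 table is 145 single UDP datagrams to distinct hosts in some two dozen countries, each on a different high port, with no DNS resolution in front of them. That is the fan-out of a peer-to-peer overlay contacting a cached peer list, consistent with the Ares protocol and file-type handlers behavioral4 registers, rather than beaconing to one controller. The win10 detonations show the opposite problem: the behavioral6 and behavioral12 tables are Windows/Edge background (bing.com, bing.net) plus reverse (PTR) lookups of the addresses the machine contacted, none of it attributable to the DLL under test. The Python below is an added example, not part of the report: it parses rows copied from both tables, sets aside reverse-DNS and known background traffic, and summarises the fan-out of what is left. The background-domain list and the thresholds are assumptions to tune per sandbox image.

```python
"""Separate sample-attributable network activity from sandbox background noise.

Added example, not part of the sandbox report. ROWS are copied from the
behavioral6 and behavioral13 Network tables (Country Destination Domain Proto,
with Domain sometimes absent). The background-domain list and the fan-out
thresholds are analyst assumptions for this demonstration.
"""
import re
from collections import Counter

ROWS = [
    # behavioral6 (win10, AsyncEx.dll): resolver traffic and Windows/Edge background
    "US 8.8.8.8:53 g.bing.com udp",
    "US 204.79.197.237:443 g.bing.com tcp",
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp",
    "BE 88.221.83.219:443 www.bing.com tcp",
    "US 150.171.28.10:443 tse1.mm.bing.net tcp",
    "US 8.8.8.8:53 udp",
    # behavioral13 (win7, chatServer.exe): first rows of the UDP fan-out, plus the last
    "CL 186.9.13.252:37291 udp",
    "CL 190.164.105.23:16881 udp",
    "GB 86.20.50.0:54321 udp",
    "IT 151.51.13.132:15544 udp",
    "VE 190.142.165.73:10985 udp",
    "MX 189.180.165.97:950 udp",
    "AR 201.254.61.106:5000 udp",
    "MY 121.120.37.226:49273 udp",
    "MA 196.217.199.234:15402 udp",
    "US 66.215.154.157:32779 udp",
    "AR 201.255.50.173:11394 udp",
    "US 38.114.67.69:42187 udp",
    "N/A 76.203.202.46:12345 udp",
]

# Domains treated as OS/browser background on this sandbox image (assumption).
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")

ROW_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")


def parse(row):
    m = ROW_RE.match(row)
    if not m:
        raise ValueError("unparsed row: %r" % row)
    country, ip, port, domain, proto = m.groups()
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def classify(conn):
    domain = (conn["domain"] or "").lower()
    if domain.endswith(".in-addr.arpa"):
        return "reverse_dns"     # PTR lookups of addresses the machine talked to
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "background"      # includes the A-record query for g.bing.com
    if conn["port"] == 53 and conn["proto"] == "udp":
        return "dns"             # query whose name the capture did not record
    return "sample"


def triage(rows, min_hosts=10, min_high_port_ratio=0.8):
    conns = [parse(r) for r in rows]
    sample = [c for c in conns if classify(c) == "sample"]
    hosts = Counter(c["ip"] for c in sample)
    high = sum(1 for c in sample if c["port"] >= 1024)
    summary = {
        "buckets": dict(Counter(classify(c) for c in conns)),
        "sample_connections": len(sample),
        "unique_hosts": len(hosts),
        "repeat_hosts": sum(1 for n in hosts.values() if n > 1),
        "unique_ports": len({c["port"] for c in sample}),
        "countries": len({c["country"] for c in sample if c["country"] != "N/A"}),
        "protocols": sorted({c["proto"] for c in sample}),
        "high_port_ratio": round(high / len(sample), 2) if sample else 0.0,
    }
    # Many distinct hosts, each hit once on its own high port, all UDP, no DNS in
    # front of them: the shape of a peer-to-peer overlay, not a client beaconing
    # to one controller. Thresholds are arbitrary starting points.
    summary["p2p_like"] = (summary["unique_hosts"] >= min_hosts
                           and summary["repeat_hosts"] == 0
                           and summary["high_port_ratio"] >= min_high_port_ratio
                           and summary["protocols"] == ["udp"])
    return summary


if __name__ == "__main__":
    for key, value in triage(ROWS).items():
        print(key, value)
```

On the rows above the win10 traffic falls entirely into the reverse_dns, background and dns buckets, while the chatServer.exe rows are all sample traffic with one datagram per host and a near-total high-port ratio, so p2p_like is set. A single repeated host or a TCP session to one address would flip that verdict and is the kind of row to look for before calling anything a C2 channel.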

Files

memory/2412-0-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2412-2-0x0000000000400000-0x0000000000522000-memory.dmp

memory/2412-3-0x0000000000400000-0x0000000000522000-memory.dmp

memory/2412-4-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2412-5-0x0000000000400000-0x0000000000522000-memory.dmp

memory/2412-6-0x0000000000400000-0x0000000000522000-memory.dmp

memory/2412-7-0x0000000000400000-0x0000000000522000-memory.dmp

memory/2412-8-0x0000000000400000-0x0000000000522000-memory.dmp

memory/2412-9-0x0000000000400000-0x0000000000522000-memory.dmp

memory/2412-10-0x0000000000400000-0x0000000000522000-memory.dmp

memory/2412-11-0x0000000000400000-0x0000000000522000-memory.dmp

memory/2412-12-0x0000000000400000-0x0000000000522000-memory.dmp

memory/2412-13-0x0000000000400000-0x0000000000522000-memory.dmp

memory/2412-14-0x0000000000400000-0x0000000000522000-memory.dmp

memory/2412-15-0x0000000000400000-0x0000000000522000-memory.dmp

memory/2412-16-0x0000000000400000-0x0000000000522000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-23 23:09

Reported

2024-06-23 23:12

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\data\Homepage.url

Signatures

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1056 wrote to memory of 1228 N/A C:\Windows\System32\rundll32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1056 wrote to memory of 1228 N/A C:\Windows\System32\rundll32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 2256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1228 wrote to memory of 776 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\data\Homepage.url

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://aresgalaxy.sourceforge.net/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba56646f8,0x7ffba5664708,0x7ffba5664718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,11989135475685922784,1532517401609803443,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,11989135475685922784,1532517401609803443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,11989135475685922784,1532517401609803443,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11989135475685922784,1532517401609803443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11989135475685922784,1532517401609803443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11989135475685922784,1532517401609803443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11989135475685922784,1532517401609803443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,11989135475685922784,1532517401609803443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,11989135475685922784,1532517401609803443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11989135475685922784,1532517401609803443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11989135475685922784,1532517401609803443,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11989135475685922784,1532517401609803443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11989135475685922784,1532517401609803443,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,11989135475685922784,1532517401609803443,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6132 /prefetch:2

Network


Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_1228_AHDKZIIKDDFTHSNC

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State