Malware Analysis Report

2024-10-16 05:22

Sample ID 240724-dag7nstgkl
Target Executor.rar
SHA256 575705c528670f20553d58f176ac0b78db137d53b779628c350113128213dbc1
Tags
cryptone packer credential_access discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

575705c528670f20553d58f176ac0b78db137d53b779628c350113128213dbc1

Threat Level: Known bad

The file Executor.rar was found to be: Known bad.

Malicious Activity Summary

cryptone packer credential_access discovery spyware stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

CryptOne packer

Credentials from Password Stores: Credentials from Web Browsers

Reads user/profile data of web browsers

Executes dropped EXE

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates processes with tasklist

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-24 02:48

Signatures

CryptOne packer

cryptone packer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-24 02:48
Reported: 2024-07-24 02:53
Platform: win11-20240709-en
Max time kernel: 145s
Max time network: 152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2748 created 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | C:\Windows\Explorer.EXE

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1712 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe | C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe | C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 2712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1132 wrote to memory of 2712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1132 wrote to memory of 2712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1132 wrote to memory of 1424 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1132 wrote to memory of 1424 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1132 wrote to memory of 1424 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1132 wrote to memory of 4572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1132 wrote to memory of 4572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1132 wrote to memory of 4572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1132 wrote to memory of 3712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1132 wrote to memory of 3712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1132 wrote to memory of 3712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1132 wrote to memory of 3208 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 3208 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 3208 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 3716 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1132 wrote to memory of 3716 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1132 wrote to memory of 3716 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1132 wrote to memory of 2088 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 2088 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 2088 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 2748 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif
PID 1132 wrote to memory of 2748 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif
PID 1132 wrote to memory of 2748 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif
PID 1132 wrote to memory of 2944 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1132 wrote to memory of 2944 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1132 wrote to memory of 2944 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2748 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe
PID 2748 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe
PID 2748 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe
PID 2748 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe
PID 2748 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif | C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe

Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"

C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /k copy Evaluating Evaluating.cmd & Evaluating.cmd & exit

C:\Windows\SysWOW64\tasklist.exe
  Command line: tasklist

C:\Windows\SysWOW64\findstr.exe
  Command line: findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe
  Command line: tasklist

C:\Windows\SysWOW64\findstr.exe
  Command line: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c md 487900

C:\Windows\SysWOW64\findstr.exe
  Command line: findstr /V "discussingexaminationflipaustin" Imported

C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c copy /b Js + Foot + Soc + Paradise + Employers + Washington 487900\h

C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif
  Command line: 487900\Farmer.pif 487900\h

C:\Windows\SysWOW64\timeout.exe
  Command line: timeout 5

C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
CH | 185.196.9.6:43164 | | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Evaluating

MD5 d1e3442a9836366b4f1dd6a77d0d7d01
SHA1 927e318cd2d986090fcd1d8bb16de6be7b41aee6
SHA256 a48ca469a26cc4439cdacae6bd253a3df7609b729b779b80a06f0b3c15ac1101
SHA512 f267920a84147f13bb12da47e9e6e04aee18b2bf7fb2d2e3decae1c4f860d15d1c7201c321b8e0a761d5b903e0f8982b6c6c102caa54f24b46e5c74daf77d010

C:\Users\Admin\AppData\Local\Temp\Imported

MD5 a36aeb18de6b30a3a834416db7a9c027
SHA1 e3a71b4d28707fbdbb280e033aef29c83b8fb243
SHA256 e0cf5832b40e6fc76fa36f2a160dd1a704063f76ff1ec09cd83a8d6f723872da
SHA512 e8deb5c8050d0674238814af9e66dd8cb5e4fe8384aff689fc4b70a2aad97bb147ba36bdde9a515323dbdedb17fb8135133603e15234610a5a07192056ee2d07

C:\Users\Admin\AppData\Local\Temp\Recommendations

MD5 61a35ac7c1a965787efdef04fd38561d
SHA1 fae2d051585b526065cb1200449c1a47ed28cd1b
SHA256 802fcd9d2b80b0ffe9add6288e0340e00d5632c02a0573426229e7d455fc5177
SHA512 e1de88a31580681f85bf7ee47f8957db09d4d4ff17465880bb65fa5fb19a688d9867210f6590c51975b5b5ddc125b2a12864549e41d15bf9e4c17a06531d3ef0

C:\Users\Admin\AppData\Local\Temp\Bit

MD5 be525bd3d1248e2c79861bd00f603925
SHA1 ef2fe1e8931aeb22a3bba6abd77f89a4ed66e77e
SHA256 41c7d076aa4e6f67171abe38fdfef927ba46a5518f283d5c795a62fb9c31b0af
SHA512 1fd36900e52ba8dc186c1df3c1408af493be5f1057a4caa5e7814f7c1404ef885967feeb706739c9ff3b6540ef2000c40fced3b31ebe222c8749389689f7dbae

C:\Users\Admin\AppData\Local\Temp\Caroline

MD5 e9e05ed84183a2a9e87768828b7ad824
SHA1 a8b9b26f901f2159f0b2c2450357d2e66570efb6
SHA256 8cb165a075a45a05cdd9d4963f4a10bf2337e48e720411eb135483952b0d14ca
SHA512 899c801947fab2d4a26c914281cca618849283dd3ed78af717ef4b5ffae4067746eb46873b8403e2408b0c9d6d45efb15697365854732ae7dc2f668e1b2d936d

C:\Users\Admin\AppData\Local\Temp\Indicator

MD5 154aec7ec759c5ea16fd12a1e6f8f96d
SHA1 25db1888d50adfdb9dfa40dadaaed213a6c49d9d
SHA256 87edadb4ab8bc98a6ad1640cc179a297a6f026fbc6f73a8bbc4182362a27b932
SHA512 3407dc4f7a056398159719a3d610fa1431a6b43747c75fe2ec9751f64ac53ff3829c45c81797a547a753ae99b84e7dca658d47ef2925a8cd7224dff9e08117fe

C:\Users\Admin\AppData\Local\Temp\Defined

MD5 b80de1c01a032d5eaffc0a9697751f46
SHA1 1d12cfccf36b05e40085fc0614f5db305bdc73ce
SHA256 690d3aae936bce6cbcfac12f9f4b02c500841f5164d62e9564c08fdc84b227d6
SHA512 9af50d02a25d05d9baa16caa8d8eda1a99fcd7cad08017662ba79dd75ba9a64342ab2e18890c023c6292a327e6969f390bf06918991a0ddb6c83e75ea35fb316

C:\Users\Admin\AppData\Local\Temp\Bullet

MD5 e60b36e796f96acdfd7f7d219abc24e5
SHA1 99c0599b6a262486560678b6cfa9681751610299
SHA256 af258cc2a98b9ee2de3d8eadd37e0d46a4377ed6c621907b7351ddd419ac52dd
SHA512 a957abef76c7dfc3846739cfbfeb1142426e294c6d1b0c84fc68646e7689d24da2e34cdea2ef83cd9c6b103f94a23f248e4bc565b4a9b3e5bef809312a69542f

C:\Users\Admin\AppData\Local\Temp\Dealer

MD5 7eb0f3f517d9599ec2b05fefa3e80639
SHA1 0b0cd46f01321bcf021666133548568a615d6e78
SHA256 20bb93c06302cfb6b53421ed0c97e7a669ca9ba94f437a5a4249f668d8dbf009
SHA512 2a15cdfcd0a142b33613c30406746f9e23a7ec29929e7b02771018b7ae5ef0a734113a62622230bdbcc278ef2d987ea225881adb7e2afbe61dc3fbb8ab41ce7a

C:\Users\Admin\AppData\Local\Temp\Applied

MD5 83df4f8bd0635083123563713a33bcb9
SHA1 77bc47050fd8a4d5ba231c66e22738faffd1f724
SHA256 1c8d5895a671f0099f651875b4ac2d341668a2d1730849a8e18c6e862d788cf2
SHA512 07e387e685fa5ec081a6628baff533b3c8a654a4c9d2b6e407ae37e1e46db9e91815b65e76edee78227ed81ec96ee645a9d4feff70904478b88a7c3f5e3fc104

C:\Users\Admin\AppData\Local\Temp\Balloon

MD5 29ffef867beec3a1e9c4e82c52f87786
SHA1 7ccc503bc68dd94afd8ce5d0f911cff9fd399d19
SHA256 6d49de580fa9b7f932377f13a9480162a9289033ff0b8b57a65f53dccc7b82e3
SHA512 fcb7c579999bd1bc0c361a0bba0f4bb847b89d25c592eb10298eb7cb17f023c2ce21832b164ddb626278ec54123893d51ea0552d19f84d57a7efb89f43553610

C:\Users\Admin\AppData\Local\Temp\Patio

MD5 0a6da5fadd18b0496f1395ef3a27f4cb
SHA1 a362e37c651726437c2d47d43e40d0427d682ac0
SHA256 6572bfc1cf1ef8821e337b495318e01155f707290f2189495655c0794322443b
SHA512 46144c81d2f82310d31d46250fef7a7a9d2eb5796b2458bacd12f043ea0de19b3f11d9a6066cbf0542d87747423b8125d419fea1d376ca0b5c2f20764f1ca39d

C:\Users\Admin\AppData\Local\Temp\Leaf

MD5 ce269f1dac18a627fd9ccfefe5cccaef
SHA1 fb048109bbbec9b8088bde438eea31efaa4bde75
SHA256 c8dfd99c4184246654663c7735f3c947f9ac71fc0b7adc68edd26db2f8c3f74d
SHA512 5e86d106f58d06241304b363b112257285862966fdd06eaa34384edf8d07b50ab5ef06509ac5bc73dae1d4f3c0e9c076fbfefd12444914e5f6eb6873f7ac4226

C:\Users\Admin\AppData\Local\Temp\Reprint

MD5 d016144cf1f6b2f941625f8c91bc9edb
SHA1 0ee03e7f332c3effe2e1038053ad408055c7393a
SHA256 9b6766e3ddfa832cc61176bf1639537135c3bb4c642cb961884aeda1f925052c
SHA512 3c801c68ce1d2531fdbf66ed2261323801bd5cf5beab6fda01e8d670384d8eb1a01401ec01875fd8f19aacb0f5d15e1310c5055bc6a4d7cbf4354c9f3e82bd35

C:\Users\Admin\AppData\Local\Temp\Ashley

MD5 b9c506f811477178e35be383068361d4
SHA1 24680f4b574b7c17b18456cb31029a5625798577
SHA256 0cfc60c38e068415847709d791a5a609514808d6fe2f7be126cc40a6063adfe5
SHA512 df50a99357ff1c31b2bd3f9bb29354b52548a4dc5bac984c93e51699f978cab77c1ca5f0387fac34093c994f59835a40227311c606a8b71eb926746335891a4d

C:\Users\Admin\AppData\Local\Temp\Loving

MD5 723718b9c1abae54d8430a4bbacadcee
SHA1 83251b891e725bf5ae6bf39598e772cd1f8a9728
SHA256 cd0c2b57e820fcb23af85421597f1ca5963cdfc1fb4b396f061d2f52614ae574
SHA512 a57f49690691a1a9c89fa67bd007549bec74ba60097e2733326cbd6f4a0f1d52ee38d455d147760d0a9fe51e8142d77307e878f404dc2502d84bbb24ccac99db

C:\Users\Admin\AppData\Local\Temp\Affordable

MD5 4c5e799c621196dc4fc6771e3c96cbd5
SHA1 a4a90c95754467e1813f9783a6951d6a0f8a1e0e
SHA256 dc177e37606aa508cb6d96a44a5fda2be6fd4d28cce22ce1b2ef6bc11802e3aa
SHA512 159b29f8d01f757022cb4e340856e6113148067a6429737686f575fa9c944da7e47ff221a30b8442cf007143443e180d5433e966b2e5d484eb71ad119f487a11

C:\Users\Admin\AppData\Local\Temp\Corner

MD5 f3877643d1a9f1c8022f263103529cb4
SHA1 9715c267cfac9bbb6886679ebe4694199d7e6837
SHA256 3efb51463c9d2cb5562e735886316f7a1a8d47b030730e1e623c72c3abf67f94
SHA512 28bbbdfbca4449643b396da1eae81c9c0cf9b30d99b18c32f79c094826527f049a65daba4432891439387f68acd86808e085edf639263c462d3297f5a2d20268

C:\Users\Admin\AppData\Local\Temp\Bookmark

MD5 3e8505364dc3304bc70311c32bf9f128
SHA1 cb63c5ffad496bb7713585b44b67605ffe91cc14
SHA256 a66cdd730dd24656f98d96365101a48937c748bc171a52cbdb1635835580fb35
SHA512 a47dd4650e553be791ec2f68a8539625a988aad13bb93f073d57e46d05e3f14f470a2cf826956c9a0046f5546336d89c619ee19880732a8563ea31d521a9f24f

C:\Users\Admin\AppData\Local\Temp\Bidding

MD5 5e30e1aba7f9211cce8638fc8692de5f
SHA1 dd8b8770e859b740cccd60307ea202555c985d5f
SHA256 b8ed3590e7a6d1f1ee89ef95f9f35eb7a913ab633f457456fa94fed1647b5809
SHA512 e3a8056b087e668b08b94bc1b8042dd5b355434482e063fb46e40816534db6f96c9c29880573016a12e217607e1352f09e139a85ea3118da25fc49f7b3f95014

C:\Users\Admin\AppData\Local\Temp\Unemployment

MD5 791f43fafd1d17814e5a78cecc930cd5
SHA1 989e7be42c91fed863c35d53800c15d4dec33955
SHA256 532ce73c0827ec4805aa118408bf3ce80e73799ec84801e22096418e7712b059
SHA512 980803cabab98432ac2099ad4f2ddc7c65c5b70cd95bb3ab2728d44616de5a87fc95cac47f73f09f01b27cb693c108f0e0e4a1204c5db183370fd464c2c32e13

C:\Users\Admin\AppData\Local\Temp\Ahead

MD5 fe2129cb507ce88c7ea4590fe8f2f678
SHA1 a4847d7660db6164f4e3388fe4bcf2d701db7aa5
SHA256 d5d4d1a7b0c763cc5f3387f479eb82db66fcfccbd46f4cbb1848c3653100ffa3
SHA512 a363b6d6bc11d7a9a61dbc2a0c4cf88558beeacbaf1d3429c66d4fcd6f341bcdd05dd3918763eaa2717b67b8dcada9d179d34628bfc058925a31d36dcecefb3e

C:\Users\Admin\AppData\Local\Temp\Analyses

MD5 3d08380d63d91de97e76917f6a44a637
SHA1 ecbd4a14a9065c69778d1dc3d1b68a7664e03b46
SHA256 ed127a64c552448825e755a6ff1c29b6e564fbb80230d0020a860efda257ea77
SHA512 51f6b45efa17b359e51eae4349f8dc612054d7d2bd84cbb1916d24edd74a038eff08eba7798189c2f27fa452c9c6c40b507ecff865d997344173c84c392c3ee0

C:\Users\Admin\AppData\Local\Temp\Building

MD5 b49876ab1eff8b2df02e9b787006f0ff
SHA1 ffd86bd490b819e08c8091508cce46fb8a387763
SHA256 c29a5c2fdd4d4e3fb210b461c86f936df956bca635a9b7b16e57f93186712eca
SHA512 4f102dad1a070afa36a38db47aafcc152a6a10e4a014400dc0345ceddbfb8220ed2a5c1beb3863768fb11b2fe1927d03a9d43dc678a2fe4b20b877fc5ae86c52

C:\Users\Admin\AppData\Local\Temp\Js

MD5 a3a8188db0e2036fd9e654c29b29ff89
SHA1 6e3cd9fb1b1d04b1169d598b351ea5ecfe074ced
SHA256 b56f3e3a9b0a9c29fa4d25f64882433729d2ae8d55c0e5fe1616949cea22a904
SHA512 68784f2580e4f59251f40e9ec66e7b5603ef6d8ffe211d506b8aa6db76b6d3dbd37bb95cb7f41e9317480657b1317e8c58fdf77f4ad63badf6faa9e48efdaac2

C:\Users\Admin\AppData\Local\Temp\Foot

MD5 228bbd79fbde000d23b9d086c9fafb75
SHA1 a15ab7e57f56e02c31cc3034b670b5aadfcd474c
SHA256 eb944e498977d237eb5823d9170301adbdf82032819c542c5ffdf362cafe6855
SHA512 029bb3dbb148eb00969b6bc4914525466605f40141dd40e8446acf434480bcaace629f8320fd0112bdf7636ca609fd34de2a288a41f7ea911fb6ce4f105ccfc7

C:\Users\Admin\AppData\Local\Temp\Washington

MD5 f85fff598c3fe45a3c11d6165e71daee
SHA1 50b2f42bc38fffaaaf57855145fd3b63f52dbcad
SHA256 729c4e1677fdd373a9ada950c37a80a1adc0621e1a70bd9f10c59c9b8b5408bf
SHA512 b56e045e6ecb301670942701199ca7a08210b867d70dc432c57c9911d3669afb6bd9d353fdf0e4ec4a54285035135b3d4932fb1f84daa01b7187629fa2206a6d

C:\Users\Admin\AppData\Local\Temp\Employers

MD5 f990d43ddabb564a6465719a1dd05ef9
SHA1 2f558bff6ca8bc44ed32fbb020c8f9bcb16ef870
SHA256 936b1b8516c6810ee1d9f5f35b1139bb0f944bf22bc2a313bbb009c7848a4195
SHA512 dc642de864ec790b54ed0d23f6d6a0b762dfe45e3f3cb8808acb3d5e3d39de76fa3994429f08dec4660ddc125a302facfb25d90acd935e5bc16cf0b7ab9425b6

C:\Users\Admin\AppData\Local\Temp\Paradise

MD5 ff64a9d30d418064fc7798cae526541a
SHA1 9866355bc15c9176e6df38d4c1e5fe1a0d5a4045
SHA256 a890b8ed6900c6734ddef25384d5eced8bbbcd6e3c3a817398a35b48f16aad94
SHA512 9ee06257bf3088ed4579153d3ab22c50da26e46a127db19a266ced5fbd29fe976f29a9a025e4cc3bfef1329739de16cd09b07cdcf6f1abbec962ccec08d95682

C:\Users\Admin\AppData\Local\Temp\Soc

MD5 5a36ac52e28bcc95c836123134df3aa8
SHA1 6ce5eb4373b54fdeca672976ecd340fbdc6b5de7
SHA256 f8ffae60f3d2933499e151329156b52c3d722196d5f29e161711e76a9c92f6d3
SHA512 166412f994daa938e89fd366a5822edf03406306cbb4943fce3e7a9e0ce6e7e7e8f9b0e0115118a8f323c635861daba9f2032826718a70913eff6172557134bd

C:\Users\Admin\AppData\Local\Temp\487900\Farmer.pif

MD5 6ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1 f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA512 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

C:\Users\Admin\AppData\Local\Temp\487900\h

MD5 68256667ad889c2b18bbfac6a4dcde3c
SHA1 ac84058d95406c5a7613708a69fec0a382035082
SHA256 3fb33770893d0c484b6b70f69702d85c614ee4c0334a5f169298f8ddc80240fc
SHA512 b85dc88a65489de7364532195cfc0de34ea982ee03f790e128e8e7ee66669b4dccd475638ff687e354e35294c5ace4d8e219d2a189b9792b3647f5fb2316932d

memory/2804-345-0x0000000001010000-0x0000000001084000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\487900\RegAsm.exe

MD5 42ab6e035df99a43dbb879c86b620b91
SHA1 c6e116569d17d8142dbb217b1f8bfa95bc148c38
SHA256 53195987d396986ebcb20425ac130e78ad308fdbd918f33f3fd92b99abda314b
SHA512 2e79de2d394ad33023d71611bb728b254aa4680b5a3a1ef5282b1155ddfaa2f3585c840a6700dfe0d1a276dac801298431f0187086d2e8f96b22f6c808fb97e5

memory/2804-348-0x0000000005CF0000-0x0000000006296000-memory.dmp

memory/2804-349-0x0000000005820000-0x00000000058B2000-memory.dmp

memory/2804-350-0x0000000005790000-0x000000000579A000-memory.dmp

memory/2804-351-0x0000000008DF0000-0x0000000009408000-memory.dmp

memory/2804-352-0x0000000008930000-0x0000000008A3A000-memory.dmp

memory/2804-353-0x0000000008870000-0x0000000008882000-memory.dmp

memory/2804-354-0x00000000088D0000-0x000000000890C000-memory.dmp

memory/2804-355-0x0000000008A40000-0x0000000008A8C000-memory.dmp

memory/2804-358-0x0000000009780000-0x00000000097E6000-memory.dmp

memory/2804-359-0x0000000009AB0000-0x0000000009B26000-memory.dmp

memory/2804-360-0x0000000009A80000-0x0000000009A9E000-memory.dmp

memory/2804-361-0x000000000A4F0000-0x000000000A6B2000-memory.dmp

memory/2804-362-0x000000000ABF0000-0x000000000B11C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-24 02:48
Reported: 2024-07-24 02:53
Platform: win11-20240709-en
Max time kernel: 90s
Max time network: 94s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bin\api.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\NAVIGATORPLUGINSLIST\SHOCKWAVE FLASH | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ = "Macromedia Flash Factory Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bin\\api.dll\\2" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\ = "{57A0E746-3863-4D20-A811-950C84F1DB9B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{31CAF6E4-D6AA-4090-A050-A5AC8972E9EF} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.spl | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\ = "Shockwave Flash" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bin\\api.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.spl | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.22\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID\ = "FlashFactory.FlashFactory.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ = "IFlashAccessibility" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\ = "MacromediaFlashPaper.MacromediaFlashPaper" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer\ = "FlashFactory.FlashFactory.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1164 wrote to memory of 1132 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1164 wrote to memory of 1132 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1164 wrote to memory of 1132 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bin\api.dll

C:\Windows\SysWOW64\regsvr32.exe
  Command line: /s C:\Users\Admin\AppData\Local\Temp\bin\api.dll

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

N/A