Malware Analysis Report

2025-01-03 09:41

Sample ID 241017-tyepfsvakf
Target 529eff5edd9594d6ca4cb18f765d08b9_JaffaCakes118
SHA256 dde4fa3e7f74545ade6d40517754be781da68c97c0eed870197a3608aee7d237
Tags
discovery bootkit persistence upx adware stealer qr link
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK: Enterprise Matrix V15

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral25, behavioral27, behavioral30, behavioral3, behavioral8, behavioral13, behavioral18, behavioral26, behavioral5, behavioral4, behavioral9, behavioral12, behavioral23, behavioral2, behavioral19, behavioral31, behavioral7, behavioral28, behavioral32, behavioral21, behavioral11, behavioral22, behavioral24, behavioral1, behavioral14, behavioral10, behavioral15, behavioral16, behavioral17, behavioral20, behavioral29, behavioral6 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

dde4fa3e7f74545ade6d40517754be781da68c97c0eed870197a3608aee7d237

Threat Level: Shows suspicious behavior

The file 529eff5edd9594d6ca4cb18f765d08b9_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery bootkit persistence upx adware stealer qr link

Loads dropped DLL

Executes dropped EXE

ACProtect 1.3x - 1.4x DLL software

Installs/modifies Browser Helper Object

Writes to the Master Boot Record (MBR)

Checks computer location settings

UPX packed file

Drops file in Program Files directory

Loads dropped DLL

Executes dropped EXE

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

One or more HTTP URLs in qr code identified

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 16:27

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

One or more HTTP URLs in qr code identified

qr link

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win7-20240903-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\ApkInstallerFrame.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\ApkInstallerFrame.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\ApkInstallerFrame.exe

"C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\ApkInstallerFrame.exe"

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win7-20240903-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppAssistant.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppAssistant.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPmSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\shell\openWithQQPhoneManager\ = "使用应用宝安装" C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\shell\openWithQQPhoneManager\command C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\ = "Android 程序安装包 (.apk)" C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_49_\\$_49_\\Image\\ApkIcon.ico" C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\shell C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\$_49_\\$_49_\\ApkInstallerFrame.exe\" -RunType=QQPhoneManager -ApkLocalPath=\"%1\"" C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\shell\open\command C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\shell\open C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\shell\openWithQQPhoneManager\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\$_49_\\$_49_\\ApkInstallerFrame.exe\" -RunType=QQPhoneManager -ApkLocalPath=\"%1\"" C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.apk C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.apk\ = "TencentAndroidAssistant" C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\DefaultIcon C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\shell\openWithQQPhoneManager C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppAssistant.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe
PID 1904 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppAssistant.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe
PID 1904 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppAssistant.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe
PID 1904 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppAssistant.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe
PID 2096 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe
PID 2096 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe
PID 2096 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe
PID 2096 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe
PID 2096 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPmSrv.exe
PID 2096 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPmSrv.exe
PID 2096 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPmSrv.exe
PID 2096 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPmSrv.exe
PID 2096 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 2096 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 2096 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 2096 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 2096 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 2096 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 2096 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 2096 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 2096 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 2096 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 2096 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 2096 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 2096 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 2096 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 2012 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe
PID 2012 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe
PID 2012 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe
PID 2012 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe
PID 2012 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe
PID 2012 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe
PID 2012 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppAssistant.exe

"C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppAssistant.exe"

C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe

"C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe" -nochksupdate

C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe

"C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe" -add_asso

C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPmSrv.exe

C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPmSrv.exe -check

C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe

"C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe" -libcef3check -silent

C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe

"C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe" -checkcondition -redirect -curversion=5.6.1.5056 -runningpath=C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\ -autocheck -color=0xFF237DED

C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe

"C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe" -checkcondition -curversion=5.6.1.5056 -runningpath=C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\ -autocheck -color=0xFF237DED -hasredirect

Network

Country Destination Domain Proto
CN 14.17.41.155:8080 tcp
US 8.8.8.8:53 ws.sj.qq.com udp
CN 14.17.41.155:8080 tcp
US 8.8.8.8:53 masterconn11.qq.com udp
US 8.8.8.8:53 m4.qq.com udp
US 8.8.8.8:53 m2.app.qq.com udp
CN 157.255.4.39:443 masterconn11.qq.com tcp
HK 43.135.106.117:80 ws.sj.qq.com tcp
HK 43.135.106.117:80 ws.sj.qq.com tcp
HK 43.135.106.117:80 ws.sj.qq.com tcp
US 8.8.8.8:53 m5.qq.com udp
US 8.8.8.8:53 m5.qq.com udp
HK 43.135.106.184:80 ws.sj.qq.com tcp
HK 43.135.106.184:80 ws.sj.qq.com tcp
HK 43.135.106.184:80 ws.sj.qq.com tcp
HK 101.32.212.216:80 m5.qq.com tcp
HK 43.135.105.195:80 m5.qq.com tcp
HK 43.135.105.195:80 m5.qq.com tcp
HK 43.135.105.195:80 m5.qq.com tcp
US 8.8.8.8:53 agent.sj.qq.com udp
HK 101.32.212.216:80 m5.qq.com tcp
HK 101.32.212.216:80 m5.qq.com tcp
HK 43.135.105.195:80 m5.qq.com tcp
US 8.8.8.8:53 t.sj.qq.com udp
US 8.8.8.8:53 agent.sj.qq.com udp
HK 101.32.212.216:80 m5.qq.com tcp
HK 43.135.105.195:80 m5.qq.com tcp
HK 43.135.106.117:80 ws.sj.qq.com tcp
HK 101.32.212.216:80 m5.qq.com tcp
HK 43.135.106.184:80 ws.sj.qq.com tcp
CN 163.177.71.158:8080 tcp
CN 61.151.166.229:8080 t.sj.qq.com tcp
US 8.8.8.8:53 androidpc.app.qq.com udp
HK 101.32.212.216:80 androidpc.app.qq.com tcp
HK 43.135.105.195:80 androidpc.app.qq.com tcp
HK 43.135.106.117:80 ws.sj.qq.com tcp
HK 43.135.106.184:80 ws.sj.qq.com tcp
CN 120.198.203.149:8080 tcp
CN 182.254.104.121:8080 tcp
HK 43.135.106.117:80 ws.sj.qq.com tcp
HK 43.135.106.184:80 ws.sj.qq.com tcp
CN 61.151.166.229:8080 t.sj.qq.com tcp
CN 182.254.104.121:8080 tcp
CN 14.17.41.155:8080 tcp
CN 163.177.71.158:8080 tcp
CN 120.198.203.149:8080 tcp
CN 163.177.71.158:8080 tcp
CN 157.255.4.39:443 masterconn11.qq.com tcp
CN 182.254.104.121:8080 tcp
CN 14.17.41.155:8080 tcp
CN 157.255.4.39:443 masterconn11.qq.com tcp
CN 182.254.104.121:8080 tcp
CN 14.17.41.155:8080 tcp
CN 14.17.41.155:8080 tcp
CN 163.177.71.158:8080 tcp
CN 120.198.203.149:8080 tcp
CN 182.254.104.121:8080 tcp
CN 182.254.104.121:8080 tcp
CN 120.198.203.149:8080 tcp
CN 113.105.95.120:443 tcp
CN 163.177.71.158:8080 tcp
CN 157.255.4.39:443 masterconn11.qq.com tcp
CN 163.177.71.158:8080 tcp
CN 14.17.41.155:8080 tcp
CN 163.177.71.158:8080 tcp
CN 120.198.203.149:8080 tcp
CN 182.254.1.166:8080 tcp
CN 182.254.104.121:8080 tcp
CN 182.254.104.121:8080 tcp
CN 125.39.120.82:443 tcp
CN 120.198.203.149:8080 tcp
CN 14.17.41.155:8080 tcp
CN 113.105.95.120:443 tcp
CN 163.177.71.158:8080 tcp
CN 120.198.203.149:8080 tcp
CN 120.198.203.149:8080 tcp
CN 182.254.104.121:8080 tcp
CN 182.254.104.121:8080 tcp
CN 116.57.254.108:8080 tcp
CN 14.17.41.155:8080 tcp
CN 163.177.71.158:8080 tcp
CN 120.198.203.149:8080 tcp
CN 182.254.104.121:8080 tcp
CN 125.39.120.82:443 tcp
CN 182.254.104.121:8080 tcp
CN 182.254.104.121:8080 tcp
CN 182.254.104.121:8080 tcp
CN 14.17.41.155:8080 tcp
CN 163.177.71.158:8080 tcp
CN 157.255.4.39:443 masterconn11.qq.com tcp
CN 120.198.203.149:8080 tcp
CN 182.254.104.121:8080 tcp
CN 182.254.104.121:8080 tcp
CN 61.151.166.229:8080 t.sj.qq.com tcp
CN 14.17.41.155:8080 tcp
CN 163.177.71.158:8080 tcp
CN 61.151.166.229:8080 t.sj.qq.com tcp
CN 120.198.203.149:8080 tcp
CN 182.254.104.121:8080 tcp
CN 182.254.104.121:8080 tcp
CN 157.255.4.39:443 masterconn11.qq.com tcp
CN 14.17.41.155:8080 tcp
CN 157.255.4.39:443 masterconn11.qq.com tcp
CN 163.177.71.158:8080 tcp
CN 14.17.41.155:8080 tcp
CN 120.198.203.149:8080 tcp
CN 182.254.104.121:8080 tcp
CN 14.17.41.155:8080 tcp
CN 182.254.104.121:8080 tcp
CN 14.17.41.155:8080 tcp
CN 163.177.71.158:8080 tcp

Files

memory/2096-0-0x000000006FFF0000-0x0000000070000000-memory.dmp

memory/2096-1-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Setting.ini

MD5 7be7ef36f31d41b1063430c0cb6c65c5
SHA1 1fd4f770ee7dd6fe7c613172a0bd6872a939acf6
SHA256 ac0066120e034ffbfbc75676f3b44ddddb53475723e0db4ae758d424fecb0969
SHA512 ad668a697c4d88909c162d517f465c9b76b49cf0f4077fccf471d09db09cf05a7df67db522c92335c5eef79ecd596c1aab2c82efef40fea0b7eb49227c095825

memory/756-83-0x000000006FFF0000-0x0000000070000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Setting.ini

MD5 904b3245aa9f3063bc58e48fc36b3816
SHA1 7e66a75cb6958a7a6bcc7058210b0a92f5cd90a8
SHA256 50bebb70776bc85d6993c37ba82c473ca48b8ae55db0813069d55e4f9701845f
SHA512 f5d2240d6b2557a05afb6488fd970b3f9594004fd770a20a20f3f02d50e2daa01becb85bf59f33bf4355c6506f84ae05e3b6b9c2605b43d9e7d372c75fe74bae

C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Update_main.log.xml

MD5 b68b1a4235914b36337d6216885c0f37
SHA1 44b1bd6354ae4be6f24514d59d568d81ee28c0f6
SHA256 a0783486d1dc4da121b81a7d1406f604d81064c62c7238c9b4dc15e855baae51
SHA512 74e61cd2a145b6449a24ef4957b426e51b6033e4b80e81a7364753b65c34209d334a358045adb52434b94210aa426cf25178a01c71561fb6bdf27bd8ed08593b

C:\ProgramData\Application Data\Tencent\QQPCMgr\dr.ini

MD5 81051bcc2cf1bedf378224b0a93e2877
SHA1 ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe

MD5 f1d14c8be022a4990cd43bc6845aba95
SHA1 bd7bd09576cd026f040d46adffe534de6f30474e
SHA256 2e4ec327dacf1783fa2671fe0a1ed1553ccd87faf858a1d7c672613daf6d5bd2
SHA512 29f2b098fe77b71d9da440347fb26d1af132f6a7e6f8ac52400310674cd94bf918c3036d255aaa719f56c9febdd7025e97ae5de07147d745028e930f31989b0f

memory/2012-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

memory/2012-115-0x0000000074A00000-0x0000000074A35000-memory.dmp

C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Update_main.log.xml

MD5 12ca8446557bb513ca435a4c8819e82d
SHA1 822cb61ce8ea06df16477a8f0979558b67ed9d28
SHA256 b1994cde280e96a3a1be60d53cce212bdca66ec05c3feb1fb50f7dd9659f5292
SHA512 746bafb57ff18528c57c0272cdfc39c7ab54de5e3b4dee2dedbd3099bd59084bd8603cdb5053ac349d744d6d1ce37036683440f51166244b4cbe6e6346d70b63

memory/2528-117-0x000000006FFF0000-0x0000000070000000-memory.dmp

\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\dr.dll

MD5 b67ebd8c21a828b127cb14a27c4870e4
SHA1 79a954afe5e29f1490d121ec895d367009955c79
SHA256 4966dee8c4008788e5e70bc20098fc8abfd4a3d7ca02d3e8d726684f8afc924f
SHA512 b741b51cfc3429fc638c71d7b1541f2690dcd02c30253551cafdf71f40423944de3d254c0629d7da5466db87c97139c6196716c7f560fe273728df4825ee3879

memory/756-128-0x0000000074A00000-0x0000000074A35000-memory.dmp

memory/2096-144-0x0000000074A00000-0x0000000074A35000-memory.dmp

memory/2096-145-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2528-149-0x0000000074A00000-0x0000000074A35000-memory.dmp

memory/2096-158-0x0000000074A00000-0x0000000074A35000-memory.dmp

C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Setting.ini

MD5 b38900495382b1370779c08032f96b64
SHA1 f5037f7dcd162d257073433cef9411b33d221ef4
SHA256 593f59a441f89f3c6049651a23dec133ce33d1d9d615ab4a850fae3543629d00
SHA512 0a0fb9fddcb9b1c4223122ba23a8669569d81fe1c95bf31cface9c87ed6b64aa07594573abb87f787923843b2f98dabdd81b8b2502b211c85773e2e7e8d825f6

C:\Users\Admin\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db

MD5 a9f4cc4849e4d1f8b322e6966554f478
SHA1 5c568de23f7aef12496f56bfca9e8be411fe0afb
SHA256 cada83d4dd164a153989b3264abc50f4a7f1a93af94ee58b985535cf68d0ec5f
SHA512 6248cd693de02e7e4d0f93a60f97f38e73e0dcb1427232980ca59bf84421861b3c0f92bcf884754f4e2c136288211dcf27615b9b2accaad920da930b76053e9f

memory/2096-170-0x0000000074A00000-0x0000000074A35000-memory.dmp

memory/2528-173-0x0000000074A00000-0x0000000074A35000-memory.dmp

memory/2096-176-0x0000000074A00000-0x0000000074A35000-memory.dmp

memory/2096-202-0x0000000074A00000-0x0000000074A35000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

124s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppCore.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEE392C9-C604-428B-A718-8C2DDF6053AB}\1.0\ = "AppCore 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEE392C9-C604-428B-A718-8C2DDF6053AB}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BF28410-414E-4D2B-B1FB-C7919D96ADA4}\TypeLib\ = "{CEE392C9-C604-428B-A718-8C2DDF6053AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8C68087-14F4-428E-812D-D78A23D7DB40}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDA00962-A712-42C3-903D-A4E9FD08D387}\TypeLib\ = "{CEE392C9-C604-428B-A718-8C2DDF6053AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{52E80AB3-2A10-403C-84DD-567BE0DD956F}\TypeLib\ = "{CEE392C9-C604-428B-A718-8C2DDF6053AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BF28410-414E-4D2B-B1FB-C7919D96ADA4}\ = "IMOLOBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8895C04-25EA-4A92-BDEF-50AD52947B7E}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8C68087-14F4-428E-812D-D78A23D7DB40}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1BF28410-414E-4D2B-B1FB-C7919D96ADA4}\TypeLib\ = "{CEE392C9-C604-428B-A718-8C2DDF6053AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64106C0A-8F34-411B-83AC-690F8019F387}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1BB6DB30-AA33-4942-91AE-13007779C845}\ = "IMOLOArray" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8C68087-14F4-428E-812D-D78A23D7DB40}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8C68087-14F4-428E-812D-D78A23D7DB40}\TypeLib\ = "{CEE392C9-C604-428B-A718-8C2DDF6053AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDA00962-A712-42C3-903D-A4E9FD08D387}\ = "_IHomePageBackGroundEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1BF28410-414E-4D2B-B1FB-C7919D96ADA4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDA00962-A712-42C3-903D-A4E9FD08D387}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{52E80AB3-2A10-403C-84DD-567BE0DD956F}\ = "ISmallFileCache" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{254CE297-AF6F-4D6B-A716-8F0FD95330BF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62CFF1E3-0543-490B-8E0A-EEFAAEE8D72B}\ = "_IRecommendedHomePageEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62CFF1E3-0543-490B-8E0A-EEFAAEE8D72B}\TypeLib\ = "{CEE392C9-C604-428B-A718-8C2DDF6053AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA62B3D2-8837-45F7-A58D-46F0F162EAF5}\TypeLib\ = "{CEE392C9-C604-428B-A718-8C2DDF6053AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1BF28410-414E-4D2B-B1FB-C7919D96ADA4}\ = "IMOLOBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{52E80AB3-2A10-403C-84DD-567BE0DD956F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{254CE297-AF6F-4D6B-A716-8F0FD95330BF}\ = "_ISmallFileCacheEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA5302EA-1F1A-4209-B9B3-58941751CC63} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8C68087-14F4-428E-812D-D78A23D7DB40}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8C68087-14F4-428E-812D-D78A23D7DB40}\ = "IHomePageBackGround" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8C68087-14F4-428E-812D-D78A23D7DB40} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8C68087-14F4-428E-812D-D78A23D7DB40}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{52E80AB3-2A10-403C-84DD-567BE0DD956F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62CFF1E3-0543-490B-8E0A-EEFAAEE8D72B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62CFF1E3-0543-490B-8E0A-EEFAAEE8D72B}\TypeLib\ = "{CEE392C9-C604-428B-A718-8C2DDF6053AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62CFF1E3-0543-490B-8E0A-EEFAAEE8D72B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA62B3D2-8837-45F7-A58D-46F0F162EAF5}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8895C04-25EA-4A92-BDEF-50AD52947B7E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDA00962-A712-42C3-903D-A4E9FD08D387}\ = "_IHomePageBackGroundEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{52E80AB3-2A10-403C-84DD-567BE0DD956F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{254CE297-AF6F-4D6B-A716-8F0FD95330BF}\ = "_ISmallFileCacheEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA5302EA-1F1A-4209-B9B3-58941751CC63}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64106C0A-8F34-411B-83AC-690F8019F387}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BB6DB30-AA33-4942-91AE-13007779C845}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDA00962-A712-42C3-903D-A4E9FD08D387} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEE392C9-C604-428B-A718-8C2DDF6053AB}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{52E80AB3-2A10-403C-84DD-567BE0DD956F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{254CE297-AF6F-4D6B-A716-8F0FD95330BF}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8895C04-25EA-4A92-BDEF-50AD52947B7E}\ = "IMOLOEnumData" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{52E80AB3-2A10-403C-84DD-567BE0DD956F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA62B3D2-8837-45F7-A58D-46F0F162EAF5}\TypeLib\ = "{CEE392C9-C604-428B-A718-8C2DDF6053AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA5302EA-1F1A-4209-B9B3-58941751CC63}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64106C0A-8F34-411B-83AC-690F8019F387} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1BB6DB30-AA33-4942-91AE-13007779C845}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEE392C9-C604-428B-A718-8C2DDF6053AB}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1BF28410-414E-4D2B-B1FB-C7919D96ADA4}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8C68087-14F4-428E-812D-D78A23D7DB40} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22175D97-8428-4EA0-8C16-5B0C35B701C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62CFF1E3-0543-490B-8E0A-EEFAAEE8D72B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1BF28410-414E-4D2B-B1FB-C7919D96ADA4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8895C04-25EA-4A92-BDEF-50AD52947B7E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22175D97-8428-4EA0-8C16-5B0C35B701C4}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA5302EA-1F1A-4209-B9B3-58941751CC63}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8895C04-25EA-4A92-BDEF-50AD52947B7E}\TypeLib\ = "{CEE392C9-C604-428B-A718-8C2DDF6053AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64106C0A-8F34-411B-83AC-690F8019F387}\TypeLib\ = "{CEE392C9-C604-428B-A718-8C2DDF6053AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64106C0A-8F34-411B-83AC-690F8019F387}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 2028 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1904 wrote to memory of 2028 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1904 wrote to memory of 2028 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppCore.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppCore.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win7-20240903-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallHelper.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallHelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallHelper.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 220

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISCommon.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4400 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4400 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4400 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISCommon.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISCommon.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 632

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win7-20240729-en

Max time kernel

13s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsThread.dll,#1

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsThread.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsThread.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 220

Network

N/A

Files

memory/2324-1-0x0000000074F20000-0x0000000074F29000-memory.dmp

memory/2324-2-0x0000000075150000-0x0000000075159000-memory.dmp

memory/2324-0-0x0000000075150000-0x0000000075159000-memory.dmp

memory/2324-3-0x0000000074F20000-0x0000000074F29000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\msvcp100.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4864 wrote to memory of 4512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4864 wrote to memory of 4512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4864 wrote to memory of 4512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\msvcp100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\msvcp100.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4512 -ip 4512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\ApkInstallerFrame.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\ApkInstallerFrame.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\ApkInstallerFrame.exe

"C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\ApkInstallerFrame.exe"

Network

Country Destination Domain Proto
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win7-20240903-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISAppUpdater.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISAppUpdater.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISAppUpdater.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallHelper.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 680 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3032 wrote to memory of 680 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3032 wrote to memory of 680 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallHelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallHelper.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 680 -ip 680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 28.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win7-20240708-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe"

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{50F4150A-48B2-417A-BE4C-C83F580FB904} C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{50F4150A-48B2-417A-BE4C-C83F580FB904}\ = "QPMIEHelper" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{50F4150A-48B2-417A-BE4C-C83F580FB904}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Tencent\QQPhoneManager\TempFile\QQPhonemanagerBrowserUtil.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQPhoneManager\2.0.201.3192\BrowserPluginAgency.dll C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQPhoneManager\2.0.201.3192\DownloadAssist.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Tencent\QQPhoneManager\2.0.201.3192\npQQPhoneManagerExt.dll C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQPhoneManager\2.0.201.3192\npQQPhoneManagerExt.dll C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{50F4150A-48B2-417A-BE4C-C83F580FB904}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\ProtocolExecute C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B5D5DBD-C857-4377-A755-06E50B4AC2B0} C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B5D5DBD-C857-4377-A755-06E50B4AC2B0}\AppName = "DownloadAssist.exe" C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{50F4150A-48B2-417A-BE4C-C83F580FB904}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qqapp C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qqapp\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qqpro C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qqpro\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B5D5DBD-C857-4377-A755-06E50B4AC2B0}\AppPath = "C:\\Program Files (x86)\\Common Files\\Tencent\\QQPhoneManager\\2.0.201.3192" C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B5D5DBD-C857-4377-A755-06E50B4AC2B0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493}\1.0 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\TypeLib C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\TypeLib\ = "{6E1533F0-E0B5-465A-9F16-98FF0C76D493}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid\CurVer\ = "QQAppIEAgentEx.AgentForAndroid.1" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\TypeLib C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid\CLSID\ = "{50F4150A-48B2-417A-BE4C-C83F580FB904}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF} C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9543B5C6-937E-434E-946E-ABCC15698373} C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\ = "IAgentForAndroid" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\TypeLib\ = "{6E1533F0-E0B5-465A-9F16-98FF0C76D493}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\TypeLib\ = "{6E1533F0-E0B5-465A-9F16-98FF0C76D493}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{970B2630-7162-4D8B-A1C0-0EE7B21CEB3D} C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\VersionIndependentProgID\ = "QQAppIEAgentEx.AgentForAndroid" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Tencent\\QQPhoneManager\\2.0.201.3192\\npQQPhoneManagerExt.dll" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493}\1.0\ = "QQAppIEAgentLib" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\ = "_IAgentForAndroidEvents" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\QQAppIEAgentEx.DLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\TypeLib\ = "{6E1533F0-E0B5-465A-9F16-98FF0C76D493}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\TypeLib C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9543B5C6-937E-434E-946E-ABCC15698373} C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid.1\ = "应用宝一键安装插件" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid.1\CLSID C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid\CLSID C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid.1 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\Programmable C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF} C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904} C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\ = "IAgentForAndroid" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\Tencent\\QQPhoneManager\\2.0.201.3192" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid\CurVer C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\ = "应用宝一键安装插件" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\TypeLib C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493}\1.0\0 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{970B2630-7162-4D8B-A1C0-0EE7B21CEB3D}\ = "QQAppIEAgentEx" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid.1\CLSID\ = "{50F4150A-48B2-417A-BE4C-C83F580FB904}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\ProgID\ = "QQAppIEAgentEx.AgentForAndroid.1" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\ = "_IAgentForAndroidEvents" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\TypeLib C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\QQAppIEAgentEx.DLL\AppID = "{970B2630-7162-4D8B-A1C0-0EE7B21CEB3D}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid\ = "应用宝一键安装插件" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\ProgID C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493} C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\Tencent\\QQPhoneManager\\2.0.201.3192\\npQQPhoneManagerExt.dll" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\TypeLib\ = "{6E1533F0-E0B5-465A-9F16-98FF0C76D493}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe
PID 1704 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe
PID 1704 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe
PID 1704 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe
PID 1704 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe
PID 1704 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe
PID 1704 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe
PID 1704 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe
PID 1704 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe
PID 1704 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe
PID 1704 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe
PID 1704 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe

"C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe" te

C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe

"C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe" te "C:\Program Files (x86)\Common Files\Tencent\QQPhoneManager\2.0.201.3192\DownloadAssist.exe" {1B5D5DBD-C857-4377-A755-06E50B4AC2B0}

C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe

"C:\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe" savebrowsers

Network

N/A

Files

\Program Files (x86)\Common Files\Tencent\QQPhoneManager\2.0.201.3192\npQQPhoneManagerExt.dll

MD5 3b91bd8cdda20f8c7f57ff3d0680a8c2
SHA1 9bb43e113cd59c6528818b116521c97ffaa092e1
SHA256 602d5bdfcabd73fc0683d68e9950a1f644d3f674d1c695959721b4c401808da5
SHA512 ceab5bd410767395a468d142780abba467146775401b528cb54ce3e756cfc2c8702c7a87de5e89ca45ce9f80c9efe40ffc4ce100dbbd42c2ce20dd81ea56dbdc

\Users\Admin\AppData\Local\Temp\nsjA315.tmp\QQPhonemanagerBrowserUtil.exe

MD5 14f5286a979ff49f7af1e4c6f60f9380
SHA1 bb0792980d279d706ed464eda328a39e445cb221
SHA256 746ad402532131153d2fe9bfe10368d353431bf8deb78f988771d4a42432ae69
SHA512 74fb5913c4e76eeebfc564155504641d2196de27a1576fb7a4962140c2ebf923953a80208c7f9115e205b442429cc01b558c7a480c33b79894d32cbe24a08e83

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 3548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2936 wrote to memory of 3548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2936 wrote to memory of 3548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3548 -ip 3548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win7-20240903-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AndroidAssistHelper.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AndroidAssistHelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AndroidAssistHelper.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 220

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\529eff5edd9594d6ca4cb18f765d08b9_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\529eff5edd9594d6ca4cb18f765d08b9_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\529eff5edd9594d6ca4cb18f765d08b9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\529eff5edd9594d6ca4cb18f765d08b9_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win7-20241010-en

Max time kernel

119s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\msvcr100.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\msvcr100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\msvcr100.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 224

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win7-20240903-en

Max time kernel

117s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppTools.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3004 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3004 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppTools.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppTools.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win7-20241010-en

Max time kernel

119s

Max time network

132s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISCommon.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISCommon.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISCommon.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 224

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppAssistant.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppAssistant.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppAssistant.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPmSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\shell\open\command C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\shell\open C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\$_49_\\$_49_\\ApkInstallerFrame.exe\" -RunType=QQPhoneManager -ApkLocalPath=\"%1\"" C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\shell\openWithQQPhoneManager C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\DefaultIcon C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_49_\\$_49_\\Image\\ApkIcon.ico" C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\shell C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.apk C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\ = "Android 程序安装包 (.apk)" C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\shell\openWithQQPhoneManager\ = "使用应用宝安装" C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.apk\ = "TencentAndroidAssistant" C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\shell\openWithQQPhoneManager\command C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TencentAndroidAssistant\shell\openWithQQPhoneManager\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\$_49_\\$_49_\\ApkInstallerFrame.exe\" -RunType=QQPhoneManager -ApkLocalPath=\"%1\"" C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1908 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppAssistant.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe
PID 1908 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppAssistant.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe
PID 1908 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppAssistant.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe
PID 4780 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe
PID 4780 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe
PID 4780 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe
PID 4780 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPmSrv.exe
PID 4780 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPmSrv.exe
PID 4780 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPmSrv.exe
PID 4780 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 4780 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 4780 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 4780 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 4780 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 4780 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe
PID 3760 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe
PID 3760 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe
PID 3760 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppAssistant.exe

"C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppAssistant.exe"

C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe

"C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe" -nochksupdate

C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe

"C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPhoneManager.exe" -add_asso

C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPmSrv.exe

C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\QQPmSrv.exe -check

C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe

"C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe" -libcef3check -silent

C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe

"C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Update.exe" -checkcondition -redirect -curversion=5.6.1.5056 -runningpath=C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\ -autocheck -color=0xFF237DED

C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe

"C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe" -checkcondition -curversion=5.6.1.5056 -runningpath=C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\ -autocheck -color=0xFF237DED -hasredirect

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
CN 14.17.41.155:8080 tcp
US 8.8.8.8:53 ws.sj.qq.com udp
CN 14.17.41.155:8080 tcp
US 8.8.8.8:53 masterconn11.qq.com udp
US 8.8.8.8:53 m4.qq.com udp
US 8.8.8.8:53 m2.app.qq.com udp
HK 43.135.106.117:80 ws.sj.qq.com tcp
HK 43.135.106.117:80 ws.sj.qq.com tcp
HK 43.135.106.117:80 ws.sj.qq.com tcp
US 8.8.8.8:53 m5.qq.com udp
US 8.8.8.8:53 agent.sj.qq.com udp
HK 101.32.212.216:80 m5.qq.com tcp
HK 43.135.106.184:80 ws.sj.qq.com tcp
HK 43.135.106.184:80 ws.sj.qq.com tcp
HK 43.135.106.184:80 ws.sj.qq.com tcp
HK 43.135.105.195:80 m5.qq.com tcp
HK 101.32.212.216:80 m5.qq.com tcp
HK 43.135.105.195:80 m5.qq.com tcp
US 8.8.8.8:53 117.106.135.43.in-addr.arpa udp
US 8.8.8.8:53 216.212.32.101.in-addr.arpa udp
CN 157.255.4.39:443 masterconn11.qq.com tcp
HK 43.135.105.195:80 m5.qq.com tcp
HK 43.135.105.195:80 m5.qq.com tcp
HK 101.32.212.216:80 m5.qq.com tcp
HK 101.32.212.216:80 m5.qq.com tcp
US 8.8.8.8:53 195.105.135.43.in-addr.arpa udp
HK 43.135.106.117:80 ws.sj.qq.com tcp
HK 43.135.106.184:80 ws.sj.qq.com tcp
HK 43.135.106.117:80 ws.sj.qq.com tcp
US 8.8.8.8:53 t.sj.qq.com udp
HK 43.135.106.184:80 ws.sj.qq.com tcp
CN 163.177.71.158:8080 tcp
US 8.8.8.8:53 androidpc.app.qq.com udp
HK 43.135.105.195:80 androidpc.app.qq.com tcp
HK 43.135.106.117:80 ws.sj.qq.com tcp
HK 101.32.212.216:80 androidpc.app.qq.com tcp
HK 43.135.106.184:80 ws.sj.qq.com tcp
HK 43.135.105.195:80 androidpc.app.qq.com tcp
CN 61.151.166.229:8080 t.sj.qq.com tcp
HK 101.32.212.216:80 androidpc.app.qq.com tcp
HK 43.135.106.117:80 ws.sj.qq.com tcp
HK 43.135.106.184:80 ws.sj.qq.com tcp
CN 120.198.203.149:8080 tcp
CN 182.254.104.121:8080 tcp
HK 43.135.106.117:80 ws.sj.qq.com tcp
HK 43.135.106.184:80 ws.sj.qq.com tcp
CN 61.151.166.229:8080 t.sj.qq.com tcp
CN 182.254.104.121:8080 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
CN 14.17.41.155:8080 tcp
CN 163.177.71.158:8080 tcp
CN 120.198.203.149:8080 tcp
CN 163.177.71.158:8080 tcp
CN 157.255.4.39:443 masterconn11.qq.com tcp
CN 182.254.104.121:8080 tcp
CN 157.255.4.39:443 masterconn11.qq.com tcp
CN 14.17.41.155:8080 tcp
CN 182.254.104.121:8080 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
CN 14.17.41.155:8080 tcp
US 8.8.8.8:53 27.117.19.2.in-addr.arpa udp
CN 14.17.41.155:8080 tcp
CN 163.177.71.158:8080 tcp
CN 120.198.203.149:8080 tcp
CN 182.254.104.121:8080 tcp
CN 182.254.104.121:8080 tcp
CN 120.198.203.149:8080 tcp
CN 113.105.95.120:443 tcp
CN 163.177.71.158:8080 tcp
CN 157.255.4.39:443 masterconn11.qq.com tcp
CN 163.177.71.158:8080 tcp
CN 14.17.41.155:8080 tcp
CN 163.177.71.158:8080 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
CN 120.198.203.149:8080 tcp
CN 182.254.1.166:8080 tcp
CN 182.254.104.121:8080 tcp
CN 182.254.104.121:8080 tcp
CN 125.39.120.82:443 tcp
CN 120.198.203.149:8080 tcp
CN 14.17.41.155:8080 tcp
CN 113.105.95.120:443 tcp
CN 163.177.71.158:8080 tcp
CN 120.198.203.149:8080 tcp
CN 120.198.203.149:8080 tcp
CN 182.254.104.121:8080 tcp
CN 182.254.104.121:8080 tcp
CN 116.57.254.108:8080 tcp
CN 14.17.41.155:8080 tcp
CN 163.177.71.158:8080 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
CN 182.254.104.121:8080 tcp
CN 120.198.203.149:8080 tcp
CN 125.39.120.82:443 tcp
CN 182.254.104.121:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
CN 182.254.104.121:8080 tcp
CN 182.254.104.121:8080 tcp
CN 14.17.41.155:8080 tcp
CN 163.177.71.158:8080 tcp
CN 120.198.203.149:8080 tcp
CN 157.255.4.39:443 masterconn11.qq.com tcp
CN 182.254.104.121:8080 tcp
CN 182.254.104.121:8080 tcp
CN 61.151.166.229:8080 t.sj.qq.com tcp
CN 14.17.41.155:8080 tcp
CN 163.177.71.158:8080 tcp
CN 61.151.166.229:8080 t.sj.qq.com tcp
CN 120.198.203.149:8080 tcp
CN 182.254.104.121:8080 tcp
CN 182.254.104.121:8080 tcp
CN 157.255.4.39:443 masterconn11.qq.com tcp
CN 14.17.41.155:8080 tcp
CN 157.255.4.39:443 masterconn11.qq.com tcp
CN 163.177.71.158:8080 tcp
CN 14.17.41.155:8080 tcp
CN 120.198.203.149:8080 tcp
CN 182.254.104.121:8080 tcp
CN 14.17.41.155:8080 tcp
CN 182.254.104.121:8080 tcp
CN 14.17.41.155:8080 tcp

Files

memory/4780-0-0x000000006FFF0000-0x0000000070000000-memory.dmp

memory/4780-1-0x0000000002F80000-0x0000000002F81000-memory.dmp

C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Setting.ini

MD5 7be7ef36f31d41b1063430c0cb6c65c5
SHA1 1fd4f770ee7dd6fe7c613172a0bd6872a939acf6
SHA256 ac0066120e034ffbfbc75676f3b44ddddb53475723e0db4ae758d424fecb0969
SHA512 ad668a697c4d88909c162d517f465c9b76b49cf0f4077fccf471d09db09cf05a7df67db522c92335c5eef79ecd596c1aab2c82efef40fea0b7eb49227c095825

C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Setting.ini

memory/3508-97-0x000000006FFF0000-0x0000000070000000-memory.dmp

memory/3508-101-0x000000006FFF0000-0x0000000070000000-memory.dmp

C:\ProgramData\Application Data\Tencent\QQPCMgr\dr.ini

memory/3508-103-0x0000000076430000-0x0000000076493000-memory.dmp

C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Setting.ini

C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Update_main.log.xml

C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\Update.exe

C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Components\Update\dr.dll

memory/4308-128-0x000000006FFF0000-0x0000000070000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Tencent\QQPhoneManager\Update_main.log.xml

memory/3760-144-0x0000000076430000-0x0000000076493000-memory.dmp

memory/4780-190-0x0000000076430000-0x0000000076493000-memory.dmp

memory/4780-191-0x0000000002F80000-0x0000000002F81000-memory.dmp

memory/4308-193-0x0000000076430000-0x0000000076493000-memory.dmp

C:\Users\Admin\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db

memory/4308-198-0x0000000076430000-0x0000000076493000-memory.dmp

memory/4780-201-0x0000000076430000-0x0000000076493000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppTools.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4284 wrote to memory of 3524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4284 wrote to memory of 3524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4284 wrote to memory of 3524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppTools.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppTools.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3524 -ip 3524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 616

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win7-20241010-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Android.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2100 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Android.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Android.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win7-20240903-en

Max time kernel

122s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 220

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Android.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 2840 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2316 wrote to memory of 2840 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2316 wrote to memory of 2840 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Android.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\Android.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2840 -ip 2840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 720

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AndroidAssistHelper.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3752 wrote to memory of 2592 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3752 wrote to memory of 2592 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3752 wrote to memory of 2592 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AndroidAssistHelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AndroidAssistHelper.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 644

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win7-20241010-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\529eff5edd9594d6ca4cb18f765d08b9_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\529eff5edd9594d6ca4cb18f765d08b9_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\529eff5edd9594d6ca4cb18f765d08b9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\529eff5edd9594d6ca4cb18f765d08b9_JaffaCakes118.exe"

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsThread.dll,#1

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 3028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1660 wrote to memory of 3028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1660 wrote to memory of 3028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsThread.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsThread.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3028 -ip 3028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 600

Network

Country Destination Domain Proto

Files

memory/3028-0-0x0000000075430000-0x0000000075439000-memory.dmp

memory/3028-1-0x0000000075430000-0x0000000075439000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{50F4150A-48B2-417A-BE4C-C83F580FB904} C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{50F4150A-48B2-417A-BE4C-C83F580FB904}\ = "QPMIEHelper" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{50F4150A-48B2-417A-BE4C-C83F580FB904}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\Tencent\QQPhoneManager\2.0.201.3192\npQQPhoneManagerExt.dll C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQPhoneManager\2.0.201.3192\npQQPhoneManagerExt.dll C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQPhoneManager\TempFile\QQPhonemanagerBrowserUtil.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQPhoneManager\2.0.201.3192\BrowserPluginAgency.dll C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQPhoneManager\2.0.201.3192\DownloadAssist.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B5D5DBD-C857-4377-A755-06E50B4AC2B0} C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B5D5DBD-C857-4377-A755-06E50B4AC2B0}\AppName = "DownloadAssist.exe" C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B5D5DBD-C857-4377-A755-06E50B4AC2B0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qqpro C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\qqpro\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B5D5DBD-C857-4377-A755-06E50B4AC2B0} C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1B5D5DBD-C857-4377-A755-06E50B4AC2B0}\AppPath = "C:\\Program Files (x86)\\Common Files\\Tencent\\QQPhoneManager\\2.0.201.3192" C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{50F4150A-48B2-417A-BE4C-C83F580FB904}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{50F4150A-48B2-417A-BE4C-C83F580FB904}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qqapp C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\qqapp\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\TypeLib C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid.1\CLSID\ = "{50F4150A-48B2-417A-BE4C-C83F580FB904}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid\ = "应用宝一键安装插件" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\Programmable C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\Tencent\\QQPhoneManager\\2.0.201.3192" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\TypeLib\ = "{6E1533F0-E0B5-465A-9F16-98FF0C76D493}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid.1 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493}\1.0\ = "QQAppIEAgentLib" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\ = "IAgentForAndroid" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid\CurVer C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\ = "_IAgentForAndroidEvents" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\ProgID\ = "QQAppIEAgentEx.AgentForAndroid.1" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF} C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\ = "IAgentForAndroid" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid.1\CLSID C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\TypeLib C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\VersionIndependentProgID\ = "QQAppIEAgentEx.AgentForAndroid" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\TypeLib\ = "{6E1533F0-E0B5-465A-9F16-98FF0C76D493}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493} C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493}\1.0 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid.1\ = "应用宝一键安装插件" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid\CLSID\ = "{50F4150A-48B2-417A-BE4C-C83F580FB904}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{970B2630-7162-4D8B-A1C0-0EE7B21CEB3D} C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Tencent\\QQPhoneManager\\2.0.201.3192\\npQQPhoneManagerExt.dll" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF} C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9543B5C6-937E-434E-946E-ABCC15698373} C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\TypeLib\ = "{6E1533F0-E0B5-465A-9F16-98FF0C76D493}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\ = "应用宝一键安装插件" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9543B5C6-937E-434E-946E-ABCC15698373} C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid\CurVer\ = "QQAppIEAgentEx.AgentForAndroid.1" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\ProgID C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9543B5C6-937E-434E-946E-ABCC15698373}\TypeLib C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\QQAppIEAgentEx.DLL\AppID = "{970B2630-7162-4D8B-A1C0-0EE7B21CEB3D}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904}\TypeLib C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\Tencent\\QQPhoneManager\\2.0.201.3192\\npQQPhoneManagerExt.dll" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\QQAppIEAgentEx.DLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50F4150A-48B2-417A-BE4C-C83F580FB904} C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQAppIEAgentEx.AgentForAndroid\CLSID C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493}\1.0\0 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\TypeLib\ = "{6E1533F0-E0B5-465A-9F16-98FF0C76D493}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\ = "_IAgentForAndroidEvents" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\TypeLib\ = "{6E1533F0-E0B5-465A-9F16-98FF0C76D493}" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{970B2630-7162-4D8B-A1C0-0EE7B21CEB3D}\ = "QQAppIEAgentEx" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\TypeLib C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1669F28B-E15E-4899-AF84-7D8AD839C0BF}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6E1533F0-E0B5-465A-9F16-98FF0C76D493}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe
PID 2072 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe
PID 2072 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe
PID 2072 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe
PID 2072 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe
PID 2072 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe
PID 2072 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe
PID 2072 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe
PID 2072 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\PluginInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe

"C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe" te

C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe

"C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe" te "C:\Program Files (x86)\Common Files\Tencent\QQPhoneManager\2.0.201.3192\DownloadAssist.exe" {1B5D5DBD-C857-4377-A755-06E50B4AC2B0}

C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe

"C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe" savebrowsers

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Program Files (x86)\Common Files\Tencent\QQPhoneManager\2.0.201.3192\npQQPhoneManagerExt.dll

MD5 3b91bd8cdda20f8c7f57ff3d0680a8c2
SHA1 9bb43e113cd59c6528818b116521c97ffaa092e1
SHA256 602d5bdfcabd73fc0683d68e9950a1f644d3f674d1c695959721b4c401808da5
SHA512 ceab5bd410767395a468d142780abba467146775401b528cb54ce3e756cfc2c8702c7a87de5e89ca45ce9f80c9efe40ffc4ce100dbbd42c2ce20dd81ea56dbdc

C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\QQPhonemanagerBrowserUtil.exe

MD5 14f5286a979ff49f7af1e4c6f60f9380
SHA1 bb0792980d279d706ed464eda328a39e445cb221
SHA256 746ad402532131153d2fe9bfe10368d353431bf8deb78f988771d4a42432ae69
SHA512 74fb5913c4e76eeebfc564155504641d2196de27a1576fb7a4962140c2ebf923953a80208c7f9115e205b442429cc01b558c7a480c33b79894d32cbe24a08e83

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win7-20241010-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\atl100.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 2880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2868 wrote to memory of 2880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2868 wrote to memory of 2880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2868 wrote to memory of 2880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2868 wrote to memory of 2880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2868 wrote to memory of 2880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2868 wrote to memory of 2880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\atl100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\atl100.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\atl100.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4484 wrote to memory of 3160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4484 wrote to memory of 3160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4484 wrote to memory of 3160 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\atl100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\atl100.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win7-20240708-en

Max time kernel

14s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\msvcp100.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\msvcp100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\msvcp100.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 220

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\msvcr100.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1224 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1224 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\msvcr100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\msvcr100.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2352 -ip 2352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win7-20240708-en

Max time kernel

122s

Max time network

125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppCore.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA5302EA-1F1A-4209-B9B3-58941751CC63}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDA00962-A712-42C3-903D-A4E9FD08D387} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDA00962-A712-42C3-903D-A4E9FD08D387}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22175D97-8428-4EA0-8C16-5B0C35B701C4}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{52E80AB3-2A10-403C-84DD-567BE0DD956F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62CFF1E3-0543-490B-8E0A-EEFAAEE8D72B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA62B3D2-8837-45F7-A58D-46F0F162EAF5}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA5302EA-1F1A-4209-B9B3-58941751CC63}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1BF28410-414E-4D2B-B1FB-C7919D96ADA4}\ = "IMOLOBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8895C04-25EA-4A92-BDEF-50AD52947B7E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEE392C9-C604-428B-A718-8C2DDF6053AB}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62CFF1E3-0543-490B-8E0A-EEFAAEE8D72B}\ = "_IRecommendedHomePageEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA5302EA-1F1A-4209-B9B3-58941751CC63}\ = "IMOLODataRead" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA5302EA-1F1A-4209-B9B3-58941751CC63}\TypeLib\ = "{CEE392C9-C604-428B-A718-8C2DDF6053AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1BF28410-414E-4D2B-B1FB-C7919D96ADA4}\TypeLib\ = "{CEE392C9-C604-428B-A718-8C2DDF6053AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BF28410-414E-4D2B-B1FB-C7919D96ADA4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BB6DB30-AA33-4942-91AE-13007779C845}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B8C68087-14F4-428E-812D-D78A23D7DB40}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEE392C9-C604-428B-A718-8C2DDF6053AB} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDA00962-A712-42C3-903D-A4E9FD08D387}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8895C04-25EA-4A92-BDEF-50AD52947B7E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDA00962-A712-42C3-903D-A4E9FD08D387}\TypeLib\ = "{CEE392C9-C604-428B-A718-8C2DDF6053AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{52E80AB3-2A10-403C-84DD-567BE0DD956F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62CFF1E3-0543-490B-8E0A-EEFAAEE8D72B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{52E80AB3-2A10-403C-84DD-567BE0DD956F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{52E80AB3-2A10-403C-84DD-567BE0DD956F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22175D97-8428-4EA0-8C16-5B0C35B701C4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA62B3D2-8837-45F7-A58D-46F0F162EAF5} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA5302EA-1F1A-4209-B9B3-58941751CC63}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1BF28410-414E-4D2B-B1FB-C7919D96ADA4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64106C0A-8F34-411B-83AC-690F8019F387}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{52E80AB3-2A10-403C-84DD-567BE0DD956F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA5302EA-1F1A-4209-B9B3-58941751CC63}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1BF28410-414E-4D2B-B1FB-C7919D96ADA4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BF28410-414E-4D2B-B1FB-C7919D96ADA4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BF28410-414E-4D2B-B1FB-C7919D96ADA4}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64106C0A-8F34-411B-83AC-690F8019F387}\TypeLib\ = "{CEE392C9-C604-428B-A718-8C2DDF6053AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B8C68087-14F4-428E-812D-D78A23D7DB40}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{52E80AB3-2A10-403C-84DD-567BE0DD956F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{254CE297-AF6F-4D6B-A716-8F0FD95330BF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BB6DB30-AA33-4942-91AE-13007779C845}\TypeLib\ = "{CEE392C9-C604-428B-A718-8C2DDF6053AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8895C04-25EA-4A92-BDEF-50AD52947B7E}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{254CE297-AF6F-4D6B-A716-8F0FD95330BF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEE392C9-C604-428B-A718-8C2DDF6053AB}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{254CE297-AF6F-4D6B-A716-8F0FD95330BF} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22175D97-8428-4EA0-8C16-5B0C35B701C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{64106C0A-8F34-411B-83AC-690F8019F387}\ = "IMOLOArrayRead" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8C68087-14F4-428E-812D-D78A23D7DB40}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CEE392C9-C604-428B-A718-8C2DDF6053AB}\1.0\ = "AppCore 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA62B3D2-8837-45F7-A58D-46F0F162EAF5}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1BF28410-414E-4D2B-B1FB-C7919D96ADA4}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{64106C0A-8F34-411B-83AC-690F8019F387}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B8C68087-14F4-428E-812D-D78A23D7DB40} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8C68087-14F4-428E-812D-D78A23D7DB40} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDA00962-A712-42C3-903D-A4E9FD08D387} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22175D97-8428-4EA0-8C16-5B0C35B701C4}\TypeLib\ = "{CEE392C9-C604-428B-A718-8C2DDF6053AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62CFF1E3-0543-490B-8E0A-EEFAAEE8D72B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA62B3D2-8837-45F7-A58D-46F0F162EAF5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8895C04-25EA-4A92-BDEF-50AD52947B7E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22175D97-8428-4EA0-8C16-5B0C35B701C4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{52E80AB3-2A10-403C-84DD-567BE0DD956F}\ = "ISmallFileCache" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{52E80AB3-2A10-403C-84DD-567BE0DD956F}\TypeLib\ = "{CEE392C9-C604-428B-A718-8C2DDF6053AB}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22175D97-8428-4EA0-8C16-5B0C35B701C4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62CFF1E3-0543-490B-8E0A-EEFAAEE8D72B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 2380 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2520 wrote to memory of 2380 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2520 wrote to memory of 2380 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2520 wrote to memory of 2380 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2520 wrote to memory of 2380 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2520 wrote to memory of 2380 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2520 wrote to memory of 2380 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppCore.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_49_\$_49_\AppCore.dll

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-17 16:27

Reported

2024-10-17 16:30

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISAppUpdater.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4304 wrote to memory of 232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4304 wrote to memory of 232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4304 wrote to memory of 232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISAppUpdater.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISAppUpdater.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 232 -ip 232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A