Malware Analysis Report

2025-03-15 04:39

Sample ID 241027-1knhrstana
Target 761408a59417fe3bcb2898973899a629_JaffaCakes118
SHA256 9299bd0531371eb3640c6a82af6278829139d2f6a9dfa4571a3f4751e922b86b
Tags adware, discovery, spyware, stealer, execution
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1, behavioral9, behavioral4, behavioral11, behavioral15, behavioral3, behavioral5, behavioral6, behavioral10, behavioral16, behavioral2, behavioral7, behavioral8, behavioral12, behavioral13, behavioral14 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 7/10

SHA256 9299bd0531371eb3640c6a82af6278829139d2f6a9dfa4571a3f4751e922b86b

Threat Level: Shows suspicious behavior

The file 761408a59417fe3bcb2898973899a629_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags adware, discovery, spyware, stealer, execution

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

Command and Scripting Interpreter: JavaScript

System Location Discovery: System Language Discovery

NSIS installer

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 21:42

Signatures

Unsigned PE


NSIS installer

installer

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 21:42

Reported

2024-10-27 21:45

Platform

win7-20241010-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0aeef596-8c70-4203-8a1f-443dfbc9f74f} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\ = "MediaWatchV1home215" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\icons\default\MediaWatchV1home215_32.png C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\icons\default\MediaWatchV1home215_32.png C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ch\MediaWatchV1home215.crx C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\ffMediaWatchV1home215ffaction.js C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\ffMediaWatchV1home215ffaction.js C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\ffMediaWatchV1home215.js C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\ffMediaWatchV1home215.js C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\uninstall.exe C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ie\MediaWatchV1home215.dll C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ch\MediaWatchV1home215.crx C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\gpupdate.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{0aeef596-8c70-4203-8a1f-443dfbc9f74f} = 51667a6c4c1d3b1b86e8fa1a45d96b069f17037dff8ab35a C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\InprocServer32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home215\\ie\\MediaWatchV1home215.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\ = "MediaWatchV1home215Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\ = "Media Watch" C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib\ = "{AB72EC61-719D-4179-8B6E-C8D892E47596}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ = "IMediaWatchV1home215BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib\ = "{AB72EC61-719D-4179-8B6E-C8D892E47596}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ = "IMediaWatchV1home215BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home215\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f} C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\ = "MediaWatchV1home215" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\TypeLib\ = "{ab72ec61-719d-4179-8b6e-c8d892e47596}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\0\win32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home215\\ie\\MediaWatchV1home215.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe (7 identical events)
PID 2132 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe C:\Windows\SysWOW64\gpupdate.exe (7 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ie\MediaWatchV1home215.dll" /s

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nsz8C3A.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ie\MediaWatchV1home215.dll

MD5 bcc3189e4925a8105b5e243695182939
SHA1 5dfd8aa736a51526d971c2a962c06b6277d765fa
SHA256 a9c1359a429eee53d45408509b01c2eab512c43dbc20d230730b3d3cb6bd0b56
SHA512 5fd675f5cf23d2905f5b4ac937f5051d5c67e971297d48884daccd24edde70efda81c438d4a6c76c4812ac4f435574400fd878823e3b05960270791dfb153ecc

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-27 21:42

Reported

2024-10-27 21:45

Platform

win7-20240708-en

Max time kernel

122s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home215ffaction.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home215ffaction.js

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-27 21:42

Reported

2024-10-27 21:45

Platform

win10v2004-20241007-en

Max time kernel

134s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3536 wrote to memory of 4376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical events)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4376 -ip 4376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 624

Network


Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-27 21:42

Reported

2024-10-27 21:45

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home215.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0aeef596-8c70-4203-8a1f-443dfbc9f74f} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\ = "MediaWatchV1home215" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ = "IMediaWatchV1home215BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib\ = "{AB72EC61-719D-4179-8B6E-C8D892E47596}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home215.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\TypeLib\ = "{ab72ec61-719d-4179-8b6e-c8d892e47596}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home215.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\ = "MediaWatchV1home215" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\ = "MediaWatchV1home215Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib\ = "{AB72EC61-719D-4179-8B6E-C8D892E47596}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ = "IMediaWatchV1home215BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1732 wrote to memory of 1996 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe (7 identical events)

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home215.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home215.dll

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-27 21:42

Reported

2024-10-27 21:45

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 220

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-27 21:42

Reported

2024-10-27 21:45

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 220

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-27 21:42

Reported

2024-10-27 21:45

Platform

win7-20241010-en

Max time kernel

15s

Max time network

20s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home215chaction.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home215chaction.js

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-27 21:42

Reported

2024-10-27 21:46

Platform

win10v2004-20241007-en

Max time kernel

134s

Max time network

140s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home215chaction.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home215chaction.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-27 21:42

Reported

2024-10-27 21:45

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

155s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home215ffaction.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home215ffaction.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 81.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-27 21:42

Reported

2024-10-27 21:45

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4280 wrote to memory of 2224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4280 wrote to memory of 2224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4280 wrote to memory of 2224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2224 -ip 2224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 78.239.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 21:42

Reported

2024-10-27 21:45

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0aeef596-8c70-4203-8a1f-443dfbc9f74f} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\ = "MediaWatchV1home215" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
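The rows above show the sample writing C:\Windows\System32\GroupPolicy\Machine\Registry.pol (and touching gpt.ini), and the Processes list for this run shows it then running gpupdate.exe /force. That path is the Local Group Policy store, so whatever the file holds is applied as machine policy. Adware installers commonly use this to push browser policy such as Chrome's ExtensionInstallForcelist, which the user cannot undo from the browser UI. The report shows a .crx dropped alongside the BHO but not the contents of Registry.pol, so the entries below are constructed (the extension id is a placeholder). The parser itself follows the documented PReg layout: the ASCII signature "PReg", a DWORD version of 1, then a run of [key;value;type;size;data] records in which the brackets, semicolons, key and value name are all UTF-16LE. This is an added example, not code from the report or from the sample.

```python
"""Read and write the Group Policy Registry.pol (PReg) format.

Added example, not part of the sandbox report. The sample creates
C:\\Windows\\System32\\GroupPolicy\\Machine\\Registry.pol and runs gpupdate /force;
this shows how to read back what such a file sets. SAMPLE_ENTRIES is constructed,
the report does not show the file's real contents.
"""
import struct
from typing import List, Tuple, Union

REG_SZ, REG_DWORD = 1, 4
SEP = {c: c.encode("utf-16-le") for c in "[;]"}   # delimiters are UTF-16LE too

def _wstr(s: str) -> bytes:
    """NUL-terminated UTF-16LE string, as stored in the file."""
    return s.encode("utf-16-le") + b"\x00\x00"

def build_pol(entries) -> bytes:
    """Write a version-1 PReg file: 'PReg', DWORD 1, then [key;value;type;size;data]."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for key, name, vtype, data in entries:
        out += SEP["["] + _wstr(key) + SEP[";"] + _wstr(name) + SEP[";"]
        out += struct.pack("<I", vtype) + SEP[";"]
        out += struct.pack("<I", len(data)) + SEP[";"] + data + SEP["]"]
    return bytes(out)

def _read_wstr(blob: bytes, pos: int) -> Tuple[str, int]:
    end = pos
    while blob[end:end + 2] != b"\x00\x00":   # step by UTF-16 code unit, not byte
        end += 2
        if end >= len(blob):
            raise ValueError("unterminated string at offset %d" % pos)
    return blob[pos:end].decode("utf-16-le"), end + 2

def _expect(blob: bytes, pos: int, delim: str) -> int:
    if blob[pos:pos + 2] != SEP[delim]:
        raise ValueError("expected %r at offset %d" % (delim, pos))
    return pos + 2

def _decode(vtype: int, data: bytes) -> Union[str, int, bytes]:
    if vtype == REG_SZ:
        return data.decode("utf-16-le").rstrip("\x00")
    if vtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    return data   # REG_BINARY, REG_MULTI_SZ and the rest: raw bytes

def parse_pol(blob: bytes) -> List[Tuple[str, str, int, Union[str, int, bytes]]]:
    """Return (key, value_name, type, decoded_data) for every record in the file."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 PReg file")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_wstr(blob, pos); pos = _expect(blob, pos, ";")
        name, pos = _read_wstr(blob, pos); pos = _expect(blob, pos, ";")
        vtype = struct.unpack_from("<I", blob, pos)[0]; pos = _expect(blob, pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]; pos = _expect(blob, pos + 4, ";")
        data = blob[pos:pos + size]; pos = _expect(blob, pos + size, "]")
        entries.append((key, name, vtype, _decode(vtype, data)))
    return entries

def forced_extensions(entries) -> List[str]:
    """Chrome's ExtensionInstallForcelist: each value is 'extension_id;update_url'."""
    return [str(v).split(";")[0] for k, _, _, v in entries
            if k.lower().endswith("\\google\\chrome\\extensioninstallforcelist")]

# Constructed content with a placeholder extension id; the report only records
# that Registry.pol was created, not what it held.
SAMPLE_ENTRIES = [
    ("Software\\Policies\\Google\\Chrome\\ExtensionInstallForcelist", "1", REG_SZ,
     _wstr("aaaabbbbccccddddeeeeffffgggghhhh;https://clients2.google.com/service/update2/crx")),
    ("Software\\Policies\\Google\\Chrome", "DeveloperToolsAvailability", REG_DWORD,
     struct.pack("<I", 2)),
]

if __name__ == "__main__":
    # To inspect a real file: parse_pol(open(path, "rb").read())
    parsed = parse_pol(build_pol(SAMPLE_ENTRIES))
    for key, name, vtype, value in parsed:
        print(f"{key}\\{name} (type {vtype}) = {value!r}")
    print("force-installed extensions:", forced_extensions(parsed))
```

On a suspect host, read the file from the path the report names and compare the keys it sets against what a clean image's Local Group Policy store contains; a forcelist entry whose update_url is not the Chrome Web Store is the kind of finding this triage is meant to surface.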

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ch\MediaWatchV1home215.crx C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\icons\default\MediaWatchV1home215_32.png C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\ffMediaWatchV1home215ffaction.js C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\ffMediaWatchV1home215ffaction.js C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ch\MediaWatchV1home215.crx C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\ffMediaWatchV1home215.js C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\ffMediaWatchV1home215.js C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\icons\default\MediaWatchV1home215_32.png C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ie\MediaWatchV1home215.dll C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\uninstall.exe C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\gpupdate.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{0aeef596-8c70-4203-8a1f-443dfbc9f74f} = 51667a6c4c1d3b1b86effc1647da650793120f7dfa8fbb54 C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f} C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\ = "Media Watch" C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\TypeLib\ = "{ab72ec61-719d-4179-8b6e-c8d892e47596}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home215\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ = "IMediaWatchV1home215BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\ = "MediaWatchV1home215" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\InprocServer32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home215\\ie\\MediaWatchV1home215.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\0\win32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home215\\ie\\MediaWatchV1home215.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ = "IMediaWatchV1home215BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\ = "MediaWatchV1home215Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib\ = "{AB72EC61-719D-4179-8B6E-C8D892E47596}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib\ = "{AB72EC61-719D-4179-8B6E-C8D892E47596}" C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\761408a59417fe3bcb2898973899a629_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ie\MediaWatchV1home215.dll" /s

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
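Every row in the table above is either a reverse-DNS (PTR) lookup of an address the VM talked to, an mDNS multicast, or a Bing endpoint that Windows 10 reaches on its own; the win7 runs of the same components show Network N/A. Before treating any of it as sample-attributable traffic it helps to sort the rows mechanically and see what is left. The following Python is an added example, not part of this report: it parses rows in the report's own "Country Destination Domain Proto" layout (the sample rows are copied from this table, plus one constructed row so the review path is exercised). The set of hosts treated as Windows background traffic is an assumption of this example; build yours from clean baseline detonations on the same image.

```python
"""Sort a sandbox run's Network table into background noise and rows to review.

Added example, not part of the report. Parses rows in the report's own
"Country Destination Domain Proto" layout. OS_BACKGROUND is an assumption:
hosts the Windows 10 shell contacts without any help from the sample.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

OS_BACKGROUND = {"tse1.mm.bing.net", "g.bing.com"}   # assumed Windows shell noise
ROW_RE = re.compile(
    r"^(?P<cc>\S+) (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)

def ptr_to_ip(name: str) -> Optional[str]:
    """'10.28.171.150.in-addr.arpa' -> '150.171.28.10' (PTR names reverse the octets)."""
    if not name.endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None

def classify(row: str) -> Tuple[str, Optional[str]]:
    """Return (kind, detail). Kinds: reverse-dns, mdns, os-background, review, unparsed."""
    m = ROW_RE.match(row.strip())
    if not m:
        return "unparsed", row
    dst, port, domain, proto = m["dst"], int(m["port"]), m["domain"], m["proto"]
    if domain and domain.endswith(".in-addr.arpa"):
        return "reverse-dns", ptr_to_ip(domain)       # a lookup, carries no payload
    if dst == "224.0.0.251" and port == 5353:
        return "mdns", None                           # link-local multicast DNS
    if domain in OS_BACKGROUND:
        return "os-background", domain
    return "review", f"{dst}:{port}/{proto} {domain or ''}".strip()

def triage_network(rows: List[str]) -> Dict[str, object]:
    """Counts per kind, the rows left to review, and the IPs the PTR lookups named."""
    counts: Counter = Counter()
    review: List[str] = []
    resolved = set()
    for row in rows:
        kind, detail = classify(row)
        counts[kind] += 1
        if kind == "review":
            review.append(detail)
        elif kind == "reverse-dns" and detail:
            resolved.add(detail)
    return {"counts": dict(counts), "review": review, "resolved_ptrs": sorted(resolved)}

# Rows copied from the behavioral2 Network table, plus one constructed row
# (203.0.113.5 is documentation address space) to show the review path.
SAMPLE_ROWS = [
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp",
    "US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp",
    "N/A 224.0.0.251:5353 udp",
    "US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 g.bing.com udp",
    "US 150.171.27.10:443 g.bing.com tcp",
    "US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp",
    "US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp",
    "US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp",
    "US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp",
    "US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp",
    "US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp",
    "US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
] + ["US 150.171.28.10:443 tse1.mm.bing.net tcp"] * 5 + [
    "US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp",
    "US 203.0.113.5:80 example.invalid tcp",          # constructed, not from the report
]

if __name__ == "__main__":
    result = triage_network(SAMPLE_ROWS)
    print(result["counts"])
    print("review:", result["review"])
    print("PTR lookups resolved to:", result["resolved_ptrs"])
```

On the page's own rows the review list is empty: the only non-noise entries are the PTR lookups, and those name addresses the run already shows (150.171.28.10 for tse1.mm.bing.net, 8.8.8.8 for the resolver) plus Microsoft ranges. That is consistent with the win7 detonations of the same scripts reporting no network activity at all.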

Files

C:\Users\Admin\AppData\Local\Temp\nsbBB62.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home215\ie\MediaWatchV1home215.dll

MD5 bcc3189e4925a8105b5e243695182939
SHA1 5dfd8aa736a51526d971c2a962c06b6277d765fa
SHA256 a9c1359a429eee53d45408509b01c2eab512c43dbc20d230730b3d3cb6bd0b56
SHA512 5fd675f5cf23d2905f5b4ac937f5051d5c67e971297d48884daccd24edde70efda81c438d4a6c76c4812ac4f435574400fd878823e3b05960270791dfb153ecc

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-27 21:42

Reported

2024-10-27 21:45

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home215.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home215.js

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-27 21:42

Reported

2024-10-27 21:45

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home215.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home215.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-27 21:42

Reported

2024-10-27 21:46

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

139s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home215.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\ = "MediaWatchV1home215" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0aeef596-8c70-4203-8a1f-443dfbc9f74f} C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\ = "MediaWatchV1home215Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ = "IMediaWatchV1home215BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home215.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home215.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib\ = "{AB72EC61-719D-4179-8B6E-C8D892E47596}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB72EC61-719D-4179-8B6E-C8D892E47596}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ = "IMediaWatchV1home215BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib\ = "{AB72EC61-719D-4179-8B6E-C8D892E47596}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\ = "MediaWatchV1home215" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\TypeLib\ = "{ab72ec61-719d-4179-8b6e-c8d892e47596}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A63D08D8-3886-4AE0-8B8B-12CE670B98ED}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
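The rows above, and the matching "Installs/modifies Browser Helper Object" and "Modifies registry class" blocks in behavioral2, show regsvr32 registering the same CLSID {0aeef596-8c70-4203-8a1f-443dfbc9f74f} as a Browser Helper Object twice with different backing files: in behavioral2 the InprocServer32 default points at the DLL under Program Files (x86), in this run at the copy in the user's Temp directory. The BHO key itself only names the CLSID; joining it to the CLSID's InprocServer32 value is how you find the DLL Internet Explorer will load, and NoExplorer = 1 means it loads in IE but not in Explorer. The following Python is an added example, not part of this report or of the sandbox: it re-parses rows in the report's own "Description Indicator Process Target" layout (the sample rows are copied from the two runs) and assumes the process path in each row contains no spaces, which holds for every row on this page.

```python
"""Triage of Browser Helper Object (BHO) registration from sandbox registry rows.

Added example, not part of the sandbox report. Re-parses rows in the report's
own "Description Indicator Process Target" layout, joins the entry under
Explorer\\Browser Helper Objects to the COM class it names, and reports where
the DLL that Internet Explorer will load lives and which process registered it.
"""
import re
from typing import Dict, List, Optional

BHO_MARK = "\\explorer\\browser helper objects\\"
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
EVENT_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Set value \((?P<vtype>\w+)\)) '
    r'(?P<path>\\REGISTRY\\.+?)(?: = "(?P<value>.*)")?$'
)
# Directories a standard user can write to: a DLL registered from here can be
# replaced without admin rights, and the BHO is a persistent in-process hook.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")

def parse_event(row: str) -> Optional[dict]:
    """Split one report row into operation, path, value, process and target.
    Assumes the process path has no spaces (true for every row on this page)."""
    parts = row.strip().rsplit(" ", 2)
    if len(parts) != 3:
        return None
    body, process, target = parts
    m = EVENT_RE.match(body)
    if not m:
        return None
    ev = m.groupdict()
    if ev["value"] is not None:                 # the report doubles backslashes
        ev["value"] = ev["value"].replace("\\\\", "\\")
    ev["process"], ev["target"] = process, target
    return ev

def classify_path(dll: str) -> str:
    low = dll.lower()
    if any(d in low for d in USER_WRITABLE):
        return "user-writable"
    return "program-files" if "\\program files" in low else "other"

def triage_bho(rows: List[str]) -> List[dict]:
    """One finding per BHO CLSID: DLL path, its location class, registrar."""
    bho: Dict[str, str] = {}          # clsid -> process that touched the BHO key
    inproc: Dict[str, str] = {}       # clsid -> InprocServer32 default value
    ie_only: Dict[str, bool] = {}     # NoExplorer=1: loads in IE, not Explorer
    for ev in filter(None, map(parse_event, rows)):
        g = GUID_RE.search(ev["path"])
        if not g:
            continue
        clsid, low = g.group(0).lower(), ev["path"].lower()
        if BHO_MARK in low:
            bho.setdefault(clsid, ev["process"])
            if low.endswith("\\noexplorer") and ev["value"] == "1":
                ie_only[clsid] = True
        elif low.endswith("\\clsid\\" + clsid + "\\inprocserver32\\") and ev["value"]:
            inproc[clsid] = ev["value"]
    return [{
        "clsid": c, "dll": inproc.get(c),
        "location": classify_path(inproc[c]) if c in inproc else "unresolved",
        "registered_by": p, "ie_only": ie_only.get(c, False),
    } for c, p in bho.items()]

# Rows copied from the report: behavioral2 (installer run) and behavioral12
# (regsvr32 on the Temp copy of the DLL).
ROWS_INSTALLER = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0aeef596-8c70-4203-8a1f-443dfbc9f74f} C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\ = "MediaWatchV1home215" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\InprocServer32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home215\\ie\\MediaWatchV1home215.dll" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A',
]
ROWS_TEMP_REGSVR = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\ = "MediaWatchV1home215" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0aeef596-8c70-4203-8a1f-443dfbc9f74f} C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0aeef596-8c70-4203-8a1f-443dfbc9f74f}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home215.dll" C:\Windows\SysWOW64\regsvr32.exe N/A',
]

if __name__ == "__main__":
    for label, rows in (("behavioral2", ROWS_INSTALLER), ("behavioral12", ROWS_TEMP_REGSVR)):
        for f in triage_bho(rows):
            print(label, f["clsid"], f["location"], f["dll"], "IE-only" if f["ie_only"] else "")
```

On a live host the same join is done against HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects and HKLM\SOFTWARE\Classes\WOW6432Node\CLSID; the detail worth keeping from this report is that a silent regsvr32 /s of the Temp copy produces a BHO whose code lives in a user-writable directory, exactly what the "user-writable" class flags.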

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4932 wrote to memory of 4444 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4932 wrote to memory of 4444 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4932 wrote to memory of 4444 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home215.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home215.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-27 21:42

Reported

2024-10-27 21:46

Platform

win7-20241023-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uninstall.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 d0a7bde00870c48c3d1cc4fa99152936
SHA1 0cef0f7e625876e5d917d0dfdcdd9faae2307805
SHA256 d71e73614d8f63d710fe60a553779b96f72069fc034eaa0209f7b862a78ab561
SHA512 e3933dc97b18bf8769b0be2541124778005d75eb00565ff51022c7d3eace16c8271680579c01e3bf9721b37b9e35a6b32df8ee2847a2b72fc459715684e1e290

\Users\Admin\AppData\Local\Temp\nsjCAFE.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-27 21:42

Reported

2024-10-27 21:45

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uninstall.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 d0a7bde00870c48c3d1cc4fa99152936
SHA1 0cef0f7e625876e5d917d0dfdcdd9faae2307805
SHA256 d71e73614d8f63d710fe60a553779b96f72069fc034eaa0209f7b862a78ab561
SHA512 e3933dc97b18bf8769b0be2541124778005d75eb00565ff51022c7d3eace16c8271680579c01e3bf9721b37b9e35a6b32df8ee2847a2b72fc459715684e1e290

C:\Users\Admin\AppData\Local\Temp\nsrCAA4.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361