Analysis Overview
SHA256
f68339263c85ea443eb8601ae02c614bd235b086b3491b6a427a98273e518e4f
Threat Level: Shows suspicious behavior
The file 763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Event Triggered Execution: Component Object Model Hijacking
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Installs/modifies Browser Helper Object
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Command and Scripting Interpreter: JavaScript
Program crash
NSIS installer
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 22:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:30
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 436 wrote to memory of 2360 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 436 wrote to memory of 2360 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 436 wrote to memory of 2360 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2360 -ip 2360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:28
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ffTrustMediaViewerV1alpha6139chaction.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:28
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
137s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffTrustMediaViewerV1alpha6139.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:27
Platform
win7-20241010-en
Max time kernel
14s
Max time network
18s
Command Line
Signatures
Event Triggered Execution: Component Object Model Hijacking
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\ = "TrustMediaViewerV1alpha6139" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0\win64 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\TypeLib\ = "{b2b48c07-0fd4-4374-80f2-bfa407c71319}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\ | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\ = "TrustMediaViewerV1alpha6139" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\ = "{B2B48C07-0FD4-4374-80F2-BFA407C71319}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\TrustMediaViewerV1alpha6139x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Version\ = "1.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\ = "TrustMediaViewerV1alpha6139Lib" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\HELPDIR | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ = "ITrustMediaViewerV1alpha6139BHO" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ = "ITrustMediaViewerV1alpha6139BHO" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\ = "{B2B48C07-0FD4-4374-80F2-BFA407C71319}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\TrustMediaViewerV1alpha6139x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}\ | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\FLAGS\ = "0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\Version = "1.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\Version = "1.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\FLAGS | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\TrustMediaViewerV1alpha6139x64.dll
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:27
Platform
win7-20240903-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uninstall.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uninstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2532 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 2532 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 2532 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 2532 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
Network
Files
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | 8ef2ee0bd9eb868dee5a7c7f2de749bc |
| SHA1 | c5657bffd61edf7b1d36a225ffc3dbf44d8f2f32 |
| SHA256 | ce885aa22707ec497138942e7f006c9bfd00fa330189fefc7cd1e4a2ae0f4cc4 |
| SHA512 | 856060d36cda5fcbfc0e4df9f7676986ef1e72256b863fad2f5fff7e996bd166cfd7c7f87e3a3a85d4d3e04ae9b856088341ec46885b4d4e3440123e5879cb75 |
\Users\Admin\AppData\Local\Temp\nsyA93B.tmp\aminsis.dll
| MD5 | f346047b13f37f79c462e59a6319faa1 |
| SHA1 | ce9e7cb9719000a69b463fe024c81229e322279f |
| SHA256 | e78e0e61707cabec8383f1e74da9db8e0fa123a3a7b36f0080d70fbaed6f7453 |
| SHA512 | 429209cc489ba9ac2d62055b128efb3cded3e31f966c7cdb1aee592ec7a54ab090526705fa2519498d92eb4bc2efa141cd83adc6c251b793388ad1208b172167 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:32
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uninstall.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 836 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 836 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 836 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | 8ef2ee0bd9eb868dee5a7c7f2de749bc |
| SHA1 | c5657bffd61edf7b1d36a225ffc3dbf44d8f2f32 |
| SHA256 | ce885aa22707ec497138942e7f006c9bfd00fa330189fefc7cd1e4a2ae0f4cc4 |
| SHA512 | 856060d36cda5fcbfc0e4df9f7676986ef1e72256b863fad2f5fff7e996bd166cfd7c7f87e3a3a85d4d3e04ae9b856088341ec46885b4d4e3440123e5879cb75 |
C:\Users\Admin\AppData\Local\Temp\nswBE01.tmp\aminsis.dll
| MD5 | f346047b13f37f79c462e59a6319faa1 |
| SHA1 | ce9e7cb9719000a69b463fe024c81229e322279f |
| SHA256 | e78e0e61707cabec8383f1e74da9db8e0fa123a3a7b36f0080d70fbaed6f7453 |
| SHA512 | 429209cc489ba9ac2d62055b128efb3cded3e31f966c7cdb1aee592ec7a54ab090526705fa2519498d92eb4bc2efa141cd83adc6c251b793388ad1208b172167 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:27
Platform
win10v2004-20241007-en
Max time kernel
134s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3832 wrote to memory of 812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3832 wrote to memory of 812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3832 wrote to memory of 812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 812 -ip 812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:29
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 220
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:27
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffTrustMediaViewerV1alpha6139.js
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:30
Platform
win7-20240903-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffTrustMediaViewerV1alpha6139ffaction.js
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:29
Platform
win7-20240903-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 220
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:30
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
137s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2312 wrote to memory of 2968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2312 wrote to memory of 2968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2312 wrote to memory of 2968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2968 -ip 2968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:30
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4808 wrote to memory of 4288 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4808 wrote to memory of 4288 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4808 wrote to memory of 4288 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4288 -ip 4288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:31
Platform
win10v2004-20241007-en
Max time kernel
134s
Max time network
151s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffTrustMediaViewerV1alpha6139ffaction.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:29
Platform
win7-20240903-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\ = "TrustMediaViewerV1alpha6139" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\ = "TrustMediaViewerV1alpha6139Lib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\TrustMediaViewerV1alpha6139.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ = "ITrustMediaViewerV1alpha6139BHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Version\ = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\ = "TrustMediaViewerV1alpha6139" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\TrustMediaViewerV1alpha6139.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\ = "{B2B48C07-0FD4-4374-80F2-BFA407C71319}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ = "ITrustMediaViewerV1alpha6139BHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\ = "{B2B48C07-0FD4-4374-80F2-BFA407C71319}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\TypeLib\ = "{b2b48c07-0fd4-4374-80f2-bfa407c71319}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2744 wrote to memory of 2768 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2744 wrote to memory of 2768 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2744 wrote to memory of 2768 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2744 wrote to memory of 2768 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2744 wrote to memory of 2768 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2744 wrote to memory of 2768 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2744 wrote to memory of 2768 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\TrustMediaViewerV1alpha6139.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\ie\TrustMediaViewerV1alpha6139.dll
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:28
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\ = "TrustMediaViewerV1alpha6139" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\TypeLib\ = "{b2b48c07-0fd4-4374-80f2-bfa407c71319}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ = "ITrustMediaViewerV1alpha6139BHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\ = "{B2B48C07-0FD4-4374-80F2-BFA407C71319}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Version\ = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\ = "TrustMediaViewerV1alpha6139Lib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\TrustMediaViewerV1alpha6139.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ = "ITrustMediaViewerV1alpha6139BHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\ = "{B2B48C07-0FD4-4374-80F2-BFA407C71319}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\TrustMediaViewerV1alpha6139.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\ = "TrustMediaViewerV1alpha6139" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4284 wrote to memory of 2568 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4284 wrote to memory of 2568 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4284 wrote to memory of 2568 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\TrustMediaViewerV1alpha6139.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\ie\TrustMediaViewerV1alpha6139.dll
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:28
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Event Triggered Execution: Component Object Model Hijacking
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\ = "TrustMediaViewerV1alpha6139" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\TypeLib\ = "{b2b48c07-0fd4-4374-80f2-bfa407c71319}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}\ | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\ = "TrustMediaViewerV1alpha6139Lib" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\Version = "1.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\FLAGS\ = "0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0\win64 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ = "ITrustMediaViewerV1alpha6139BHO" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\ = "{B2B48C07-0FD4-4374-80F2-BFA407C71319}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ = "ITrustMediaViewerV1alpha6139BHO" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\HELPDIR | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\Version = "1.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\ = "TrustMediaViewerV1alpha6139" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\ = "{B2B48C07-0FD4-4374-80F2-BFA407C71319}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\TrustMediaViewerV1alpha6139x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\FLAGS | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\ | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Version\ = "1.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\TrustMediaViewerV1alpha6139x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\TrustMediaViewerV1alpha6139x64.dll
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:30
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Event Triggered Execution: Component Object Model Hijacking
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\ = "TrustMediaViewerV1alpha6139" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\ = "TrustMediaViewerV1alpha6139" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\icons\Thumbs.db | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\icons\default | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\icons\default\TrustMediaViewerV1alpha6139_32.png | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ch\TrustMediaViewerV1alpha6139.crx | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\ffTrustMediaViewerV1alpha6139.js | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\ffTrustMediaViewerV1alpha6139.js | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\ffTrustMediaViewerV1alpha6139ffaction.js | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\icons | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\icons\default\TrustMediaViewerV1alpha6139_32.png | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ie\TrustMediaViewerV1alpha6139.dll | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome.manifest | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\install.rdf | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ch\TrustMediaViewerV1alpha6139.crx | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\ffTrustMediaViewerV1alpha6139ffaction.js | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\overlay.xul | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\overlay.xul | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\icons\Thumbs.db | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ie\TrustMediaViewerV1alpha6139x64.dll | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome.manifest | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\install.rdf | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\gpupdate.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Approved Extensions | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} = 51667a6c4c1d3b1bf8597f23a6b7020489f4d356ab4d56b4 | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\ = "TrustMediaViewerV1alpha6139" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha6139\\ie" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\TypeLib\ = "{b2b48c07-0fd4-4374-80f2-bfa407c71319}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Version\ = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\TypeLib\ = "{b2b48c07-0fd4-4374-80f2-bfa407c71319}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\ = "TrustMediaViewerV1alpha6139" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0\win64 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\ = "{B2B48C07-0FD4-4374-80F2-BFA407C71319}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha6139\\ie\\TrustMediaViewerV1alpha6139x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}\ | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ = "ITrustMediaViewerV1alpha6139BHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\ = "TrustMediaViewerV1alpha6139Lib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0\win32\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha6139\\ie\\TrustMediaViewerV1alpha6139.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ = "ITrustMediaViewerV1alpha6139BHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha6139\\ie\\TrustMediaViewerV1alpha6139.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\ = "Trust Media Viewer" | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\ | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0\win64\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha6139\\ie\\TrustMediaViewerV1alpha6139x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Version\ = "1.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\ = "{B2B48C07-0FD4-4374-80F2-BFA407C71319}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 "C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ie\TrustMediaViewerV1alpha6139.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ie\TrustMediaViewerV1alpha6139x64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ie\TrustMediaViewerV1alpha6139x64.dll"
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\System32\gpupdate.exe" /force
Network
Files
\Users\Admin\AppData\Local\Temp\nsyDF29.tmp\aminsis.dll
| MD5 | f346047b13f37f79c462e59a6319faa1 |
| SHA1 | ce9e7cb9719000a69b463fe024c81229e322279f |
| SHA256 | e78e0e61707cabec8383f1e74da9db8e0fa123a3a7b36f0080d70fbaed6f7453 |
| SHA512 | 429209cc489ba9ac2d62055b128efb3cded3e31f966c7cdb1aee592ec7a54ab090526705fa2519498d92eb4bc2efa141cd83adc6c251b793388ad1208b172167 |
C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ie\TrustMediaViewerV1alpha6139.dll
| MD5 | 2250175d281eda6183b9376bb27fb889 |
| SHA1 | 1990befbfde155c502c1a2acf888807df0ba9ffe |
| SHA256 | 5d40312a771802eec3a428e5ba60df2f22fffca1593f5b7b73503c9943b63ce3 |
| SHA512 | 01cd5bcae658cd2f77ea033e4dbafe48d350aeb89de1e43b8a0fbd4005e1d6913e1c8534e1539e68412621490a0fa65167089008bab901b0bcb9567665a69651 |
\Users\Admin\AppData\Local\Temp\nsyDF29.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ie\TrustMediaViewerV1alpha6139x64.dll
| MD5 | ba711a3398a46e9bac670817f8d3cf2c |
| SHA1 | dd08bd5516b883eb499df0e90db96fbf04cd0108 |
| SHA256 | 5f54c1a1f9acc11d656497fd2fdd6b7a02e59bf81a6842c41382b4a97e0c1f81 |
| SHA512 | 4edd4cdb65998c95a6d94f30b4f6f03c529544753e78b297e89e3561fa60dbd34051b3d7a07569f2b6ac0123c1f9310b94eb0b4e1c77fcbcf62320d20aa6b43b |
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:27
Platform
win7-20241010-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 228
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:27
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ffTrustMediaViewerV1alpha6139chaction.js
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:30
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 224
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 22:23
Reported
2024-10-27 22:28
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
139s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\ = "TrustMediaViewerV1alpha6139" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\ = "TrustMediaViewerV1alpha6139" | C:\Windows\system32\regsvr32.exe | N/A |
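The "Installs/modifies Browser Helper Object" and "Modifies registry class" tables above record the full BHO registration chain: the NSIS installer drops two IE DLLs under Program Files (x86), the 32-bit SysWOW64\regsvr32.exe registers TrustMediaViewerV1alpha6139.dll under Wow6432Node\CLSID, the 64-bit system32\regsvr32.exe registers TrustMediaViewerV1alpha6139x64.dll under CLSID, both share CLSID {3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}, that CLSID is then listed under Browser Helper Objects (with NoExplorer = 1) and pre-approved per user under Internet Explorer\Approved Extensions, and the installer also creates GroupPolicy\Machine\Registry.pol and runs gpupdate /force. The script below is an added example, not part of the sandbox report or the sample: it parses indicator rows in the page's own table format (the REPORT constant is a constructed subset copied from the tables and the Files section on this page), rebuilds the CLSID -> InprocServer32 DLL -> SHA256 chain for both registry views, and emits the registry keys and files an analyst would check on a suspect host. The parsing functions and the hunt-target list are mine; the hive-root prefixes (HKLM, HKU\<SID>) are the standard locations those \REGISTRY\MACHINE and \REGISTRY\USER paths map to.

```python
"""Pull host-hunting IOCs out of sandbox indicator rows and rebuild the BHO chain.

Added example, not part of the sandbox report. REPORT below is a constructed
sample: a subset of indicator rows and Files entries copied from this page.
"""
import re

REPORT = r"""
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha6139\\ie\\TrustMediaViewerV1alpha6139x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha6139\\ie\\TrustMediaViewerV1alpha6139.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} = 51667a6c4c1d3b1bf85f7e20a4b001008cf4d656a94052b3 | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ie\TrustMediaViewerV1alpha6139.dll
| SHA256 | 5d40312a771802eec3a428e5ba60df2f22fffca1593f5b7b73503c9943b63ce3 |
C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ie\TrustMediaViewerV1alpha6139x64.dll
| SHA256 | 5f54c1a1f9acc11d656497fd2fdd6b7a02e59bf81a6842c41382b4a97e0c1f81 |
"""

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
BHO_RE = re.compile(r"\\Browser Helper Objects\\(" + GUID + ")", re.I)
APPROVED_RE = re.compile(r"\\Approved Extensions\\(" + GUID + ")", re.I)
# Default value of InprocServer32: the DLL COM will load for this CLSID.
# An optional Wow6432Node component marks the 32-bit registry view.
INPROC_RE = re.compile(
    r"\\(Wow6432Node\\)?CLSID\\(" + GUID + r')\\InprocServer32\\ = "([^"]+)"', re.I)
GP_RE = re.compile(r"\\GroupPolicy\\", re.I)


def parse_report(text):
    """Walk indicator rows and Files entries; collect the IOCs relevant to a BHO install."""
    iocs = {"bho_clsids": set(), "approved": set(), "inproc": {}, "gp_files": set(), "hashes": {}}
    current_file = None  # a bare path line precedes its hash rows in the Files section
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("|"):
            current_file = line
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 2 and current_file:           # | ALG | digest |
            iocs["hashes"].setdefault(current_file, {})[cells[0].upper()] = cells[1].lower()
            continue
        if len(cells) < 4:                             # | Description | Indicator | Process | Target |
            continue
        indicator = cells[1]
        if m := BHO_RE.search(indicator):
            iocs["bho_clsids"].add(m.group(1).lower())
        if m := APPROVED_RE.search(indicator):
            iocs["approved"].add(m.group(1).lower())
        if m := INPROC_RE.search(indicator):
            view = "x86" if m.group(1) else "x64"      # Wow6432Node == 32-bit view
            # The report doubles backslashes inside quoted REG_SZ data; undo that.
            iocs["inproc"][(m.group(2).lower(), view)] = m.group(3).replace("\\\\", "\\")
        if GP_RE.search(indicator):
            iocs["gp_files"].add(indicator)
    return iocs


def bho_chain(iocs):
    """Map each registered BHO CLSID to {view: (dll_path, sha256 or None)}."""
    chain = {}
    for clsid in sorted(iocs["bho_clsids"]):
        chain[clsid] = {
            view: (path, iocs["hashes"].get(path, {}).get("SHA256"))
            for (c, view), path in sorted(iocs["inproc"].items())
            if c == clsid
        }
    return chain


def hunt_targets(iocs):
    """Registry keys and files to check on a suspect host, derived from the chain."""
    bho_root = r"Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    targets = []
    for clsid, views in bho_chain(iocs).items():
        targets.append(r"HKLM\SOFTWARE\%s\%s" % (bho_root, clsid))
        targets.append(r"HKLM\SOFTWARE\WOW6432Node\%s\%s" % (bho_root, clsid))
        targets.append(r"HKLM\SOFTWARE\Classes\CLSID\%s\InprocServer32" % clsid)
        targets.append(r"HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\%s\InprocServer32" % clsid)
        if clsid in iocs["approved"]:
            targets.append(r"HKU\<SID>\Software\Microsoft\Internet Explorer\Approved Extensions\%s" % clsid)
        for view, (path, sha) in views.items():
            targets.append("%s  [%s] sha256=%s" % (path, view, sha or "unknown"))
    targets.extend(sorted(iocs["gp_files"]))   # Registry.pol is worth collecting, not just noting
    return targets


if __name__ == "__main__":
    for target in hunt_targets(parse_report(REPORT)):
        print(target)
```

Feed it the indicator tables of another run (or another sample) and the same functions reconstruct that sample's chain; the point is that a BHO is only dangerous once all three links exist on a host (CLSID, InprocServer32 pointing at a DLL on disk, and the Browser Helper Objects entry), so a hunt should confirm each link rather than stop at the first key.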
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\ffTrustMediaViewerV1alpha6139.js | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\ffTrustMediaViewerV1alpha6139.js | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\ffTrustMediaViewerV1alpha6139ffaction.js | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\icons | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\icons\default\TrustMediaViewerV1alpha6139_32.png | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ie\TrustMediaViewerV1alpha6139x64.dll | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ch\TrustMediaViewerV1alpha6139.crx | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome.manifest | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome.manifest | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\install.rdf | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\install.rdf | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\overlay.xul | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ie\TrustMediaViewerV1alpha6139.dll | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\icons\default\TrustMediaViewerV1alpha6139_32.png | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\icons\default | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\icons\Thumbs.db | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\overlay.xul | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\ffTrustMediaViewerV1alpha6139ffaction.js | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ff\chrome\content\icons\Thumbs.db | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ch\TrustMediaViewerV1alpha6139.crx | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\gpupdate.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Approved Extensions | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} = 51667a6c4c1d3b1bf85f7e20a4b001008cf4d656a94052b3 | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Version\ = "1.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}\ | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\ = "TrustMediaViewerV1alpha6139" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\TypeLib\ = "{b2b48c07-0fd4-4374-80f2-bfa407c71319}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ = "ITrustMediaViewerV1alpha6139BHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\TypeLib\ = "{b2b48c07-0fd4-4374-80f2-bfa407c71319}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0\win32\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha6139\\ie\\TrustMediaViewerV1alpha6139.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0\win64\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha6139\\ie\\TrustMediaViewerV1alpha6139x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha6139\\ie\\TrustMediaViewerV1alpha6139x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\ = "TrustMediaViewerV1alpha6139Lib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\ = "Trust Media Viewer" | C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\ = "TrustMediaViewerV1alpha6139" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha6139\\ie\\TrustMediaViewerV1alpha6139.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ = "ITrustMediaViewerV1alpha6139BHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\TrustMediaViewerV1\\TrustMediaViewerV1alpha6139\\ie" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\ = "{B2B48C07-0FD4-4374-80F2-BFA407C71319}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Version\ = "1.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0\win64 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\ | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3d6c43e8-e696-4c6c-91fd-9616ac0a17ad}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B2B48C07-0FD4-4374-80F2-BFA407C71319}\1.1\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A11DFF-8260-40D1-A07A-95FC676DDE48}\TypeLib\ = "{B2B48C07-0FD4-4374-80F2-BFA407C71319}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\763e370d93391ed70d3e7fd2cf74e476_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 "C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ie\TrustMediaViewerV1alpha6139.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ie\TrustMediaViewerV1alpha6139x64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ie\TrustMediaViewerV1alpha6139x64.dll"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\System32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsq8723.tmp\aminsis.dll
| MD5 | f346047b13f37f79c462e59a6319faa1 |
| SHA1 | ce9e7cb9719000a69b463fe024c81229e322279f |
| SHA256 | e78e0e61707cabec8383f1e74da9db8e0fa123a3a7b36f0080d70fbaed6f7453 |
| SHA512 | 429209cc489ba9ac2d62055b128efb3cded3e31f966c7cdb1aee592ec7a54ab090526705fa2519498d92eb4bc2efa141cd83adc6c251b793388ad1208b172167 |
C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ie\TrustMediaViewerV1alpha6139.dll
| MD5 | 2250175d281eda6183b9376bb27fb889 |
| SHA1 | 1990befbfde155c502c1a2acf888807df0ba9ffe |
| SHA256 | 5d40312a771802eec3a428e5ba60df2f22fffca1593f5b7b73503c9943b63ce3 |
| SHA512 | 01cd5bcae658cd2f77ea033e4dbafe48d350aeb89de1e43b8a0fbd4005e1d6913e1c8534e1539e68412621490a0fa65167089008bab901b0bcb9567665a69651 |
C:\Users\Admin\AppData\Local\Temp\nsq8723.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha6139\ie\TrustMediaViewerV1alpha6139x64.dll
| MD5 | ba711a3398a46e9bac670817f8d3cf2c |
| SHA1 | dd08bd5516b883eb499df0e90db96fbf04cd0108 |
| SHA256 | 5f54c1a1f9acc11d656497fd2fdd6b7a02e59bf81a6842c41382b4a97e0c1f81 |
| SHA512 | 4edd4cdb65998c95a6d94f30b4f6f03c529544753e78b297e89e3561fa60dbd34051b3d7a07569f2b6ac0123c1f9310b94eb0b4e1c77fcbcf62320d20aa6b43b |