Malware Analysis Report

2025-01-03 09:57

Sample ID 241103-t4ld7aydnf
Target WindowBlinds v11.02-Jasi2169.rar
SHA256 0cd33fd45b2a73c3ddd84afe74aaf91cdeaf62d28de523c25884df5d5add7cc7
Tags qr link, discovery, upx
Score 5/10

Analysis Overview

Score 5/10

SHA256 0cd33fd45b2a73c3ddd84afe74aaf91cdeaf62d28de523c25884df5d5add7cc7

Threat Level: Likely benign

The file WindowBlinds v11.02-Jasi2169.rar was found to be: Likely benign.

Malicious Activity Summary

Tags qr link, discovery, upx

UPX packed file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

One or more HTTP URLs in qr code identified

Unsigned PE

System Location Discovery: System Language Discovery

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 16:37

Signatures

One or more HTTP URLs in qr code identified

Tags qr link

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 16:36

Reported

2024-11-03 16:38

Platform

win10v2004-20241007-en

Max time kernel

26s

Max time network

25s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Download More.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Download More.url"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp
N/A | 52.140.118.28:443 | | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-03 16:36

Reported

2024-11-03 16:38

Platform

win7-20240708-en

Max time kernel

13s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe"

Signatures

System Location Discovery: System Language Discovery

Tags discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe

"C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe"

Network

N/A

Files

memory/2860-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

memory/2860-1-0x0000000000120000-0x00000000003CA000-memory.dmp

memory/2860-2-0x0000000074CB0000-0x000000007539E000-memory.dmp

memory/2860-3-0x0000000006350000-0x00000000068E8000-memory.dmp

memory/2860-4-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

memory/2860-5-0x0000000074CB0000-0x000000007539E000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-03 16:36

Reported

2024-11-03 16:38

Platform

win7-20240903-en

Max time kernel

52s

Max time network

59s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe"

Signatures

UPX packed file

Tags upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe | N/A

Modifies system certificate store

Tags evasion, spyware, trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2748 wrote to memory of 2644 (7 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2644 wrote to memory of 1972 (4 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2068 (7 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

Processes

C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe

"C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1981986 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-3533259084-2542256011-65585152-1000"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | install.api.stardock.net | udp
US | 66.79.209.82:443 | install.api.stardock.net | tcp
US | 8.8.8.8:53 | r10.o.lencr.org | udp
GB | 2.18.190.80:80 | r10.o.lencr.org | tcp

Files

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 68ac216f38a5f7c823712c216ca4b060
SHA1 f6ad96e91103c40eb33fd3f1324d99093e5d014e
SHA256 748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80
SHA512 9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

memory/2748-7-0x0000000003300000-0x00000000036E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 80d93d38badecdd2b134fe4699721223
SHA1 e829e58091bae93bc64e0c6f9f0bac999cfda23d
SHA256 c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
SHA512 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

memory/2748-17-0x0000000003300000-0x00000000036E8000-memory.dmp

memory/2748-19-0x0000000003300000-0x00000000036E8000-memory.dmp

memory/2748-20-0x0000000003300000-0x00000000036E8000-memory.dmp

memory/2644-30-0x0000000000920000-0x0000000000D08000-memory.dmp

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

MD5 da1d0cd400e0b6ad6415fd4d90f69666
SHA1 de9083d2902906cacf57259cf581b1466400b799
SHA256 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
SHA512 f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

memory/2644-39-0x0000000000870000-0x0000000000873000-memory.dmp

memory/2644-38-0x0000000010000000-0x0000000010051000-memory.dmp

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Encoding.lmd

MD5 6eec47ab86d212fe3ed0f56985c8e817
SHA1 06da90bcc06c73ce2c7e112818af65f66fcae6c3
SHA256 d0b2fa60e707982899ecd8c4dc462721c82491245b26721a7c0e840c5f557aed
SHA512 36d6ef8a3fecb2c423079cadbfcbe2b044095f641c9a6ce0f9d0e96c6400f00a089aa26cc9d361bfdbcfdc3a8487d18d64956b36f39320648d1ddb565221a9cb

memory/2644-44-0x00000000008E0000-0x00000000008E3000-memory.dmp

memory/2644-43-0x0000000004BD0000-0x0000000004D14000-memory.dmp

memory/2644-55-0x0000000002360000-0x0000000002370000-memory.dmp

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

MD5 55bbf335f75f2a2fe0a5daf603964d41
SHA1 f1b9686e8a9f10682722fc5e08c02c016b597804
SHA256 723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43
SHA512 af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp

MD5 865c04af1ace3192feae236929e93f75
SHA1 5a7e1395345d4f17e7ffb9fbebcfd848f25f583a
SHA256 8cea363a44ac2993ef8a802e01e7f810e54fd4740db077c953a0512edd5e4c59
SHA512 19bebd5127a267295666625175e7b8e533f1ab355b7cbede457632ca527ab2da32fda25e2980c3e0ba8e294a8ddd62647a9a21bfe8df111e60e60a7abd0bb49e

memory/2644-74-0x0000000000920000-0x0000000000D08000-memory.dmp

memory/2644-99-0x0000000004BD0000-0x0000000004D14000-memory.dmp

memory/2644-100-0x00000000008E0000-0x00000000008E3000-memory.dmp

memory/2644-98-0x0000000010000000-0x0000000010051000-memory.dmp

memory/2644-97-0x0000000000920000-0x0000000000D08000-memory.dmp

memory/2644-101-0x0000000002360000-0x0000000002370000-memory.dmp

memory/2644-104-0x0000000004BD0000-0x0000000004D14000-memory.dmp

memory/2644-103-0x0000000010000000-0x0000000010051000-memory.dmp

memory/2644-105-0x0000000000920000-0x0000000000D08000-memory.dmp

memory/2644-109-0x0000000010000000-0x0000000010051000-memory.dmp

memory/2644-110-0x0000000004BD0000-0x0000000004D14000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-03 16:36

Reported

2024-11-03 16:38

Platform

win10v2004-20241007-en

Max time kernel

23s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A

UPX packed file

Tags upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe

"C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1981986 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-940901362-3608833189-1915618603-1000"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | install.api.stardock.net | udp
US | 66.79.209.82:443 | install.api.stardock.net | tcp
US | 8.8.8.8:53 | 82.209.79.66.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | r10.o.lencr.org | udp
GB | 2.18.190.80:80 | r10.o.lencr.org | tcp
US | 8.8.8.8:53 | 125.21.192.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 68ac216f38a5f7c823712c216ca4b060
SHA1 f6ad96e91103c40eb33fd3f1324d99093e5d014e
SHA256 748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80
SHA512 9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

memory/2376-12-0x0000000000BE0000-0x0000000000FC8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 80d93d38badecdd2b134fe4699721223
SHA1 e829e58091bae93bc64e0c6f9f0bac999cfda23d
SHA256 c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
SHA512 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

MD5 da1d0cd400e0b6ad6415fd4d90f69666
SHA1 de9083d2902906cacf57259cf581b1466400b799
SHA256 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
SHA512 f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

memory/2376-32-0x0000000005F70000-0x0000000005F73000-memory.dmp

memory/2376-31-0x0000000010000000-0x0000000010051000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Encoding.lmd

MD5 6eec47ab86d212fe3ed0f56985c8e817
SHA1 06da90bcc06c73ce2c7e112818af65f66fcae6c3
SHA256 d0b2fa60e707982899ecd8c4dc462721c82491245b26721a7c0e840c5f557aed
SHA512 36d6ef8a3fecb2c423079cadbfcbe2b044095f641c9a6ce0f9d0e96c6400f00a089aa26cc9d361bfdbcfdc3a8487d18d64956b36f39320648d1ddb565221a9cb

memory/2376-40-0x0000000005F90000-0x00000000060D4000-memory.dmp

memory/2376-42-0x0000000006100000-0x0000000006103000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

MD5 55bbf335f75f2a2fe0a5daf603964d41
SHA1 f1b9686e8a9f10682722fc5e08c02c016b597804
SHA256 723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43
SHA512 af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp

MD5 6d6cb67cd48dcf308659c0468bc3e69f
SHA1 824bfa48cf3ae8dca339262b99c90797e6eb34e4
SHA256 e284975f7f465c7cbfd0576d807f539ec1f5621b86fd512297f10a38b7df435d
SHA512 a53fdc9a7f72f9bbaeff3bbb88ec2d6bc3d2a6e2b379fc973b0efdfcfd914ba1fd1d04428a4c85acd5e13c961701941a9da4d3833172da8fda47bd2777d48c42

memory/2376-65-0x0000000000BE0000-0x0000000000FC8000-memory.dmp

memory/2376-80-0x0000000010000000-0x0000000010051000-memory.dmp

memory/2376-79-0x0000000000BE0000-0x0000000000FC8000-memory.dmp

memory/2376-81-0x0000000005F90000-0x00000000060D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

MD5 3220a6aefb4fc719cc8849f060859169
SHA1 85f624debcefd45fdfdf559ac2510a7d1501b412
SHA256 988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765
SHA512 5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d

memory/2376-84-0x0000000000BE0000-0x0000000000FC8000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 16:36

Reported

2024-11-03 16:38

Platform

win7-20240903-en

Max time kernel

13s

Max time network

17s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Download More.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Download More.url"

Network

N/A

Files

memory/2084-0-0x0000000001D80000-0x0000000001D81000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-03 16:36

Reported

2024-11-03 16:38

Platform

win10v2004-20241007-en

Max time kernel

41s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe"

Signatures

System Location Discovery: System Language Discovery

Tags discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe

"C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp

Files

memory/912-0-0x000000007442E000-0x000000007442F000-memory.dmp

memory/912-1-0x0000000000510000-0x00000000007BA000-memory.dmp

memory/912-2-0x0000000074420000-0x0000000074BD0000-memory.dmp

memory/912-3-0x0000000006400000-0x0000000006998000-memory.dmp

memory/912-4-0x0000000006F50000-0x00000000074F4000-memory.dmp

memory/912-5-0x0000000006A80000-0x0000000006B12000-memory.dmp

memory/912-6-0x0000000005170000-0x000000000517A000-memory.dmp

memory/912-7-0x0000000074420000-0x0000000074BD0000-memory.dmp

memory/912-8-0x000000007442E000-0x000000007442F000-memory.dmp

memory/912-9-0x0000000074420000-0x0000000074BD0000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-03 16:36

Reported

2024-11-03 16:38

Platform

win7-20240903-en

Max time kernel

13s

Max time network

17s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Join Telegram for more.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Join Telegram for more.url"

Network

N/A

Files

memory/996-0-0x0000000000570000-0x0000000000571000-memory.dmp

memory/996-1-0x0000000000570000-0x0000000000571000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-03 16:36

Reported

2024-11-03 16:38

Platform

win10v2004-20241007-en

Max time kernel

67s

Max time network

74s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Join Telegram for more.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Join Telegram for more.url"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp

Files

N/A