Analysis Overview
SHA256
0cd33fd45b2a73c3ddd84afe74aaf91cdeaf62d28de523c25884df5d5add7cc7
Threat Level: Likely benign
The file WindowBlinds v11.02-Jasi2169.rar was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Enumerates physical storage devices
One or more HTTP URLs in qr code identified
Unsigned PE
System Location Discovery: System Language Discovery
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 16:37
Signatures
One or more HTTP URLs in qr code identified
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-03 16:36
Reported
2024-11-03 16:38
Platform
win10v2004-20241007-en
Max time kernel
26s
Max time network
25s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Download More.url"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 52.140.118.28:443 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-03 16:36
Reported
2024-11-03 16:38
Platform
win7-20240708-en
Max time kernel
13s
Max time network
18s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe"
Network
Files
memory/2860-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp
memory/2860-1-0x0000000000120000-0x00000000003CA000-memory.dmp
memory/2860-2-0x0000000074CB0000-0x000000007539E000-memory.dmp
memory/2860-3-0x0000000006350000-0x00000000068E8000-memory.dmp
memory/2860-4-0x0000000074CBE000-0x0000000074CBF000-memory.dmp
memory/2860-5-0x0000000074CB0000-0x000000007539E000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-03 16:36
Reported
2024-11-03 16:38
Platform
win7-20240903-en
Max time kernel
52s
Max time network
59s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe
"C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe"
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1981986 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-3533259084-2542256011-65585152-1000"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | install.api.stardock.net | udp |
| US | 66.79.209.82:443 | install.api.stardock.net | tcp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 2.18.190.80:80 | r10.o.lencr.org | tcp |
Files
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 68ac216f38a5f7c823712c216ca4b060 |
| SHA1 | f6ad96e91103c40eb33fd3f1324d99093e5d014e |
| SHA256 | 748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80 |
| SHA512 | 9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b |
memory/2748-7-0x0000000003300000-0x00000000036E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | 80d93d38badecdd2b134fe4699721223 |
| SHA1 | e829e58091bae93bc64e0c6f9f0bac999cfda23d |
| SHA256 | c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59 |
| SHA512 | 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4 |
memory/2748-17-0x0000000003300000-0x00000000036E8000-memory.dmp
memory/2748-19-0x0000000003300000-0x00000000036E8000-memory.dmp
memory/2748-20-0x0000000003300000-0x00000000036E8000-memory.dmp
memory/2644-30-0x0000000000920000-0x0000000000D08000-memory.dmp
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
| MD5 | da1d0cd400e0b6ad6415fd4d90f69666 |
| SHA1 | de9083d2902906cacf57259cf581b1466400b799 |
| SHA256 | 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575 |
| SHA512 | f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a |
memory/2644-39-0x0000000000870000-0x0000000000873000-memory.dmp
memory/2644-38-0x0000000010000000-0x0000000010051000-memory.dmp
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Encoding.lmd
| MD5 | 6eec47ab86d212fe3ed0f56985c8e817 |
| SHA1 | 06da90bcc06c73ce2c7e112818af65f66fcae6c3 |
| SHA256 | d0b2fa60e707982899ecd8c4dc462721c82491245b26721a7c0e840c5f557aed |
| SHA512 | 36d6ef8a3fecb2c423079cadbfcbe2b044095f641c9a6ce0f9d0e96c6400f00a089aa26cc9d361bfdbcfdc3a8487d18d64956b36f39320648d1ddb565221a9cb |
memory/2644-44-0x00000000008E0000-0x00000000008E3000-memory.dmp
memory/2644-43-0x0000000004BD0000-0x0000000004D14000-memory.dmp
memory/2644-55-0x0000000002360000-0x0000000002370000-memory.dmp
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
| MD5 | 55bbf335f75f2a2fe0a5daf603964d41 |
| SHA1 | f1b9686e8a9f10682722fc5e08c02c016b597804 |
| SHA256 | 723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43 |
| SHA512 | af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
| MD5 | 865c04af1ace3192feae236929e93f75 |
| SHA1 | 5a7e1395345d4f17e7ffb9fbebcfd848f25f583a |
| SHA256 | 8cea363a44ac2993ef8a802e01e7f810e54fd4740db077c953a0512edd5e4c59 |
| SHA512 | 19bebd5127a267295666625175e7b8e533f1ab355b7cbede457632ca527ab2da32fda25e2980c3e0ba8e294a8ddd62647a9a21bfe8df111e60e60a7abd0bb49e |
memory/2644-74-0x0000000000920000-0x0000000000D08000-memory.dmp
memory/2644-99-0x0000000004BD0000-0x0000000004D14000-memory.dmp
memory/2644-100-0x00000000008E0000-0x00000000008E3000-memory.dmp
memory/2644-98-0x0000000010000000-0x0000000010051000-memory.dmp
memory/2644-97-0x0000000000920000-0x0000000000D08000-memory.dmp
memory/2644-101-0x0000000002360000-0x0000000002370000-memory.dmp
memory/2644-104-0x0000000004BD0000-0x0000000004D14000-memory.dmp
memory/2644-103-0x0000000010000000-0x0000000010051000-memory.dmp
memory/2644-105-0x0000000000920000-0x0000000000D08000-memory.dmp
memory/2644-109-0x0000000010000000-0x0000000010051000-memory.dmp
memory/2644-110-0x0000000004BD0000-0x0000000004D14000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-03 16:36
Reported
2024-11-03 16:38
Platform
win10v2004-20241007-en
Max time kernel
23s
Max time network
33s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe
"C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe"
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1981986 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-940901362-3608833189-1915618603-1000"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | install.api.stardock.net | udp |
| US | 66.79.209.82:443 | install.api.stardock.net | tcp |
| US | 8.8.8.8:53 | 82.209.79.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 2.18.190.80:80 | r10.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 125.21.192.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 68ac216f38a5f7c823712c216ca4b060 |
| SHA1 | f6ad96e91103c40eb33fd3f1324d99093e5d014e |
| SHA256 | 748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80 |
| SHA512 | 9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b |
memory/2376-12-0x0000000000BE0000-0x0000000000FC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | 80d93d38badecdd2b134fe4699721223 |
| SHA1 | e829e58091bae93bc64e0c6f9f0bac999cfda23d |
| SHA256 | c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59 |
| SHA512 | 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
| MD5 | da1d0cd400e0b6ad6415fd4d90f69666 |
| SHA1 | de9083d2902906cacf57259cf581b1466400b799 |
| SHA256 | 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575 |
| SHA512 | f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a |
memory/2376-32-0x0000000005F70000-0x0000000005F73000-memory.dmp
memory/2376-31-0x0000000010000000-0x0000000010051000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Encoding.lmd
| MD5 | 6eec47ab86d212fe3ed0f56985c8e817 |
| SHA1 | 06da90bcc06c73ce2c7e112818af65f66fcae6c3 |
| SHA256 | d0b2fa60e707982899ecd8c4dc462721c82491245b26721a7c0e840c5f557aed |
| SHA512 | 36d6ef8a3fecb2c423079cadbfcbe2b044095f641c9a6ce0f9d0e96c6400f00a089aa26cc9d361bfdbcfdc3a8487d18d64956b36f39320648d1ddb565221a9cb |
memory/2376-40-0x0000000005F90000-0x00000000060D4000-memory.dmp
memory/2376-42-0x0000000006100000-0x0000000006103000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
| MD5 | 55bbf335f75f2a2fe0a5daf603964d41 |
| SHA1 | f1b9686e8a9f10682722fc5e08c02c016b597804 |
| SHA256 | 723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43 |
| SHA512 | af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
| MD5 | 6d6cb67cd48dcf308659c0468bc3e69f |
| SHA1 | 824bfa48cf3ae8dca339262b99c90797e6eb34e4 |
| SHA256 | e284975f7f465c7cbfd0576d807f539ec1f5621b86fd512297f10a38b7df435d |
| SHA512 | a53fdc9a7f72f9bbaeff3bbb88ec2d6bc3d2a6e2b379fc973b0efdfcfd914ba1fd1d04428a4c85acd5e13c961701941a9da4d3833172da8fda47bd2777d48c42 |
memory/2376-65-0x0000000000BE0000-0x0000000000FC8000-memory.dmp
memory/2376-80-0x0000000010000000-0x0000000010051000-memory.dmp
memory/2376-79-0x0000000000BE0000-0x0000000000FC8000-memory.dmp
memory/2376-81-0x0000000005F90000-0x00000000060D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG
| MD5 | 3220a6aefb4fc719cc8849f060859169 |
| SHA1 | 85f624debcefd45fdfdf559ac2510a7d1501b412 |
| SHA256 | 988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765 |
| SHA512 | 5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d |
memory/2376-84-0x0000000000BE0000-0x0000000000FC8000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 16:36
Reported
2024-11-03 16:38
Platform
win7-20240903-en
Max time kernel
13s
Max time network
17s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Download More.url"
Network
Files
memory/2084-0-0x0000000001D80000-0x0000000001D81000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-03 16:36
Reported
2024-11-03 16:38
Platform
win10v2004-20241007-en
Max time kernel
41s
Max time network
49s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
Files
memory/912-0-0x000000007442E000-0x000000007442F000-memory.dmp
memory/912-1-0x0000000000510000-0x00000000007BA000-memory.dmp
memory/912-2-0x0000000074420000-0x0000000074BD0000-memory.dmp
memory/912-3-0x0000000006400000-0x0000000006998000-memory.dmp
memory/912-4-0x0000000006F50000-0x00000000074F4000-memory.dmp
memory/912-5-0x0000000006A80000-0x0000000006B12000-memory.dmp
memory/912-6-0x0000000005170000-0x000000000517A000-memory.dmp
memory/912-7-0x0000000074420000-0x0000000074BD0000-memory.dmp
memory/912-8-0x000000007442E000-0x000000007442F000-memory.dmp
memory/912-9-0x0000000074420000-0x0000000074BD0000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-03 16:36
Reported
2024-11-03 16:38
Platform
win7-20240903-en
Max time kernel
13s
Max time network
17s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Join Telegram for more.url"
Network
Files
memory/996-0-0x0000000000570000-0x0000000000571000-memory.dmp
memory/996-1-0x0000000000570000-0x0000000000571000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-03 16:36
Reported
2024-11-03 16:38
Platform
win10v2004-20241007-en
Max time kernel
67s
Max time network
74s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Join Telegram for more.url"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |