Malware Analysis Report

2025-08-10 13:40

Sample ID 241107-mtys7stkgn
Target 19784713277.zip
SHA256 1565a99ed69c22b2a18e2458e5652eaf7f2fe5c62e962b19da7cafd3aa2f804c
Tags
discovery upx persistence
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network, Files:
behavioral18, behavioral27, behavioral29, behavioral31, behavioral13, behavioral5, behavioral25, behavioral26, behavioral6, behavioral11, behavioral14, behavioral21, behavioral22, behavioral2, behavioral3, behavioral10, behavioral30, behavioral1, behavioral4, behavioral20, behavioral7, behavioral8, behavioral9, behavioral12, behavioral17, behavioral19, behavioral24, behavioral15, behavioral16, behavioral23, behavioral28

Analysis Overview

score
7/10

SHA256

1565a99ed69c22b2a18e2458e5652eaf7f2fe5c62e962b19da7cafd3aa2f804c

Threat level: shows suspicious behavior

Verdict: the file 19784713277.zip shows suspicious behavior (score 7/10).

Malicious Activity Summary

discovery upx persistence

Deletes itself

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

UPX packed file

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 10:46

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
(2 rows, all fields N/A)

UPX packed file

upx
Description Indicator Process Target
(2 rows, all fields N/A)

Unsigned PE

Description Indicator Process Target
(24 rows, all fields N/A)

NSIS installer

installer
Description Indicator Process Target
(4 rows, all fields N/A)
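The static1 signatures above are header-level facts that can be re-derived without the sandbox: UPX leaves its UPX0/UPX1 section names in place, an NSIS installer carries the first-header magic 0xDEADBEEF followed by "NullsoftInst", and "Unsigned PE" means the optional header's security data directory (index 4) is empty. The Python below is an added example, not the sandbox's own signature code and not part of this report; it runs those three checks over every PE member of a zip. The PE images and the archive are constructed in memory as fixtures, and the member names packed_stub.exe, plain.dll and db/data.bin are hypothetical. ACProtect detection is left out because it depends on entry-point byte patterns the report does not show.

```python
"""Static triage of the PE members of a zip: UPX section names, NSIS magic, Authenticode presence.

Added example; the PE images and the zip are constructed in memory and member names are hypothetical.
"""
import io
import struct
import zipfile

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index into the optional-header data directories
SECTION_HEADER_SIZE = 40
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"   # 0xDEADBEEF + "NullsoftInst" opens the NSIS first header


def parse_pe(data: bytes) -> tuple[list[str], tuple[int, int]]:
    """Return (section names, (rva, size) of the security directory)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories begin 96 bytes into a PE32 optional header, 112 into PE32+.
    dir_base = opt + (96 if magic == 0x10B else 112)
    secdir = struct.unpack_from("<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    table = opt + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names, secdir


def triage_pe(data: bytes) -> dict:
    """The three static1 findings, derived from the headers of one PE."""
    names, (sec_rva, sec_size) = parse_pe(data)
    return {
        "sections": names,
        # UPX keeps its section names unless the packer was told to rename them.
        "upx_packed": any(n.upper().startswith("UPX") for n in names),
        # An empty security directory means no WIN_CERTIFICATE blob at all, i.e. unsigned.
        # A non-empty one only proves a blob exists; validity needs chain verification.
        "unsigned": sec_rva == 0 or sec_size == 0,
        "nsis_installer": NSIS_MAGIC in data,
    }


def triage_zip(zip_bytes: bytes) -> dict[str, dict]:
    """Run triage_pe over every MZ-prefixed member of an in-memory zip."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            blob = zf.read(info)
            if blob[:2] == b"MZ":
                results[info.filename] = triage_pe(blob)
    return results


# ---- constructed fixtures (not real binaries) ----
def build_min_pe(section_names: list[str], signed: bool, overlay: bytes = b"") -> bytes:
    """Smallest PE32 layout the parser needs: DOS stub, COFF header, optional header, section table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                    # PE32 fields before the directories
    dirs = [(0, 0)] * 16
    if signed:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (0x1000, 0x800)     # placeholder certificate location
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections + overlay


def build_sample_zip() -> bytes:
    """Three hypothetical members: a UPX-packed unsigned NSIS stub, a signed plain DLL, a data file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("packed_stub.exe", build_min_pe(["UPX0", "UPX1", ".rsrc"], signed=False, overlay=NSIS_MAGIC))
        zf.writestr("plain.dll", build_min_pe([".text", ".rdata", ".reloc"], signed=True))
        zf.writestr("db/data.bin", b"constructed non-PE payload")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in triage_zip(build_sample_zip()).items():
        print(name, verdict)
```

A non-zero security directory only proves that a WIN_CERTIFICATE blob is attached; whether the signature verifies and chains to a trusted root has to be checked separately (signtool verify /pa, or Get-AuthenticodeSignature in PowerShell). UPX can be told to rename its sections, so an entropy check on the first executable section is the usual backstop when the names are missing.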

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241007-en

Max time kernel

209s

Max time network

280s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TaskScheduler.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TaskScheduler.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:54

Platform

win11-20241007-en

Max time kernel

89s

Max time network

206s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libclamav.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2620 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2620 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2620 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libclamav.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libclamav.dll,#1

Network

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241007-en

Max time kernel

89s

Max time network

201s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\log4net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\log4net.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:48

Platform

win11-20241007-en

Max time kernel

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\update_db.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\update_db.exe

"C:\Users\Admin\AppData\Local\Temp\update_db.exe"

Network

N/A

Files

memory/2436-0-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:54

Platform

win11-20241007-en

Max time kernel

84s

Max time network

203s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Core.dll,#1

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:54

Platform

win11-20241007-en

Max time kernel

85s

Max time network

203s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2816 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2816 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2816 wrote to memory of 1888 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1888 -ip 1888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 480

Network

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241007-en

Max time kernel

209s

Max time network

278s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\db\main.cld

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\db\main.cld

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:54

Platform

win11-20241007-en

Max time kernel

209s

Max time network

281s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\db\mirrors.dat

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\db\mirrors.dat

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241007-en

Max time kernel

90s

Max time network

205s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ioSpecial.ini

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ioSpecial.ini

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241007-en

Max time kernel

91s

Max time network

206s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CButtonLib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CButtonLib.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:54

Platform

win11-20241007-en

Max time kernel

208s

Max time network

289s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Interop.IWshRuntimeLibrary.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Interop.IWshRuntimeLibrary.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:54

Platform

win11-20241007-en

Max time kernel

85s

Max time network

203s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\db\AVStrikeDB.ldb

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\db\AVStrikeDB.ldb

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241007-en

Max time kernel

91s

Max time network

204s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\db\AVStrikeDB.ldb.bak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\db\AVStrikeDB.ldb.bak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241007-en

Max time kernel

208s

Max time network

278s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AccessControl.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
(2 rows, all fields N/A)

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3476 wrote to memory of 3452 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3476 wrote to memory of 3452 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3476 wrote to memory of 3452 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AccessControl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\AccessControl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3452 -ip 3452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 476

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files

memory/3452-0-0x0000000075640000-0x000000007564A000-memory.dmp

memory/3452-1-0x0000000075640000-0x000000007564A000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241007-en

Max time kernel

86s

Max time network

203s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 2508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2948 wrote to memory of 2508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2948 wrote to memory of 2508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2508 -ip 2508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 552

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241007-en

Max time kernel

143s

Max time network

278s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\AVStrike.exe.config

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\NodeSlot = "3" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = 00000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "2" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\OpenWith.exe N/A
Key created \Registry\User\S-1-5-21-556537508-2730415644-482548075-1000_Classes\NotificationData C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\NodeSlot = "4" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c0031000000000047591d67110050524f4752417e310000740009000400efbec552596147591d672e0000003f0000000000010000000000000000004a00000000008b4f6000500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
(identical row repeated 43 times in the original table: 43 SetWindowsHookEx events from OpenWith.exe, none with a description or indicator)

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\AVStrike.exe.config

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241007-en

Max time kernel

88s

Max time network

204s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\scandll.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1792 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1792 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1792 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\scandll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\scandll.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:54

Platform

win11-20241007-en

Max time kernel

91s

Max time network

207s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
N/A N/A C:\Program Files (x86)\AVStrike\AVStrike.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
(identical row repeated 8 times in the original table)
N/A N/A C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
(identical row repeated 34 times in the original table)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVStrike = "C:\\Program Files (x86)\\AVStrike\\AVStrike.exe" C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVStrike = "C:\\Program Files (x86)\\AVStrike\\AVStrike.exe" C:\Program Files (x86)\AVStrike\AVStrike.exe N/A

Checks installed software on the system

discovery

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\AVStrike\LumenWorks.Framework.IO.dll C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File created C:\Program Files (x86)\AVStrike\libclamavd.dll C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File created C:\Program Files (x86)\AVStrike\AVStrike.exe.config C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File created C:\Program Files (x86)\AVStrike\Interop.IWshRuntimeLibrary.dll C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File created C:\Program Files (x86)\AVStrike\KernelBase.dll C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File opened for modification C:\Program Files (x86)\AVStrike\Error-20241107.txt C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
File created C:\Program Files (x86)\AVStrike\db\daily.cld C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File opened for modification C:\Program Files (x86)\AVStrike\ExcludeFiles.txt C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
File created C:\Program Files (x86)\AVStrike\freshclam.conf C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
File created C:\Program Files (x86)\AVStrike\Error-20241107.txt C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
File created C:\Program Files (x86)\AVStrike\libclamav.dll C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File created C:\Program Files (x86)\AVStrike\db\AVStrikeDB.ldb C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File created C:\Program Files (x86)\AVStrike\log4net.dll C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File created C:\Program Files (x86)\AVStrike\db\AVStrikeDB.ldb.bak C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File created C:\Program Files (x86)\AVStrike\db\main.cld C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File created C:\Program Files (x86)\AVStrike\db\mirrors.dat C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File opened for modification C:\Program Files (x86)\AVStrike\AVStrike.AVStrike-journal C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
File created C:\Program Files (x86)\AVStrike\ExcludeFiles.txt C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
File created C:\Program Files (x86)\AVStrike\Common Tools.dll C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File created C:\Program Files (x86)\AVStrike\TaskScheduler.dll C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File opened for modification C:\Program Files (x86)\AVStrike\freshclam.conf C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
File created C:\Program Files (x86)\AVStrike\avstrike.avstrike C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
File opened for modification C:\Program Files (x86)\AVStrike\AVStrike.AVStrike C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
File created C:\Program Files (x86)\AVStrike\CButtonLib.dll C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File created C:\Program Files (x86)\AVStrike\db\bytecode.cld C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File created C:\Program Files (x86)\AVStrike\update_db.exe C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File created C:\Program Files (x86)\AVStrike\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File created C:\Program Files (x86)\AVStrike\ExcludeFolders.txt C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
File created C:\Program Files (x86)\AVStrike\Core.dll C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File created C:\Program Files (x86)\AVStrike\scandll.dll C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File opened for modification C:\Program Files (x86)\AVStrike\AVStrike.AVStrike C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
File created C:\Program Files (x86)\AVStrike\AVStrike.exe C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File created C:\Program Files (x86)\AVStrike\System.Data.SQLite.dll C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\AVStrike\AVStrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
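
Worked triage of the signature rows above, added by the editor; it is not part of the sandbox report or of the AVStrike software. SAMPLE_ROWS are copied verbatim from the behavioral1 tables (Run key, NLS\Language open, dropped files, SeDebugPrivilege) plus one rundll32 WriteProcessMemory row from behavioral30; the same System32-to-SysWOW64 rundll32 pair recurs in behavioral4, behavioral20 and behavioral17 below. The ATT&CK Enterprise v15 IDs are the editor's mapping, and the rule that a 64-bit rundll32.exe writing into a SysWOW64\rundll32.exe child is the normal WOW64 relaunch of a 32-bit DLL (and therefore not counted as injection) is the editor's assumption, not a sandbox verdict.

```python
"""Triage of flattened sandbox signature rows (editor's example, not vendor code)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed input: rows copied verbatim from the signature tables of this
# report (behavioral1, plus one rundll32 row from behavioral30).
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVStrike = "C:\\Program Files (x86)\\AVStrike\\AVStrike.exe" C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
File created C:\Program Files (x86)\AVStrike\scandll.dll C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File created C:\Program Files (x86)\AVStrike\AVStrike.exe C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe N/A
File opened for modification C:\Program Files (x86)\AVStrike\freshclam.conf C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
PID 1792 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Token: SeDebugPrivilege N/A C:\Program Files (x86)\AVStrike\AVStrike.exe N/A
""".strip().splitlines()

# Row shapes as they appear in the report: "<description> <process> <target>",
# space separated, with N/A for empty cells. Paths contain spaces, so each
# pattern anchors on the "C:\" that starts the next column.
RUN_KEY = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\USER\\\S+\\CurrentVersion\\Run\\(?P<name>\S+))'
                     r' = "(?P<value>[^"]*)" (?P<proc>C:\\.+?\.exe) N/A$')
KEY_OPEN = re.compile(r'^Key opened (?P<key>\\REGISTRY\\\S+) (?P<proc>C:\\.+?\.exe) N/A$')
FILE_OP = re.compile(r'^File (?P<op>created|opened for modification) (?P<path>C:\\.+?) (?P<proc>C:\\.+?\.exe) N/A$')
WPM = re.compile(r'^PID (?P<src_pid>\d+) wrote to memory of (?P<dst_pid>\d+) N/A (?P<src>C:\\.+?\.exe) (?P<dst>C:\\.+?\.exe)$')
TOKEN = re.compile(r'^Token: (?P<priv>\S+) N/A (?P<proc>C:\\.+?\.exe) N/A$')

# Editor's ATT&CK Enterprise v15 mapping for the row types handled here.
TECHNIQUES = {
    "run_key": "T1547.001",   # Registry Run Keys / Startup Folder
    "language": "T1614.001",  # System Language Discovery
    "injection": "T1055",     # Process Injection (real cross-process write)
}


def wow64_relaunch(src: str, dst: str) -> bool:
    """Editor's assumption: 64-bit rundll32 handing a 32-bit DLL to its
    SysWOW64 twin is normal WOW64 redirection, so the parent's write into
    that child is low signal and not counted as injection."""
    s, d = src.lower(), dst.lower()
    return s.endswith(r"\windows\system32\rundll32.exe") and d.endswith(r"\windows\syswow64\rundll32.exe")


@dataclass
class Summary:
    persistence: list = field(default_factory=list)      # (value name, target, writer)
    language_checks: list = field(default_factory=list)  # processes opening NLS\Language
    dropped: dict = field(default_factory=lambda: defaultdict(list))   # writer -> paths
    modified: dict = field(default_factory=lambda: defaultdict(list))  # writer -> paths
    memory_writes: list = field(default_factory=list)    # (src, dst, verdict)
    privileges: list = field(default_factory=list)       # (privilege, process)
    techniques: set = field(default_factory=set)
    unparsed: list = field(default_factory=list)


def summarize(rows):
    """Fold signature rows into a Summary; anything unrecognised is kept in .unparsed."""
    s = Summary()
    for row in (r.strip() for r in rows if r.strip()):
        if m := RUN_KEY.match(row):
            # The value is shown with escaped backslashes in the report; unescape it.
            s.persistence.append((m["name"], m["value"].replace("\\\\", "\\"), m["proc"]))
            s.techniques.add(TECHNIQUES["run_key"])
        elif m := KEY_OPEN.match(row):
            if m["key"].lower().endswith(r"\control\nls\language"):
                s.language_checks.append(m["proc"])
                s.techniques.add(TECHNIQUES["language"])
        elif m := FILE_OP.match(row):
            bucket = s.dropped if m["op"] == "created" else s.modified
            bucket[m["proc"]].append(m["path"])
        elif m := WPM.match(row):
            verdict = "wow64-relaunch" if wow64_relaunch(m["src"], m["dst"]) else "cross-process-write"
            if verdict == "cross-process-write":
                s.techniques.add(TECHNIQUES["injection"])
            s.memory_writes.append((m["src"], m["dst"], verdict))
        elif m := TOKEN.match(row):
            s.privileges.append((m["priv"], m["proc"]))
        else:
            s.unparsed.append(row)
    return s


def persistence_from_dropped(s: Summary):
    """(autostart target, writer) pairs where the Run-key target was itself
    created during the detonation: the installer stages its own autostart."""
    written = {p.lower(): w for w, paths in s.dropped.items() for p in paths}
    return [(t, written[t.lower()]) for _, t, _ in s.persistence if t.lower() in written]


if __name__ == "__main__":
    summary = summarize(SAMPLE_ROWS)
    print(sorted(summary.techniques), summary.memory_writes, persistence_from_dropped(summary))
```

persistence_from_dropped ties the two halves of the chain together: the Run key value written by AVStrike.exe points at a binary that the Temp installer itself created, which is what makes the persistence finding actionable (the autostart target is a dropped file, not something that was already on the host). Rows the patterns do not recognise land in .unparsed rather than being silently dropped, so a changed export format shows up immediately.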

Processes

C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe

"C:\Users\Admin\AppData\Local\Temp\3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe"

C:\Program Files (x86)\AVStrike\AVStrike.exe

"C:\Program Files (x86)\AVStrike\AVStrike.exe"

C:\Program Files (x86)\AVStrike\AVStrike.exe

"C:\Program Files (x86)\AVStrike\AVStrike.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\nsb9636.tmp\ioSpecial.ini

MD5 2c5e6778fbdc9dc5d05e6e20caff0a34
SHA1 dd3c6de1fd27a0297af4e7ac3e11936acff3b8a3
SHA256 8aa254d0092425741fb21c330281896bb34abcce45c7c1d7a096051f3add2f03
SHA512 3c68d15074fe12011f4c5c82142cc6cb736b7a1566599bc10d126748b3e20faef0fc852c6c93e43f969079f9af3865eed1e6f1da0be9f22c6c2442c204dc4bda

C:\Users\Admin\AppData\Local\Temp\nsb9636.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nsb9636.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\nsb9636.tmp\AccessControl.dll

MD5 9f1a88b953fd2a2c23b09703b253186c
SHA1 29d5a5a24e7f782a07e9f5d2ec1d1a6218fec737
SHA256 8a8f5bafc105186c85f14e017ab6da33ae8f88a9635e51756f90b6d95381d80d
SHA512 10b3a812c92b7324bddcd23adf923fcaec2532f31bdd9fbf17494fc33f99aa0a0a48b94f1fdd6599fa0189567626a90b324a1d132bf9cb8b00a6afc547e64018

C:\Users\Admin\AppData\Local\Temp\nsb9636.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

memory/2380-121-0x00000000745A0000-0x00000000745AA000-memory.dmp

C:\Program Files (x86)\AVStrike\AVStrike.exe

MD5 625ceb491ee54a693bfcf4ae7338bf3e
SHA1 e0eca9a959fc54c6adf8cb0fe168496ae1982916
SHA256 55eb603c027d50a86699391522ce35c3d03c67fa5820ee3755444bb927bb18cd
SHA512 1a8c8a0ba6653bf6988c851ca095b80113346ec5612f1f479977aa893eb4464a7bd76b9ef0fbd34ab3754ebd99b82688aa8a95645ba680569153cb23cc39ddad

memory/2380-138-0x00000000745A0000-0x00000000745AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsb9636.tmp\ioSpecial.ini

MD5 76598dcca68e7fe2aaa149c7b2ee92ab
SHA1 5b0622c9f1c32e27c8b05d5487b3c1747f482b24
SHA256 651218fef8108e8566e9bc9f1e717bff9bbe3d11cdaca53394b5e4b94283627a
SHA512 3e338e04824df10bee506da07d74ee1c936262e78bc11fe73dfc04c119bb8ade73095a815637614da72ea62fc74fcda6f112524982254d2610287efe1e7f76e3

memory/2380-258-0x00000000745A0000-0x00000000745AA000-memory.dmp

C:\Program Files (x86)\AVStrike\AVStrike.exe.config

MD5 b37ea027280a6ffcda20de4e5817750d
SHA1 ec522027d14006f1d621b939d3e1a56d72fe6011
SHA256 708bf566dde3dc21eac5f192186e5e419e0ae790dacb62c2b5e0f1739d54d6e1
SHA512 0002bde8cdb2cfc034a4f29a8d592e03cf8e7be1a3b7e733250dc6372b14d1132ff9713a9bd1483c11c6b1a15fd809427c46c8f11a7951b559a69527c51df1bf

memory/1696-259-0x0000000073461000-0x0000000073462000-memory.dmp

memory/1696-260-0x0000000073460000-0x0000000073A11000-memory.dmp

memory/1696-261-0x0000000073460000-0x0000000073A11000-memory.dmp

C:\Program Files (x86)\AVStrike\db\daily.cld

MD5 50fbd12738c2cb401afbbf803906dc08
SHA1 b0c86564fbc6812a0f123c2f39c44e77d430a0ae
SHA256 998b8a3f828c12f2d1b296b099180d345a4d537d8c5c5a7c9743bcda82d33ff4
SHA512 f52eb499f8f62240599c6aebf7a1d41455a60eb919846abe7f46f4856b604b5d5e458b2154f330255315e57ba982efef3aac83cc9e9972510346fdcbb8a9542f

C:\Program Files (x86)\AVStrike\CButtonLib.dll

MD5 7b3c2af71311af1d7c3ea7079853a9fc
SHA1 a031fb584c4b859b13d83d6d0874a2f204dbd6dd
SHA256 432e960a04e7e056acbebdadf1ccf436a92117d6021c4cc8a2384021f07a0688
SHA512 f51c58d9700766c30b7f7f60b88625eb77887a50c21dd28858d28075d35a984102d8c6fe78f28f6ae17da2a4454f81d8de9fe6a2763601da1f22a0bb2641e09b

memory/1696-268-0x0000000073460000-0x0000000073A11000-memory.dmp

memory/1696-269-0x0000000073460000-0x0000000073A11000-memory.dmp

memory/1696-270-0x0000000073460000-0x0000000073A11000-memory.dmp

C:\Program Files (x86)\AVStrike\System.Data.SQLite.dll

MD5 8943a2272551512a5d5a7b14bdd00642
SHA1 10765fa31727f8033910cde8c8f80f82967537d1
SHA256 b76a0c8295fe09f08aca6f5624a571741d0f7d5162935e8b403c221f51e5a29e
SHA512 1b454c33f195c499d913c136b9bc0afddabd85fd38186c3fa840759dcfe981802f254ea49ccad7e4b8f6363a6d7bf51608e2ade7b80ead93cc95f394ff9e605b

C:\Program Files (x86)\AVStrike\Common Tools.dll

MD5 9b2065ccce15d9980bac9b085f0048b1
SHA1 b6a980e5b336039d87f794e106074b4e6cecdd86
SHA256 18e0affb2d6fa5316bcfe7ffb5762ba37366d954c977e2f8b3a93d8b90169cbe
SHA512 ac745375d066806a8a7b13a1ae7cc15c24e916e5a9d5028f65a1454b076dca409b2c18abc15780eef65ff6e667519f743e817f7e9f5a4050f8bb42948aaf2956

C:\Program Files (x86)\AVStrike\Core.dll

MD5 132bbbab05d33d8b7a7659caf902d6e0
SHA1 22c29159eee0e9cf33c1a04c9113ce5b743b7081
SHA256 fa467404e0dfd9792c4fb41d5513f7d72fbbb7e099e6106fde95c842cd24325c
SHA512 30b6b22a51e17f8b734d5465c64d44e8e75605d536ff2f6f47b33cac74077cf820eda17d30389d2eb93d4e091cfb9969eee531d8e0b85c06656d3ba4800ccfdc

C:\Program Files (x86)\AVStrike\libclamav.dll

MD5 e5ca400a4579a0b6e943b0e165a479b2
SHA1 b651842e6e7b547fb9db5b34fea5b49a20718361
SHA256 2b54ff03ba3d151f11f27eb85c01eb2646657764d8d6b87647bf9ee2573566de
SHA512 c550ebc0b40710943c6a2f17626457b971d774d9e78f30b3117e221b4b9eedf1920b668c1c1ad095f7db2c7a313b587a7f746045f542024156110cfccf042a45

C:\Program Files (x86)\AVStrike\scandll.dll

MD5 95e4717876a51ab4ab47603f1dd854f1
SHA1 02367faeb8654ddacebb8cb559b08f9f87249b74
SHA256 594484c04962483d9ad0acb0e2fb97c8a3f19d29f80212fdcda817bca8ff5a58
SHA512 52873f570d733105a2c908874d3ec1468752d51edfa5354a0f4eec62e327dd6477d1870345598aec4418ae5cc4d36609eb81948c66f4892c94e54b698dcc2484

C:\Program Files (x86)\AVStrike\db\bytecode.cld

MD5 970952477c6285a57141506f4506a15a
SHA1 0bfd399f8a5b85defa569fe54f459165142ffdd9
SHA256 eba384089d1d33034e15f1014c4c8cfd45adf63c933b096d5d9beae3b772f568
SHA512 f4f3d3e9989d8647a1f0f0878fcf17fda27f3e2aad5f61f271348630eafe714f0962e36917729317e144ed0be590e78c277df9a064627209404aace6c9448fd7

C:\Program Files (x86)\AVStrike\db\AVStrikeDB.ldb

MD5 de898899ffb1e32309a60fd601ca76df
SHA1 7aef58f9512458a7a250f090dab0b61a6c283282
SHA256 7b1142ad26a4cbf5dba0d7fac584bcee73b03ba35de53bf865809646728c24fc
SHA512 555d32b6b7ea03e650d92f8737b7cbbd313fe8b7102328a4765134a0675e7af52498fc8fd0adba1c88d41e1f5ce511055089299ae83537bb207ff2b5a337fb6d

memory/1696-309-0x0000000073460000-0x0000000073A11000-memory.dmp

memory/500-313-0x0000000074DE0000-0x0000000075391000-memory.dmp

memory/500-312-0x0000000074DE0000-0x0000000075391000-memory.dmp

memory/500-311-0x0000000074DE1000-0x0000000074DE2000-memory.dmp

C:\Users\Admin\AppData\Local\AVStrike_LLC\AVStrike.exe_Url_tje5nlxlhq2l5smqmcjvg0fo0avsv0ve\0.0.0.6\user.config

MD5 41132e9c1e48e2ad7dfe4fa1052999a9
SHA1 83859909d3b8550ff4e8540013d6c24ecffacac6
SHA256 6ec18244e8867172ed48c49fe03b92f6d162e4002669e15aae5bde475ac85f35
SHA512 1456e0e75361a53dfdb606eeba60fad3ae61e1183256fe688cafb18475793035246b4eb4fe2673cfdc41299a634224e94df4fc3b967e068bbefe0228331e34a9

C:\Program Files (x86)\AVStrike\Error-20241107.txt

MD5 84a4b77bfca9e2ff634f57ce29140cdc
SHA1 5cbacdfd9f2429eec1793296676ea11fd779da2b
SHA256 30b4f35db8b7cd8c3b319579025fa655209f2d726d164fb6163d3e2469ac9e6e
SHA512 514c2edddc4d6eaec58533935433e41abfc3c862e25d6f8b092e7f88df33664ec356ae44f58da8bf254cb8aaefe5216fef41bad77b6e5dded360fd6e00ac9ff6

C:\Program Files (x86)\AVStrike\AVStrike.AVStrike

MD5 973b4ec79ca6a72ebad9a71c735b5a44
SHA1 6c382ed8eded79585e47640313e98fe9ab5cf689
SHA256 efa328c8db9e1397e085c86bd8c564ff1ef0653c4351b9a5eb1b92b9e69cf262
SHA512 3a4646ab5dd6e7858151a141225a73b5bd0316b1a0f8f943ab35f385acdc5c6dbc248941848edad507852c30eac9e4eac6d795ed82573cf8267d51724bf9cfe5

memory/500-345-0x0000000074DE0000-0x0000000075391000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241023-en

Max time kernel

204s

Max time network

281s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3384 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3384 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3384 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 460

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241007-en

Max time kernel

300s

Max time network

302s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4700 wrote to memory of 4536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4700 wrote to memory of 4536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4700 wrote to memory of 4536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4536 -ip 4536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 460

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241007-en

Max time kernel

209s

Max time network

278s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-header.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-header.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:54

Platform

win11-20241007-en

Max time kernel

89s

Max time network

207s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-wizard.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-wizard.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241007-en

Max time kernel

298s

Max time network

205s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AVStrike.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVStrike = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AVStrike.exe" C:\Users\Admin\AppData\Local\Temp\AVStrike.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AVStrike.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AVStrike.exe

"C:\Users\Admin\AppData\Local\Temp\AVStrike.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/1132-0-0x00000000750A1000-0x00000000750A2000-memory.dmp

memory/1132-1-0x00000000750A0000-0x0000000075651000-memory.dmp

memory/1132-2-0x00000000750A0000-0x0000000075651000-memory.dmp

memory/1132-3-0x00000000750A0000-0x0000000075651000-memory.dmp

memory/1132-4-0x00000000750A0000-0x0000000075651000-memory.dmp

memory/1132-5-0x00000000750A0000-0x0000000075651000-memory.dmp

memory/1132-22-0x0000000010570000-0x0000000010810000-memory.dmp

memory/1132-25-0x00000000750A0000-0x0000000075651000-memory.dmp

memory/1132-26-0x00000000750A0000-0x0000000075651000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241023-en

Max time kernel

85s

Max time network

207s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Common Tools.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Common Tools.dll",#1

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:54

Platform

win11-20241007-en

Max time kernel

210s

Max time network

281s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 5012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2176 wrote to memory of 5012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2176 wrote to memory of 5012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll,#1

Network

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241007-en

Max time kernel

209s

Max time network

285s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 36fa034cda60273c9741364387ad84e1
SHA1 a772b823b150b57826ab1ada00fbca4021d52499
SHA256 88e2b9e458da15730c4ea538127b2f7dea75e511e9418f458ab93c8a4b9b8a86
SHA512 8b8db29532b5193831e27fbd2d83b388678241209bf74b0e0448f53ecfc74a482fd7bd837d4a3a219ee446d5b4c6ae1c42dbfa861b9a6dab46a578f1fc18d9b4

C:\Users\Admin\AppData\Local\Temp\nsv8790.tmp\KillProc.dll

MD5 6c2b245e89428fb917a5805815a4054e
SHA1 5bcd987700dd761f02d2d1d024b8f20077985051
SHA256 0558bbdfe61eefb680e8560a7d4b174447a9516098f9cd8b4c84bf1552cee5c5
SHA512 ecb3fb77532d6ffa1ca08df05a6a86b18138356e63cb40edf68f97fc7fdf2e781a4ebeb1efdb9f13f947304312dd19ef5c4a78ddc60843f5f726cde69b2c57d4

memory/1452-12-0x00000000040A0000-0x00000000040B4000-memory.dmp

memory/1452-19-0x00000000040A0000-0x00000000040B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsv8790.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
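
behavioral19 runs Uninstall.exe, an NSIS-built uninstaller (the NSIS installer and UPX signatures fire on it). An NSIS uninstaller copies itself to %TEMP%\~nsu.tmp\Au_.exe, starts that copy with the `_?=<directory>` argument naming where the original uninstaller lives, and lets the copy do the actual work; the plug-ins the script calls are unpacked to a %TEMP%\ns????.tmp directory, which is where System.dll (the stock NSIS System plug-in) and KillProc.dll (a third-party process-killing plug-in) appear above under nsv8790.tmp. "Deletes itself" and "Executes dropped EXE" therefore describe the framework, not additional behaviour of the sample; what the uninstall script itself does still has to be read from the script. The Python below is an added example, not part of the report or of the sandbox; it encodes that idiom as checks over the process and file records above. The `update.exe` path in the drop list is constructed so the non-matching branch is exercised.

```python
"""Recognise the NSIS uninstaller idiom in behavioral19 (added example, not report output).

Records are copied from the report; the final dropped path is constructed so the
"unexplained" branch is exercised.
"""
import ntpath
import re

# %TEMP%\~nsu.tmp\Au_.exe: the uninstaller's self-copy.
SELF_COPY_RE = re.compile(r"\\~nsu\.tmp\\Au_\.exe$", re.IGNORECASE)
# %TEMP%\ns<5 alphanumerics>.tmp\<plugin>.dll: where NSIS unpacks plug-ins (nsv8790.tmp here).
PLUGIN_RE = re.compile(r"\\ns[a-z0-9]{5}\.tmp\\[^\\]+\.dll$", re.IGNORECASE)


def split_cmdline(cmdline):
    """Minimal Windows-style split: whitespace separates, double quotes group."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def _same_dir(a, b):
    """Compare two directory paths case-insensitively, ignoring a trailing backslash."""
    return ntpath.normcase(a.rstrip("\\")) == ntpath.normcase(b.rstrip("\\"))


def nsis_uninstaller_match(parent_image, child_image, child_cmdline):
    """Return the reasons a parent->child pair fits the NSIS uninstaller idiom; [] if it does not.

    All three must hold: the child is ~nsu.tmp\\Au_.exe, it was given an _?= argument,
    and that argument names the directory the parent (the original uninstaller) ran from.
    """
    if not SELF_COPY_RE.search(child_image):
        return []
    args = split_cmdline(child_cmdline)
    target = next((a[len("_?="):] for a in args[1:] if a.startswith("_?=")), None)
    if target is None or not _same_dir(target, ntpath.dirname(parent_image)):
        return []
    return [
        "child is ~nsu.tmp\\Au_.exe, the NSIS uninstaller self-copy",
        "child was started with the NSIS _?= argument",
        "_?= names the directory holding the original uninstaller",
    ]


def classify_drops(paths):
    """Label each dropped file as the NSIS self-copy, an NSIS plug-in, or unexplained."""
    labels = {}
    for p in paths:
        if SELF_COPY_RE.search(p):
            labels[p] = "nsis-self-copy"
        elif PLUGIN_RE.search(p):
            labels[p] = "nsis-plugin"
        else:
            labels[p] = "unexplained"
    return labels


# Process and file records copied from behavioral19.
PARENT = r"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
CHILD = r"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe"
CHILD_CMD = '"' + CHILD + '" _?=' + r"C:\Users\Admin\AppData\Local\Temp" + "\\"
DROPS = [
    CHILD,
    r"C:\Users\Admin\AppData\Local\Temp\nsv8790.tmp\KillProc.dll",
    r"C:\Users\Admin\AppData\Local\Temp\nsv8790.tmp\System.dll",
    r"C:\Users\Admin\AppData\Roaming\update.exe",  # constructed: not explained by NSIS
]

if __name__ == "__main__":
    for reason in nsis_uninstaller_match(PARENT, CHILD, CHILD_CMD):
        print("match:", reason)
    for path, label in classify_drops(DROPS).items():
        print(f"{label:15} {path}")
```

A drop that the classifier leaves "unexplained", or an Au_.exe whose `_?=` points somewhere other than the uninstaller's own directory, is the cue that something beyond the stock NSIS flow is happening.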

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241023-en

Max time kernel

207s

Max time network

282s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\db\daily.cld

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\db\daily.cld

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241007-en

Max time kernel

91s

Max time network

207s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\KernelBase.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3060 wrote to memory of 3112 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3060 wrote to memory of 3112 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3060 wrote to memory of 3112 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\KernelBase.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\KernelBase.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241007-en

Max time kernel

85s

Max time network

200s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LumenWorks.Framework.IO.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LumenWorks.Framework.IO.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:53

Platform

win11-20241007-en

Max time kernel

143s

Max time network

279s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\db\bytecode.cld

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\db\bytecode.cld

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

N/A
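
All DNS traffic recorded in the Network tables of this section (behavioral15, 16, 19, 23 and 24) consists of PTR queries sent to 8.8.8.8:53 for names under in-addr.arpa. A PTR name is an IPv4 address with its octets reversed, so these rows name no domain chosen by the sample; the guest OS itself commonly issues such reverse lookups, and on their own they are no evidence of sample-initiated resolution or of command and control. What a practitioner wants from them is the address behind each name, to correlate with any connection the sample actually makes. The Python below is an added example, not part of the report or of the sandbox; it parses the flattened rows, recovers the addresses and flags any forward lookup. The `update.example.invalid` row is constructed.

```python
"""Parse the Network rows of the detonations above (added example, not report output).

Rows are copied from behavioral15, 16, 19, 23 and 24; the last row is constructed
to show how a forward lookup would be reported alongside them.
"""
import ipaddress
import re

# "<Country> <ip>:<port> <name> <proto>" as flattened in the report's Network tables.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<name>\S+)\s+(?P<proto>tcp|udp)$"
)


def parse_network_row(row):
    """Parse one flattened Network row into a dict (port as int)."""
    m = ROW_RE.match(row.strip())
    if m is None:
        raise ValueError(f"unrecognised row: {row!r}")
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def ptr_target(name):
    """Return the IPv4 address a reverse-lookup name refers to, or None for a forward name.

    PTR names list the octets in reverse: 95.221.229.192.in-addr.arpa -> 192.229.221.95.
    """
    suffix = ".in-addr.arpa"
    n = name.rstrip(".")
    if not n.lower().endswith(suffix):
        return None
    octets = n[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None  # a zone or partial name, not a host PTR
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarise(rows):
    """Group rows into reverse lookups (name -> recovered IP), forward lookups, and resolvers used."""
    reverse, forward, resolvers = {}, [], set()
    for row in rows:
        rec = parse_network_row(row)
        resolvers.add(f"{rec['ip']}:{rec['port']}/{rec['proto']}")
        ip = ptr_target(rec["name"])
        if ip is None:
            forward.append(rec["name"])
        else:
            reverse[rec["name"]] = ip
    return {"reverse": reverse, "forward": forward, "resolvers": resolvers}


REPORT_ROWS = [
    "US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp",  # behavioral19
    "US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",   # behavioral24
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",          # behavioral15 and 23
    "US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp",    # behavioral16
]
CONSTRUCTED_ROW = "US 8.8.8.8:53 update.example.invalid udp"  # constructed forward lookup

if __name__ == "__main__":
    summary = summarise(REPORT_ROWS + [CONSTRUCTED_ROW])
    for name, ip in summary["reverse"].items():
        print(f"PTR {name} -> {ip}")
    print("forward lookups:", summary["forward"])
    print("resolvers:", sorted(summary["resolvers"]))
```

An empty `forward` list, as for the rows copied from this report, means the sandbox observed no name resolution the sample could have chosen; the recovered addresses are what to match against any TCP or UDP connections recorded in the same run.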

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-07 10:46

Reported

2024-11-07 10:54

Platform

win11-20241007-en

Max time kernel

85s

Max time network

205s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libclamavd.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5084 wrote to memory of 1316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5084 wrote to memory of 1316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5084 wrote to memory of 1316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libclamavd.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libclamavd.dll,#1

Network

N/A

Files

memory/1316-0-0x0000000010000000-0x000000001035B000-memory.dmp
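
The three detonations that load a DLL through rundll32.exe and then show a second rundll32.exe from SysWOW64 (behavioral15, 17 and 28) all carry "Suspicious use of WriteProcessMemory" with the System32 rundll32.exe as the writer and the SysWOW64 one as the target. That is the 64-bit rundll32.exe handing a 32-bit DLL to its 32-bit counterpart: it relaunches %SystemRoot%\SysWOW64\rundll32.exe with the identical command line, and the writes into the child are the startup parameters CreateProcess places there (three events per launch here). The memory dump above, from PID 1316 with a region starting at 0x10000000, the Microsoft linker's default image base for a DLL, is consistent with a 32-bit libclamavd.dll mapped in that child. Two caveats: the hand-off only establishes that the DLL is 32-bit, not what ordinal #1 does, and behavioral15 loads a file named KernelBase.dll from Temp, a name that collides with a Windows system DLL and deserves a look in the static analysis. The Python below is an added example, not part of the report or of the sandbox; it parses the flattened rows and separates the expected hand-off from writes into any other process. The `injector.exe` row is constructed.

```python
"""Triage of "Suspicious use of WriteProcessMemory" rows (added example, not report output).

Input rows are copied from behavioral28; the injector.exe -> explorer.exe row is
constructed to exercise the branch that needs an analyst's attention.
"""
import re
from collections import namedtuple

Write = namedtuple("Write", "src_pid dst_pid src_image dst_image")

# "PID <src> wrote to memory of <dst> N/A <process> <target>" as flattened in the report.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+(?P<src_img>\S+)\s+(?P<dst_img>\S+)$"
)


def parse_write_rows(rows):
    """Parse the flattened signature rows into Write records (duplicates kept)."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        parsed.append(Write(int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return parsed


def normalise_cmd(cmd):
    """Case-fold and drop quoting and repeated spaces so identical launches compare equal."""
    return " ".join(cmd.replace('"', "").split()).lower()


def is_wow64_rundll32_handoff(write, cmdlines):
    """True when a 64-bit rundll32.exe relaunched the 32-bit one with the same arguments.

    cmdlines maps image path -> command line, as listed under Processes. The parent
    writes the child's startup parameters during CreateProcess, which the sandbox
    logs as WriteProcessMemory; by itself that is process creation, not injection.
    """
    src, dst = write.src_image.lower(), write.dst_image.lower()
    if not (src.endswith("\\system32\\rundll32.exe") and dst.endswith("\\syswow64\\rundll32.exe")):
        return False
    src_cmd, dst_cmd = cmdlines.get(write.src_image), cmdlines.get(write.dst_image)
    return bool(src_cmd and dst_cmd and normalise_cmd(src_cmd) == normalise_cmd(dst_cmd))


def triage(rows, cmdlines):
    """Collapse repeated events and split them into expected hand-offs and writes to review."""
    expected, review = 0, []
    for w in sorted(set(parse_write_rows(rows))):
        if is_wow64_rundll32_handoff(w, cmdlines):
            expected += 1
        else:
            review.append(w)
    return {"expected": expected, "review": review}


# Rows copied from behavioral28: three WriteProcessMemory events for one CreateProcess.
B28_ROWS = [
    r"PID 5084 wrote to memory of 1316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
] * 3
B28_CMDLINES = {
    r"C:\Windows\system32\rundll32.exe": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\libclamavd.dll,#1",
    r"C:\Windows\SysWOW64\rundll32.exe": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\libclamavd.dll,#1",
}
# Constructed row: a write from a dropped binary into explorer.exe does not fit the hand-off.
CONSTRUCTED_ROWS = B28_ROWS + [
    r"PID 4242 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\injector.exe C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    print(triage(B28_ROWS, B28_CMDLINES))
    print(triage(CONSTRUCTED_ROWS, B28_CMDLINES))
```

The command-line comparison matters: a System32 rundll32.exe writing into a SysWOW64 rundll32.exe that was started with different arguments is not the WoW64 hand-off and stays in the review list.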