Malware Analysis Report

2024-11-13 18:06

Sample ID 241110-aq38asvkdx
Target bf388f9182f816e19fb683e7f719fac66f294028c24e2b536273d7d355e51277N
SHA256 bf388f9182f816e19fb683e7f719fac66f294028c24e2b536273d7d355e51277
Tags
discovery evasion trojan bootkit persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

bf388f9182f816e19fb683e7f719fac66f294028c24e2b536273d7d355e51277

Threat Level: Shows suspicious behavior

The file bf388f9182f816e19fb683e7f719fac66f294028c24e2b536273d7d355e51277N was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion trojan bootkit persistence

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Unsigned PE

Enumerates physical storage devices

Program crash

Browser Information Discovery

System Location Discovery: System Language Discovery

NSIS installer

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 00:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 00:25

Reported

2024-11-10 00:27

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf388f9182f816e19fb683e7f719fac66f294028c24e2b536273d7d355e51277N.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bf388f9182f816e19fb683e7f719fac66f294028c24e2b536273d7d355e51277N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bf388f9182f816e19fb683e7f719fac66f294028c24e2b536273d7d355e51277N.exe

"C:\Users\Admin\AppData\Local\Temp\bf388f9182f816e19fb683e7f719fac66f294028c24e2b536273d7d355e51277N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsy76B8.tmp\System.dll

MD5 7d85b1f619a3023cc693a88f040826d2
SHA1 09f5d32f8143e7e0d9270430708db1b9fc8871a8
SHA256 dc198967b0fb2bc7aaab0886a700c7f4d8cb346c4f9d48b9b220487b0dfe8a18
SHA512 5465804c56d6251bf369609e1b44207b717228a8ac36c7992470b9daf4a231256c0ce95e0b027c4164e62d9656742a56e2b51e9347c8b17ab51ff40f32928c85

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-10 00:25

Reported

2024-11-10 00:27

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1624 wrote to memory of 1052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1624 wrote to memory of 1052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1624 wrote to memory of 1052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1052 -ip 1052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-10 00:25

Reported

2024-11-10 00:27

Platform

win7-20240903-en

Max time kernel

15s

Max time network

16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 224

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-10 00:25

Reported

2024-11-10 00:27

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ast.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 3140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1924 wrote to memory of 3140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1924 wrote to memory of 3140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ast.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ast.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-10 00:25

Reported

2024-11-10 00:27

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\home.url

Signatures

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\System32\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000bf76d3a8a668a406e7f39c9f911e7011e6f8b4bf6a058fe783232e18fa993985000000000e8000000002000020000000a68b9bb389017b47b1504a4e49d47e40deb4090ba2f07eb2bf4a5df5e4f6103a900000006da190027dabb8fe61fc582f29dd788fc47c865c0107475775562277a46ada8a27cd8bfa845ad6bdacb280272ed3a1f28d203afcccaaf810cb890c352295b9ed8364db80c8009e6acd00df8a9126d35d54565dc45195c73b695708a40478a151efbb497c73b2ffccabfef3763abcc877c0009abb32dc748c6fcaee488ba8435c88efa9b26e9ff8fb80b2b4e3e4bd902f40000000769496fcd2e9444a9d48850051011c0e43c72aa5b13551c6e478416f8bd3e65147fa40c4d25f745aad2809134b7a9de6a955161b4702428a4aad6976dd03b88c C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10ba8a2f0733db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437360222" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d9070000000002000000000010660000000100002000000072a0f2e7887bdb3dd3689f43dedc80524b8b1473bb1a98d73476dd5838b045af000000000e80000000020000200000003bc36957ae909a556db6d7e468fc16ef8d7dd7b69e4a63ac21b617ba02efaec920000000e5aa8fd2e0c5a73004dfa22784955410dd3f82aaa18864f640947adfdfb70a3040000000ae4f48660072965b58aa2b0e3a8a97cdb3bba95eb680e591e2f7cdf082840ee7e052d016de31fae895646c39aa615e00ea515053c4930d4cc849d6c9a1e97ddc C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{599B18E1-9EFA-11EF-8BDE-523A95B0E536} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\home.url

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.passcape.com udp
RU 77.222.40.132:80 www.passcape.com tcp
RU 77.222.40.132:80 www.passcape.com tcp
RU 77.222.40.132:443 www.passcape.com tcp
RU 77.222.40.132:443 www.passcape.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2904-0-0x0000000001DB0000-0x0000000001DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab7216.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar7229.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

MD5 9a239ba2f64e59d0da0f28247fd84107
SHA1 2fc5b5be02c97daf7c863b7a16cf4741762314c1
SHA256 0bf5e902dedace12828c0711c933758875fa79801721eac450b54fcb81bb5537
SHA512 25d45daccf347d16a6e71bd69083ce4d31bec305b4e2e5d1c0035a4818d4e6f9120c207a17d89077dbf202255d0d7e827b09944d2fdd1e167ee8e2a6f0def0aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

MD5 c5dfb849ca051355ee2dba1ac33eb028
SHA1 d69b561148f01c77c54578c10926df5b856976ad
SHA256 cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b
SHA512 88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ab9d3a95a98094058a5fdd2703c8f2c
SHA1 ea1a566c68d3f4ed4b7d4971bbd4c770839b8346
SHA256 2f1d4e2e51b3e9c8ad98b5402b06e40955a2335a18d75726d33fde24e8b82ee3
SHA512 bb23202594decc15b092b1c66d5535e3c3faa317a527f4e97bb7a51edc2e0e041fee659ec98a8eb9a2d89d6a5e76c854f7f33267cb21a05f66603c50dcfb8914

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b8516987a109f6e6558c0aea342175d1
SHA1 746e00914da33279d35378495c3ac8f3bd7e7024
SHA256 4941b9db8901338b63c0e8a7830bacde1b07a8b0dc04f54aeebcd92a741eda6c
SHA512 6ea3ec64466e085f4b0aa31abfc45ae96f4378a6af7e3955757d74402c85598319ae3d4ec0496da9741232c613f9f050ab441ece5db0ebc6b4a03077146c1a4e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 daa8faaf9bd23ff2be3389170167e1b8
SHA1 528ec306ab11c335284f2ff787d5ff3027fb86d9
SHA256 3ddd3b57610fb20f283742b64c44deecd2bacd7dc8f150707b2475bf6846e814
SHA512 f07826d61ee9e3e1cc0566aa4d2adfbcdc27dd7e39946bbb7d8e877e218ce4970919faffbdc2605b0d88872d00c61448de1766d72c3c4e6f99e1e3a9678c061b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea175207a1cf05cf2f001005fa6d7dde
SHA1 1238804d45422cafb5784cd0963e437d699466bc
SHA256 8e44ac7e7882101f3300e476eeb80a2760a45ec40ad1650a991608bc3c963186
SHA512 a75725375ba1cafc8ef32d2f1509d8b3638be373a70d32fa80eaee5efafa56f05bc1cd87c3bad7c5d3deee086fcf0552a8b39c3e747695a9f0805838b20b9090

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5bfca28138d9b188f185d82ce95c5da0
SHA1 09af608e91a13be2d375323a4807d693cd616125
SHA256 9527b67d7799738bca013418eb61edc3f1298eb1286bb5472d065f23272fcdcd
SHA512 09742e9c55a27638547acbbf2289c6a2f9e6f1617a76e2bc341efca54840eecc0d2f8675bbeb4931eb58f041a84f6a19c30366009cb4e7cf84be62c722eb0594

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d765be4562cca7cd17a8bd7c269e6e25
SHA1 8cbf4c844619ee3e306cd53582fde6fe2e156aaa
SHA256 0ff919120f8d4ab387540cf374976f11991ba021350815579acba50896f4764c
SHA512 b4a580ace20fb339cd1f7060ac042e906e522e38a8bb7e9ed00d2758e2d79cd7d80f4abfd727a6c772989e4ebe5d285f2b34c4bcf78dc20acd7fecbb4b74d5d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5c52609649cb8e8e0e1ef1faba4ded2
SHA1 230cc37d8a64315365e8e28d3b5d8cca94fc3584
SHA256 b76917c136617ab5070694a76bfac91ff5f650245b2e38dd5a932d9ab4cf5833
SHA512 418b6480dca7a910afd61b0e9cc046e6c534fbd87c623b6a3503d493c58cb213e7f42536eef08b6ae79383dfae35e4480f5b77ee6f217ce60f5507992ac05c90

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b0154defa43af52545b1c8b45e89f80
SHA1 f49f5086f61e9b5619342fcac7833a5cf9d25356
SHA256 5b2b631fa53782145fc58761f51522e07a655c79da1500d1324f6c456ec5200d
SHA512 9d046dc7831bb02c982243a1d4434a6dd54fb5e6ac550b00b6240e118321f5bc2de3228afb7eca53a59d8c1d5fba763e93c9d4a546e0af36d2bf8f8faf328453

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b000ad5149d3b4442f5463184bf88ed9
SHA1 1a6a4a5a504064bf689a97b56feaa2ce8547550e
SHA256 a2046c50900d83861802fb194131ecc4b803ae6d01842f969a6614abc3f99f18
SHA512 3b55f9764735eba81a070baee34476e69a61c3fc37896be625f8c53ff808ad7feb8fc48fd2f51a603a08ffef97a529ed6daef463d720a86c30c6ede8f20f12e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5971e0e35f61f402aedcd3b977149eb3
SHA1 dd15b3f217979fa1318916aa47759059e90f3afe
SHA256 1ad097619af771a4b3ad24cea242b5721c590e050ea2e9f735c518610d3ce879
SHA512 3ac572be45916dfd87a952b2aefde1e2084ff0189f3a322b9e2367be03941a58dfe416a3b978ea22bd0bb9e713dd570620fdc847fc3519ba99a65c742270f51e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e62df3a129f2f8baed32f2a38a8b767b
SHA1 563aa326d006cabb41a8281b634222a7d30a7740
SHA256 51cc159f9efc10b057fc7018dbd0b0086e93c368e5bfc1e909e170ffa1369cdc
SHA512 7ee20c693f6702dc5a79c4cc47f27d107dbdbeb500bd56a953592b06c061d94f46b74b834b8b90bf269291802402a44e8cbf4f96ae55b7effc5ddae7ecc25088

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5775eecc8f0694df0ef65bc922dadee2
SHA1 3d6bf6fd97ac34148a25d8c0ee1a6f0bd7764d07
SHA256 8b9148a92497cf43c62e28a3a59c28e41d3b8ccd1834ea85bb30728d72cf6ece
SHA512 edc37bc993c0fa30d6b762359b7067f536ad16b881faeeb5f60c530ab12e88d0052ce31fccdf4599c8d7eb2726dbeb576e18c488b5f3c5b6f0fcc61586d82668

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eef1fb8c906bfaf3fdf1b5903006faa3
SHA1 7e23f55cb271d71c2e8a70b13301b37ed29fafa5
SHA256 8c709fd048afe8f738a2d2ebc73c5e36673833b13dc42460597a4891ed1b1f84
SHA512 75c3d6a82e8ddd662474f8fc5513580f44249dd96cf6b558f469f53f9b0e45708d4020f21883d6d2944507dbd4edfa2102734b6aa7ac6d4bfd3b27e4bfd1e7b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26b1f35c8b176b74c4857649a4023715
SHA1 deb4bad278e37d2b5eba2daf7c03902f70e548ff
SHA256 0f2b5e0ccecf96d78e8e2918f7d1bdbfea3c4ba3f15675fb2dcde4b77fb7d3d4
SHA512 4905e204574a2dd3b3f17a9b911596da4b8a8bde747ad9ef7275903fab2930aa7a4daf8208e854fb0d905a5a3cd2616242987b344d11191f535ff8c200b25795

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2215a24c038daef611a451f026ff6036
SHA1 8f67cc1c9c3ab9f99113a2d6e07f45fc79dd2c10
SHA256 efd914ea6d47877b35c5e2270d1983a2f37bfa6644eed9a419bfd903adcaca3f
SHA512 4442de79a4cfe4ee314d937e66207215918f51b2bc0eb2f865a34c80790ce1adc5dff0e722aa3435111592529d94472dc9c28381536d4bef251ec909f6a6920a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a048bd21904d5f60fa67f6c70cf8177
SHA1 3311137d0fd12ae7370e6d32c5315bd9a0f6680e
SHA256 8b73ee324922bee31805f3e5dc515de71c500dd8febcedb519156467cf926c99
SHA512 52084f2f6e0f367c04687aee8f6dfd556bf99a5dc14c3d621cc9bfaf63eb9d28b91ef2fa96fe6792a07e2cfd6036d5ad5e69226085b0c47dc63bca6a241a7ae6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11bed70bef7953642ef0acf193a08f7f
SHA1 f9ee515acb5f481001f22b37ebf86133d905ed8a
SHA256 af43d396611ccb7c7d327f8bdba3f53a0ef6620ef563152c4596a97a3c18444b
SHA512 f1edb6460ca6f908f45e628132564c21918ec1bba40b90f4be55ed35068626c1905176ef7f5fc79a1a66332a779ae83e786a1202d0d3edbc461c98dc574e6f23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f08b649fbf49564290a2a4f816d355a
SHA1 69b9c30cb51f5f657b1fb47d43530cc197fc4c88
SHA256 889bc05df9b01c4cbbf778fdc5c4c5cf06c09fd95034cdc37fb912007899d667
SHA512 d41345b26be8fe88a4d59ea5bfb764c9d9939fc655662fa1e421941ec8a9f77cc4c631a192a796cc0989abf93463fa5cdc5a29a6d141c6a332ce7479361c9601

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b098d673c595f48888143f46e4d02305
SHA1 8aa701f397a25498d901ba9d5136885e6236130f
SHA256 c4e88d8fb9ee6fb1fff0c84ca577d39d568c5114c6f1252c2101fcdfeb5c3b3a
SHA512 54ac590567e2ab58f5a3bbf3b0e24a7f40dcdb7130e433b5af88a4455f2183a8ef0d4ece25ce8d58e93ab7001cf1c6ba79bfad5762239baeb0788064aa97e2c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f259cd9460a149a99d78d1fa4c7aa738
SHA1 5cb8de2df561da80505c3c45d0442290f3e733f0
SHA256 52abf8a60a86fbf004db66fc6e394e6e80d344d9bfb795d16378d8076c9f914d
SHA512 4ddf73f1ecb46439efe1155cd00752d5d73d9777b7c43b1e31d1bbec94e117bef0ed1d801b678b1de5588983067e743d591c19ee9d119798313be64136a13560

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-10 00:25

Reported

2024-11-10 00:28

Platform

win10v2004-20241007-en

Max time kernel

112s

Max time network

106s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\home.url

Signatures

Browser Information Discovery

discovery

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4428 wrote to memory of 1896 N/A C:\Windows\System32\rundll32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 1896 N/A C:\Windows\System32\rundll32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 4440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 4440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3924 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3924 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 3972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\home.url

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.passcape.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe6db846f8,0x7ffe6db84708,0x7ffe6db84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,10250112627528035086,904168376335093075,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,10250112627528035086,904168376335093075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,10250112627528035086,904168376335093075,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10250112627528035086,904168376335093075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10250112627528035086,904168376335093075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10250112627528035086,904168376335093075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,10250112627528035086,904168376335093075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,10250112627528035086,904168376335093075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10250112627528035086,904168376335093075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10250112627528035086,904168376335093075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10250112627528035086,904168376335093075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10250112627528035086,904168376335093075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.passcape.com udp
RU 77.222.40.132:80 www.passcape.com tcp
RU 77.222.40.132:80 www.passcape.com tcp
RU 77.222.40.132:443 www.passcape.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 132.40.222.77.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 443a627d539ca4eab732bad0cbe7332b
SHA1 86b18b906a1acd2a22f4b2c78ac3564c394a9569
SHA256 1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9
SHA512 923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

\??\pipe\LOCAL\crashpad_1896_KTWPYMAUUVYZFDCW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 99afa4934d1e3c56bbce114b356e8a99
SHA1 3f0e7a1a28d9d9c06b6663df5d83a65c84d52581
SHA256 08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8
SHA512 76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6b4b97e2237c16860b8f04ba19a6d5ae
SHA1 fe5e688a8f4dff9b6f0e3068eb33eb6351ecf930
SHA256 a576037c1db963b41074aea500d6113d94828b9c065fa00dd93f586b7acc1d5e
SHA512 30996ca1c60fef5f20082140fa581e7a2c23273d150cb3f20b7959a0001c047870a9ea32d50e12ae16070632317206a60df62b3d121aa7c44e9b11b179c1e8ae

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1939ee652ae949d7e25b04aa7e13bfdb
SHA1 3789b8469c4e2e05a47278b3db4f63a5f9e1eceb
SHA256 4c6c40b1b529312fd1e10db62075a3c670fc7c8999ca683c302cca1788b3a77d
SHA512 a3388c4004bfd43238f51197ab929c610df9c46d8f2ac2d7a4c11e42536fb435d6a986379965ef8abfc084418a2ca8ff82c023a41c32a72c384d8453129f638a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 747af6448246c00eab095f0c82441e97
SHA1 5e800f31273952ee22e9594c99ac3a2b70a5fc69
SHA256 601e70e253ab8fd1fdd020a16d933f1a4c59bebe48f525dd9b733b420803a295
SHA512 7e8319475ca01e6609bae6a1b9f01013784946084b405023a17bc522b5040994069c83a79758b4245da42faba2db00fcb6a92c5f56dde891160e69adeb8be4e5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 13b26dfed782934eea385a3a83226ee5
SHA1 9c0504a0cbaeee4aa62e0f9ffe521721d3ab5f42
SHA256 e39136d7132664ae62eec286fb674fa8204bfc700827048c1e4f04f2a20b2b20
SHA512 d6b9b8e160b194567d071cd77fd3186d328a77d010952acbfaae6dcc673445090503c5007f9ccdb7423f887c7f78da81afb97aa4a0f87e061478e0704b80d78a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 eca489a2ed001141d7018b7865f91cb8
SHA1 dc916c5e34663413e6ad643c06cab82cc5e7718e
SHA256 24ca81f022c5a7ca5f5eacb4f4a4ce481c358e2bd9b20571273e6d76f88f895b
SHA512 d45cfb3dfd149c5c793c75ba35b9ca4ab48780a1dad4c0002f0199eecb280f04118098a32c1a503ab63c505a8fc44d55501c62b539cce0f18b29e62dcfb91556

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-10 00:25

Reported

2024-11-10 00:27

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3820 wrote to memory of 3204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3820 wrote to memory of 3204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3820 wrote to memory of 3204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3204 -ip 3204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-10 00:25

Reported

2024-11-10 00:27

Platform

win7-20240903-en

Max time kernel

116s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Uninstall.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 4d781f6e8dfedee3cf2bda540655a70d
SHA1 5aef00094b15790491f22da963070841dfddec5b
SHA256 2781156cc6ceb1ab85ec1243cba9d5bb1d71ce385b5ea33c353fb29a57587327
SHA512 ce75a3631ba8dac98e57badc6d8c04b2a7fe8a16fc081a4b686fcde80314bac9bd2e698989bf3e25ff45b8b1d646514379b0033b88d236cf4ce384cf1a2387bb

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-10 00:25

Reported

2024-11-10 00:27

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Uninstall.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 4d781f6e8dfedee3cf2bda540655a70d
SHA1 5aef00094b15790491f22da963070841dfddec5b
SHA256 2781156cc6ceb1ab85ec1243cba9d5bb1d71ce385b5ea33c353fb29a57587327
SHA512 ce75a3631ba8dac98e57badc6d8c04b2a7fe8a16fc081a4b686fcde80314bac9bd2e698989bf3e25ff45b8b1d646514379b0033b88d236cf4ce384cf1a2387bb

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-10 00:25

Reported

2024-11-10 00:27

Platform

win7-20240708-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\popr.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\popr.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\popr.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\popr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\popr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\popr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\popr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\popr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\popr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\popr.exe

"C:\Users\Admin\AppData\Local\Temp\popr.exe"

Network

N/A

Files

memory/2960-1-0x00000000003C0000-0x00000000003F0000-memory.dmp

memory/2960-0-0x0000000000400000-0x0000000000547000-memory.dmp

memory/2960-50-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

memory/2960-49-0x0000000002A80000-0x0000000002A81000-memory.dmp

memory/2960-51-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

memory/2960-62-0x00000000021F0000-0x00000000021F1000-memory.dmp

memory/2960-61-0x00000000021E0000-0x00000000021E1000-memory.dmp

memory/2960-60-0x0000000001E40000-0x0000000001E41000-memory.dmp

memory/2960-59-0x0000000002190000-0x0000000002191000-memory.dmp

memory/2960-58-0x0000000002180000-0x0000000002181000-memory.dmp

memory/2960-63-0x0000000001E80000-0x0000000001E81000-memory.dmp

memory/2960-57-0x0000000000780000-0x0000000000781000-memory.dmp

memory/2960-56-0x0000000002B10000-0x0000000002B11000-memory.dmp

memory/2960-55-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

memory/2960-54-0x0000000002B00000-0x0000000002B01000-memory.dmp

memory/2960-53-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

memory/2960-52-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

memory/2960-35-0x0000000002A70000-0x0000000002A71000-memory.dmp

memory/2960-34-0x0000000002A50000-0x0000000002A51000-memory.dmp

memory/2960-33-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/2960-32-0x0000000002A40000-0x0000000002A41000-memory.dmp

memory/2960-31-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/2960-30-0x00000000029F0000-0x00000000029F1000-memory.dmp

memory/2960-29-0x00000000029D0000-0x00000000029D1000-memory.dmp

memory/2960-28-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/2960-27-0x0000000002990000-0x0000000002991000-memory.dmp

memory/2960-26-0x00000000027E0000-0x00000000027E1000-memory.dmp

memory/2960-25-0x0000000002980000-0x0000000002981000-memory.dmp

memory/2960-24-0x00000000027C0000-0x00000000027C1000-memory.dmp

memory/2960-23-0x00000000027A0000-0x00000000027A1000-memory.dmp

memory/2960-22-0x0000000002780000-0x0000000002781000-memory.dmp

memory/2960-21-0x0000000002790000-0x0000000002791000-memory.dmp

memory/2960-20-0x0000000002760000-0x0000000002761000-memory.dmp

memory/2960-19-0x0000000002770000-0x0000000002771000-memory.dmp

memory/2960-18-0x0000000002740000-0x0000000002741000-memory.dmp

memory/2960-17-0x0000000002720000-0x0000000002721000-memory.dmp

memory/2960-16-0x0000000002730000-0x0000000002731000-memory.dmp

memory/2960-15-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2960-14-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2960-13-0x00000000001F0000-0x00000000001F5000-memory.dmp

memory/2960-12-0x0000000002690000-0x0000000002692000-memory.dmp

memory/2960-11-0x00000000025D0000-0x00000000025D2000-memory.dmp

memory/2960-10-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/2960-8-0x0000000002230000-0x0000000002231000-memory.dmp

memory/2960-7-0x0000000002200000-0x0000000002201000-memory.dmp

memory/2960-6-0x00000000021D0000-0x00000000021D1000-memory.dmp

memory/2960-5-0x00000000021A0000-0x00000000021A1000-memory.dmp

memory/2960-4-0x0000000002170000-0x0000000002172000-memory.dmp

memory/2960-3-0x0000000002140000-0x0000000002141000-memory.dmp

memory/2960-2-0x0000000000280000-0x0000000000286000-memory.dmp

memory/2960-48-0x0000000002A60000-0x0000000002A61000-memory.dmp

memory/2960-47-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/2960-46-0x0000000002A00000-0x0000000002A01000-memory.dmp

memory/2960-45-0x00000000029E0000-0x00000000029E1000-memory.dmp

memory/2960-44-0x00000000029C0000-0x00000000029C1000-memory.dmp

memory/2960-43-0x00000000029A0000-0x00000000029A1000-memory.dmp

memory/2960-42-0x00000000027D0000-0x00000000027D1000-memory.dmp

memory/2960-41-0x00000000027B0000-0x00000000027B1000-memory.dmp

memory/2960-40-0x0000000002750000-0x0000000002751000-memory.dmp

memory/2960-39-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2960-38-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2960-37-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

memory/2960-36-0x0000000002A90000-0x0000000002A91000-memory.dmp

memory/2960-9-0x0000000002570000-0x0000000002571000-memory.dmp

memory/2960-64-0x0000000000400000-0x0000000000547000-memory.dmp

memory/2960-65-0x00000000003C0000-0x00000000003F0000-memory.dmp

memory/2960-66-0x0000000000400000-0x0000000000547000-memory.dmp

memory/2960-67-0x0000000000400000-0x0000000000547000-memory.dmp

memory/2960-68-0x0000000000400000-0x0000000000547000-memory.dmp

memory/2960-69-0x0000000000400000-0x0000000000547000-memory.dmp

memory/2960-70-0x0000000000400000-0x0000000000547000-memory.dmp

memory/2960-71-0x0000000000400000-0x0000000000547000-memory.dmp

memory/2960-72-0x0000000000400000-0x0000000000547000-memory.dmp

memory/2960-73-0x0000000000400000-0x0000000000547000-memory.dmp

memory/2960-74-0x0000000000400000-0x0000000000547000-memory.dmp

memory/2960-75-0x0000000000400000-0x0000000000547000-memory.dmp

memory/2960-76-0x0000000000400000-0x0000000000547000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-10 00:25

Reported

2024-11-10 00:28

Platform

win7-20241010-en

Max time kernel

71s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 228

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-10 00:25

Reported

2024-11-10 00:27

Platform

win7-20240903-en

Max time kernel

110s

Max time network

16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ast.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2076 wrote to memory of 2712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 2712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ast.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ast.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-10 00:25

Reported

2024-11-10 00:28

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\popr.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\popr.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\popr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\popr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\popr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\popr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\popr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\popr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\popr.exe

"C:\Users\Admin\AppData\Local\Temp\popr.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/4100-0-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-1-0x0000000000504000-0x0000000000505000-memory.dmp

memory/4100-2-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-3-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-4-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-5-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-6-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-8-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-9-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-7-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-11-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-12-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-10-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-13-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-14-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-15-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-16-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-17-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-18-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-19-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-20-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-21-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-22-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-23-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-24-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-25-0x0000000000504000-0x0000000000505000-memory.dmp

memory/4100-26-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-27-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-28-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-29-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-30-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-31-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-32-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-33-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-34-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-35-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-36-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-37-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-38-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-39-0x0000000000400000-0x0000000000547000-memory.dmp

memory/4100-40-0x0000000000400000-0x0000000000547000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 00:25

Reported

2024-11-10 00:27

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf388f9182f816e19fb683e7f719fac66f294028c24e2b536273d7d355e51277N.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bf388f9182f816e19fb683e7f719fac66f294028c24e2b536273d7d355e51277N.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf388f9182f816e19fb683e7f719fac66f294028c24e2b536273d7d355e51277N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bf388f9182f816e19fb683e7f719fac66f294028c24e2b536273d7d355e51277N.exe

"C:\Users\Admin\AppData\Local\Temp\bf388f9182f816e19fb683e7f719fac66f294028c24e2b536273d7d355e51277N.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsd789B.tmp\System.dll

MD5 7d85b1f619a3023cc693a88f040826d2
SHA1 09f5d32f8143e7e0d9270430708db1b9fc8871a8
SHA256 dc198967b0fb2bc7aaab0886a700c7f4d8cb346c4f9d48b9b220487b0dfe8a18
SHA512 5465804c56d6251bf369609e1b44207b717228a8ac36c7992470b9daf4a231256c0ce95e0b027c4164e62d9656742a56e2b51e9347c8b17ab51ff40f32928c85

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-10 00:25

Reported

2024-11-10 00:27

Platform

win7-20240903-en

Max time kernel

16s

Max time network

16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 244

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-10 00:25

Reported

2024-11-10 00:27

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 440 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1704 wrote to memory of 440 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1704 wrote to memory of 440 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 440 -ip 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-10 00:25

Reported

2024-11-10 00:27

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\popr.chm

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\hh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\popr.chm

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-10 00:25

Reported

2024-11-10 00:27

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

97s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\popr.chm

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\popr.chm

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A