Malware Analysis Report

2025-01-02 07:17

Sample ID: 241129-czfvgavrcj
Target: ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118
SHA256: adacc03ecf3c2a0196c96067db10114b80f7ca106ffdcd849f05bb859641d1dd
Tags: discovery persistence privilege_escalation upx privateloader
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK: Enterprise Matrix V15

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral18, behavioral32, behavioral6, behavioral8, behavioral13, behavioral15, behavioral3, behavioral7, behavioral27, behavioral1, behavioral10, behavioral21, behavioral26, behavioral12, behavioral19, behavioral25, behavioral2, behavioral4, behavioral31, behavioral22, behavioral23, behavioral28, behavioral29, behavioral5, behavioral16, behavioral17, behavioral20, behavioral24, behavioral30, behavioral9, behavioral11, behavioral14 (each: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: adacc03ecf3c2a0196c96067db10114b80f7ca106ffdcd849f05bb859641d1dd

Threat Level: Known bad

The file ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery persistence privilege_escalation upx privateloader

Privateloader family

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Network Share Discovery

Checks installed software on the system

UPX packed file

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

System Location Discovery: System Language Discovery

NSIS installer

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies registry class

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-29 02:31

Signatures

Privateloader family

privateloader

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (35 matches, no further detail recorded)

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A (4 matches, no further detail recorded)

Analysis: behavioral18

Detonation Overview

Submitted: 2024-11-29 02:30
Reported: 2024-11-29 02:33
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1796 wrote to memory of 1596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1796 wrote to memory of 1596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1796 wrote to memory of 1596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1596 -ip 1596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted: 2024-11-29 02:30
Reported: 2024-11-29 02:33
Platform: win10v2004-20241007-en
Max time kernel: 94s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe"

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CAD4875-0AB6-4178-9E77-7EFB04692A19}\ = "PotPlayerMini_Play" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CAD4875-0AB6-4178-9E77-7EFB04692A19}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2985A0EF-30E2-4b31-B3B8-8ABA20E3BF97}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DEBA2A8-DF1C-40a5-BED4-29F118F80771}\ = "PotPlayerLive_Enqueue" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CAD4875-0AB6-4178-9E77-7EFB04692A19} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DEBA2A8-DF1C-40a5-BED4-29F118F80771}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6712D17C-CEB6-4886-9641-427AF3D488B7} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6712D17C-CEB6-4886-9641-427AF3D488B7}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D56E1AC5-92D0-4b2a-A8B2-D3E164F540DD} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D56E1AC5-92D0-4b2a-A8B2-D3E164F540DD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FFE7772-0EE7-40f4-B7D6-3A44BCF0C42A}\ = "PotPlayerLive_Play" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FFE7772-0EE7-40f4-B7D6-3A44BCF0C42A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CAD4875-0AB6-4178-9E77-7EFB04692A19}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2985A0EF-30E2-4b31-B3B8-8ABA20E3BF97} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2985A0EF-30E2-4b31-B3B8-8ABA20E3BF97}\ = "PotPlayerMCE_Play" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2985A0EF-30E2-4b31-B3B8-8ABA20E3BF97}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DEBA2A8-DF1C-40a5-BED4-29F118F80771} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FFE7772-0EE7-40f4-B7D6-3A44BCF0C42A} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FFE7772-0EE7-40f4-B7D6-3A44BCF0C42A}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DEBA2A8-DF1C-40a5-BED4-29F118F80771}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6712D17C-CEB6-4886-9641-427AF3D488B7}\ = "PotPlayerMini_Enqueue" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6712D17C-CEB6-4886-9641-427AF3D488B7}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D56E1AC5-92D0-4b2a-A8B2-D3E164F540DD}\ = "PotPlayerMCE_Enqueue" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D56E1AC5-92D0-4b2a-A8B2-D3E164F540DD}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe

"C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-11-29 02:30
Reported: 2024-11-29 02:33
Platform: win10v2004-20241007-en
Max time kernel: 94s
Max time network: 139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4924 wrote to memory of 3604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4924 wrote to memory of 3604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4924 wrote to memory of 3604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3604 -ip 3604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted: 2024-11-29 02:30
Reported: 2024-11-29 02:33
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LockedList.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 3256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 3256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 3256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LockedList.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LockedList.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3256 -ip 3256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

memory/3256-0-0x0000000074B60000-0x0000000074B70000-memory.dmp

memory/3256-1-0x0000000074B60000-0x0000000074B70000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted: 2024-11-29 02:30
Reported: 2024-11-29 02:33
Platform: win7-20240903-en
Max time kernel: 121s
Max time network: 124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\newadvsplash.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 2516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2392 wrote to memory of 2516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2392 wrote to memory of 2516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2392 wrote to memory of 2516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2392 wrote to memory of 2516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2392 wrote to memory of 2516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2392 wrote to memory of 2516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\newadvsplash.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\newadvsplash.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted: 2024-11-29 02:30
Reported: 2024-11-29 02:33
Platform: win7-20240903-en
Max time kernel: 122s
Max time network: 127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 244

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-29 02:30
Reported: 2024-11-29 02:33
Platform: win7-20240903-en
Max time kernel: 121s
Max time network: 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\HwInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\HwInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\HwInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 244

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted: 2024-11-29 02:30
Reported: 2024-11-29 02:33
Platform: win7-20241023-en
Max time kernel: 121s
Max time network: 125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LockedList.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LockedList.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LockedList.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 224

Network

N/A

Files

memory/1584-2-0x0000000074960000-0x0000000074970000-memory.dmp

memory/1584-3-0x00000000748C0000-0x00000000748D0000-memory.dmp

memory/1584-1-0x00000000748C0000-0x00000000748D0000-memory.dmp

memory/1584-0-0x0000000074960000-0x0000000074970000-memory.dmp

memory/1584-4-0x00000000748C0000-0x00000000748D0000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted: 2024-11-29 02:30
Reported: 2024-11-29 02:33
Platform: win7-20240903-en
Max time kernel: 118s
Max time network: 124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATextOut64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATextOut64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-29 02:30
Reported: 2024-11-29 02:33
Platform: win7-20241010-en
Max time kernel: 106s
Max time network: 113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Network Share Discovery

discovery

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DAUM\PotPlayer\DesktopHook64.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\3D SBS to 2D.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Deinterlace (blend).txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Levels2.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\SharpenComplex (jim ro).txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\YV12 Chroma Upsampling.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\BT601BT709.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Levels.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\NightVision.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Spotlight.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\EdgeSharpen v1_1.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\AviSynth\FastTrueMotionNoGPU.avs C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\GameCaptureHook.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\AviSynth\AviSynth.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\DesktopHook.exe C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\History.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\ffcodec64.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Remap_16_235.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\ATextOut64.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\MP3Lame64.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Skins\default.dsf C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Skins\original_en.dsf C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\LogManager.exe C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\bass_ape.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\3D SBS RedCyan.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Contour.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Emboss.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Skins\SkinSupport.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\GameCaptureHook64.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\3D OAU RedCyan.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\EdgeSharpen v1_1(jim ro).txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Sharpen_3x3.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\DesktopHook.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\AviSynth\TrueMotion2NoGPU.avs C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\bass_mpc.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Logos\PotPlayer.png C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Invert.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Sharpen.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\AviSynth\FasterTrueMotion.avs C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\3D OAU to 2D.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Letterbox.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\SharpenComplex2.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\bass.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\DaumCrashHandler64.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Wave.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Skins\BlackBox3_en.dsf C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Urllist\TV.asx C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\DTDrop64.exe C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\AviSynth\TrueMotionNoGPU.avs C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Skins\BlackBox2_en.dsf C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\QuickSync64.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\3D OAU GreenMagenta.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Denoise.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\AviSynth\TrueMotion.avs C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\AviSynth\TrueMotion2.avs C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Sphere.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\AviSynth\OverlayText.avs C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Alarm.wav C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\AviSynth\ColorBars.avs C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\AviSynth\FastestTrueMotion.avs C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\License.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Loading.swf C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\GrayScale.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1494B531-ADFA-11EF-8121-F6D98E36DBEF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439009377" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.recaptcha.net\ = "21" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\recaptcha.net\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000e8eb77ecf8f9b8c9d656bdfbe6785688109686019b9a3cc09e6bf526b9248427000000000e8000000002000020000000e7b113fdb38cd122519a573e2bb1aed5918395b2d857c7905f35db50cedb7683900000001c5093d932acf9cdb4092fe4fb9cd7bad507a3c216ff14db19840c60b6a5393b1d3274b62ad3634dcf48f4ba36bf9971c0737a25bb9f889a258f00f949eadaa48d78ad263faa15d770382956c9e4bd19fb92695b1880f62eb276bab15c5df3c694f2376d2aad76ad3658bcf43fb850064105d72e962c162547bd0f82346439a023a8d248ea13a150db72fddfc60c3e9b40000000003f3bbad8f2e9487c03dfd70a196c64336d1b13de76f6bd5ed3c3b9e94f3e081fa47ac3d47a30a7efac2ad8b5e00d1497992eaa67364d994b6104ea40c51aae C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\recaptcha.net C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.recaptcha.net C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40af65ee0642db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\recaptcha.net\Total = "21" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000008985e85530f07f5d75ab435d10721f27a1a203a617c661cf812314e66304da4000000000e8000000002000020000000d2618e101fea86645193200f2f0618e5adf03e24d3301c07752505b33880b16120000000d77af2a2c239d3e77c604ab2ee1add841c8396944a0f8ead85a6ae3a479c084c40000000f5d3d72d102ff9d6427c5110cebc750d9a3a85ba5dc5fef8eb46dd0cd293311568a5bf29950af3bbbde4684522ffc246b318acda39f6cb06843b08c082c1e759 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
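Every row in the "Modifies Internet Explorer settings" table above is performed by iexplore.exe or IEXPLORE.EXE, the browser this run shows being started with the dvbsupport.net URL, while the sample binary itself only opens the NLS\Language and CentralProcessor keys. Before accepting the "adware spyware" tag, it is worth splitting the rows by originating process. The script below is an added triage example, not part of the sandbox report: it parses rows in the "Description Indicator Process Target" layout used here and reports which process mutated what. The row set is a constructed subset copied from the tables above, and the regex assumes the Target column is always N/A, as it is in every row of this section.

```python
import re
from collections import defaultdict

# Constructed subset of the signature rows above (sample binary plus the two IE processes).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe"
ROWS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40af65ee0642db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
"""

ROW_RE = re.compile(
    r"^(?P<action>Key opened|Key created|Key value queried|Set value \((?:int|str|data)\))\s+"
    r"(?P<key>\\REGISTRY\\.+?)"                      # registry path; may contain spaces
    r'(?:\s+=\s+(?P<value>"[^"]*"|\S+))?'            # optional "= value"
    r"\s+(?P<process>[A-Za-z]:\\.+?)\s+(?P<target>N/A)$"  # Target is N/A in every row here
)


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed row: " + line)
        rows.append(m.groupdict())
    return rows


def by_process(rows):
    """Group rows by the process that performed the registry operation."""
    grouped = defaultdict(list)
    for r in rows:
        grouped[r["process"].lower()].append(r)
    return grouped


def writes_by(rows, process):
    """Only mutations (create/set) count as modification; open/query are reads."""
    return [r for r in rows
            if r["process"].lower() == process.lower()
            and r["action"] not in ("Key opened", "Key value queried")]


def sample_modifies_ie_settings(rows, sample_exe):
    return any("\\internet explorer\\" in r["key"].lower() for r in writes_by(rows, sample_exe))


def summarize(rows):
    """process -> {action: count}; the view to hold against the signature's tag."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in rows:
        summary[r["process"].lower()][r["action"]] += 1
    return {p: dict(a) for p, a in summary.items()}


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    print("sample modifies IE settings:", sample_modifies_ie_settings(rows, SAMPLE))
    for proc, actions in summarize(rows).items():
        print(proc, actions)
```

On the rows above the sample binary has no writes at all; the IE housekeeping keys (Window_Placement, DOMStorage, Recovery) are what the browser writes on any first launch, so the signature is attributable to IE rather than to the dropper.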

Processes

C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.dvbsupport.net/download/index.php?act=view&id=134

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1584 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.146:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.dvbsupport.net udp
NL 145.14.151.112:80 www.dvbsupport.net tcp
NL 145.14.151.112:80 www.dvbsupport.net tcp
NL 145.14.151.112:443 www.dvbsupport.net tcp
US 8.8.8.8:53 www.recaptcha.net udp
GB 142.250.200.3:443 www.recaptcha.net tcp
GB 142.250.200.3:443 www.recaptcha.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.200.3:80 o.pki.goog tcp
NL 145.14.151.112:443 www.dvbsupport.net tcp
NL 145.14.151.112:443 www.dvbsupport.net tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 142.250.200.3:80 o.pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
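Most of the destinations in the table above are not the sample's own traffic: crl.microsoft.com, c.pki.goog and o.pki.goog are CRL/OCSP fetches made by crypt32 while validating certificate chains, and ieonline.microsoft.com is IE's own service. Only www.dvbsupport.net is named in a process command line in this run. The script below is an added triage example, not part of the sandbox report: it parses rows in the "Country Destination Domain Proto" layout, ties domains to hosts that appear in process command lines, and separates OS background traffic so the endpoints left for blocking or further review are the ones that matter. The rows are a constructed subset of the table above plus one PTR lookup copied from the behavioral10 run; the OS_BACKGROUND list is an analyst-maintained assumption, not something the report states.

```python
import re
from collections import defaultdict

# Constructed subset of the Network table above plus one in-addr.arpa row from behavioral10.
NETWORK = """
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.146:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.dvbsupport.net udp
NL 145.14.151.112:80 www.dvbsupport.net tcp
NL 145.14.151.112:443 www.dvbsupport.net tcp
US 8.8.8.8:53 www.recaptcha.net udp
GB 142.250.200.3:443 www.recaptcha.net tcp
GB 142.250.200.3:80 c.pki.goog tcp
GB 142.250.200.3:80 o.pki.goog tcp
GB 172.217.16.228:443 www.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
"""

# Command lines from the Processes section; a URL in one of them ties its host to the sample.
CMDLINES = [
    r'"C:\Program Files\Internet Explorer\iexplore.exe" http://www.dvbsupport.net/download/index.php?act=view&id=134',
]

# Analyst-maintained list (assumption): hosts Windows and IE contact on their own
# (CRL/OCSP/certificate fetches, IE online services). Tune per environment.
OS_BACKGROUND = ("crl.microsoft.com", "www.microsoft.com", "ieonline.microsoft.com", "pki.goog")

ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")
URL_HOST_RE = re.compile(r'https?://([^/\s"]+)', re.I)


def hosts_from_cmdlines(cmdlines):
    return {m.group(1).lower() for c in cmdlines for m in URL_HOST_RE.finditer(c)}


def _under(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def classify(domain, cmdline_hosts):
    d = domain.lower()
    if d.endswith(".in-addr.arpa"):
        return "ptr-lookup"        # reverse lookups done by the OS, not sample C2
    if _under(d, cmdline_hosts):
        return "sample-driven"     # named in a process command line of this run
    if _under(d, OS_BACKGROUND):
        return "os-background"
    return "unattributed"          # manual review: page content, third-party scripts, or C2


def triage(text, cmdlines):
    hosts = hosts_from_cmdlines(cmdlines)
    domains, endpoints = defaultdict(set), defaultdict(set)
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed row: " + line)
        r = m.groupdict()
        cat = classify(r["domain"], hosts)
        domains[cat].add(r["domain"].lower())
        if not (r["proto"] == "udp" and r["port"] == "53"):   # the resolver is not a destination of interest
            endpoints[cat].add(f'{r["ip"]}:{r["port"]}')
    return ({k: sorted(v) for k, v in domains.items()},
            {k: sorted(v) for k, v in endpoints.items()})


if __name__ == "__main__":
    doms, eps = triage(NETWORK, CMDLINES)
    for cat in doms:
        print(cat, doms[cat], eps.get(cat, []))
```

The two domains left as unattributed here, www.recaptcha.net and www.google.com, are consistent with the cached recaptcha__en[1].js and the DOMStorage\www.recaptcha.net keys written by the IE tab process in this same run, which points at content embedded in the dvbsupport.net page rather than at the sample itself; that is the kind of conclusion the classifier leaves to the analyst instead of guessing.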

Files

\Users\Admin\AppData\Local\Temp\nse787C.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nse787C.tmp\newadvsplash.dll

MD5 7ee14dff57fb6e6c644b318d16768f4c
SHA1 9a5d5b31ab56ab01e9b0bd76c51b8b4605a8ccce
SHA256 53377d0710f551182edbab4150935425948535d11b92bf08a1c2dcf989723bd7
SHA512 0565ff2bdbdf044c5f90bd45475d478b48cdbd5e19569976291b1bdd703e61355410c65f29f2c9213faf56251beb16d342c8625288dad6afc670717b9636d51f

\Users\Admin\AppData\Local\Temp\nse787C.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

memory/2344-31-0x00000000746B0000-0x00000000746C0000-memory.dmp

\Users\Admin\AppData\Local\Temp\nse787C.tmp\LockedList.dll

MD5 c159258782ae42dd593e1dc23fd9a403
SHA1 7acc527c7fa826ae9bc316402d222dd6ed6dd2da
SHA256 32764f8901f0e953a0386331ece0a33706173de25a8cdf5752dcc5ccb425244e
SHA512 7b7184e23aa4451b0c24638c475d2ae093f488ed253fc677be186da5fb71b28475bc90337357dc18d85a41fc70e681926a294374aa7018d1df05e6248a77bba9

\Program Files\DAUM\PotPlayer\Uninstall.exe

MD5 eb15023c28b97e58ae8625ab59b5e3d4
SHA1 bb5793f63ebdd0e1f4a4253cde3b3941bffae814
SHA256 2ce78c6cbc93e0e2724ef96ff44badae8fcffcc337b2a8198c89436485b3bbd0
SHA512 1fc879a19a62f72aaee73f5961592bbb356ce156e64bd32c8fdfa280c9ad6f91b1a94cd459acf9addea6751822206a10f4c475e7aab9e554d9f4d19bbfeb2a0d

\Users\Admin\AppData\Local\Temp\nse787C.tmp\ShellLink.dll

MD5 aad75be0bdd1f1bac758b521c9f1d022
SHA1 5d444b8432c8834f5b5cd29225101856cebb8ecf
SHA256 d1d1642f3e70386af125ec32f41734896427811770d617729d8d5ebdf18f8aa7
SHA512 4c6e155cdf62cc8b65f3d0699c73c9032accefaa0f51e8b9a5c2f340ec8c6f5fab0ea02aad0abed476b3537292ba22d898589812850968e105ac83680d2f87d0

\Users\Admin\AppData\Local\Temp\nse787C.tmp\HwInfo.dll

MD5 44e5c77cae3ae434d1e4e619bdb1c39b
SHA1 9988f020eac45207d148668227b6819a38bdafa0
SHA256 326c406116026019a41c94b2e6b4c1061154f3bc9a395638063dae349f8a7579
SHA512 c3e40499d1296bebd2b1a770d9cd1f025859963a0f6dff002eb336f069f057ac4b3d2f5819232af6d2802ba1a3770f62440136030eb37355fa6f5b6ee0bc0470

memory/2344-150-0x0000000003770000-0x0000000003783000-memory.dmp

\Users\Admin\AppData\Local\Temp\nse787C.tmp\textreplace.dll

MD5 72d1177bad86f4df8eaee2a8afe50e6f
SHA1 c36019dfa2ff5c90c9da31c89dfcda08f93df68d
SHA256 c058f4439617bdb2019c90abd9920070a23f751b9349051d0744280cd5d9c5d7
SHA512 e0e764fcafa833f94ad2d5ae2a407f3e35bd27efa078625d5a2c9372ea28d7889c4b339e457d6fd7c3c90475b2d1603142a8c46a23f59b5784478860b06ee1b3

\Users\Admin\AppData\Local\Temp\nse787C.tmp\LangDLL.dll

MD5 9384f4007c492d4fa040924f31c00166
SHA1 aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe

MD5 9fa9e7b64e33fb31ea96b793448d24bb
SHA1 731b07c086357f0fc02fd98c3e65e9b036d520b0
SHA256 4c5f62b915a9078b4b60c5f204f4bb9092b30295ac88abe70ff3bf653e195d20
SHA512 0654108bbecacc822c2274eb1b25ddb80f76327a311d6ccfef0ea2e01cef9263401c10dab0167f565fdb986651f19690873daa9da3b846c64c3e1228cfdceea9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52725f969ebc9cbfe4ba264ac71b9077
SHA1 7bb350f32a22f5c4bc44aedfac2d499a7b456757
SHA256 02962fd0f12a6b727b64ed63cd52e1af8fb7277dc8907785615cb8773389e2f5
SHA512 100dba08d3028ba65375fc398eb32a75a36887633943e3640bf3b02cbd0bd8aa84b6240682bf3514632ccf36a8d19c6cc41c8258b0973be6f5335cc0bd07cbe6

C:\Users\Admin\AppData\Local\Temp\CabCCD.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\recaptcha__en[1].js

MD5 81697e6cdd98e37117d7bddcecf07576
SHA1 0ea9efeb29efc158cd175bb05b72c8516dbaa965
SHA256 73dd640564004ec8730e7f3433b9dfaa6876ac3a27e6964a17834f07f6d56116
SHA512 fc29d4a1fd39a7c78b7f57b221596acee9b805a133ce2d6ff4bc497a7b3584ab10e3d4ffde30c86884f1abeac7d521598ebda6e0b01fc92525986c98250fa3f8

C:\Users\Admin\AppData\Local\Temp\nse787C.tmp\modern-wizard.bmp

MD5 8b49c446f03367d2e8d827ab88be6d32
SHA1 7bb10907c59ea930b6565f3286a7a83ae1967329
SHA256 d6051a16fcd597e4b54fb2e4f22df9e8efff33f88b486251dfe69957f7c514e0
SHA512 26a7ac652e111003cc1fd3baad9c13b593cffcb2db008d3ccb7c2800cf7341126f76e175419477d15d6575dfbd758cddc8df669573fcbb8a6025ac2459226558

C:\Users\Admin\AppData\Local\Temp\Tar3F64.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 61dd5ede391e365fe20fc4e15e598730
SHA1 ea6032e382b3094ae4aa8a83dcbf15c3bad5bb6b
SHA256 ee91a3615d1e1821b2434cb904b02814b830742543a0e4b7c888484cfce2cbad
SHA512 2814bd9dc9c0da3a6783d8882d325918c2d2aefb9b8956ff8390a79f38278a1035ff1b6dd9f49c748fab18a4b2870a412c035cee5c21d8ade1fb427aa47708a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 87eeba9b017e682351ac9842d66ffa6e
SHA1 e26c071712f44924bc646908e8479caa52032791
SHA256 d52e6bb010230cb83eacaff1a4b97d1fe182919230b3f12a575fcbcc3879a32b
SHA512 bf4df638d6452d04f15af152431fe4c272671635a268264e122dec8b90b7eb25227c5167b918cd5d2a8921fb8a0b75fb0d5730159fb6b07c7ce18d7c801c0a6f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7bac7f04c2470b059f158203cc90961b
SHA1 5a09eb21560e8daa6c335702ede9440ec18ce140
SHA256 8800da658a7f2f387039f8a6abf5af7814301be7a4a7c24fcb94b3737dfea6a5
SHA512 72f2e01b0801b1850e7895cd2786997211fbde0686261a77e8bbd5198b71e7a93b15bb9810dc983abff64a05dadff85e6af55fe034cc5814d8ab94cb2732cf4e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d17b4c571664750a5dd9240341f92ff
SHA1 c1d4eb383ed25b3b122ef7eeb17d1b8bf027cd2a
SHA256 67ba2cd06847808bc48bba02eca844df29534cd0ab1c90955e8e1c2af8d323a2
SHA512 5c4d5dc4656f62dca62dd8348562122cc6eae5637dfc8140f650d836ad8a9c03b64db8fb24e88f1ea425a1bceb321dd1bec84e0627c40de769871e75a76061c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5bc9afbdfab74e69bd8dbf8832b1a236
SHA1 b632a2289dd37a311e2a011163acd3018bc88787
SHA256 87174edbfa0fa96024ea7ef6a8887edd5f604ae698f292e7b2f79b811ffa61e1
SHA512 c70053852cd8c9cac5d1b2788ba2365f5cfb3ca2ebb0b3ab42191e45e43315031a63010b2a94fe5fb34b9d703d2a178809e0737c7bb079ba6bb005dd4d884144

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\styles__ltr[1].css

MD5 c8bc74b65a8a31d4c7af2526b0c75a62
SHA1 dd1524ca86eb241b31724a9614285a2845880604
SHA256 3b457e0acfb1d231461936c78086c9ea63de3397cbb019c4fe0182a645d67717
SHA512 4d7214ac44475cb4d9d848d71caee30a3872cab3957fbb26a0aca13db1933cda1e9799938ba1460581483123dd6f81c3193bbc80989cba7e555f308c212841ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65fe53e1473fd7ccfe62d4456aa74082
SHA1 3dbc4347a6c744b529833d189fd3dacc6b81bb24
SHA256 6ed99ad33638cdb79feb0d2a0ba8abb2d87a1734563aa32d2cdfbb8e84fc201e
SHA512 5ced25197b881d7d163c85a87d614735655940f660f72e08fb7e3f8d52efa2de785e7d6659fe25128d07468b953ba1c5a6d98cc48630c33c763d0b1c144aab65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa6861b31091b068f48a7a090ebf3380
SHA1 b1b75847173245b5b2efdb23ccc600022fa8e455
SHA256 4f50bb7ddd5fbbded15253306047732ec5e8d28353651b22b12d1c4b54ece869
SHA512 123d4b18a7eb1ec4d55b6f62e383ad2728d13450497e47572ff9cb0a10c87413ac131d9da44ac48d91f65c540fd44b4c77d122764ccf388df0375db5a5dd989a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a0934551cab1115130547639a62fb91
SHA1 fd6bf94244a5c949e1af138ec1bf274656076921
SHA256 857ac0addd9cb95deecdd21da06cad3253699b81bde20a1c2811333f5cbdeb46
SHA512 06409d1ce7b70832ee23472f2d50c33a5692bb16ab5748123158abcafb88dfeaba8e2a7dc6850dc46e4fa9d577e2f6748bd22caea708e2cfbf1e51e78a72d7db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 36190849a8976250fb51ad9cb8519f39
SHA1 f3a7133439c488cc6632041223c5e895f23db7a9
SHA256 ce055fc5e0a45b48ebc02cf50bb89f099bb1de941be88022dfd01a4b0519657b
SHA512 eb9c0ca26efe1e01d5310d37acc01784453c923f98b6d46643dfbe2255167368a4455810135657810059876d06c2e1e4f4c6694f5fd96b8d5e0441de9192e0bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 67e4f3a915fbf006b4aa54dfe05fbed3
SHA1 25e9316e3e95d5236582dc3166db4c8159fe9d0d
SHA256 02686eebb5653988fec599b66ee76781d99cf9115680a4cc4adef082850ed09f
SHA512 2061eecba2be0560816ba259b679221a73773d73b5ada9fd64e481435f5b7f8a8773d5d0d73bfde5f2a6c68b8d26bdbf81e58ca334f4dce58ea08554348eaa0d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7fa8d00d2929cb6342ea970c20d9636a
SHA1 34682813efedb2d184bdf57928ff662ca7b840c7
SHA256 a1b72e8e2be109b7a5537495378bdfb9d8315c22c05045c23d0a643568e1fb9d
SHA512 114dd2008b1fee14800793b7467c08b27b90dca15155a3e7e42c0e5149eac6f5eb5c1a58be9ebb5f03fa3c678aced0edd869d38df5d7f15b75a5d46a985a29a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 c80d62702a1d709fe32dcc02c29f00ba
SHA1 d0a8f37a613850afe561879ccf40350c8cf272de
SHA256 844f612809e49c8a5506927bdad3343a6a2bdc4795a6a91b9ba2b54d68a549c3
SHA512 c91ed7314475c9b3315f31aab7f44e0e1bbf34acd4c14ca78e907962f60f7b7c4c7f5bfc369d024716280e1044fc2fecf1813459cff27406358b8adeb55fdbb1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b69db084bb8c3d6de2ab09536f92cd2c
SHA1 833ac8df32d13e825616d30cdc989a8ad632249d
SHA256 29588b90423f5abb2eb1bdab327c1c8456affadcaa5955af17b4a09a343c63f3
SHA512 c752b114ab02deeed7cdf90ecac74161d5ba40af8c307dcbd70a4c499850680ed2dd876c640191ae6d06bc5ac875c31f2083d7c27f770983bfc7d36226ffcab1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f3b7046ca5457eb6958f9a06c0ee338b
SHA1 15e8c7c2c8668b264402756b9a5ae82df162c321
SHA256 d23edb29ca4ccd77f7b1cdcdb9d2b510f5458f7a481d09b1b99bb40667de54c3
SHA512 3068849efde8b647915827b3d7b9f82b6da1b5f71f5a61d07641b5a1695da7e66e55a2e99de0bd404893bcbc29086d69bdbe83397615ef760f511b4974970044

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b76b07b95d5cd61abaa2e18d9ae3c29f
SHA1 dfafa9ec2672165128303c2c520bae7db9905cbd
SHA256 26a862c9b7fc5c21fe08e419c2fc019aac558da97742607b3cbe228443b20e5c
SHA512 9d2857ebd31d4bdf711077b6cf428a0fbb2bdc777fe14c5f7dc81741b7a7dd221fc5c8e4704961f01be55ef582758c637f360440555611a92bab4fe7e971375c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64f05ea0a21ff158b389c893614d5ad8
SHA1 d1558a54c9feacc88030269da9b45b1b69bf1c21
SHA256 551f9f06cbf54598e1493d2e6f6a1c3f903647c8838a0dc9688152475910ef2d
SHA512 2a6e54abb3323da5749a21ed633ee0bcab29b0554fc41186274b08498f244912c73a33671265b1a0d41e7b6294ec3145427a90a5cc8a5379e9dc41f9b0cea133

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d5472f789cfa8ce18635901158769ad6
SHA1 c5f5d2e814494712e38712b5fbbc716accba7fca
SHA256 64a5e89dc62add7379aecaf76bf3945482eb0aa125c12fe2826f33df4d27e44e
SHA512 6268218e3734ad684aed70dfba3ddb0625ed279e9bc4c8f085369dec8b1b6f850839e6b7984e7bfe35b30697c2214f23863b651021f7ca66c489ba1afb396ebc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 af8a7c17bce6968a5f993e3c1bfae139
SHA1 2efc45f20fa886462be4b2f96f274e0de366d21a
SHA256 594b59309e68e49515bd350aceacc874df71b85c379b890cc8ae7f9a7c0b9435
SHA512 c12f8607cb11ebd7faaf802715b637fe4639b6e6d8fbc883937ae7d0b7a39210af254e548649970054f583a388b519ebe073cb6c1d8427d30cbee0306785378e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6bb30ad6ef4bef7a2ae1dfd44299851d
SHA1 b3cfe78a3236daa4c399b193db67d5fd32ce5440
SHA256 266af82ae4a6ee0cf1ec3c2efd00e81320edc0f3081ecdcc0ab8512b784dfe7c
SHA512 e4d5183fccb71b9a912006570fdd3f9e823fb5e7fe40c0cb9edfad4766534adca1e43fa8bc2b46d8904849bdcb0d67a127b71e902b109e16e3c6559200b4ba46
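The Files list above mixes four very different kinds of artifact: the DLLs under \Temp\nse787C.tmp are the NSIS plugins the installer unpacked to its $PLUGINSDIR (the later detonations run the same DLLs from that path), the CryptnetUrlCache entries are crypt32's CRL/OCSP fetch cache rewritten several times under one file name, the Content.IE5 entries are browser cache, and only the \Program Files\DAUM\PotPlayer paths are what the installer actually left on disk. The script below is an added triage example, not part of the sandbox report: it parses the path-plus-hash blocks, classifies each path, dedupes by SHA256 and lists what still needs a human. The input is a constructed subset of the entries above with only the SHA256 line kept per entry (the parser accepts MD5/SHA1/SHA256/SHA512); the NSIS_STOCK and NSIS_THIRD_PARTY name lists are analyst-maintained assumptions, not something the report asserts.

```python
import re
from collections import Counter, defaultdict

# Constructed subset of the Files section above: path line, then hash lines.
FILES = r"""
\Users\Admin\AppData\Local\Temp\nse787C.tmp\System.dll

SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

\Users\Admin\AppData\Local\Temp\nse787C.tmp\ShellLink.dll

SHA256 d1d1642f3e70386af125ec32f41734896427811770d617729d8d5ebdf18f8aa7

\Users\Admin\AppData\Local\Temp\nse787C.tmp\HwInfo.dll

SHA256 326c406116026019a41c94b2e6b4c1061154f3bc9a395638063dae349f8a7579

memory/2344-31-0x00000000746B0000-0x00000000746C0000-memory.dmp

\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe

SHA256 4c5f62b915a9078b4b60c5f204f4bb9092b30295ac88abe70ff3bf653e195d20

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

SHA256 02962fd0f12a6b727b64ed63cd52e1af8fb7277dc8907785615cb8773389e2f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

SHA256 ee91a3615d1e1821b2434cb904b02814b830742543a0e4b7c888484cfce2cbad
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
# NSIS unpacks its plugins to %TEMP%\ns<hex>.tmp, exposed to scripts as $PLUGINSDIR.
PLUGINSDIR_RE = re.compile(r"\\temp\\(ns[0-9a-f]+\.tmp|\$pluginsdir)\\", re.I)
# Analyst-maintained lists (assumption, extend as needed): plugins shipped with NSIS,
# and widely used third-party ones that appear in this report.
NSIS_STOCK = {"system.dll", "nsdialogs.dll", "langdll.dll", "modern-wizard.bmp"}
NSIS_THIRD_PARTY = {"shelllink.dll", "lockedlist.dll", "newadvsplash.dll", "textreplace.dll"}


def parse_files(text):
    records, current = [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2)
        else:
            current = {"path": line, "hashes": {}}   # memory dumps have no hash lines
            records.append(current)
    return records


def classify_path(path):
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if p.startswith("memory/"):
        return "memory-dump"
    if PLUGINSDIR_RE.search(p):
        if name in NSIS_STOCK:
            return "nsis-plugin:stock"
        if name in NSIS_THIRD_PARTY:
            return "nsis-plugin:third-party"
        return "nsis-plugin:unknown"      # pull the file and check its exports/signature
    if "\\cryptneturlcache\\" in p:
        return "crypt32-url-cache"        # CRL/OCSP/AIA fetches by crypt32, not by the sample
    if "\\content.ie5\\" in p:
        return "browser-cache"
    if p.lstrip("c:").startswith("\\program files"):
        return "installed-payload"        # what the installer actually left behind
    return "other"


def triage_files(text):
    records = parse_files(text)
    by_category, sha_by_path, review = Counter(), defaultdict(set), []
    for r in records:
        r["category"] = classify_path(r["path"])
        by_category[r["category"]] += 1
        if "SHA256" in r["hashes"]:
            sha_by_path[r["path"]].add(r["hashes"]["SHA256"])
        if r["category"] in ("nsis-plugin:unknown", "other"):
            review.append(r["path"])
    # One path with several SHA256 values was rewritten during the run: normal for the
    # CryptnetUrlCache metadata, worth a second look anywhere else.
    rewritten = {p: len(s) for p, s in sha_by_path.items() if len(s) > 1}
    return {"records": records, "by_category": dict(by_category),
            "rewritten_paths": rewritten, "review": review}


if __name__ == "__main__":
    result = triage_files(FILES)
    print(result["by_category"])
    print("review:", result["review"])
    print("rewritten:", result["rewritten_paths"])
```

The SHA256 values are the handle for the next step: the installed-payload and nsis-plugin:unknown hashes are the ones to look up against vendor intelligence or a known-good copy of the PotPlayer installer, while the cache and plugin entries can be filtered out of the indicator set rather than blocked.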

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellLink.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2452 wrote to memory of 1320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2452 wrote to memory of 1320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2452 wrote to memory of 1320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellLink.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellLink.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1320 -ip 1320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\textreplace.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\textreplace.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\textreplace.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 224

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:32

Platform

win10v2004-20241007-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3332 wrote to memory of 2576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2576 -ip 2576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win7-20240729-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 224

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$SYSDIR\PotPlayerLauncher64.dll

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\ToolboxBitmap32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\MiscStatus\ = "0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\Control\ C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1569185-083C-4209-B06B-44982BCAF7FE} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}\1.0\ = "DaumLiveLauncher ActiveX Control module" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\PotPlayerLauncher64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\MiscStatus\1 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1569185-083C-4209-B06B-44982BCAF7FE}\ = "DaumLiveLauncher Property Page" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DAUMLIVELAUNCHER.DaumLiveLauncherCtrl.1\ = "DaumLiveLauncher Control" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DAUMLIVELAUNCHER.DaumLiveLauncherCtrl.1\CLSID\ = "{2E215D23-8D32-4141-BB8F-6254C84FBC9E}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DAUMLIVELAUNCHER.DaumLiveLauncherCtrl.1 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DAUMLIVELAUNCHER.DaumLiveLauncherCtrl.1\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\POTPLA~1.DLL" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}\1.0 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}\1.0\0 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}\1.0\HELPDIR\ C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}\1.0\HELPDIR C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\TypeLib\ = "{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\ = "DaumLiveLauncher Control" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\MiscStatus C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\Version\ = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\Implemented Categories C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2}\ = "_DDaumLiveLauncher" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2}\TypeLib\ = "{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\POTPLA~1.DLL, 1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2}\ = "_DDaumLiveLauncher" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1569185-083C-4209-B06B-44982BCAF7FE}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\TypeLib\ = "{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\ProgID\ = "DAUMLIVELAUNCHER.DaumLiveLauncherCtrl.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\Control C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\Version C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}\1.0\FLAGS\ = "2" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\ = "_DDaumLiveLauncherEvents" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\MiscStatus\1\ = "131473" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E215D23-8D32-4141-BB8F-6254C84FBC9E}\TypeLib\ = "{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C34AB2B7-84D3-414B-88DA-3B8E9DCC45C5}\1.0\FLAGS C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A974545-864D-44CE-88E8-A3838FBD0BB2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A2D5DAE-7CC1-4D4C-BD4A-46B765DC60A9}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$SYSDIR\PotPlayerLauncher64.dll

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A (24 identical rows)

Checks installed software on the system

discovery

Network Share Discovery

discovery

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DAUM\PotPlayer\PxShader\Procamp.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Skins\BlackBox2_en.dsf C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Skins\BlackSpace_en.dsf C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\EdgeSharpen v1_1(jim ro).txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Unsharp mask.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\MP3Lame64.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\3D OAU to 2D.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\LogoMini.swf C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\AviSynth\FasterTrueMotion.avs C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Skins\Olddefault.dsf C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PotIcons64.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Deinterlace (blend).txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Denoise.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Levels2.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\AviSynth\FastTrueMotion.avs C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\AviSynth\FastTrueMotionNoGPU.avs C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\SharpenComplex2.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\AviSynth\TrueMotion2.avs C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Urllist\TV.asx C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\MediaInfo64.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\QuickSync64.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Skins\BlackBox3_en.dsf C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Skins\default.dsf C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\DTDrop64.exe C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PotPlayer64.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Sphere.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\AviSynth\TrueMotion.avs C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\DesktopHook.exe C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Logos\PotPlayer.png C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\3D SBS GreenMagenta.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\DisplayLessThan16 v1_1.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Emboss.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Invert.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\bass.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\bass_flac.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\DaumCrashHandler64.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Loading.swf C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\bass_wv.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\3D SBS RedCyan.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\SharpenFlou (jim ro).txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Undot.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\AviSynth\FastestTrueMotion.avs C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\ATextOut64.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Levels.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\AviSynth\OverlayText.avs C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\AviSynth\TrueMotion2NoGPU.avs C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Alarm.wav C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\GameCaptureHook64.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\3D SBS to 2D.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Letterbox.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\YV12 Chroma Upsampling.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Skins\SkinSupport.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\DesktopHook64.dll C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\License.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\Logo.swf C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\3D OAU GreenMagenta.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\BT601BT709.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Contour.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\NightVision.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\History.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\LogManager.exe C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
File created C:\Program Files\DAUM\PotPlayer\PxShader\Sharpen.txt C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1016 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 3628 wrote to memory of 60 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 3628 wrote to memory of 3156 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 identical rows)
PID 3628 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 3628 wrote to memory of 2144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (18 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.dvbsupport.net/download/index.php?act=view&id=134

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba8d346f8,0x7ffba8d34708,0x7ffba8d34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 www.dvbsupport.net udp
NL 145.14.151.112:80 www.dvbsupport.net tcp
NL 145.14.151.112:80 www.dvbsupport.net tcp
NL 145.14.151.112:80 www.dvbsupport.net tcp
NL 145.14.151.112:443 www.dvbsupport.net tcp
US 8.8.8.8:53 www.recaptcha.net udp
US 8.8.8.8:53 112.151.14.145.in-addr.arpa udp
GB 142.250.200.3:443 www.recaptcha.net tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
GB 142.250.200.3:443 www.recaptcha.net udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
NL 145.14.151.112:443 www.dvbsupport.net udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\nsu856E.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsu856E.tmp\newadvsplash.dll

C:\Users\Admin\AppData\Local\Temp\nsu856E.tmp\nsDialogs.dll

C:\Users\Admin\AppData\Local\Temp\nsu856E.tmp\LockedList.dll

memory/1016-35-0x00000000745F0000-0x0000000074600000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsu856E.tmp\ShellLink.dll

C:\Program Files\DAUM\PotPlayer\Uninstall.exe

C:\Users\Admin\AppData\Local\Temp\nsu856E.tmp\HwInfo.dll

memory/1016-155-0x0000000004000000-0x0000000004013000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsu856E.tmp\textreplace.dll

C:\Users\Admin\AppData\Local\Temp\nsu856E.tmp\LangDLL.dll

C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe

memory/1016-215-0x00000000745F0000-0x0000000074600000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_3628_HBZKMSOLVCSDLKSQ

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\300b82dc-64a1-424e-b2ae-9d683e0d0698.tmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

C:\Users\Admin\Desktop\PotPlayer x64.lnk

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\HwInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 764 wrote to memory of 4172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\HwInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\HwInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4172 -ip 4172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win7-20240729-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe"

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FFE7772-0EE7-40f4-B7D6-3A44BCF0C42A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2985A0EF-30E2-4b31-B3B8-8ABA20E3BF97} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2985A0EF-30E2-4b31-B3B8-8ABA20E3BF97}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DEBA2A8-DF1C-40a5-BED4-29F118F80771} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DEBA2A8-DF1C-40a5-BED4-29F118F80771}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6712D17C-CEB6-4886-9641-427AF3D488B7}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\CLSID C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CAD4875-0AB6-4178-9E77-7EFB04692A19} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CAD4875-0AB6-4178-9E77-7EFB04692A19}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2985A0EF-30E2-4b31-B3B8-8ABA20E3BF97}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D56E1AC5-92D0-4b2a-A8B2-D3E164F540DD}\ = "PotPlayerMCE_Enqueue" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CAD4875-0AB6-4178-9E77-7EFB04692A19}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6712D17C-CEB6-4886-9641-427AF3D488B7}\ = "PotPlayerMini_Enqueue" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6712D17C-CEB6-4886-9641-427AF3D488B7}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D56E1AC5-92D0-4b2a-A8B2-D3E164F540DD} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FFE7772-0EE7-40f4-B7D6-3A44BCF0C42A} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FFE7772-0EE7-40f4-B7D6-3A44BCF0C42A}\ = "PotPlayerLive_Play" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FFE7772-0EE7-40f4-B7D6-3A44BCF0C42A}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CAD4875-0AB6-4178-9E77-7EFB04692A19}\ = "PotPlayerMini_Play" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2985A0EF-30E2-4b31-B3B8-8ABA20E3BF97}\ = "PotPlayerMCE_Play" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DEBA2A8-DF1C-40a5-BED4-29F118F80771}\ = "PotPlayerLive_Enqueue" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1DEBA2A8-DF1C-40a5-BED4-29F118F80771}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6712D17C-CEB6-4886-9641-427AF3D488B7} C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D56E1AC5-92D0-4b2a-A8B2-D3E164F540DD}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D56E1AC5-92D0-4b2a-A8B2-D3E164F540DD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DTDrop64.exe" C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe

"C:\Users\Admin\AppData\Local\Temp\DTDrop64.exe"

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\textreplace.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1492 wrote to memory of 4728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1492 wrote to memory of 4728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1492 wrote to memory of 4728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\textreplace.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\textreplace.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 600

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win7-20240708-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\time.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\time.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\time.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 224

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATextOut64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATextOut64.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win7-20240903-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DChat64.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 2736 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2684 wrote to memory of 2736 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2684 wrote to memory of 2736 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DChat64.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2684 -s 104

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win7-20240729-en

Max time kernel

15s

Max time network

16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 224

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1800 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1800 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1800 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2084 -ip 2084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 636

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win7-20240903-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 224

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4852 wrote to memory of 4344 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4852 wrote to memory of 4344 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4852 wrote to memory of 4344 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4344 -ip 4344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 600

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\time.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1680 wrote to memory of 312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1680 wrote to memory of 312 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\time.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\time.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 312 -ip 312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 600

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DChat64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DChat64.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win7-20240903-en

Max time kernel

118s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellLink.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellLink.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ShellLink.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 224

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win7-20240708-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 224

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-29 02:30

Reported

2024-11-29 02:33

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\newadvsplash.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1236 wrote to memory of 4824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1236 wrote to memory of 4824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1236 wrote to memory of 4824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\newadvsplash.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\newadvsplash.dll,#1

Network

Country Destination Domain Proto

Files

N/A