Analysis Overview
SHA256
b6251f402464c488e25deb7fe3a2c5aeea4376b6cf51173a7bb2ec5498c5cb29
Threat Level: Known bad
The file da570126399784f6d6f251b7edd5c2b9_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Banload family
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Deletes itself
Loads dropped DLL
Executes dropped EXE
Checks BIOS information in registry
Enumerates physical storage devices
Browser Information Discovery
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
NSIS installer
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-09 15:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
146s
Command Line
Signatures
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\da570126399784f6d6f251b7edd5c2b9_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\da570126399784f6d6f251b7edd5c2b9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da570126399784f6d6f251b7edd5c2b9_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsc73C9.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsc73C9.tmp\ioSpecial.ini
| MD5 | 19a60902ef88eb6a2b2e69e7d763332b |
| SHA1 | 0976196638f75b0ed887ef64474da964d384e95d |
| SHA256 | 3afebb09779df97386ecc005d593794541198d4fd69bbc8da64fd3da0f4f911b |
| SHA512 | f3b8113cc94a760824e27f9aec6606dd9f4b9737bc68777c18bacb763721e80d4af946ecff31be1b18e073dbb7089cba462e2324dd9490b82132c570eded396f |
C:\Users\Admin\AppData\Local\Temp\nsc73C9.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
C:\Users\Admin\AppData\Local\Temp\nsc73C9.tmp\StartMenu.dll
| MD5 | a4173b381625f9f12aadb4e1cdaefdb8 |
| SHA1 | cf1680c2bc970d5675adbf5e89292a97e6724713 |
| SHA256 | 7755ff2707ca19344d489a5acec02d9e310425fa6e100d2f13025761676b875b |
| SHA512 | fcac79d42862da6bdd3ecad9d887a975cdff2301a8322f321be58f754a26b27077b452faa4751bbd09cd3371b4afce65255fbbb443e2c93dd2cba0ba652f4a82 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win7-20241023-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 244
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4464 wrote to memory of 4576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4464 wrote to memory of 4576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4464 wrote to memory of 4576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4576 -ip 4576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 224
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1764 wrote to memory of 116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1764 wrote to memory of 116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1764 wrote to memory of 116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 116 -ip 116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win7-20240903-en
Max time kernel
147s
Max time network
119s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\InprocServer32\ = "%SystemRoot%\\SysWow64\\AUDIOENG.DLL" | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\InprocServer32\ThreadingModel = "both" | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D} | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\ = "AudioVolume Class" | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe
"C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe"
Network
Files
memory/2168-8-0x0000000002670000-0x000000000287C000-memory.dmp
memory/2168-0-0x0000000002670000-0x000000000287C000-memory.dmp
memory/2168-1-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-11-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-14-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-12-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-15-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-16-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-17-0x0000000002670000-0x000000000287C000-memory.dmp
memory/2168-18-0x0000000010000000-0x000000001005A000-memory.dmp
memory/2168-19-0x0000000002670000-0x000000000287C000-memory.dmp
memory/2168-22-0x0000000006E00000-0x0000000006FA7000-memory.dmp
memory/2168-32-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-33-0x0000000002670000-0x000000000287C000-memory.dmp
memory/2168-35-0x0000000010000000-0x000000001005A000-memory.dmp
memory/2168-34-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-36-0x0000000010000000-0x000000001005A000-memory.dmp
memory/2168-38-0x0000000010000000-0x000000001005A000-memory.dmp
memory/2168-37-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-40-0x0000000010000000-0x000000001005A000-memory.dmp
memory/2168-39-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-133-0x0000000010000000-0x000000001005A000-memory.dmp
memory/2168-132-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-135-0x0000000010000000-0x000000001005A000-memory.dmp
memory/2168-134-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-137-0x0000000010000000-0x000000001005A000-memory.dmp
memory/2168-136-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-139-0x0000000010000000-0x000000001005A000-memory.dmp
memory/2168-138-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-141-0x0000000010000000-0x000000001005A000-memory.dmp
memory/2168-140-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-143-0x0000000010000000-0x000000001005A000-memory.dmp
memory/2168-142-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-145-0x0000000010000000-0x000000001005A000-memory.dmp
memory/2168-144-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-147-0x0000000010000000-0x000000001005A000-memory.dmp
memory/2168-146-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-149-0x0000000010000000-0x000000001005A000-memory.dmp
memory/2168-148-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-151-0x0000000010000000-0x000000001005A000-memory.dmp
memory/2168-150-0x0000000000400000-0x000000000083E000-memory.dmp
memory/2168-153-0x0000000010000000-0x000000001005A000-memory.dmp
memory/2168-152-0x0000000000400000-0x000000000083E000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
141s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\InprocServer32\ = "%CommonProgramFiles%\\Microsoft Shared\\DAO\\dao360.dll" | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\ProgID | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\ = "DAO.PrivateDBEngine.36" | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\InprocServer32\Assembly = "dao, Version=10.0.4504.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\InprocServer32\Class = "dao.PrivDBEngineClass" | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\ProgID\ = "DAO.PrivateDBEngine.36" | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D} | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe
"C:\Users\Admin\AppData\Local\Temp\Heavy Weapon Deluxe.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x4f0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
memory/4252-0-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-2-0x0000000002BC0000-0x0000000002DCC000-memory.dmp
memory/4252-9-0x0000000002BC0000-0x0000000002DCC000-memory.dmp
memory/4252-12-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-15-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-13-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-16-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-17-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-18-0x0000000002BC0000-0x0000000002DCC000-memory.dmp
memory/4252-19-0x0000000010000000-0x000000001005A000-memory.dmp
memory/4252-21-0x000000000A130000-0x000000000A2D7000-memory.dmp
memory/4252-40-0x0000000002BC0000-0x0000000002DCC000-memory.dmp
memory/4252-44-0x0000000002BC0000-0x0000000002DCC000-memory.dmp
memory/4252-60-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-61-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-62-0x0000000010000000-0x000000001005A000-memory.dmp
memory/4252-63-0x0000000002BC0000-0x0000000002DCC000-memory.dmp
memory/4252-64-0x0000000010000000-0x000000001005A000-memory.dmp
memory/4252-66-0x0000000010000000-0x000000001005A000-memory.dmp
memory/4252-65-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-68-0x0000000010000000-0x000000001005A000-memory.dmp
memory/4252-67-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-161-0x0000000010000000-0x000000001005A000-memory.dmp
memory/4252-160-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-163-0x0000000010000000-0x000000001005A000-memory.dmp
memory/4252-162-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-165-0x0000000010000000-0x000000001005A000-memory.dmp
memory/4252-164-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-167-0x0000000010000000-0x000000001005A000-memory.dmp
memory/4252-166-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-169-0x0000000010000000-0x000000001005A000-memory.dmp
memory/4252-168-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-171-0x0000000010000000-0x000000001005A000-memory.dmp
memory/4252-170-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-173-0x0000000010000000-0x000000001005A000-memory.dmp
memory/4252-172-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-175-0x0000000010000000-0x000000001005A000-memory.dmp
memory/4252-174-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-177-0x0000000010000000-0x000000001005A000-memory.dmp
memory/4252-176-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-179-0x0000000010000000-0x000000001005A000-memory.dmp
memory/4252-178-0x0000000000400000-0x000000000083E000-memory.dmp
memory/4252-181-0x0000000010000000-0x000000001005A000-memory.dmp
memory/4252-180-0x0000000000400000-0x000000000083E000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win7-20240903-en
Max time kernel
117s
Max time network
123s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2668 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 2668 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 2668 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 2668 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
Network
Files
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | 547babef61d913ab1a8ab5391fb65195 |
| SHA1 | 0004077c7679e5b7fb9cdaeb842ca7c631d0f09f |
| SHA256 | 2bf784a7ba86703a5317b656312eac2a18242cc1492b7d5d2eb8b0ac797491ee |
| SHA512 | 498f154205794a709ba39aea766d322c300aeee401a104288182cdf731873a374e6ab77e37b0e4227e6f195286def90ea674be33917402e5e33d8aa3b143badb |
\Users\Admin\AppData\Local\Temp\nseF317.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nseF317.tmp\ioSpecial.ini
| MD5 | 757441e3a47931001ded4461cbc25a41 |
| SHA1 | b7a2b9b5918a498656e9e2a1fa6c0f693780208b |
| SHA256 | c9facf9ff51b7df4607886e5c7d4e865d690aa7ff84ee7f103b9db53108af8e5 |
| SHA512 | abbe9718329309d4b796db00757ddc7965bab91428f334388c234768119048073c40305670fe5908859fca779824e1060c24960472e04c75af54948fff1a2b55 |
\Users\Admin\AppData\Local\Temp\nseF317.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
C:\Users\Admin\AppData\Local\Temp\nseF317.tmp\ioSpecial.ini
| MD5 | 5ebba6a273e7a79edada9ecd9dcb2035 |
| SHA1 | 98f925305b8238f60bf0bb6c12e01717a651eb6f |
| SHA256 | fb734cbc8728911aae956a5b2adcca83189e328dce9dbcf0c8f0271a7f947f0c |
| SHA512 | 6a1ca32a5d21040ad4a7e8d402a231a30dfc831477044f84ed2ce5b56e69ddad309fe45307ab45c620f5f049e0a5b293d7a7d7c6d202c929030ecee7b4e01fef |
Analysis: behavioral20
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
129s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4684 wrote to memory of 4940 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 4684 wrote to memory of 4940 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 4684 wrote to memory of 4940 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | 547babef61d913ab1a8ab5391fb65195 |
| SHA1 | 0004077c7679e5b7fb9cdaeb842ca7c631d0f09f |
| SHA256 | 2bf784a7ba86703a5317b656312eac2a18242cc1492b7d5d2eb8b0ac797491ee |
| SHA512 | 498f154205794a709ba39aea766d322c300aeee401a104288182cdf731873a374e6ab77e37b0e4227e6f195286def90ea674be33917402e5e33d8aa3b143badb |
C:\Users\Admin\AppData\Local\Temp\nsjAA5A.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsjAA5A.tmp\ioSpecial.ini
| MD5 | ec0c2c508c28f4757dce4ad9db7809f7 |
| SHA1 | 82b52c7fdaacb9577df8d294a599423edbf2bdbd |
| SHA256 | 52360d0d81cc3c2c95034f736f195754a0d83d88844bd8ea28a530eead1b8538 |
| SHA512 | 3aed9b11a7805f77bf507465161765e37e465fdc17f67685c3aa0019e843bcc837a884e1083edbb3850f99ff52806a8a4a84ce435a910468e93c9ab565378bd6 |
C:\Users\Admin\AppData\Local\Temp\nsjAA5A.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
C:\Users\Admin\AppData\Local\Temp\nsjAA5A.tmp\ioSpecial.ini
| MD5 | 5ebba6a273e7a79edada9ecd9dcb2035 |
| SHA1 | 98f925305b8238f60bf0bb6c12e01717a651eb6f |
| SHA256 | fb734cbc8728911aae956a5b2adcca83189e328dce9dbcf0c8f0271a7f947f0c |
| SHA512 | 6a1ca32a5d21040ad4a7e8d402a231a30dfc831477044f84ed2ce5b56e69ddad309fe45307ab45c620f5f049e0a5b293d7a7d7c6d202c929030ecee7b4e01fef |
Analysis: behavioral21
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 244
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
143s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 516 wrote to memory of 772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 516 wrote to memory of 772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 516 wrote to memory of 772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 772 -ip 772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
148s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4956 wrote to memory of 548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4956 wrote to memory of 548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4956 wrote to memory of 548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4304 wrote to memory of 3744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4304 wrote to memory of 3744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4304 wrote to memory of 3744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3744 -ip 3744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win7-20240903-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da570126399784f6d6f251b7edd5c2b9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da570126399784f6d6f251b7edd5c2b9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da570126399784f6d6f251b7edd5c2b9_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\da570126399784f6d6f251b7edd5c2b9_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da570126399784f6d6f251b7edd5c2b9_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\da570126399784f6d6f251b7edd5c2b9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da570126399784f6d6f251b7edd5c2b9_JaffaCakes118.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsyEABD.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsyEABD.tmp\ioSpecial.ini
| MD5 | 73ed6784180a4aa7b89045387f11ca5f |
| SHA1 | 4f2f97cc27784820ec5b1fee0639a9ab00c69a7e |
| SHA256 | fe3f7a495a5ce081a298191c270e1c36c8c161b44e02d4bec958c78d933774c1 |
| SHA512 | 6bfa1e1973729f64f5bae4f3c02d78d1136fcd8eb58d5c7ff523ff483d3dcb1f4994ae15f5ab0a97996fc1f33ef9a8a08c6b1ac92813de71bc5bf0a0f007a659 |
C:\Users\Admin\AppData\Local\Temp\nsyEABD.tmp\ioSpecial.ini
| MD5 | 220b4dbe3c1e3f9cd9c7ecb846838d98 |
| SHA1 | 9830b97e66aa9c99a90db8fb627add1b46d117b8 |
| SHA256 | 602a5b5db7d90808f510beba1b3198f48cca516b8278a6a78897e51c0670d730 |
| SHA512 | 2dc30168e6ab8380e736c12a995a4666e7091c143b37627ef865754115c311b47be7785ee4c6feb4474e6b7f53623f3ad5b2bf6c1537efba43f39b3db06eb00c |
\Users\Admin\AppData\Local\Temp\nsyEABD.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
\Users\Admin\AppData\Local\Temp\nsyEABD.tmp\StartMenu.dll
| MD5 | a4173b381625f9f12aadb4e1cdaefdb8 |
| SHA1 | cf1680c2bc970d5675adbf5e89292a97e6724713 |
| SHA256 | 7755ff2707ca19344d489a5acec02d9e310425fa6e100d2f13025761676b875b |
| SHA512 | fcac79d42862da6bdd3ecad9d887a975cdff2301a8322f321be58f754a26b27077b452faa4751bbd09cd3371b4afce65255fbbb443e2c93dd2cba0ba652f4a82 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win7-20240903-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 228
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1192 wrote to memory of 452 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1192 wrote to memory of 452 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1192 wrote to memory of 452 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 452 -ip 452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
139s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3588 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3588 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3588 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bass.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bass.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/2456-0-0x0000000010000000-0x000000001005A000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\readme.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff003946f8,0x7fff00394708,0x7fff00394718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,13143478467467502385,16649276151196761380,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,13143478467467502385,16649276151196761380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,13143478467467502385,16649276151196761380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13143478467467502385,16649276151196761380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13143478467467502385,16649276151196761380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,13143478467467502385,16649276151196761380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,13143478467467502385,16649276151196761380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13143478467467502385,16649276151196761380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13143478467467502385,16649276151196761380,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13143478467467502385,16649276151196761380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,13143478467467502385,16649276151196761380,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,13143478467467502385,16649276151196761380,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5344 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 37f660dd4b6ddf23bc37f5c823d1c33a |
| SHA1 | 1c35538aa307a3e09d15519df6ace99674ae428b |
| SHA256 | 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8 |
| SHA512 | 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d |
\??\pipe\LOCAL\crashpad_4456_SOAZVTXERRHSMXKG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d7cb450b1315c63b1d5d89d98ba22da5 |
| SHA1 | 694005cd9e1a4c54e0b83d0598a8a0c089df1556 |
| SHA256 | 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031 |
| SHA512 | df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | babef5af57ff16bb4cb04c141fa416ac |
| SHA1 | 39261da5735d4103ff762f80bb518826b440f5f2 |
| SHA256 | f53256df0429b471ee0e63ebcd7cd8554181dc0e65bdeee4a35937bb777d1241 |
| SHA512 | c0e46e243388e8de2cd5ff9568cf788a3738cd6d7f84e8e7296ff02566e07f13824d0d64445527214144767698c1648769242d7c9ddcd2f98b0795f3c5692ad8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 740bab3f6e15b8ec163a62bfa37740fb |
| SHA1 | 7f1706b5295b4d05a310242c66083df12822d6db |
| SHA256 | 9c336fa996ab70788e562fae73f941d49b0ff8df63f4e4f715bd0aa0a6d627e2 |
| SHA512 | aaacd50625909cea53afb08f977e797987773a7f4fabe6ebad33d264a42962b012ab3542ce69d5e6a896e475b890653a023b033f0d0e3c01f1fdabcbb7a1e8b5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e216b22486f2a7b5c4d01b3cff794eca |
| SHA1 | 307318be850efd0cb91c1e39ef417b9f635f3890 |
| SHA256 | 298934df3a3f2ac49da9b5a0d892a7d9be072bbe49760beb50b38d0dbaadca6e |
| SHA512 | ebcd6f8f81123c1f017f2f47c7e9f81af6d3f51fdfa3b9a1300859c1d3e55e0272b71c6720b1f8416de6d61e425ee9071aaab01b8a7eeda89e540b8ebb555ff8 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win7-20240903-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 224
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 224
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win7-20240729-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Flash.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\Extension = ".spl" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp\CurVer\ = "FlashProp.FlashProp.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ = "Macromedia Flash Factory Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\ = "Macromedia Flash Factory Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Flash.dll, 1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.spl | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\ = "FlashProp Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\ = "FlashAccessibility" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon\ = "\"%1\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\ = "Shockwave Flash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.swf | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "FlashFactory.FlashFactory" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3032 wrote to memory of 2328 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3032 wrote to memory of 2328 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3032 wrote to memory of 2328 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3032 wrote to memory of 2328 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3032 wrote to memory of 2328 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3032 wrote to memory of 2328 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3032 wrote to memory of 2328 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Flash.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Flash.dll
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D} | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\ = "Voice Activation Manager 2 Class" | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\InProcServer32\ = "%SystemRoot%\\SysWow64\\VoiceActivationManager.dll" | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\GLWorker.exe
"C:\Users\Admin\AppData\Local\Temp\GLWorker.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.201.50.20.in-addr.arpa | udp |
Files
memory/1648-0-0x0000000000400000-0x000000000060C000-memory.dmp
memory/1648-2-0x0000000002BC0000-0x0000000002DCC000-memory.dmp
memory/1648-9-0x0000000002BC0000-0x0000000002DCC000-memory.dmp
memory/1648-12-0x0000000000400000-0x000000000060C000-memory.dmp
memory/1648-14-0x0000000000400000-0x000000000060C000-memory.dmp
memory/1648-15-0x0000000002BC0000-0x0000000002DCC000-memory.dmp
memory/1648-13-0x0000000000400000-0x000000000060C000-memory.dmp
memory/1648-16-0x0000000002BC0000-0x0000000002DCC000-memory.dmp
memory/1648-18-0x0000000000400000-0x000000000060C000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win7-20240903-en
Max time kernel
136s
Max time network
130s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439920678" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a771f21df581f3488fe336c0790e4ff900000000020000000000106600000001000020000000d7ecb4fb22b1601eb36fa66be1146bf4cd9405d64d1ed38f9d9b6068936e01f4000000000e80000000020000200000006ee31c362c2f8f8c9a1b51734eeae3c30a7133b5c4d437c6363b86c47e76c99290000000daabfa817d0c582c31adeeedb031f5b72895d0c5990d0def3b4f028c67479c546305d9b8f2bfcafc60b0c92cc173e0a1ad4773a0830d2ae302387ef3a9b24b53d007da7777d0aa961403086396fd4f00ac24fb6edf8b61c6142ff88e2441648a2d1c34a5aa8e6d241fff9bf6301b0fa0ac5548e1778a23fd7424272582e1f4d3886fe2dc059d1e85d3ba4df920fe019240000000a5dc9394edba9fa8aaac1fb899ed6449f1dcfecc12e280b02084e3f488dd16095b1769c899e45b9f0ee288c7659a9b6f5e0af9e2c2ebc68666a152f415d9d968 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d06233b3504adb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a771f21df581f3488fe336c0790e4ff900000000020000000000106600000001000020000000d4fb0fa6384d8fd3e8533d33d0d39337c204e7ed62c44ae5fcf1b50b58655229000000000e800000000200002000000041ca941bd187599a7e7a490da6cf4cbf11b51b19ce6202c07de903b969bb30c22000000062b04703dca661df1d5f34e335f81ed9d93252c566fc3810b41a7484781c34d34000000056f3a20df03018e2c93ed2984b5ac390a59ba1aa00f0166c179cd9d78840bba0deadea70215225605d0ffd5ccb1b93f81c141092928e9bbc1e33f42ec7f634f8 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DEBFDA51-B643-11EF-BEB7-46BBF83CD43C} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2108 wrote to memory of 2512 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2108 wrote to memory of 2512 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2108 wrote to memory of 2512 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2108 wrote to memory of 2512 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\readme.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2108 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabCA16.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarCAC4.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0a2486f8a5e8dc2eea757110edea0788 |
| SHA1 | 10bf887d22fe2b46b3d98ef6a2853f3a14357ccc |
| SHA256 | 40148e5a8bdf87710b9942cabe461d0054b778c62304149686d33ce76476bf5f |
| SHA512 | d5f7fefe56c4ea46a3146d8ca9c04e57e66de880aedb756840951c86c9c7be51c8f362e702439b4a0bf7361e2d54a9813e045407da27346340532d32f4098575 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6057504a2edfb9f9705a581005308575 |
| SHA1 | 1c86c667427b244a03346898d1a2adb8782f9b2e |
| SHA256 | c0cfc3c3ce400be4ef254348018f5a50fb98733da480df1bf223de21858f071c |
| SHA512 | 6fd3c858127774f56b3dd84afefbd8ade4412804c2cb807fb0e0e00739a86ba2f515048e72d8b059e282b4c559d66e93bd1bf479c97df1d8209775ea3ff2c8d3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 95ba0eaf5750c53653d2c327d3f19cd6 |
| SHA1 | 86dc38e003616c42ba9d9af3c366eb6615b9b027 |
| SHA256 | 26dd90a2ee7daf28f53e587c559aa06f64c8b4faeda2c6fc3fb7b487176bdd11 |
| SHA512 | 8e5584cd45a5ae9c46275ff4ce8c2c03eef9e47d701322f74d4f9b8fe97a0131241aa380d8dc83562613fc4eed31d03b8a45de6504ad40df2979852e0501ffaa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f395099f55eb55e96ced1e766be6c853 |
| SHA1 | edfde10d3bb40f663ab43535110acbca7cf4751b |
| SHA256 | 4d35381adae97639fb0fc34d0bde5ae73d6b2dc8f6daf49d0008843720b3dced |
| SHA512 | c7bdb3796eee125d54b37261c0489d227b7827279e97e0a1dc5fe534d281b314330307629f556fb8285f0176fa27db11a2c1aaa8f803d3335132dfacbb991f45 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4c67fd98b6d1ec47899ed2e251af7c92 |
| SHA1 | c6bcbd7df2d030610a6848c98d56b5a7fc242954 |
| SHA256 | 83952b93f2fbc94a4cd867918966e8bb726553c29f69c9b7a3f10667f788ce57 |
| SHA512 | e897cd55ea4faded67e79f65d3e6c2c6bbd02794889321f66d79123f1e57f594c6d1ff358dbd2841024b3bb940c38eb8b27537913162b76612b4441d501508e8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e767726477a5b3e12bb2f4bd9405835d |
| SHA1 | 502eccf4f2034c26c4cd3f321f627ff13c16e838 |
| SHA256 | bc0521feed0e595bb89a1859b01eb5ac116ed243939ab056815894edcd4d20de |
| SHA512 | 2d7ef644142973a3086118e68fd1cb1575872c3d62d8b3be4e691ac83accda5ac483501d99626a08974d301983e9127f6cb8e9d06b5f278ee23403f835aa47a6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8d13e8514fcdbf0aeb911fef6f40e3a8 |
| SHA1 | b082c8185ba5aa8072edb7906916534d25e405d3 |
| SHA256 | 5c4906f145d51816398e88de2a8094cebfb8800ab9aa57171b3e5d4e03a0dd1f |
| SHA512 | 9a558118d1fbec9d2ee595a74578d385ef4b2aff958035ca7aa8e393f62adb9c4a6d1826004ad608a5a1e8e6e4c3b8793d649692365cd902fe89881aafe430fd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b1d4d2fc150a519b80cda6d8e3f8cfd0 |
| SHA1 | f8ca9b38a5b46d9f6bdd440af566e70a50fc9a69 |
| SHA256 | 1a844f790cc0d966a6ff36d9a958c698d48baaab673fcd437099ace8daa23b26 |
| SHA512 | a3cfd0d0f80516e85cc4fd73b7e2a6c4ea3142e77160c7aeb923f261a97a070cdb8d1770eda49df6bc5991819b492d89fa9ed7fdd4556a1a3b34305f8e29becb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9f95335e993afffca7215c15a0995377 |
| SHA1 | c74dc0785b15493de5716934375614834880d501 |
| SHA256 | 723b868e4595c9c87e4533d6305a58b3fda80ae5033d41a67d0f53e93fe6d6b2 |
| SHA512 | d28c58863acb9fed44ae4bd9de06684fdfe705952fca8f34ce877373193859c00823e6836f37b33413311243d0797b11f119cdd4b2594b76a01fd52e9e1c3ede |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3c4f6aed909dcc35d1f968487b443060 |
| SHA1 | 56031e98d132b21c9a21e0f0ce8f75fc838676c0 |
| SHA256 | 9ae92deed3b7b43d2dcc8ad06ac1a441b23f4d7c32d133fe796aab88deb9a900 |
| SHA512 | 2c7e9a78abbbdd043406d5d15ae3e94639414bcae0a0fda8f1e38ef66e949222b0e88795990f52f7c971dcf32cd1dc816e153ad7e9ab49d122dab2d41e699a41 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 28339c2d8ee8c3dd7fec3b5525056304 |
| SHA1 | 6ac45d78265bf8ed2b64e3cad49977c7c96712d0 |
| SHA256 | 6596b1b2bd2f6b142623539d083c54e51dd0e8c20ff8c2d0e6e768ab12cbc19c |
| SHA512 | d89bd7299a96b2e673b9a85bd8d050eda559e83b614ca89033aaea96fc8b6ddf6d7fe74318e958649aad501e93bd02fe16579651196775f1df7c8e749340780e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ea274d5815b8412998f73a52b4cf2d0c |
| SHA1 | 9d34d22a3ba908bec63d62261b056da4eb831757 |
| SHA256 | 108cadba184b39a89c02d63d450ff9e2336913d7fde7194dc286dc4143edc0a3 |
| SHA512 | 36de2caa63f28c83a9099e893f153034ba75fe4bd0897e0e8180ec41cd18da379ba474619e9c28b4a6c8941dadb860edceff0d5ff7a8ead2dac0e55d6798166c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a70ebbb1b35e5572af7cd33fb0e02092 |
| SHA1 | 7e2aa43b0645fb58521ebba95d3ff843fee30f14 |
| SHA256 | 3757be72ce30db6e0bf6e3f8b9dac9d4826d49defc8888bc6fdc2bd0e04156f8 |
| SHA512 | 36474ffa432d88f4444b43a873604987f3d94fcde947e1835b490f70966349e2212a2dec3acfea1f6d65db36a323e45f5eb9e78fa1266f977ddb819bfb6235a2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cc56aac632d2256b4e4d7b135a9cbf02 |
| SHA1 | adf2bafb6e4ceb89f299704d5c77f15f27959c3b |
| SHA256 | b1cc79c4480adf6f4eae7ce95967cd7703324f78efbcbd21c2370f43ff59b202 |
| SHA512 | b0c69fcedff93c97ec7c1527d3cf3cef15c9df238294fa4dab1eab736ffae6526fc5f112f51e7d3c047ee0bc5269221532c5773fcbf6efe51cba1670676791f5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7b8c5538720d0957a6a56997b37663d1 |
| SHA1 | 59ea4a3442e3cc8366ba7b94c33eaa671fbee476 |
| SHA256 | 06b590c9c73fddc833ffcba59d0c4d0d15af7a677e3c311534001237bfc2dfea |
| SHA512 | f516f96bff67840a6dbe2a3e62fea90fd4071fd3a017554cf9464c266c701ad5477b781847fd053b52d4b28effd06b4bf77a590fd491b198befc22255a08b7d1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2596b7a240b39019609496fb47515558 |
| SHA1 | 5093304c891d07d9625023775fbbd77dd57e2194 |
| SHA256 | 464e6997ae0b6bbce84222857b42f811b5bb79c399df70730f5579f69aa6528e |
| SHA512 | fff6cb9697731ca6b4554d2e2ea4540185c3b90e9eeacc07cdf160bd42d9dc6d486e8498e43e82b1fce117f6ce52837c062cdfecb8506bf6b54214ee0870e459 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 254f1cd0813e2e7246d4bc05ff545c0b |
| SHA1 | fc03d80dbbc3b09e82648c762b763a2344bf6bdc |
| SHA256 | 7b98af2d41ee19928c1d8c2159b859fdb54f4fa752463e95d4c8a4fd19c92e8d |
| SHA512 | 8c08c0849d7e8c911b167af38ebbdb9e887ece41e0e19041da9d346ea60314b656a9f344feb993c3fd21b465efd88fab95951b03470292da050500e32bb15f08 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2a835aeca9deb5837571c1d593cd2dbf |
| SHA1 | 73b7d14931b48116a7be12395422dd531887e95d |
| SHA256 | 49e685348908a8da6d9c88de3a9c53be4242b782cdb29607f3666d025f918a90 |
| SHA512 | 752b2002e91eb44bef5332a7c76445e429a22c576da17417361af7c7262a95612aefd6a65cdd6424ded11b0d63d7f039b44b5449d1c8b21f18f8d355ccd268ed |
Analysis: behavioral15
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win7-20241010-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\InprocHandler32\ = "ole32.dll" | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE" | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D} | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\ = "Outlook Message Site Object" | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C56790F4-4E43-170F-CCE7-3FF6C299290D}\InprocHandler32 | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GLWorker.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\GLWorker.exe
"C:\Users\Admin\AppData\Local\Temp\GLWorker.exe"
Network
Files
memory/2392-4-0x0000000000400000-0x000000000060C000-memory.dmp
memory/2392-8-0x0000000002570000-0x000000000277C000-memory.dmp
memory/2392-0-0x0000000002570000-0x000000000277C000-memory.dmp
memory/2392-18-0x0000000002570000-0x000000000277C000-memory.dmp
memory/2392-17-0x0000000000400000-0x000000000060C000-memory.dmp
memory/2392-14-0x0000000002570000-0x000000000277C000-memory.dmp
memory/2392-13-0x0000000000400000-0x000000000060C000-memory.dmp
memory/2392-12-0x0000000000400000-0x000000000060C000-memory.dmp
memory/2392-11-0x0000000000400000-0x000000000060C000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1984 wrote to memory of 2952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1984 wrote to memory of 2952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1984 wrote to memory of 2952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2952 -ip 2952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 608
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win7-20240729-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 224
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\Extension = ".swf" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.swf | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\ = "FlashAccessibility" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon\ = "%ProgramFiles(x86)%\\Internet Explorer\\iexplore.exe,-17" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Flash.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\ = "Macromedia Flash Paper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer\ = "ShockwaveFlash.ShockwaveFlash.7" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.spl | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp.1\CLSID\ = "{1171A62F-05D2-11D1-83FC-00A0C9089C5A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Flash.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Flash.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4824 wrote to memory of 2504 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4824 wrote to memory of 2504 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4824 wrote to memory of 2504 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Flash.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Flash.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-12-09 15:39
Reported
2024-12-09 15:42
Platform
win7-20240903-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1784 wrote to memory of 536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1784 wrote to memory of 536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1784 wrote to memory of 536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1784 wrote to memory of 536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1784 wrote to memory of 536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1784 wrote to memory of 536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1784 wrote to memory of 536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bass.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bass.dll,#1
Network
Files
memory/536-0-0x0000000010000000-0x000000001005A000-memory.dmp
memory/536-3-0x0000000010059000-0x000000001005A000-memory.dmp
memory/536-2-0x0000000010000000-0x000000001005A000-memory.dmp
memory/536-1-0x0000000010000000-0x000000001005A000-memory.dmp