Malware Analysis Report

2024-10-16 03:34

Sample ID 240502-bvldqadb3s
Target 5c580db21537810972fd6de552da5fbe9203d1fd4cff6373070cb5df3cd91b83.rar
SHA256 5c580db21537810972fd6de552da5fbe9203d1fd4cff6373070cb5df3cd91b83
Tags
banload vidar 3c6ffb3181118d4e1071419a800b7369 downloader dropper evasion persistence stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

5c580db21537810972fd6de552da5fbe9203d1fd4cff6373070cb5df3cd91b83

Threat Level: Known bad

The file 5c580db21537810972fd6de552da5fbe9203d1fd4cff6373070cb5df3cd91b83.rar was found to be: Known bad.

Malicious Activity Summary

banload vidar 3c6ffb3181118d4e1071419a800b7369 downloader dropper evasion persistence stealer trojan

Vidar

Detect Vidar Stealer

Banload

Detect binaries embedding a considerable number of MFA browser extension IDs.

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Detect binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

Checks BIOS information in registry

Suspicious use of SetThreadContext

Registers COM server for autorun

Loads dropped DLL

Program crash

Unsigned PE

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-02 01:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\Microsoft.UI.Xaml.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\Microsoft.UI.Xaml.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3748 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win7-20240221-en

Max time kernel

120s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\libmmd.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 2888 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2936 wrote to memory of 2888 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2936 wrote to memory of 2888 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\libmmd.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2936 -s 84

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win7-20240419-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\AzureKeyVaultDgssLib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\AzureKeyVaultDgssLib.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\ComExtractor.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\ComExtractor.exe

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\ComExtractor.exe"

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win7-20240419-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\acdbase.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 1744 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2432 wrote to memory of 1744 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2432 wrote to memory of 1744 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\acdbase.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2432 -s 84

Network

N/A

Files

memory/2432-0-0x0000000001FE0000-0x00000000023DA000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\acdbase.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\acdbase.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win7-20240220-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\vcruntime140.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 2504 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2604 wrote to memory of 2504 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2604 wrote to memory of 2504 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\vcruntime140.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2604 -s 80

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240419-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-heap-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-heap-l1-1-0.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240419-en

Max time kernel

136s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-utility-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-utility-l1-1-0.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win7-20240215-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\Microsoft.Toolkit.Win32.UI.XamlHost.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\Microsoft.Toolkit.Win32.UI.XamlHost.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240419-en

Max time kernel

144s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe"

Signatures

Banload

trojan dropper downloader banload

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

Detect binaries embedding a considerable number of MFA browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detect binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4276 set thread context of 5632 N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe C:\Windows\SysWOW64\netsh.exe

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32\ = "%SystemRoot%\\System32\\taskbarcpl.dll" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3} C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "Taskbar Control Panel" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32\ = "%SystemRoot%\\System32\\taskbarcpl.dll" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe

C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 1944

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 redddog.xyz udp
US 188.114.96.2:443 redddog.xyz tcp
US 188.114.96.2:443 redddog.xyz tcp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 188.114.96.2:443 redddog.xyz tcp
US 188.114.96.2:443 redddog.xyz tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

memory/4276-0-0x0000000003FB0000-0x0000000004198000-memory.dmp

memory/4276-10-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/4276-12-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/4276-14-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/4276-15-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/4276-17-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/4276-16-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/4276-19-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/4276-20-0x00007FFA0FF50000-0x00007FFA100C2000-memory.dmp

memory/4276-34-0x00007FFA0FF68000-0x00007FFA0FF69000-memory.dmp

memory/4276-35-0x00007FFA0FF50000-0x00007FFA100C2000-memory.dmp

memory/4276-36-0x00007FFA0FF50000-0x00007FFA100C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a097cf38

MD5 e2ddd22c4c477d869ba7b1ff83629f4f
SHA1 1a8edb1b82f963846297171c8fe25ed7d693f570
SHA256 f6ece4e4f7747c7d561022dc623081ec72e857023a4183f7df611fefd47ed1b4
SHA512 99acb5c52922a16373f138f2bea44e95a7320325b77d882d4b4068642ed9e3811e87a4ea26b484eeed26162a0ec2347f231527982f38ee84068a7f1b0fc77ba9

memory/5632-39-0x00007FFA2EA10000-0x00007FFA2EC05000-memory.dmp

memory/5632-43-0x0000000073F11000-0x0000000073F1F000-memory.dmp

memory/5632-42-0x0000000073F1E000-0x0000000073F20000-memory.dmp

memory/5632-46-0x0000000073F11000-0x0000000073F1F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe

MD5 3d754cfa4a5b2a3f19720550acf6d3cf
SHA1 e5c78edbd54e14a42258a6c223d2cf128530e1b6
SHA256 8e5e627881c8182bfbb64601c6f4f7b30ba950dfd10f638f404479406b2c03b8
SHA512 18db06443a718b8233ac9724e7f96310bf5841d2c980cd1d02e6fb6743e23acc13bd67fcd214b4c0650ac933f6f081759d699c73e14baf26ffc324c2b30f153b

memory/812-49-0x00007FFA2EA10000-0x00007FFA2EC05000-memory.dmp

memory/812-56-0x0000000000B70000-0x00000000012BB000-memory.dmp

memory/812-57-0x0000000000B70000-0x00000000012BB000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win7-20231129-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\stich.pptx"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\stich.pptx"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2268-0-0x000000002D971000-0x000000002D972000-memory.dmp

memory/2268-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2268-2-0x0000000071E2D000-0x0000000071E38000-memory.dmp

memory/2268-5-0x0000000071E2D000-0x0000000071E38000-memory.dmp

memory/2268-6-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2268-7-0x0000000071E2D000-0x0000000071E38000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240419-en

Max time kernel

139s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\AzureKeyVaultDgssLib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\AzureKeyVaultDgssLib.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240419-en

Max time kernel

135s

Max time network

152s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\stich.pptx" /ou ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\stich.pptx" /ou ""

Network

Country Destination Domain Proto

Files


Analysis: behavioral29

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win7-20240221-en

Max time kernel

121s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\Microsoft.UI.Xaml.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\Microsoft.UI.Xaml.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240419-en

Max time kernel

140s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-convert-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-convert-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240419-en

Max time kernel

139s

Max time network

109s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-string-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-string-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240426-en

Max time kernel

90s

Max time network

93s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-time-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-time-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\WinUiBootstrapper.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\WinUiBootstrapper.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240419-en

Max time kernel

140s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\WinUiBootstrapper.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\WinUiBootstrapper.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240419-en

Max time kernel

137s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\vcruntime140.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\vcruntime140.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win7-20240221-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\BugReporter.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\BugReporter.exe

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\BugReporter.exe"

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240419-en

Max time kernel

142s

Max time network

110s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\Microsoft.Toolkit.Win32.UI.XamlHost.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\Microsoft.Toolkit.Win32.UI.XamlHost.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240419-en

Max time kernel

139s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-stdio-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-stdio-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:29

Platform

win10v2004-20240419-en

Max time kernel

0s

Max time network

12s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\updater.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\updater.exe

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\updater.exe"

Network

N/A

Files

memory/2124-0-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\updater.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\updater.exe

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\updater.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3592 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
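Every Network table in this report has the same shape: PTR lookups sent to 8.8.8.8 (the guest resolving the addresses it just talked to), TLS to Bing and Edge/Google update endpoints, and in the table above one TCP connection (13.107.253.64:443) with no hostname attached. None of that is the sample's command-and-control; the one detonation that fired the Vidar signatures (behavioral1, below) recorded no network at all. The following is an added example, not part of the sandbox output, that separates that background noise from rows worth a look. The row list is constructed from the behavioral18 table above plus one made-up row (a TEST-NET-2 address and a .invalid hostname) so the filter has something to surface; the suffix allowlist is an assumption tuned to what this report shows and will hide C2 fronted behind those same providers, so treat it as a triage aid, not a verdict.

```python
# Added example (not from the report): triage a sandbox "Country Destination Domain Proto"
# table into background noise and rows that need a look.

# Constructed sample: rows copied from the behavioral18 Network table, plus one made-up
# row (198.51.100.7 is TEST-NET-2, example-c2.invalid is a reserved TLD) to show a hit.
SAMPLE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
ZZ 198.51.100.7:443 example-c2.invalid tcp
"""

# Assumed allowlist: hostnames that recur across this report's tables as Windows/Edge
# background traffic. Matched on exact suffix boundaries, never by substring.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net", "googleapis.com", "pki.goog")


def parse_rows(text):
    """Parse the flattened table; a row may lack the Domain column entirely."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":      # blank line or header
            continue
        if len(parts) == 3:                          # no hostname for this connection
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Bucket one row. PTR lookups and known background hosts are noise;
    an unresolved TCP connection is not dropped but sent for pcap/SNI review."""
    d = row["domain"].lower()
    if d.endswith(".in-addr.arpa"):
        return "noise-ptr"
    if d and any(d == s or d.endswith("." + s) for s in BACKGROUND_SUFFIXES):
        return "noise-background"
    if not d:
        return "review-unresolved"
    return "review"


def triage(rows):
    """Group rows by bucket; 'review' is what is left after noise removal."""
    buckets = {"noise-ptr": [], "noise-background": [], "review-unresolved": [], "review": []}
    for r in rows:
        buckets[classify(r)].append(r)
    return buckets


if __name__ == "__main__":
    for bucket, rows in triage(parse_rows(SAMPLE_TABLE)).items():
        print(f"{bucket}: {len(rows)}")
        for r in rows:
            if bucket.startswith("review"):
                print(f"  {r['ip']}:{r['port']} {r['domain'] or '<no hostname>'} {r['proto']}")
```

Run against the real tables, the "review" bucket should come out empty for every detonation in this report; if it does not, the offending row is the first thing to pull from the pcap.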

Files

memory/1868-0-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240419-en

Max time kernel

138s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\BugReporter.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\BugReporter.exe

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\BugReporter.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win7-20231129-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe"

Signatures

Banload

trojan dropper downloader banload

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2972 set thread context of 2720 N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe C:\Windows\SysWOW64\netsh.exe

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "%SystemRoot%\\System32\\AUDIOENG.dll" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3} C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "AudioConstrictor Class" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "%SystemRoot%\\System32\\AUDIOENG.dll" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2972 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2972 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2972 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2972 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2720 wrote to memory of 2688 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe
PID 2720 wrote to memory of 2688 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe
PID 2720 wrote to memory of 2688 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe
PID 2720 wrote to memory of 2688 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe
PID 2720 wrote to memory of 2688 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe
PID 2720 wrote to memory of 2688 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe
PID 2688 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe C:\Windows\SysWOW64\WerFault.exe
PID 2688 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe C:\Windows\SysWOW64\WerFault.exe
PID 2688 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe C:\Windows\SysWOW64\WerFault.exe
PID 2688 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe C:\Windows\SysWOW64\WerFault.exe
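The signature tables above carry the whole execution story of the Setup.exe run: Setup.exe (PID 2972) writes into a freshly started netsh.exe (2720) and then calls SetThreadContext on it, the classic hollowing pattern against a Microsoft-shipped binary; the hollowed netsh.exe then writes into BvInputDiag.exe (2688), which crashes into WerFault.exe (2528). The last hop is a caveat worth keeping: a parent writing into a child it just created is normal process start-up, so WriteProcessMemory alone is a weak signal, and it is the pairing with SetThreadContext on the same target that makes netsh.exe the hollowing candidate. The persistence indicator is a CLSID whose InprocServer32 points at %SystemRoot%\System32\AUDIOENG.dll; a System32 path means the follow-up is to confirm the DLL on disk is the signed Microsoft file rather than a replacement, whereas a server under AppData or Temp would be the high-confidence hijack case. The following is an added example, not part of the sandbox output, that parses these indicator lines and draws exactly those conclusions. The sample text is constructed from the rows above (duplicate write rows kept to show they collapse), the regexes assume the row format shown on this page, and the path classification is an assumption for illustration.

```python
# Added example (not from the report): rebuild the injection chain and the COM persistence
# entry from the sandbox's "Description Indicator Process Target" rows shown above.
import re

# Constructed sample: rows copied from the behavioral1 Signatures tables (Setup.exe, PID 2972).
# Registry values are shown the way the report prints them, with doubled backslashes.
SAMPLE_LINES = r"""
PID 2972 set thread context of 2720 N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2972 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2972 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2720 wrote to memory of 2688 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe
PID 2688 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe C:\Windows\SysWOW64\WerFault.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "%SystemRoot%\\System32\\AUDIOENG.dll" C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe N/A
"""

# Row formats assumed from the tables on this page.
INJECT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
COM_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\'
    r'(?P<clsid>\{[0-9A-Fa-f-]+\})\\InprocServer32\\ = "(?P<server>[^"]+)" (?P<proc>\S+) N/A$'
)


def parse_events(text):
    """Split rows into cross-process memory events and InprocServer32 registrations."""
    injections, com_servers = [], []
    for line in text.splitlines():
        m = INJECT_RE.match(line)
        if m:
            injections.append(m.groupdict())
            continue
        m = COM_RE.match(line)
        if m:
            com_servers.append(m.groupdict())
    return injections, com_servers


def injection_chain(injections, root_pid):
    """Follow 'wrote to memory of' edges from root_pid; returns [(pid, image), ...]."""
    edges, images = {}, {}
    for ev in injections:
        images.setdefault(ev["src"], ev["src_img"])
        if ev["action"] == "wrote to memory of":
            edges.setdefault(ev["src"], {})[ev["dst"]] = ev["dst_img"]   # duplicates collapse
    chain = [(root_pid, images.get(root_pid, "?"))]
    pid, seen = root_pid, {root_pid}
    while pid in edges:
        # Follow the first unseen child; this report's tree does not branch.
        nxt = next(((c, img) for c, img in edges[pid].items() if c not in seen), None)
        if nxt is None:
            break
        chain.append(nxt)
        pid = nxt[0]
        seen.add(pid)
    return chain


def hollowing_candidates(injections):
    """A target that the same source both wrote into and SetThreadContext'ed.
    Writes alone (e.g. BvInputDiag.exe -> WerFault.exe) are ordinary process start-up."""
    wrote = {(e["src"], e["dst"]) for e in injections if e["action"] == "wrote to memory of"}
    ctx = {(e["src"], e["dst"], e["dst_img"])
           for e in injections if e["action"] == "set thread context of"}
    return {(dst, img) for src, dst, img in ctx if (src, dst) in wrote}


def classify_server_path(server):
    """Assumed triage rule: where the registered in-process server lives decides the follow-up."""
    path = server.replace("\\\\", "\\").lower()        # undo the report's backslash escaping
    if path.startswith(("%systemroot%", "%windir%", "c:\\windows")):
        return "system"          # verify the DLL on disk is the signed Microsoft file
    if "\\appdata\\" in path or "\\temp\\" in path or path.startswith(("%temp%", "%appdata%")):
        return "user-writable"   # COM server in a user-writable path: high-confidence hijack
    return "other"


def report(text, root_pid):
    injections, com_servers = parse_events(text)
    return {
        "chain": injection_chain(injections, root_pid),
        "hollowed": hollowing_candidates(injections),
        "com_servers": [(c["clsid"], c["server"], classify_server_path(c["server"]))
                        for c in com_servers],
    }


if __name__ == "__main__":
    r = report(SAMPLE_LINES, "2972")
    print(" -> ".join(f"{pid} {img.rsplit(chr(92), 1)[-1]}" for pid, img in r["chain"]))
    print("hollowing candidates:", r["hollowed"])
    for clsid, server, where in r["com_servers"]:
        print(f"COM persistence {clsid} -> {server} [{where}]")
```

The ThreadingModel row is deliberately in the sample and is ignored: only the InprocServer32 default value names a DLL, and that is the value to resolve and hash on the host.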

Processes

C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe

C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 148

Network

N/A

Files

memory/2972-0-0x0000000003D50000-0x0000000003F38000-memory.dmp

memory/2972-10-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2972-12-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2972-14-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2972-16-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2972-15-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2972-17-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2972-19-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2972-20-0x00000000048D0000-0x0000000004CCA000-memory.dmp

memory/2972-22-0x000007FEF6010000-0x000007FEF6168000-memory.dmp

memory/2972-37-0x000007FEF6010000-0x000007FEF6168000-memory.dmp

memory/2972-36-0x000007FEF6028000-0x000007FEF6029000-memory.dmp

memory/2972-38-0x000007FEF6010000-0x000007FEF6168000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\913ce289

MD5 714d0c393a78a6f8fa9d06d7575266cd
SHA1 1d4681d9b4b493a84500897cb5c7e72475bf1221
SHA256 b6497d1c1ff17840db86bdd1f1f39ca3854b73ef700ac82036647343e1a0754c
SHA512 7bd6bfb7143679431fd928f86b6204978d7c44771a49dc6f0bb92c13424a6f97a9779afc21690c590cd3a034315950fa1ee5e2e7ecee65158c72a281cd3ddc16

memory/2720-41-0x00000000773E0000-0x0000000077589000-memory.dmp

memory/2720-48-0x00000000736D0000-0x0000000073844000-memory.dmp

memory/2720-47-0x00000000736DE000-0x00000000736E0000-memory.dmp

memory/2720-43-0x00000000736D0000-0x0000000073844000-memory.dmp

\Users\Admin\AppData\Local\Temp\BvInputDiag.exe

MD5 3d754cfa4a5b2a3f19720550acf6d3cf
SHA1 e5c78edbd54e14a42258a6c223d2cf128530e1b6
SHA256 8e5e627881c8182bfbb64601c6f4f7b30ba950dfd10f638f404479406b2c03b8
SHA512 18db06443a718b8233ac9724e7f96310bf5841d2c980cd1d02e6fb6743e23acc13bd67fcd214b4c0650ac933f6f081759d699c73e14baf26ffc324c2b30f153b

memory/2688-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2688-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2720-52-0x00000000736D0000-0x0000000073844000-memory.dmp

memory/2688-54-0x00000000004F0000-0x0000000000C3B000-memory.dmp

memory/2688-59-0x00000000004F0000-0x0000000000C3B000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-environment-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-environment-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240426-en

Max time kernel

90s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-runtime-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\api-ms-win-crt-runtime-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-02 01:27

Reported

2024-05-02 01:31

Platform

win10v2004-20240419-en

Max time kernel

142s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\ComExtractor.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\ComExtractor.exe

"C:\Users\Admin\AppData\Local\Temp\#Frée-FɨLéŜ-!PằŜSwṟo͍d--63180\x64\ComExtractor.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A