Analysis Overview
SHA256
2baa36ebea1ad309fa1083845b0510d4ea439bd52463c67dc1376a722c2e9fbb
Threat Level: Known bad
The file 2baa36ebea1ad309fa1083845b0510d4ea439bd52463c67dc1376a722c2e9fbb.zip was found to be: Known bad.
Malicious Activity Summary
Remcos
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-19 08:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 08:51
Reported
2024-05-19 08:53
Platform
win7-20240221-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Remcos
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2580 set thread context of 2696 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe"
C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe" /VERYSILENT
C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
"C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe"
C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| NO | 195.54.170.36:22077 | | tcp |
| NO | 195.54.170.36:22077 | | tcp |
| NO | 195.54.170.36:22077 | | tcp |
| NO | 195.54.170.36:22077 | | tcp |
| NO | 195.54.170.36:22077 | | tcp |
| NO | 195.54.170.36:22077 | | tcp |
Files
memory/1444-0-0x00000000002D0000-0x00000000002D1000-memory.dmp
memory/1444-3-0x0000000000400000-0x0000000000712000-memory.dmp
\Users\Admin\AppData\Roaming\UniversalInstaller.exe
| MD5 | 9fb4770ced09aae3b437c1c6eb6d7334 |
| SHA1 | fe54b31b0db8665aa5b22bed147e8295afc88a03 |
| SHA256 | a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3 |
| SHA512 | 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256 |
memory/2372-20-0x0000000000400000-0x0000000000712000-memory.dmp
C:\Users\Admin\AppData\Roaming\relay.dll
| MD5 | 26f5bc7e93d04836018674ea346fcfc7 |
| SHA1 | 3b7d74663bfc45388c403d2b4e242df5ee18e8f0 |
| SHA256 | 2da4a73ab27ca87449151f119852b16280c64c8f7f4a1f3170a27875ae577163 |
| SHA512 | 7e59b552b3c4b1b5278ad65f2da91bae9e1e429863b8f629ee8522ef330fe0973bb5c52bc69c4cb0b2af92274c2630246403debc9596f211921ed91ba736d7b9 |
C:\Users\Admin\AppData\Roaming\nighttime.xlsx
| MD5 | 6c6f6a14e9d0a4a4cccf42c556fbd674 |
| SHA1 | 171078d45ebc27f5a8e448dc451d4f94947d82e5 |
| SHA256 | 3b5e6c71c2ffbfb6e2db0338d44df9c403aca7778f487543cc6a1cb07a9a21e3 |
| SHA512 | 8757f66f912ffb888229dbf9d21243dc14888bf21c401818e467d5d12865c7430c48fa0a9c5e6b96db3305f8413f2fe1200dcd9e9325839758a8c6ecac09477e |
C:\Users\Admin\AppData\Roaming\bigmouth.ai
| MD5 | 2006f33bd138198426dd0029bfb59d78 |
| SHA1 | b6331330a0ac4eec341c1c9eeb6f2f8cd202d1e4 |
| SHA256 | 33a2f64783b7ccd9f66145d9d7288bff62a4a89b5ee3c82f7f5fe8d1bf68581f |
| SHA512 | 9fd5b2280c80b953fa74a5e5a8278b85b229daca0dfce988d8dafa14bc6db8906811da3b4628f27336886de8495822a173c36a72cfd9b8a90fbd8327fed5b649 |
memory/3064-26-0x00000000740B0000-0x0000000074224000-memory.dmp
memory/3064-27-0x0000000076F10000-0x00000000770B9000-memory.dmp
C:\Users\Admin\AppData\Roaming\UIxMarketPlugin.dll
| MD5 | d1ba9412e78bfc98074c5d724a1a87d6 |
| SHA1 | 0572f98d78fb0b366b5a086c2a74cc68b771d368 |
| SHA256 | cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15 |
| SHA512 | 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f |
memory/2580-43-0x0000000073FC0000-0x0000000074134000-memory.dmp
memory/2580-44-0x0000000076F10000-0x00000000770B9000-memory.dmp
memory/2580-45-0x0000000073FC0000-0x0000000074134000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ae9afef0
| MD5 | 03589f8b75e953163cbb68744ecfba52 |
| SHA1 | 256eace1dc57506c05cbec4a52fc108e4d5c28f8 |
| SHA256 | 91ca0be2a18a0d47153f3a93986e1b3efe1a128a08fd8f6d75fe604a5d9867a4 |
| SHA512 | 0984bd32153df95be1c23026dfee28d4d47ebf538b8f1f2c5cea47030446bc0af617e5a6c3538018eddaaf4ef013ca00af1d98e53e7e8ba81829e412a7741681 |
memory/2696-48-0x0000000076F10000-0x00000000770B9000-memory.dmp
memory/2696-94-0x0000000073FC0000-0x0000000074134000-memory.dmp
memory/2168-96-0x0000000076F10000-0x00000000770B9000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 08:51
Reported
2024-05-19 08:53
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Remcos
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1568 set thread context of 4468 | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe"
C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe
"C:\Users\Admin\AppData\Local\Temp\CodeBlock-wallet_v1.3.1.exe" /VERYSILENT
C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
"C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe"
C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
C:\Users\Admin\AppData\Roaming\ruzNode_test\UniversalInstaller.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| NO | 195.54.170.36:22077 | | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| NO | 195.54.170.36:22077 | | tcp |
| NO | 195.54.170.36:22077 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NO | 195.54.170.36:22077 | | tcp |
| NO | 195.54.170.36:22077 | | tcp |
Files
memory/452-0-0x0000000000830000-0x0000000000831000-memory.dmp
memory/452-3-0x0000000000400000-0x0000000000712000-memory.dmp
memory/3948-5-0x0000000000820000-0x0000000000821000-memory.dmp
C:\Users\Admin\AppData\Roaming\UniversalInstaller.exe
| MD5 | 9fb4770ced09aae3b437c1c6eb6d7334 |
| SHA1 | fe54b31b0db8665aa5b22bed147e8295afc88a03 |
| SHA256 | a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3 |
| SHA512 | 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256 |
memory/3948-20-0x0000000000400000-0x0000000000712000-memory.dmp
C:\Users\Admin\AppData\Roaming\relay.dll
| MD5 | 26f5bc7e93d04836018674ea346fcfc7 |
| SHA1 | 3b7d74663bfc45388c403d2b4e242df5ee18e8f0 |
| SHA256 | 2da4a73ab27ca87449151f119852b16280c64c8f7f4a1f3170a27875ae577163 |
| SHA512 | 7e59b552b3c4b1b5278ad65f2da91bae9e1e429863b8f629ee8522ef330fe0973bb5c52bc69c4cb0b2af92274c2630246403debc9596f211921ed91ba736d7b9 |
C:\Users\Admin\AppData\Roaming\nighttime.xlsx
| MD5 | 6c6f6a14e9d0a4a4cccf42c556fbd674 |
| SHA1 | 171078d45ebc27f5a8e448dc451d4f94947d82e5 |
| SHA256 | 3b5e6c71c2ffbfb6e2db0338d44df9c403aca7778f487543cc6a1cb07a9a21e3 |
| SHA512 | 8757f66f912ffb888229dbf9d21243dc14888bf21c401818e467d5d12865c7430c48fa0a9c5e6b96db3305f8413f2fe1200dcd9e9325839758a8c6ecac09477e |
C:\Users\Admin\AppData\Roaming\bigmouth.ai
| MD5 | 2006f33bd138198426dd0029bfb59d78 |
| SHA1 | b6331330a0ac4eec341c1c9eeb6f2f8cd202d1e4 |
| SHA256 | 33a2f64783b7ccd9f66145d9d7288bff62a4a89b5ee3c82f7f5fe8d1bf68581f |
| SHA512 | 9fd5b2280c80b953fa74a5e5a8278b85b229daca0dfce988d8dafa14bc6db8906811da3b4628f27336886de8495822a173c36a72cfd9b8a90fbd8327fed5b649 |
memory/3736-25-0x0000000074600000-0x000000007477B000-memory.dmp
memory/3736-26-0x00007FFF68BB0000-0x00007FFF68DA5000-memory.dmp
C:\Users\Admin\AppData\Roaming\UIxMarketPlugin.dll
| MD5 | d1ba9412e78bfc98074c5d724a1a87d6 |
| SHA1 | 0572f98d78fb0b366b5a086c2a74cc68b771d368 |
| SHA256 | cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15 |
| SHA512 | 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f |
memory/1568-40-0x0000000074590000-0x000000007470B000-memory.dmp
memory/1568-41-0x00007FFF68BB0000-0x00007FFF68DA5000-memory.dmp
memory/1568-42-0x0000000074590000-0x000000007470B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ad8e0611
| MD5 | 316a23c9db64cdf058deb04d5cb6fe7a |
| SHA1 | f973c3256ec85a05a4118cb7363e5fb51d6f1429 |
| SHA256 | 125800a75afd70bee0202e147ebbf2843dbf4fe7ab6bda1227ecd5ad03d249c7 |
| SHA512 | e889ca550646ba91847d587ef0a26b316646203d87773faac1187de9f90fb18260da6cf641ade243fa88a76aba72857c14eb78b593e4576f968e4f5ba53450eb |
memory/4468-45-0x00007FFF68BB0000-0x00007FFF68DA5000-memory.dmp
memory/4468-47-0x0000000074590000-0x000000007470B000-memory.dmp
memory/964-49-0x00007FFF68BB0000-0x00007FFF68DA5000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-19 08:51
Reported
2024-05-19 08:53
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
103s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\devobj.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-19 08:51
Reported
2024-05-19 08:53
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lmhsvc.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-19 08:51
Reported
2024-05-19 08:53
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tzsyncres.dll,#1
Network