Analysis Overview
SHA256
15c60b9188ef2cc9228ea576732f3b60eac10ca6e39f8a39956bad5722176650
Threat Level: Known bad
The file Evon.zip was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Blocklisted process makes network request
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Checks installed software on the system
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Program crash
Command and Scripting Interpreter: PowerShell
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-21 15:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 15:09
Reported
2024-05-21 15:12
Platform
win10v2004-20240426-en
Max time kernel
63s
Max time network
64s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Evon.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\GetProtect.M2TS"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 15:09
Reported
2024-05-21 15:41
Platform
win10v2004-20240508-en
Max time kernel
1701s
Max time network
1162s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4988 set thread context of 4920 | N/A | C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4108 set thread context of 3896 | N/A | C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Setup\Scripts\ErrorHandler.cmd | C:\Users\Admin\AppData\Local\Temp\luajit.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"
C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
C:\Users\Admin\AppData\Local\Temp\luajit.exe
luajit.exe log
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc daily /st 13:39 /f /tn WindowsSetup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Register-ScheduledTask -TaskName 'Um9ibG94Nzk4' -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe') -Trigger (New-ScheduledTaskTrigger -At (Get-Date).AddMinutes(1) -Once) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable) -Force"
C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Users\Admin\AppData\Roaming\Lua\bin\lua.dll", init
C:\Windows\system32\rundll32.exe
rundll32 "C:\Users\Admin\AppData\Roaming\Lua\bin\lua.dll", init
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Register-ScheduledTask -TaskName 'Um9ibG94ODAw' -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe') -Trigger (New-ScheduledTaskTrigger -At (Get-Date).AddMinutes(1) -Once) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable) -Force"
C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe
C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe
C:\Users\Admin\AppData\Roaming\Roblox\Studio\Roblox.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-21 15:09
Reported
2024-05-21 15:42
Platform
win10v2004-20240426-en
Max time kernel
1381s
Max time network
1173s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\log
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-21 15:09
Reported
2024-05-21 15:44
Platform
win10v2004-20240426-en
Max time kernel
1388s
Max time network
1175s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 744 wrote to memory of 3808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lua51.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lua51.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3808 -ip 3808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 600
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-21 15:09
Reported
2024-05-21 15:44
Platform
win10v2004-20240508-en
Max time kernel
1721s
Max time network
1492s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\luajit.exe
"C:\Users\Admin\AppData\Local\Temp\luajit.exe"
Network