Analysis Overview
SHA256
a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f
Threat Level: Known bad
The file a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Detects executables referencing many email and collaboration clients. Observed in information stealers
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Detects executables built or packed with MPress PE compressor
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateThreadExHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 02:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 02:05
Reported
2024-05-22 02:08
Platform
win7-20240221-en
Max time kernel
150s
Max time network
131s
Command Line
Signatures
Guloader,Cloudeye
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many email and collaboration clients. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Tjenestetiders = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Moonblind\\Chokoladecigarerne.exe" | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
"C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe"
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
"C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe"
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe /stext "C:\Users\Admin\AppData\Local\Temp\opyytpnmjfcfmiplnxvzhp"
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe /stext "C:\Users\Admin\AppData\Local\Temp\ykdruhxnxnukwodpwhibrclxn"
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe /stext "C:\Users\Admin\AppData\Local\Temp\jmibvaihlvmxyuzbnkvcuhygvdez"
Network
| Country | Destination | Domain | Proto |
| BG | 194.59.31.149:80 | 194.59.31.149 | tcp |
| US | 8.8.8.8:53 | iwarsut775laudrye2.duckdns.org | udp |
| AU | 192.253.251.227:57484 | iwarsut775laudrye2.duckdns.org | tcp |
| AU | 192.253.251.227:57484 | iwarsut775laudrye2.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
\Users\Admin\AppData\Local\Temp\nso8336.tmp\System.dll
| MD5 | fc3772787eb239ef4d0399680dcc4343 |
| SHA1 | db2fa99ec967178cd8057a14a428a8439a961a73 |
| SHA256 | 9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed |
| SHA512 | 79e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89 |
C:\Users\Admin\Pictures\belejrernes.lnk
| MD5 | 7088c6359f22a1602c8e26f1c9e45abc |
| SHA1 | 0c941f500cba269cbca3712726892b5a353683ec |
| SHA256 | 5b1b37bb003f79cab91158e0254ae528aba45909da920876c419ac5bdb773a86 |
| SHA512 | 8f144af503cde1aec06292b6f192e11a9f2775c134e9683216b2783b86925ca2c036413a130fb00ce7af4a18ee2a294e20a98120fdacdb2b8b33625ffcc07961 |
memory/2256-291-0x0000000077201000-0x0000000077302000-memory.dmp
memory/2256-292-0x0000000077200000-0x00000000773A9000-memory.dmp
memory/2000-293-0x0000000077200000-0x00000000773A9000-memory.dmp
memory/2000-295-0x00000000004B0000-0x0000000001512000-memory.dmp
memory/2000-297-0x0000000001520000-0x0000000006D7F000-memory.dmp
memory/2436-302-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2376-308-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2436-307-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2496-306-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2436-305-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2496-304-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2496-303-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2376-310-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2376-313-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2496-312-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2436-311-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2376-309-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2376-314-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2436-320-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\opyytpnmjfcfmiplnxvzhp
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2496-325-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2000-326-0x0000000037720000-0x0000000037739000-memory.dmp
memory/2000-329-0x0000000037720000-0x0000000037739000-memory.dmp
memory/2000-330-0x0000000037720000-0x0000000037739000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 02:05
Reported
2024-05-22 02:08
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Guloader,Cloudeye
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many email and collaboration clients. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Tjenestetiders = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Moonblind\\Chokoladecigarerne.exe" | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
"C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe"
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
"C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe"
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe /stext "C:\Users\Admin\AppData\Local\Temp\utjxel"
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe /stext "C:\Users\Admin\AppData\Local\Temp\enoqedtly"
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe /stext "C:\Users\Admin\AppData\Local\Temp\ppuafvmnmhhp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| BG | 194.59.31.149:80 | 194.59.31.149 | tcp |
| US | 8.8.8.8:53 | iwarsut775laudrye2.duckdns.org | udp |
| US | 8.8.8.8:53 | 149.31.59.194.in-addr.arpa | udp |
| AU | 192.253.251.227:57484 | iwarsut775laudrye2.duckdns.org | tcp |
| US | 8.8.8.8:53 | 227.251.253.192.in-addr.arpa | udp |
| AU | 192.253.251.227:57484 | iwarsut775laudrye2.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\Pictures\belejrernes.lnk
| MD5 | faa0fcb80d5343263f469e8733354215 |
| SHA1 | 585955f30bc29b245140609efaafc7d3073b6c74 |
| SHA256 | 36d94b5eb10a503d6ba59d0332120e6e9b3632faa6caab597d856192a9b28dc0 |
| SHA512 | 7b9b63b692a57e7d77df6595d5f0d0cc9c05d360e969ede0e51a206deb88c410b602eff51e9b3cd527662f7ecefc98e14e2832b9b971bdba10f5b012f0b3352c |
C:\Users\Admin\AppData\Local\Temp\nsz4661.tmp\System.dll
| MD5 | fc3772787eb239ef4d0399680dcc4343 |
| SHA1 | db2fa99ec967178cd8057a14a428a8439a961a73 |
| SHA256 | 9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed |
| SHA512 | 79e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89 |
memory/2536-290-0x0000000077621000-0x0000000077741000-memory.dmp
memory/2536-291-0x0000000010004000-0x0000000010005000-memory.dmp
memory/3944-292-0x00000000776A8000-0x00000000776A9000-memory.dmp
memory/3944-293-0x0000000077621000-0x0000000077741000-memory.dmp
memory/3944-295-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-296-0x0000000077621000-0x0000000077741000-memory.dmp
memory/3944-298-0x00000000004E4000-0x00000000004E5000-memory.dmp
memory/3944-299-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-300-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-301-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-297-0x0000000001710000-0x0000000006F6F000-memory.dmp
memory/3944-302-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-303-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-304-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-305-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-307-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-308-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-309-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-310-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-311-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/4272-321-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4272-331-0x0000000000400000-0x0000000000424000-memory.dmp
memory/336-329-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4272-323-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4272-322-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3944-318-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/336-316-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4772-315-0x0000000000400000-0x0000000000478000-memory.dmp
memory/336-320-0x0000000000400000-0x0000000000462000-memory.dmp
memory/336-319-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4772-317-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4772-314-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4772-334-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3944-336-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-342-0x0000000038430000-0x0000000038449000-memory.dmp
memory/3944-341-0x0000000038430000-0x0000000038449000-memory.dmp
memory/3944-338-0x0000000038430000-0x0000000038449000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\utjxel
| MD5 | 135c60fadfa99b241d9109417db8b53c |
| SHA1 | b73785818a32e8d84bb55c02ccdc3d546a615526 |
| SHA256 | 01fc52f877352f6252d3d9351993fc35d7b6b0051ac6d3146184e12f9bc6e704 |
| SHA512 | 76812b91e51f1a206e3829b44cf13ee4cc4e5e90d88c0b0b3755b1e092eee26e6a4b18ef038a311a9443dab138761ff45fdd18145931207764c2355047611f51 |
memory/3944-343-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-344-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-345-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-346-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-347-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-348-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-349-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-350-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-351-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-352-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-354-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-355-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-356-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-357-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-358-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-359-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-360-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-361-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-362-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-363-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-364-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-365-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-366-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-368-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-369-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-370-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-371-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-372-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-373-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-374-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-375-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-377-0x0000000077621000-0x0000000077741000-memory.dmp
memory/3944-379-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-380-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-381-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-382-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-383-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-384-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-385-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-386-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-388-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-389-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-390-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-391-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-392-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-393-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-394-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-395-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-396-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-397-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-398-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-399-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-400-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-401-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-402-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-403-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-404-0x00000000004B0000-0x0000000001704000-memory.dmp
memory/3944-405-0x00000000004B0000-0x0000000001704000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-22 02:05
Reported
2024-05-22 02:08
Platform
win7-20231129-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 224
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-22 02:05
Reported
2024-05-22 02:08
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
103s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1672 wrote to memory of 1220 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1672 wrote to memory of 1220 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1672 wrote to memory of 1220 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1220 -ip 1220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |