Analysis Overview
SHA256
8bee452d2535953e7ad9d18fffacbef60560fc05647c735ef55393c0869b673d
Threat Level: Known bad
The file 8bee452d2535953e7ad9d18fffacbef60560fc05647c735ef55393c0869b673d.zip was found to be: Known bad.
Malicious Activity Summary
Amadey
Stealc
xmrig
Vidar
Detect Vidar Stealer
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detects executables manipulated with Fody
XMRig Miner payload
UPX dump on OEP (original entry point)
Detects executables containing potential Windows Defender anti-emulation checks
Detects Windows executables referencing non-Windows User-Agents
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Detect binaries embedding considerable number of MFA browser extension IDs.
UPX packed file
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Accesses cryptocurrency files/wallets, possible credential harvesting
Downloads MZ/PE file
Checks computer location settings
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Checks installed software on the system
Program crash
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Delays execution with timeout.exe
Checks processor information in registry
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 01:32
Signatures
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win7-20240221-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\files\x86\NvStereoUtilityOGL_[1MB]_[1].exe
"C:\Users\Admin\AppData\Local\Temp\files\x86\NvStereoUtilityOGL_[1MB]_[1].exe"
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
52s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-string-l1-1-0.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240611-en
Max time kernel
143s
Max time network
130s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\TypeLib\ = "{A15A1C00-9788-44D9-AA0A-723F170887CF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\files\\ptusredt.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder\CLSID\ = "{E8D0CE8D-BC70-4025-978F-E86068362730}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder\CurVer\ = "UserEditHelp.UserNameHolder.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\ = "UserNameHolder Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\files\\ptusredt.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\ = "UserEditHelp 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\files" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder.1\ = "UserNameHolder Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder.1\CLSID\ = "{E8D0CE8D-BC70-4025-978F-E86068362730}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\VersionIndependentProgID\ = "UserEditHelp.UserNameHolder" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder\ = "UserNameHolder Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\ProgID\ = "UserEditHelp.UserNameHolder.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4528 wrote to memory of 4872 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4528 wrote to memory of 4872 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4528 wrote to memory of 4872 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\files\ptusredt.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\files\ptusredt.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win7-20240611-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\msvcp140.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\msvcp140.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 220
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win7-20240611-en
Max time kernel
142s
Max time network
118s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing potential Windows Defender anti-emulation checks
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2108 set thread context of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\files\Setup.exe | C:\Windows\SysWOW64\more.com |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CUF.au3 | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\CUF.au3 |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl | C:\Users\Admin\AppData\Local\Temp\files\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\files\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\files\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\files\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\files\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\files\Setup.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\files\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\files\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Users\Admin\AppData\Local\Temp\CUF.au3
C:\Users\Admin\AppData\Local\Temp\CUF.au3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 148
Network
Files
memory/2108-0-0x0000000000460000-0x0000000000461000-memory.dmp
memory/2108-1-0x0000000076EC0000-0x0000000077069000-memory.dmp
memory/2108-11-0x0000000073331000-0x0000000073343000-memory.dmp
memory/2108-10-0x0000000073342000-0x0000000073344000-memory.dmp
memory/2108-13-0x0000000073331000-0x0000000073343000-memory.dmp
memory/2304-14-0x0000000073330000-0x00000000734A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8ec972f6
| MD5 | e1d87140d0b83ec4bbf66357d80962b6 |
| SHA1 | 4fed77ee63c955f3fd71e57245c24a0c0d2e65ce |
| SHA256 | 33e0af0e55b4072f342c53d4dcc947b9af4b4af231e6561513258018348da165 |
| SHA512 | 7d068007443d83b0e59555da4e7794cc0313fac1f93b018a4f4c29483eea8e1eb9a604272339e6b046c3c0e63b32357ecd1543662241bcbfdc5d48fed74109cd |
memory/2304-16-0x0000000076EC0000-0x0000000077069000-memory.dmp
memory/2304-18-0x0000000073330000-0x00000000734A4000-memory.dmp
\Users\Admin\AppData\Local\Temp\CUF.au3
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/2304-22-0x0000000073330000-0x00000000734A4000-memory.dmp
memory/2780-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2780-24-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2304-26-0x0000000073330000-0x00000000734A4000-memory.dmp
memory/2780-28-0x00000000006F0000-0x0000000000E3B000-memory.dmp
memory/2780-35-0x00000000006F0000-0x0000000000E3B000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win7-20240611-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1916 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\wbxtrace.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\wbxtrace.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\files\x86\HDHelper_[0MB]_[1].exe
"C:\Users\Admin\AppData\Local\Temp\files\x86\HDHelper_[0MB]_[1].exe"
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win7-20240419-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\files\x86\VSLauncher_[0MB]_[1].exe
"C:\Users\Admin\AppData\Local\Temp\files\x86\VSLauncher_[0MB]_[1].exe"
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240611-en
Max time kernel
136s
Max time network
132s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-crt-conio-l1-1-0.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win7-20240611-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder\ = "UserNameHolder Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder\CurVer\ = "UserEditHelp.UserNameHolder.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\ = "UserNameHolder Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\ProgID\ = "UserEditHelp.UserNameHolder.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\TypeLib\ = "{A15A1C00-9788-44D9-AA0A-723F170887CF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\files\\ptusredt.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\VersionIndependentProgID\ = "UserEditHelp.UserNameHolder" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\ = "UserEditHelp 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder\CLSID\ = "{E8D0CE8D-BC70-4025-978F-E86068362730}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\files\\ptusredt.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\files" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder.1\ = "UserNameHolder Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder.1\CLSID\ = "{E8D0CE8D-BC70-4025-978F-E86068362730}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2400 wrote to memory of 1644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2400 wrote to memory of 1644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2400 wrote to memory of 1644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2400 wrote to memory of 1644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2400 wrote to memory of 1644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2400 wrote to memory of 1644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2400 wrote to memory of 1644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\files\ptusredt.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\files\ptusredt.dll
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win7-20240508-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1452 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1452 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1452 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1452 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1452 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1452 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1452 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\WCLDll.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\WCLDll.dll,#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win7-20240508-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2548 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2548 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2548 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2548 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2548 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2548 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2548 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140_app.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140_app.dll,#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\files\x86\HDHelper_[0MB]_[1].exe
"C:\Users\Admin\AppData\Local\Temp\files\x86\HDHelper_[0MB]_[1].exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240611-en
Max time kernel
135s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\files\x86\NvStereoUtilityOGL_[1MB]_[1].exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\files\x86\NvStereoUtilityOGL_[1MB]_[1].exe |
Processes
C:\Users\Admin\AppData\Local\Temp\files\x86\NvStereoUtilityOGL_[1MB]_[1].exe
"C:\Users\Admin\AppData\Local\Temp\files\x86\NvStereoUtilityOGL_[1MB]_[1].exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4028 -ip 4028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4028 -ip 4028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 560
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3776,i,3833046924978547022,12404847742964713612,262144 --variations-seed-version --mojo-platform-channel-handle=4228 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-profile-l1-1-0.dll,#1
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
143s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-sysinfo-l1-1-0.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2548 wrote to memory of 2356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2548 wrote to memory of 2356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2548 wrote to memory of 2356 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\msvcp140.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\msvcp140.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2356 -ip 2356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 604
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 13.107.253.67:443 | tcp | |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 220
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240611-en
Max time kernel
141s
Max time network
104s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-synch-l1-1-0.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
54s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-synch-l1-2-0.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Amadey
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
xmrig
Detect binaries embedding considerable number of MFA browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing potential Windows Defender anti-emulation checks
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables manipulated with Fody
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CUF.au3 | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2160 set thread context of 3700 | N/A | C:\Users\Admin\AppData\Local\Temp\files\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 3780 set thread context of 1852 | N/A | C:\ProgramData\DBGHJEBKJE.exe | C:\Windows\SysWOW64\ftp.exe |
| PID 2488 set thread context of 1124 | N/A | C:\ProgramData\DBKEHDGDGH.exe | C:\Windows\SysWOW64\ftp.exe |
| PID 1124 set thread context of 1080 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
| PID 1080 set thread context of 4084 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe |
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Watcher Com SH.job | C:\Windows\SysWOW64\ftp.exe | N/A |
| File created | C:\Windows\Tasks\TWI Cloud Host.job | C:\Windows\SysWOW64\ftp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\DBGHJEBKJE.exe | N/A |
| N/A | N/A | C:\ProgramData\DBKEHDGDGH.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CUF.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CUF.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CUF.au3 | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\CUF.au3 | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl | C:\Users\Admin\AppData\Local\Temp\files\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\files\Setup.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\CUF.au3 | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\CUF.au3 | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\files\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\files\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CUF.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CUF.au3 | N/A |
| N/A | N/A | C:\ProgramData\DBGHJEBKJE.exe | N/A |
| N/A | N/A | C:\ProgramData\DBGHJEBKJE.exe | N/A |
| N/A | N/A | C:\ProgramData\DBKEHDGDGH.exe | N/A |
| N/A | N/A | C:\ProgramData\DBKEHDGDGH.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CUF.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CUF.au3 | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\files\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\ProgramData\DBGHJEBKJE.exe | N/A |
| N/A | N/A | C:\ProgramData\DBKEHDGDGH.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\files\Setup.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\files\Setup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\files\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Users\Admin\AppData\Local\Temp\CUF.au3
C:\Users\Admin\AppData\Local\Temp\CUF.au3
C:\ProgramData\DBGHJEBKJE.exe
"C:\ProgramData\DBGHJEBKJE.exe"
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\ftp.exe
C:\ProgramData\DBKEHDGDGH.exe
"C:\ProgramData\DBKEHDGDGH.exe"
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BGDAAEHDHIIJ" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | poocoin.online | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| US | 8.8.8.8:53 | 18.53.55.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| US | 8.8.8.8:53 | businessdownloads.ltd | udp |
| US | 104.21.16.123:443 | businessdownloads.ltd | tcp |
| US | 8.8.8.8:53 | 123.16.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| US | 8.8.8.8:53 | i.imgur.com | udp |
| US | 199.232.196.193:443 | i.imgur.com | tcp |
| US | 8.8.8.8:53 | 193.196.232.199.in-addr.arpa | udp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| DE | 162.55.53.18:9000 | 162.55.53.18 | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 135.181.22.88:80 | 135.181.22.88 | tcp |
| US | 8.8.8.8:53 | 88.22.181.135.in-addr.arpa | udp |
| FI | 65.109.127.181:3333 | tcp | |
| US | 8.8.8.8:53 | proresupdate.com | udp |
| US | 45.152.112.146:80 | proresupdate.com | tcp |
| US | 8.8.8.8:53 | 146.112.152.45.in-addr.arpa | udp |
| FI | 65.109.127.181:3333 | tcp | |
| FI | 65.109.127.181:3333 | tcp | |
| FI | 65.109.127.181:3333 | tcp | |
| FI | 65.109.127.181:3333 | tcp | |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
memory/2160-0-0x0000000073A70000-0x0000000073BEB000-memory.dmp
memory/2160-1-0x00007FFCBAC30000-0x00007FFCBAE25000-memory.dmp
memory/2160-11-0x0000000073A70000-0x0000000073BEB000-memory.dmp
memory/2160-10-0x0000000073A82000-0x0000000073A84000-memory.dmp
memory/2160-12-0x0000000073A70000-0x0000000073BEB000-memory.dmp
memory/3700-14-0x0000000073A70000-0x0000000073BEB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9e3a3507
| MD5 | 3580f7f7dfcbe541692a7d64ff370339 |
| SHA1 | 9d973563a8917462062da1e62e509ea66c990dfa |
| SHA256 | de2690431d7a8982839e0c40cc4051d49378e6f750269d5dfb397a5345193b47 |
| SHA512 | a0ef879fde86359d86a653af9bee94b58597bb2022e70fc4f09ed74d2aa346a89fe6712baaafee31c7c8d7cd84350fad9dbf5a75952458bcebebc5ce7d9ee77c |
memory/3700-16-0x00007FFCBAC30000-0x00007FFCBAE25000-memory.dmp
memory/3700-18-0x0000000073A70000-0x0000000073BEB000-memory.dmp
memory/3700-20-0x0000000073A70000-0x0000000073BEB000-memory.dmp
memory/3700-24-0x0000000073A70000-0x0000000073BEB000-memory.dmp
memory/4516-26-0x0000000001200000-0x000000000194B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CUF.au3
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/4516-28-0x00007FFCBAC30000-0x00007FFCBAE25000-memory.dmp
memory/4516-38-0x0000000001200000-0x000000000194B000-memory.dmp
memory/4516-41-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/4516-60-0x0000000001200000-0x000000000194B000-memory.dmp
C:\ProgramData\BGDAAEHDHIIJ\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\BGDAAEHDHIIJ\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/4516-116-0x0000000001200000-0x000000000194B000-memory.dmp
C:\ProgramData\DBGHJEBKJE.exe
| MD5 | 6cfddd5ce9ca4bb209bd5d8c2cd80025 |
| SHA1 | 424da82e9edbb6b39a979ab97d84239a1d67c48b |
| SHA256 | 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7 |
| SHA512 | d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8 |
memory/3780-130-0x00000000008F0000-0x0000000000E03000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e66f7ae9
| MD5 | 8d443e7cb87cacf0f589ce55599e008f |
| SHA1 | c7ff0475a3978271e0a8417ac4a826089c083772 |
| SHA256 | e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a |
| SHA512 | c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5 |
memory/3780-136-0x00000000727F0000-0x000000007296B000-memory.dmp
memory/3780-137-0x00007FFCBAC30000-0x00007FFCBAE25000-memory.dmp
C:\ProgramData\DBKEHDGDGH.exe
| MD5 | daaff76b0baf0a1f9cec253560c5db20 |
| SHA1 | 0311cf0eeb4beddd2c69c6e97462595313a41e78 |
| SHA256 | 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c |
| SHA512 | 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3 |
memory/2488-148-0x00000000008B0000-0x0000000000AF8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eee3e429
| MD5 | c62f812e250409fbd3c78141984270f2 |
| SHA1 | 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806 |
| SHA256 | d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8 |
| SHA512 | 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092 |
memory/2488-154-0x00000000727F0000-0x000000007296B000-memory.dmp
memory/2488-155-0x00007FFCBAC30000-0x00007FFCBAE25000-memory.dmp
memory/4516-163-0x0000000001200000-0x000000000194B000-memory.dmp
memory/4516-164-0x0000000001200000-0x000000000194B000-memory.dmp
memory/3780-165-0x00000000727F0000-0x000000007296B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e8881e54
| MD5 | 26e1ae64df91bf978c857d2cf472c939 |
| SHA1 | 2cc616bd9b1c7dc24b8ce09f28b4742d3b8259d2 |
| SHA256 | b51b908b2677937966747d7d9918ad7cdf605413ee05d851f79ab8b0709e71ed |
| SHA512 | 527a2159431c58028e870968ff3571b4315955a1e6172ebf435ba286d3a6f251ada9a85c795ef3abec41ecc86cddb3e5801166099be3d62a4c33ee086ef38251 |
memory/2488-168-0x00000000727F0000-0x000000007296B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\f1c8f740
| MD5 | d0f9bff531c4ac1a88b4282f41d53418 |
| SHA1 | f52b9f60631389042ce6ebfa7b199298ee93b82e |
| SHA256 | 0b48969ba80a746ec2bc16acc34df69129f6a45ccd2615dc51853406fc7d6303 |
| SHA512 | 1508aecab18733ae113209940432b3334eaf02dac828cc88bb80057e1f5ebb3885a1f4de59fabfc786089914d981332be969bebd6c8e9c3a366ed8117e5f160b |
memory/1852-177-0x00007FFCBAC30000-0x00007FFCBAE25000-memory.dmp
memory/4516-183-0x0000000001200000-0x000000000194B000-memory.dmp
memory/4516-186-0x0000000001200000-0x000000000194B000-memory.dmp
memory/1124-187-0x00007FFCBAC30000-0x00007FFCBAE25000-memory.dmp
memory/1852-188-0x00000000727F0000-0x000000007296B000-memory.dmp
C:\ProgramData\BGDAAEHDHIIJ\VCRUNT~1.DLL
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
C:\ProgramData\BGDAAEHDHIIJ\softokn3.dll
| MD5 | 4e52d739c324db8225bd9ab2695f262f |
| SHA1 | 71c3da43dc5a0d2a1941e874a6d015a071783889 |
| SHA256 | 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a |
| SHA512 | 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6 |
C:\ProgramData\BGDAAEHDHIIJ\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
memory/1852-203-0x00000000727F0000-0x000000007296B000-memory.dmp
memory/1080-207-0x00007FFC99D30000-0x00007FFC9B3A7000-memory.dmp
memory/3108-210-0x00007FFCBAC30000-0x00007FFCBAE25000-memory.dmp
memory/1080-211-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3108-212-0x0000000000300000-0x0000000000371000-memory.dmp
memory/4084-216-0x0000000140000000-0x00000001407DC000-memory.dmp
memory/4084-220-0x0000022EC0090000-0x0000022EC00B0000-memory.dmp
memory/4084-219-0x0000000140000000-0x00000001407DC000-memory.dmp
memory/4084-218-0x0000000140000000-0x00000001407DC000-memory.dmp
memory/4084-221-0x0000000140000000-0x00000001407DC000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4388 wrote to memory of 3104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4388 wrote to memory of 3104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4388 wrote to memory of 3104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140_app.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140_app.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3104 -ip 3104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 604
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240611-en
Max time kernel
139s
Max time network
126s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4704 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4704 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4704 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\WCLDll.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\WCLDll.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
52s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-timezone-l1-1-0.dll,#1
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240611-en
Max time kernel
144s
Max time network
128s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-util-l1-1-0.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240611-en
Max time kernel
146s
Max time network
130s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4496 wrote to memory of 4836 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4496 wrote to memory of 4836 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4496 wrote to memory of 4836 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\ptMgr.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\ptMgr.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4836 -ip 4836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 736
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240508-en
Max time kernel
80s
Max time network
104s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3964 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3964 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3964 wrote to memory of 2924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\vcruntime140.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2924 -ip 2924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.43:443 | tcp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1616 wrote to memory of 2972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1616 wrote to memory of 2972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1616 wrote to memory of 2972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\wbxtrace.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\wbxtrace.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\files\x86\VSLauncher_[0MB]_[1].exe
"C:\Users\Admin\AppData\Local\Temp\files\x86\VSLauncher_[0MB]_[1].exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-processthreads-l1-1-1.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.234:443 | tcp | |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win10v2004-20240611-en
Max time kernel
135s
Max time network
128s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\x86\api-ms-win-core-rtlsupport-l1-1-0.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1296,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-20 01:32
Reported
2024-06-20 01:35
Platform
win7-20240508-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2904 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2904 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2904 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2904 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2904 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2904 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2904 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\ptMgr.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\ptMgr.dll,#1