Analysis Overview
SHA256
4566ae83ab0b869ba3d80e69966e7b296126ef28d9d5fe2e6c00b6a95ac3325d
Threat Level: Known bad
The file 4566ae83ab0b869ba3d80e69966e7b296126ef28d9d5fe2e6c00b6a95ac3325d was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Lumma Stealer
Downloads MZ/PE file
Checks computer location settings
Drops startup file
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Enumerates processes with tasklist
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 10:07
Signatures
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win7-20240705-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1856 wrote to memory of 2092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1856 wrote to memory of 2092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1856 wrote to memory of 2092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\desktop_multi_window_plugin.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1856 -s 224
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win7-20240708-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3032 wrote to memory of 2772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 3032 wrote to memory of 2772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 3032 wrote to memory of 2772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_windows.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3032 -s 204
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win7-20240708-en
Max time kernel
16s
Max time network
17s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2552 wrote to memory of 1920 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2552 wrote to memory of 1920 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2552 wrote to memory of 1920 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\screen_retriever_plugin.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2552 -s 204
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:11
Platform
win10v2004-20240704-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\uni_links_desktop_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win7-20240705-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2660 wrote to memory of 2680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2660 wrote to memory of 2680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2660 wrote to memory of 2680 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\url_launcher_windows_plugin.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2660 -s 224
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win10v2004-20240704-en
Max time kernel
93s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\url_launcher_windows_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win7-20240705-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3056 wrote to memory of 1500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 3056 wrote to memory of 1500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 3056 wrote to memory of 1500 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\window_size_plugin.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3056 -s 204
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win7-20240705-en
Max time kernel
122s
Max time network
130s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2560 set thread context of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\1ASPX.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ASPX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ASPX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ASPX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1ASPX.exe
"C:\Users\Admin\AppData\Local\Temp\1ASPX.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
Files
memory/2560-0-0x000007FEFDC90000-0x000007FEFDE67000-memory.dmp
memory/2560-15-0x000007FEFDCA8000-0x000007FEFDCA9000-memory.dmp
memory/2560-16-0x000007FEFDC90000-0x000007FEFDE67000-memory.dmp
memory/2560-20-0x000007FEFDC90000-0x000007FEFDE67000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8294f635
| MD5 | 57e1c1921a6c02647a6b75ad25bb3cf2 |
| SHA1 | f52c1fe1e714cdfa311677d4d0b0d92c90737bbd |
| SHA256 | 10235e28e5487413afe24b38c553bd72576aeaa8ee4de3426bc9a6ed766b006e |
| SHA512 | 3310b4e0d976496f72c4e980b09c7bbf50f084c1db74fe652d0535748fdeedcb2947104867fa0fb0baeb7dd3f8a634389102fa1cfbaf19c73903228772e00758 |
memory/1628-21-0x00000000779A0000-0x0000000077B49000-memory.dmp
memory/1628-23-0x000000007588E000-0x0000000075890000-memory.dmp
memory/1628-22-0x0000000075880000-0x0000000075A1D000-memory.dmp
memory/1628-24-0x0000000075880000-0x0000000075A1D000-memory.dmp
memory/1628-26-0x0000000075880000-0x0000000075A1D000-memory.dmp
memory/2712-27-0x00000000779A0000-0x0000000077B49000-memory.dmp
memory/2712-28-0x0000000000400000-0x0000000000450000-memory.dmp
memory/2712-29-0x00000000004BD000-0x00000000004C5000-memory.dmp
memory/2712-30-0x0000000000400000-0x0000000000450000-memory.dmp
memory/1628-31-0x000000007588E000-0x0000000075890000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win7-20240708-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_gpu_texture_renderer_plugin.dll,#1
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win7-20240705-en
Max time kernel
16s
Max time network
17s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\uni_links_desktop_plugin.dll,#1
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win10v2004-20240704-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\window_size_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win10v2004-20240704-en
Max time kernel
146s
Max time network
162s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\file_selector_windows_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win10v2004-20240704-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_custom_cursor_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win10v2004-20240704-en
Max time kernel
92s
Max time network
105s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_gpu_texture_renderer_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win10v2004-20240704-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\window_manager_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win7-20240704-en
Max time kernel
9s
Max time network
16s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2544 wrote to memory of 2292 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2544 wrote to memory of 2292 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2544 wrote to memory of 2292 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_custom_cursor_plugin.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2544 -s 200
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win10v2004-20240704-en
Max time kernel
93s
Max time network
97s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_windows.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win10v2004-20240704-en
Max time kernel
106s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\screen_retriever_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win7-20240708-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 292 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 292 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 292 wrote to memory of 2052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\desktop_drop_plugin.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 292 -s 224
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win10v2004-20240704-en
Max time kernel
92s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\desktop_drop_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win10v2004-20240704-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\desktop_multi_window_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win7-20240705-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2988 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2988 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2988 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\file_selector_windows_plugin.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2988 -s 224
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win7-20240708-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2532 wrote to memory of 2700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2532 wrote to memory of 2700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2532 wrote to memory of 2700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\texture_rgba_renderer_plugin.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2532 -s 204
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win7-20240704-en
Max time kernel
12s
Max time network
19s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2456 wrote to memory of 1800 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2456 wrote to memory of 1800 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2456 wrote to memory of 1800 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\window_manager_plugin.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2456 -s 232
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win10v2004-20240708-en
Max time kernel
93s
Max time network
96s
Command Line
Signatures
Lumma Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 996 created 3388 | N/A | C:\Users\Admin\AppData\Local\Temp\64684\Run.pif | C:\Windows\Explorer.EXE |
| PID 996 created 3388 | N/A | C:\Users\Admin\AppData\Local\Temp\64684\Run.pif | C:\Windows\Explorer.EXE |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VRCBPS5YWFFTJVXU57TK86GN8SW10T.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DolphinLogix.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DolphinLogix.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VRCBPS5YWFFTJVXU57TK86GN8SW10T.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64684\Run.pif | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5108 set thread context of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\1ASPX.exe | C:\Windows\SysWOW64\more.com |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ASPX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64684\Run.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64684\Run.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64684\Run.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64684\Run.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64684\Run.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64684\Run.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\1ASPX.exe
"C:\Users\Admin\AppData\Local\Temp\1ASPX.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Users\Admin\AppData\Local\Temp\VRCBPS5YWFFTJVXU57TK86GN8SW10T.exe
"C:\Users\Admin\AppData\Local\Temp\VRCBPS5YWFFTJVXU57TK86GN8SW10T.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Pushing Pushing.cmd & Pushing.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 64684
C:\Windows\SysWOW64\findstr.exe
findstr /V "houseslegislationcivilianscientific" Corners
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Refresh + Host + Exists + Homeland + Wayne + Might 64684\x
C:\Users\Admin\AppData\Local\Temp\64684\Run.pif
64684\Run.pif 64684\x
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Pt" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraSoft Dynamics\DolphinLogix.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DolphinLogix.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraSoft Dynamics\DolphinLogix.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DolphinLogix.url" & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Pt" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraSoft Dynamics\DolphinLogix.js'" /sc minute /mo 5 /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | timetablepdodwp.shop | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 8.8.8.8:53 | 125.66.21.104.in-addr.arpa | udp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 8.8.8.8:53 | webtime.site | udp |
| US | 172.67.222.142:443 | webtime.site | tcp |
| US | 8.8.8.8:53 | 142.222.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ieMODxkhNMrCbJWxGjU.ieMODxkhNMrCbJWxGjU | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/5108-0-0x00007FFCD2B00000-0x00007FFCD2F72000-memory.dmp
memory/5108-15-0x00007FFCD2B18000-0x00007FFCD2B19000-memory.dmp
memory/5108-16-0x00007FFCD2B00000-0x00007FFCD2F72000-memory.dmp
memory/5108-17-0x00007FFCD2B00000-0x00007FFCD2F72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\db081906
| MD5 | 48de55e8cc39fc0545c7d2700ea09a22 |
| SHA1 | 4d494296c983c0c2fbe1b898f9e380425c29da2b |
| SHA256 | ed3be347ef91f09bbedde7500534c20b1256a086421b17f23af36c7b9ec1766c |
| SHA512 | 66d8f7b99ed61241caac68e6be829f91c3b9306ff2abbe5ea8b3460dffb3995e78d783830dc9bab08dd1a60bd95ec7d6463e8e70ad5e2206e8aeb3c4e37efb23 |
memory/3764-20-0x00007FFCD4230000-0x00007FFCD4425000-memory.dmp
memory/3764-21-0x0000000077400000-0x000000007783C000-memory.dmp
memory/2924-23-0x00007FFCD4230000-0x00007FFCD4425000-memory.dmp
memory/2924-24-0x00000000008A0000-0x00000000008F0000-memory.dmp
memory/2924-27-0x00000000008A0000-0x00000000008F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VRCBPS5YWFFTJVXU57TK86GN8SW10T.exe
| MD5 | 1dafe32d796bacf91fa5d16621994f06 |
| SHA1 | a2475aede47eb82a0b1d53bfff4ee0652dc21713 |
| SHA256 | b734d4460d675cf22a8059bd4ad036361e528ad7a14d877e657053746d4ef156 |
| SHA512 | 19d3c8660b62c0ed267c610dc55351cfe0ee7bd3fcf70c346511a16dbf6fdbf5ab8440ca0637a64d9e401e113eae60de9050fe7b0797ff0b4913e8f4b4b6912c |
memory/2924-32-0x00000000008A0000-0x00000000008F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Pushing
| MD5 | f32d10ac89424e8d8658ff3b481c07c8 |
| SHA1 | e9718a08c8660e86bed522c616b0868cc4c1f61c |
| SHA256 | 6affa8644e677b6e7d9923cb78189be774ee32e7d12cde4b402344dea79fd2e7 |
| SHA512 | 01d281476c3ff1ddb3668c078f36e38b3dccdf4a1578fdc9678ca29a1970b4cba3dc74f061ea9605d393bf76a8af7b8bea16ca61b199eb72439d1196ee42dce2 |
C:\Users\Admin\AppData\Local\Temp\Corners
| MD5 | aad158effe372d5837b2b738055804bd |
| SHA1 | adbfe2d61f2d90f2ce35b2a7c928af07e71f3ed6 |
| SHA256 | e4e93bd0761633cd2c2d266863a1965ecf82a205fe92d768deb11760b4c3aae3 |
| SHA512 | 40546538a490c49613b8d2766358214252f6cf519624330df63ac988b3f1f9a8039e4ef2b82fff4327c804120b677fa0294c7215a4badbae904e86915aa76481 |
C:\Users\Admin\AppData\Local\Temp\Catalogue
| MD5 | 9cc3b140ecdd745ef5c04fe4d4be8c3f |
| SHA1 | 8a2d1d56da65f4b7a81693cc96cf051923e1fc16 |
| SHA256 | 491fccac80459a7b8f445224dfd2be4973678821f57b9981be0751914c28587f |
| SHA512 | cbd14f2fb30cd4797e4b9ed280dc8c961642282194d21562decad3aa6e5fd2c0e6fc021f5f022a5d2d708920cdad4fe114969b83c06c5fd8068b3a9e7d131fe8 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-07-09 10:07
Reported
2024-07-09 10:10
Platform
win10v2004-20240704-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\texture_rgba_renderer_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |