Malware Analysis Report

2024-11-30 05:37

Sample ID 240709-l5xjvayakk
Target 4566ae83ab0b869ba3d80e69966e7b296126ef28d9d5fe2e6c00b6a95ac3325d
SHA256 4566ae83ab0b869ba3d80e69966e7b296126ef28d9d5fe2e6c00b6a95ac3325d
Tags
lumma spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

4566ae83ab0b869ba3d80e69966e7b296126ef28d9d5fe2e6c00b6a95ac3325d

Threat Level: Known bad

The file 4566ae83ab0b869ba3d80e69966e7b296126ef28d9d5fe2e6c00b6a95ac3325d was found to be: Known bad.

Malicious Activity Summary

lumma spyware stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Lumma Stealer

Downloads MZ/PE file

Checks computer location settings

Drops startup file

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Enumerates processes with tasklist

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious use of SendNotifyMessage

Analysis: static1

Detonation Overview

Reported

2024-07-09 10:07

Signatures

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win7-20240705-en

Max time kernel

122s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\desktop_multi_window_plugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 2092 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1856 wrote to memory of 2092 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1856 wrote to memory of 2092 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\desktop_multi_window_plugin.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1856 -s 224

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win7-20240708-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_windows.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3032 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3032 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_windows.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3032 -s 204

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win7-20240708-en

Max time kernel

16s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\screen_retriever_plugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 1920 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2552 wrote to memory of 1920 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2552 wrote to memory of 1920 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\screen_retriever_plugin.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2552 -s 204

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:11

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\uni_links_desktop_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\uni_links_desktop_plugin.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win7-20240705-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\url_launcher_windows_plugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 2680 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2660 wrote to memory of 2680 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2660 wrote to memory of 2680 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\url_launcher_windows_plugin.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2660 -s 224

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win10v2004-20240704-en

Max time kernel

93s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\url_launcher_windows_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\url_launcher_windows_plugin.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win7-20240705-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\window_size_plugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 1500 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3056 wrote to memory of 1500 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3056 wrote to memory of 1500 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\window_size_plugin.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3056 -s 204

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win7-20240705-en

Max time kernel

122s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ASPX.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2560 set thread context of 1628 N/A C:\Users\Admin\AppData\Local\Temp\1ASPX.exe C:\Windows\SysWOW64\more.com

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ASPX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ASPX.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ASPX.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1ASPX.exe

"C:\Users\Admin\AppData\Local\Temp\1ASPX.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

N/A

Files

memory/2560-0-0x000007FEFDC90000-0x000007FEFDE67000-memory.dmp

memory/2560-15-0x000007FEFDCA8000-0x000007FEFDCA9000-memory.dmp

memory/2560-16-0x000007FEFDC90000-0x000007FEFDE67000-memory.dmp

memory/2560-20-0x000007FEFDC90000-0x000007FEFDE67000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8294f635

MD5 57e1c1921a6c02647a6b75ad25bb3cf2
SHA1 f52c1fe1e714cdfa311677d4d0b0d92c90737bbd
SHA256 10235e28e5487413afe24b38c553bd72576aeaa8ee4de3426bc9a6ed766b006e
SHA512 3310b4e0d976496f72c4e980b09c7bbf50f084c1db74fe652d0535748fdeedcb2947104867fa0fb0baeb7dd3f8a634389102fa1cfbaf19c73903228772e00758

memory/1628-21-0x00000000779A0000-0x0000000077B49000-memory.dmp

memory/1628-23-0x000000007588E000-0x0000000075890000-memory.dmp

memory/1628-22-0x0000000075880000-0x0000000075A1D000-memory.dmp

memory/1628-24-0x0000000075880000-0x0000000075A1D000-memory.dmp

memory/1628-26-0x0000000075880000-0x0000000075A1D000-memory.dmp

memory/2712-27-0x00000000779A0000-0x0000000077B49000-memory.dmp

memory/2712-28-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2712-29-0x00000000004BD000-0x00000000004C5000-memory.dmp

memory/2712-30-0x0000000000400000-0x0000000000450000-memory.dmp

memory/1628-31-0x000000007588E000-0x0000000075890000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win7-20240708-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_gpu_texture_renderer_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_gpu_texture_renderer_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win7-20240705-en

Max time kernel

16s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\uni_links_desktop_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\uni_links_desktop_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\window_size_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\window_size_plugin.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win10v2004-20240704-en

Max time kernel

146s

Max time network

162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\file_selector_windows_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\file_selector_windows_plugin.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win10v2004-20240704-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_custom_cursor_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_custom_cursor_plugin.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win10v2004-20240704-en

Max time kernel

92s

Max time network

105s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_gpu_texture_renderer_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_gpu_texture_renderer_plugin.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\window_manager_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\window_manager_plugin.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win7-20240704-en

Max time kernel

9s

Max time network

16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_custom_cursor_plugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2544 wrote to memory of 2292 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2544 wrote to memory of 2292 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2544 wrote to memory of 2292 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_custom_cursor_plugin.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2544 -s 200

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win10v2004-20240704-en

Max time kernel

93s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_windows.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\flutter_windows.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win10v2004-20240704-en

Max time kernel

106s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\screen_retriever_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\screen_retriever_plugin.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\desktop_drop_plugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 292 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 292 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 292 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\desktop_drop_plugin.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 292 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win10v2004-20240704-en

Max time kernel

92s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\desktop_drop_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\desktop_drop_plugin.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\desktop_multi_window_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\desktop_multi_window_plugin.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win7-20240705-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\file_selector_windows_plugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2988 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2988 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\file_selector_windows_plugin.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2988 -s 224

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win7-20240708-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\texture_rgba_renderer_plugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2532 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2532 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2532 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\texture_rgba_renderer_plugin.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2532 -s 204

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win7-20240704-en

Max time kernel

12s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\window_manager_plugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2456 wrote to memory of 1800 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2456 wrote to memory of 1800 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2456 wrote to memory of 1800 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\window_manager_plugin.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2456 -s 232

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win10v2004-20240708-en

Max time kernel

93s

Max time network

96s

Command Line

C:\Windows\Explorer.EXE

Signatures

Lumma Stealer

stealer lumma

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 996 created 3388 N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif C:\Windows\Explorer.EXE
PID 996 created 3388 N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif C:\Windows\Explorer.EXE

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VRCBPS5YWFFTJVXU57TK86GN8SW10T.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DolphinLogix.url C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DolphinLogix.url C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VRCBPS5YWFFTJVXU57TK86GN8SW10T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5108 set thread context of 3764 N/A C:\Users\Admin\AppData\Local\Temp\1ASPX.exe C:\Windows\SysWOW64\more.com

Enumerates physical storage devices

Delays execution with timeout.exe

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ASPX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ASPX.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\SearchIndexer.exe N/A
N/A N/A C:\Windows\SysWOW64\SearchIndexer.exe N/A
N/A N/A C:\Windows\SysWOW64\SearchIndexer.exe N/A
N/A N/A C:\Windows\SysWOW64\SearchIndexer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ASPX.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5108 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\1ASPX.exe C:\Windows\SysWOW64\more.com
PID 3764 wrote to memory of 2924 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 2924 wrote to memory of 4168 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\VRCBPS5YWFFTJVXU57TK86GN8SW10T.exe
PID 4168 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\VRCBPS5YWFFTJVXU57TK86GN8SW10T.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3024 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3024 wrote to memory of 4076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3024 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3024 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3024 wrote to memory of 4304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\64684\Run.pif
PID 3024 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 996 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif C:\Windows\SysWOW64\cmd.exe
PID 996 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif C:\Windows\SysWOW64\cmd.exe
PID 1328 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1ASPX.exe

"C:\Users\Admin\AppData\Local\Temp\1ASPX.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Users\Admin\AppData\Local\Temp\VRCBPS5YWFFTJVXU57TK86GN8SW10T.exe

"C:\Users\Admin\AppData\Local\Temp\VRCBPS5YWFFTJVXU57TK86GN8SW10T.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Pushing Pushing.cmd & Pushing.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 64684

C:\Windows\SysWOW64\findstr.exe

findstr /V "houseslegislationcivilianscientific" Corners

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Refresh + Host + Exists + Homeland + Wayne + Might 64684\x

C:\Users\Admin\AppData\Local\Temp\64684\Run.pif

64684\Run.pif 64684\x

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "Pt" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraSoft Dynamics\DolphinLogix.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DolphinLogix.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraSoft Dynamics\DolphinLogix.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DolphinLogix.url" & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "Pt" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraSoft Dynamics\DolphinLogix.js'" /sc minute /mo 5 /F

Network


Files


Analysis: behavioral18

Detonation Overview

Submitted

2024-07-09 10:07

Reported

2024-07-09 10:10

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\texture_rgba_renderer_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\texture_rgba_renderer_plugin.dll,#1

Network


Files

N/A