Malware Analysis Report

2024-11-30 05:31

Sample ID 240709-vt6stavelp
Target !@ŜetUp__64911--Pas̈ᶊW0rd!$!$!.zip
SHA256 d57b10e9d526efa1bd489c873ec7df24614816de093610d5f47c843728814053
Tags amadey lumma execution persistence privilege_escalation spyware stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 d57b10e9d526efa1bd489c873ec7df24614816de093610d5f47c843728814053

Threat Level: Known bad

The file !@ŜetUp__64911--Pas̈ᶊW0rd!$!$!.zip was found to be: Known bad.

Malicious Activity Summary

amadey lumma execution persistence privilege_escalation spyware stealer trojan

Lumma Stealer

Amadey

Downloads MZ/PE file

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in Windows directory

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Command and Scripting Interpreter: PowerShell

Event Triggered Execution: Netsh Helper DLL

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 17:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-09 17:17

Reported

2024-07-09 17:21

Platform

win7-20240705-en

Max time kernel

144s

Max time network

17s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\file___here\!!ṨetUp--@!Pa$$Kḙy!$$__64911.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\file___here\!!ṨetUp--@!Pa$$Kḙy!$$__64911.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\file___here\!!ṨetUp--@!Pa$$Kḙy!$$__64911.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\file___here\!!ṨetUp--@!Pa$$Kḙy!$$__64911.rar

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\file___here\!!ṨetUp--@!Pa$$Kḙy!$$__64911.rar"

Network

N/A

Files

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-09 17:17

Reported

2024-07-09 17:19

Platform

win7-20240705-en

Max time kernel

44s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2988 set thread context of 812 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\a6d9ec20

MD5 5f0dfee0331752fdce995eb113a528be
SHA1 cb1aabb366b35f47c60b36dd3c7e495779bc44e8
SHA256 1f36ea13fca11044e9579c85a496ba34aba93822ca292fddd2c10215e23d69d1
SHA512 461e8b326fac49978178a0016a0459af53f9c88ee417201f0250d909ebd8aebb078a0425ad612591746be1a46afc02e7a64bcfdfadf4c5e5583d65136f1415a7

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-09 17:17

Reported

2024-07-09 17:21

Platform

win7-20240705-en

Max time kernel

140s

Max time network

124s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\rondure.flv"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\rondure.flv"

Network

N/A

Files

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-09 17:17

Reported

2024-07-09 17:21

Platform

win7-20240704-en

Max time kernel

13s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tak_deco_lib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tak_deco_lib.dll,#1

Network

N/A

Files

memory/1996-0-0x0000000000100000-0x000000000015E000-memory.dmp

memory/1996-1-0x0000000000100000-0x000000000015E000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-09 17:17

Reported

2024-07-09 17:21

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tak_deco_lib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tak_deco_lib.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4040-0-0x0000000000400000-0x000000000045E000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 17:17

Reported

2024-07-09 17:19

Platform

win7-20240704-en

Max time kernel

15s

Max time network

17s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\!@ŜetUp__64911--Pas̈ᶊW0rd!$!$!.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\!@ŜetUp__64911--Pas̈ᶊW0rd!$!$!.zip

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 17:17

Reported

2024-07-09 17:20

Platform

win10v2004-20240709-en

Max time kernel

100s

Max time network

102s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\!@ŜetUp__64911--Pas̈ᶊW0rd!$!$!.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\!@ŜetUp__64911--Pas̈ᶊW0rd!$!$!.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-09 17:17

Reported

2024-07-09 17:21

Platform

win10v2004-20240709-en

Max time kernel

93s

Max time network

100s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\file___here\!!ṨetUp--@!Pa$$Kḙy!$$__64911.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\file___here\!!ṨetUp--@!Pa$$Kḙy!$$__64911.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-09 17:17

Reported

2024-07-09 17:21

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Amadey

trojan amadey

Lumma Stealer

stealer lumma

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Downloads MZ/PE file

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1528 set thread context of 2828 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 4520 set thread context of 3112 N/A C:\Users\Admin\AppData\Local\Temp\BUJJISTWYWGGCPLC3.exe C:\Windows\SysWOW64\netsh.exe
PID 1896 set thread context of 4668 N/A C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe C:\Windows\SysWOW64\netsh.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\MH Beacon Helper.job C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Windows\Tasks\ToolUpdate.job C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BUJJISTWYWGGCPLC3.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1528 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 1528 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 1528 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 1528 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 2828 wrote to memory of 4736 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 2828 wrote to memory of 4736 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 2828 wrote to memory of 4736 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 2828 wrote to memory of 4736 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 4736 wrote to memory of 1896 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe
PID 4736 wrote to memory of 1896 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe
PID 4736 wrote to memory of 1896 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe
PID 1896 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe C:\Windows\SysWOW64\netsh.exe
PID 1896 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe C:\Windows\SysWOW64\netsh.exe
PID 1896 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe C:\Windows\SysWOW64\netsh.exe
PID 4736 wrote to memory of 4520 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\BUJJISTWYWGGCPLC3.exe
PID 4736 wrote to memory of 4520 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\BUJJISTWYWGGCPLC3.exe
PID 4736 wrote to memory of 4520 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\BUJJISTWYWGGCPLC3.exe
PID 4520 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\BUJJISTWYWGGCPLC3.exe C:\Windows\SysWOW64\netsh.exe
PID 4520 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\BUJJISTWYWGGCPLC3.exe C:\Windows\SysWOW64\netsh.exe
PID 4520 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\BUJJISTWYWGGCPLC3.exe C:\Windows\SysWOW64\netsh.exe
PID 4520 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\BUJJISTWYWGGCPLC3.exe C:\Windows\SysWOW64\netsh.exe
PID 1896 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe C:\Windows\SysWOW64\netsh.exe
PID 3112 wrote to memory of 2148 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 3112 wrote to memory of 2148 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 3112 wrote to memory of 2148 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 3112 wrote to memory of 2148 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 4668 wrote to memory of 4680 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 4668 wrote to memory of 4680 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 4668 wrote to memory of 4680 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 4668 wrote to memory of 4680 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 2148 wrote to memory of 4912 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2148 wrote to memory of 4912 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2148 wrote to memory of 4912 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe

"C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\BUJJISTWYWGGCPLC3.exe

"C:\Users\Admin\AppData\Local\Temp\BUJJISTWYWGGCPLC3.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 bittercoldzzdwu.shop udp
US 172.67.134.113:443 bittercoldzzdwu.shop tcp
US 172.67.134.113:443 bittercoldzzdwu.shop tcp
US 172.67.134.113:443 bittercoldzzdwu.shop tcp
US 172.67.134.113:443 bittercoldzzdwu.shop tcp
US 8.8.8.8:53 113.134.67.172.in-addr.arpa udp
US 172.67.134.113:443 bittercoldzzdwu.shop tcp
US 172.67.134.113:443 bittercoldzzdwu.shop tcp
US 172.67.134.113:443 bittercoldzzdwu.shop tcp
US 8.8.8.8:53 foodupdates.shop udp
US 104.21.48.83:443 foodupdates.shop tcp
US 8.8.8.8:53 83.48.21.104.in-addr.arpa udp
US 8.8.8.8:53 cdn.steamstatic.com udp
GB 2.16.170.57:443 cdn.steamstatic.com tcp
US 8.8.8.8:53 57.170.16.2.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 downloaddining3.com udp
US 8.8.8.8:53 downloaddining.com udp
US 8.8.8.8:53 downloaddining2.com udp
RU 45.140.19.240:80 downloaddining.com tcp
US 104.21.77.130:80 downloaddining3.com tcp
US 104.21.53.53:80 downloaddining2.com tcp
US 8.8.8.8:53 contur2fa.recipeupdates.rest udp
US 172.67.197.250:443 contur2fa.recipeupdates.rest tcp
US 8.8.8.8:53 53.53.21.104.in-addr.arpa udp
US 8.8.8.8:53 130.77.21.104.in-addr.arpa udp
US 8.8.8.8:53 250.197.67.172.in-addr.arpa udp
US 8.8.8.8:53 240.19.140.45.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\df2e7189

MD5 f93e936c7eb82d5739a85439b8ea96dc
SHA1 fa4ff832333b5b1e95e2290d7a71c644e58a21c6
SHA256 8bc08ec625a022b7c5a4de7c024c0bcd3c8f4ad9a69a0e29ca1cde1e4460e7c5
SHA512 b5038a0ad4a8ea19105c62310875e99ee1ae3192d78b0d2523f1ed42b0bd4a32ab881093b9bdbccdaec35a19cb2cced04f7ab6fc27637a2890ffa047fbc13227

C:\Users\Admin\AppData\Local\Temp\8KI9GMWH1YRHZ7M6IP333.exe

MD5 d8d3eaf3756ec2fd01063f9fd2623c7e
SHA1 0e63c687984112e96bbfcf985c1fbf602f1c86e4
SHA256 0ac72e797e244a733d5357b9fc90a5efaee168b5ab9b751493c080183be58829
SHA512 d87f33d7b6596719545899be6f54eb0f3b9f4ccf2ab4afea16d2a05386201c77243a6c80890ace81940ae2a09f743329bc3ed38b03499b2f6700da363668fa6c

memory/1896-27-0x0000000000640000-0x0000000000973000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aaf13407

MD5 0bb8b2b96cd95f9a6fb8192883c94ca7
SHA1 16b7b4cfcacef943b4824e21b475c295cb4d9dff
SHA256 42139a8703db654c15f60607495822317b23a29b7c64b1b083428cc3716c14ec
SHA512 44d45b97bf76b3194375f2a63314dacf47add2223b37a9e080ddcfe49cb30a844436686ae62842cb08589b1b248c864b5d17ee7ae3e766931722824bd205565b

memory/1896-33-0x0000000073560000-0x00000000736DB000-memory.dmp

memory/1896-34-0x00007FFFD0450000-0x00007FFFD0645000-memory.dmp

memory/4736-35-0x0000000000F20000-0x0000000000F72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BUJJISTWYWGGCPLC3.exe

MD5 753234a5fa72cf7ff8c56fd867478f31
SHA1 9d689ec16a5da11eea5e60c800ef2bce6f4212f3
SHA256 211646612334caf8f5779788e6b9bd3a47a23c35c9cdcddddca34cba4e12379f
SHA512 f641b30948127a0ee9bd538d4ad3aaae1047720a141eb71f2f82276cbd2bb5393e174a7f5a79778ef248ca43781dd55bdaa1d7cf84ef12a8e99028b5fb0a9e82

memory/4736-39-0x0000000000F20000-0x0000000000F72000-memory.dmp

memory/4520-40-0x0000000000DB0000-0x000000000136E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b5fa3146

MD5 f74f23c47dbb6ed0a1422be1c86ba44d
SHA1 585956eab70da3892bd82cf21470be142daec324
SHA256 aa2cc4edd00008635d8c09a5706b5e5b28886825065895afe733426c794af041
SHA512 9db56c720c03f87d332cdab8d61ff22f0b2dd376bb22ef91b6b8a52dbcb6893bdf7a7db0a55dc10e23619ed1099a8a773f1bdacdad70ca04733bc60b440280dd

memory/4520-47-0x0000000073560000-0x00000000736DB000-memory.dmp

memory/4520-48-0x00007FFFD0450000-0x00007FFFD0645000-memory.dmp

memory/4520-49-0x0000000073560000-0x00000000736DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b9c8160e

MD5 4dd3343ff41a04d28619a6e5348f1bcb
SHA1 2f2f186fea2ab0a18145493656e1604c5cbd3b09
SHA256 ce4103ab41adacf57880417d16675b7c3c3868411788270b262fb44be1326eb6
SHA512 0badb1b5ac0f66de09e36a92f5728e448dbf6d63bf9458515de1e450619779d6c246b49b80b41d9576285079760df1241a38eaf0b444b86d9ea67b8530d8822d

memory/3112-52-0x00007FFFD0450000-0x00007FFFD0645000-memory.dmp

memory/1896-55-0x0000000073560000-0x00000000736DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad7e3d76

MD5 f3a63736867debbed5eb74f1c05e965d
SHA1 efe575e9fbe9bf574118c0e4fb64bfb02b4fd245
SHA256 f42fbddb039440a114437e575d6231dd6d38897957f4967fa339383fd1b6d3df
SHA512 c8d575144e59f99ffd4aeea47465da8152b9b460a3c2b1219d8f99849b037e581cd181fb49b511a10d9f0ebbd4ebf61bf8c9e4138e5c12c88c6c69aef3112977

C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1

MD5 0fb684cc15d197c0b937e5528359d7c8
SHA1 7d963246f52f42012bdcddb31214283c84c954ed
SHA256 e767d70fc57483aae7a20cb094a9bfc1fd4f04e97fb772cd6892d057e5be4260
SHA512 c40335f72f802479dc0926704d87670a782362fedae5bb50179d427fc343c6a33cfe09f4640acb15624d1511d3d66f76d87f663f9ad430fc2ddb00c54056103c

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_obh3uni5.z50.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-09 17:17

Reported

2024-07-09 17:21

Platform

win7-20240705-en

Max time kernel

121s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\formwork.gz

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\formwork.gz

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\formwork.gz

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\formwork.gz

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\formwork.gz"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 18c3763742e210f4ae4c2017e49a70c5
SHA1 60e017b0e3a551034f4836a11c8d6faa87515b43
SHA256 57e4c78d1e83f1460b3f489d4056645370b3fec8b0971ca0e7704cc3d64dfd7c
SHA512 1cb896873fe8722dc0156982a5809a3ab0d923f9cc481fc516f454b049f2719f5d90d63a35ddc0acef339ac7415b99eee1d98cbc277f181acdc22f149117557a

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-09 17:17

Reported

2024-07-09 17:21

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\formwork.gz

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\formwork.gz

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-09 17:17

Reported

2024-07-09 17:21

Platform

win10v2004-20240709-en

Max time kernel

141s

Max time network

124s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\rondure.flv"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\rondure.flv"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/4240-6-0x00007FFC36CF0000-0x00007FFC36D24000-memory.dmp

memory/4240-5-0x00007FF70B0B0000-0x00007FF70B1A8000-memory.dmp

memory/4240-13-0x00007FFC36B00000-0x00007FFC36B1D000-memory.dmp

memory/4240-14-0x00007FFC36A00000-0x00007FFC36A11000-memory.dmp

memory/4240-12-0x00007FFC36CD0000-0x00007FFC36CE1000-memory.dmp

memory/4240-11-0x00007FFC39DB0000-0x00007FFC39DC7000-memory.dmp

memory/4240-16-0x00007FFC369B0000-0x00007FFC369F1000-memory.dmp

memory/4240-10-0x00007FFC3A2A0000-0x00007FFC3A2B1000-memory.dmp

memory/4240-9-0x00007FFC3B9C0000-0x00007FFC3B9D7000-memory.dmp

memory/4240-7-0x00007FFC26FB0000-0x00007FFC27266000-memory.dmp

memory/4240-8-0x00007FFC3DD60000-0x00007FFC3DD78000-memory.dmp

memory/4240-15-0x00007FFC27480000-0x00007FFC2768B000-memory.dmp

memory/4240-20-0x00007FFC36860000-0x00007FFC36871000-memory.dmp

memory/4240-22-0x00007FFC36820000-0x00007FFC36831000-memory.dmp

memory/4240-23-0x00007FFC25580000-0x00007FFC2568E000-memory.dmp

memory/4240-21-0x00007FFC36840000-0x00007FFC36851000-memory.dmp

memory/4240-19-0x00007FFC36880000-0x00007FFC36898000-memory.dmp

memory/4240-18-0x00007FFC36980000-0x00007FFC369A1000-memory.dmp

memory/4240-17-0x00007FFC25B50000-0x00007FFC26C00000-memory.dmp

memory/4240-36-0x00007FFC25B50000-0x00007FFC26C00000-memory.dmp

memory/4240-55-0x00007FFC25B50000-0x00007FFC26C00000-memory.dmp