Analysis Overview
SHA256
7706a695da0b080283cb224d820e8e3976ea32c8845c71362af539ddcaf30fa3
Threat Level: Known bad
The file podrebro.zip was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-14 08:58
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral16
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win10v2004-20240709-en
Max time kernel
89s
Max time network
159s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_chromecast_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win7-20240704-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_stl_plugin.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win7-20240708-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe
"C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe"
Network
Files
memory/2360-0-0x0000000074DEE000-0x0000000074DEF000-memory.dmp
memory/2360-1-0x00000000010D0000-0x000000000123E000-memory.dmp
memory/2360-2-0x00000000003B0000-0x00000000003B6000-memory.dmp
\Users\Admin\AppData\Roaming\d3d9.dll
| Hash | Value |
| --- | --- |
| MD5 | ee247d29feb603e4e553f496b9ae8e0f |
| SHA1 | 5a7499b8fc9436af4f52203442ff724d53e1b229 |
| SHA256 | 74e7e43e3d517aad3e294341bf0ed3909d8ac53353e25224cded5285da31f3c1 |
| SHA512 | 03549dc604c4ca5c9910f5dd44820c16e03e856805d16cabf6be1d32cb3156bf314d66df15c8f41d2beeab8f6c66a286e07ecb20c42dc99f3adc95b8df7d9205 |
memory/2360-7-0x0000000077310000-0x00000000773D1000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win10v2004-20240709-en
Max time kernel
144s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libasf_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win7-20240704-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libavi_plugin.dll,#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win7-20240704-en
Max time kernel
8s
Max time network
20s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_cdg_plugin.dll,#1
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win7-20240704-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdiracsys_plugin.dll,#1
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win7-20240708-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdirectory_demux_plugin.dll,#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win7-20240708-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libaiff_plugin.dll,#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win7-20240704-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libau_plugin.dll,#1
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win7-20240708-en
Max time kernel
13s
Max time network
16s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libcaf_plugin.dll,#1
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win7-20240705-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe
"C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe"
Network
Files
memory/2416-0-0x0000000074D2E000-0x0000000074D2F000-memory.dmp
memory/2416-1-0x0000000000850000-0x0000000000A1A000-memory.dmp
memory/2416-2-0x00000000006C0000-0x00000000006C6000-memory.dmp
\Users\Admin\AppData\Roaming\d3d9.dll
| Hash | Value |
| --- | --- |
| MD5 | eaa369f85440b19162e260f5f8a6b6a1 |
| SHA1 | 353a802d881be10699e324599a719c27596a9a92 |
| SHA256 | 628554ddfac5bb7fb3eed07a0507208e572d602470269692dc703a5c4ab25512 |
| SHA512 | 1475774a1378b7af81a4676a114d01cfe4c6830066e0400c14089500cabf73b35c91e85724601b3187e7f7d738e2acdc98b2c2194a0b761faadd3a882efcf643 |
memory/2416-7-0x0000000077030000-0x00000000770F1000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:00
Platform
win10v2004-20240709-en
Max time kernel
39s
Max time network
36s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2608 set thread context of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe
"C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4788 -ip 4788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 2744
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| CH | 185.196.9.6:43164 | | tcp |
| US | 8.8.8.8:53 | 6.9.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/2608-0-0x0000000074D6E000-0x0000000074D6F000-memory.dmp
memory/2608-1-0x00000000005B0000-0x000000000077A000-memory.dmp
memory/2608-2-0x00000000050A0000-0x00000000050A6000-memory.dmp
C:\Users\Admin\AppData\Roaming\d3d9.dll
| Hash | Value |
| --- | --- |
| MD5 | eaa369f85440b19162e260f5f8a6b6a1 |
| SHA1 | 353a802d881be10699e324599a719c27596a9a92 |
| SHA256 | 628554ddfac5bb7fb3eed07a0507208e572d602470269692dc703a5c4ab25512 |
| SHA512 | 1475774a1378b7af81a4676a114d01cfe4c6830066e0400c14089500cabf73b35c91e85724601b3187e7f7d738e2acdc98b2c2194a0b761faadd3a882efcf643 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win10v2004-20240709-en
Max time kernel
92s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libcaf_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| PL | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:00
Platform
win10v2004-20240709-en
Max time kernel
30s
Max time network
35s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2056 set thread context of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe
"C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| CH | 185.196.9.26:6302 | | tcp |
| US | 8.8.8.8:53 | 26.9.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/2056-0-0x00000000746AE000-0x00000000746AF000-memory.dmp
memory/2056-1-0x0000000000DC0000-0x0000000000F2E000-memory.dmp
memory/2056-2-0x0000000003270000-0x0000000003276000-memory.dmp
C:\Users\Admin\AppData\Roaming\d3d9.dll
| Hash | Value |
| --- | --- |
| MD5 | ee247d29feb603e4e553f496b9ae8e0f |
| SHA1 | 5a7499b8fc9436af4f52203442ff724d53e1b229 |
| SHA256 | 74e7e43e3d517aad3e294341bf0ed3909d8ac53353e25224cded5285da31f3c1 |
| SHA512 | 03549dc604c4ca5c9910f5dd44820c16e03e856805d16cabf6be1d32cb3156bf314d66df15c8f41d2beeab8f6c66a286e07ecb20c42dc99f3adc95b8df7d9205 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win10v2004-20240709-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_stl_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win10v2004-20240709-en
Max time kernel
143s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemuxdump_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win10v2004-20240709-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdiracsys_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win7-20240705-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libadaptive_plugin.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win10v2004-20240709-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libadaptive_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win10v2004-20240709-en
Max time kernel
146s
Max time network
158s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libaiff_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win10v2004-20240709-en
Max time kernel
143s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_cdg_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win10v2004-20240709-en
Max time kernel
144s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdirectory_demux_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.73.50.20.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win10v2004-20240709-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libau_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win10v2004-20240709-en
Max time kernel
90s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libavi_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win7-20240705-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemuxdump_plugin.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win7-20240708-en
Max time kernel
13s
Max time network
17s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libasf_plugin.dll,#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-07-14 08:58
Reported
2024-07-14 09:02
Platform
win7-20240708-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_chromecast_plugin.dll,#1