Malware Analysis Report

2025-03-15 04:56

Sample ID 240714-kxb3hatfnk
Target podrebro.zip
SHA256 7706a695da0b080283cb224d820e8e3976ea32c8845c71362af539ddcaf30fa3
Tags
spyware redline infostealer upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral runs, 28 in total, each with Detonation Overview, Command Line, Signatures, Processes, Network, Files, in the order they appear below: behavioral16, 17, 25, 6, 9, 13, 21, 23, 3, 7, 11, 27, 28, 12, 26, 18, 20, 22, 1, 2, 4, 14, 24, 8, 10, 19, 5, 15

Analysis Overview

score
10/10

SHA256

7706a695da0b080283cb224d820e8e3976ea32c8845c71362af539ddcaf30fa3

Threat Level: Known bad

The file podrebro.zip was found to be: Known bad.

What the 28 detonations below add up to: the archive carries a library\ folder of plugin DLLs and two executables, safeline.exe and safeline v2.exe. The sandbox ran each DLL on its own with rundll32.exe <dll>,#1 (export ordinal 1); none of those runs raised a signature, and their only traffic was resolver DNS, reverse-DNS lookups and TLS to g.bing.com, which shows up in plugin-only runs on Windows 10 regardless of which DLL was loaded. The two executables are the malicious components. On both Windows 7 and Windows 10 each writes a d3d9.dll into the user's AppData\Roaming folder and loads it (a different d3d9.dll per executable; the hashes are in the Files sections of behavioral25/26 and behavioral27/28). On Windows 10 (behavioral26 and behavioral28) each then starts C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe and sets a thread context in it, the pattern behind the SetThreadContext signature and consistent with process hollowing; that MSBuild.exe process takes SeDebugPrivilege (and, in behavioral28, enumerates processes), and the run connects out to 185.196.9.26:6302 (safeline v2.exe, where the RedLine payload signature fired) or 185.196.9.6:43164 (safeline.exe, where MSBuild.exe crashed and WerFault.exe was invoked, hence the Program crash signature). The Checks SCSI registry key(s) and Checks processor information in registry findings, and the taskmgr.exe rows under AdjustPrivilegeToken, come from C:\Windows\system32\taskmgr.exe in behavioral26, not from the sample, and should not be read as sample behaviour.

Malicious Activity Summary

spyware redline infostealer upx

RedLine payload

RedLine

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of FindShellTrayWindow
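The network and file rows in this report are the raw material for blocking indicators, but most rows are sandbox noise (resolver DNS, reverse lookups, background TLS to g.bing.com that the plugin-only runs also produce). The parser below, an added example and not part of the sandbox output, reads rows in the report's own layout and keeps only the endpoints and dropped-file hashes worth acting on. The excerpt is constructed from rows copied from the Network sections of behavioral26, behavioral28 and behavioral12 and the Files sections of behavioral28 and behavioral25; the noise filter (resolver port 53, .in-addr.arpa names, and g.bing.com as background traffic) is this example's own assumption.

```python
"""Pull the network and dropped-file IOCs out of a Triage-style text report.

Added example, not part of the sandbox output. The excerpt is copied from the
report sections above; the noise filter is this example's own assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed excerpt: rows taken verbatim from the report sections above.
REPORT_EXCERPT = """\
Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
CH 185.196.9.6:43164 tcp
US 8.8.8.8:53 6.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
CH 185.196.9.26:6302 tcp
US 8.8.8.8:53 udp

Files

C:\\Users\\Admin\\AppData\\Roaming\\d3d9.dll

MD5 eaa369f85440b19162e260f5f8a6b6a1
SHA1 353a802d881be10699e324599a719c27596a9a92
SHA256 628554ddfac5bb7fb3eed07a0507208e572d602470269692dc703a5c4ab25512

memory/4788-9-0x0000000000400000-0x0000000000478000-memory.dmp

\\Users\\Admin\\AppData\\Roaming\\d3d9.dll

MD5 ee247d29feb603e4e553f496b9ae8e0f
SHA1 5a7499b8fc9436af4f52203442ff724d53e1b229
SHA256 74e7e43e3d517aad3e294341bf0ed3909d8ac53353e25224cded5285da31f3c1
"""

RESOLVER = "8.8.8.8"
BACKGROUND_HOSTS = {"g.bing.com"}   # assumption: OS background traffic, seen in plugin-only runs

# Row layouts as they appear in the report: "CC ip:port [domain] proto",
# "ALGO hex", and a Windows path with or without a drive letter.
NET_ROW = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)
HASH_ROW = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512) (?P<hex>[0-9a-f]+)$")
PATH_ROW = re.compile(r"^(?:[A-Za-z]:)?\\Users\\.+\.(?:dll|exe)$", re.I)


@dataclass
class Iocs:
    endpoints: Set[Tuple[str, int, str]] = field(default_factory=set)
    dropped: Dict[str, Dict[str, str]] = field(default_factory=dict)  # sha256 -> details


def is_noise(ip: str, port: int, domain: Optional[str]) -> bool:
    """Resolver DNS, reverse lookups and known background hosts are not C2."""
    if ip == RESOLVER and port == 53:
        return True
    if domain and (domain.endswith(".in-addr.arpa") or domain in BACKGROUND_HOSTS):
        return True
    return False


def extract_iocs(text: str) -> Iocs:
    iocs = Iocs()
    current: Optional[Dict[str, str]] = None   # hash block for the last file path seen
    for raw in text.splitlines():
        line = raw.strip()
        m = NET_ROW.match(line)
        if m:
            port = int(m["port"])
            if not is_noise(m["ip"], port, m["domain"]):
                iocs.endpoints.add((m["ip"], port, m["proto"]))
            continue
        if PATH_ROW.match(line):
            current = {"path": line}
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current[m["algo"]] = m["hex"]
            if m["algo"] == "SHA256":
                # Same dict object, so a later SHA512 row still lands in it;
                # the same hash seen again in another run keeps the first block.
                iocs.dropped.setdefault(m["hex"], current)
        elif line:
            current = None   # any other non-empty line (memory dump, header) ends the block
    return iocs


if __name__ == "__main__":
    found = extract_iocs(REPORT_EXCERPT)
    for ip, port, proto in sorted(found.endpoints):
        print(f"endpoint {ip}:{port}/{proto}")
    for sha, info in found.dropped.items():
        print(f"dropped {info['path']} sha256={sha} md5={info.get('MD5')}")
```

Run against the excerpt this yields exactly the two Swiss endpoints from the safeline runs and the two d3d9.dll variants; a row with no Domain column (such as the bare "US 8.8.8.8:53 udp") is handled by the optional group in NET_ROW rather than by guessing a name for it.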

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-14 08:58

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win10v2004-20240709-en

Max time kernel

89s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_chromecast_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_chromecast_plugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win7-20240704-en

Max time kernel

118s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_stl_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_stl_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win7-20240708-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe

"C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe"

Network

N/A

Files

memory/2360-0-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

memory/2360-1-0x00000000010D0000-0x000000000123E000-memory.dmp

memory/2360-2-0x00000000003B0000-0x00000000003B6000-memory.dmp

\Users\Admin\AppData\Roaming\d3d9.dll

MD5 ee247d29feb603e4e553f496b9ae8e0f
SHA1 5a7499b8fc9436af4f52203442ff724d53e1b229
SHA256 74e7e43e3d517aad3e294341bf0ed3909d8ac53353e25224cded5285da31f3c1
SHA512 03549dc604c4ca5c9910f5dd44820c16e03e856805d16cabf6be1d32cb3156bf314d66df15c8f41d2beeab8f6c66a286e07ecb20c42dc99f3adc95b8df7d9205

memory/2360-7-0x0000000077310000-0x00000000773D1000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win10v2004-20240709-en

Max time kernel

144s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libasf_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libasf_plugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win7-20240704-en

Max time kernel

120s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libavi_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libavi_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win7-20240704-en

Max time kernel

8s

Max time network

20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_cdg_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_cdg_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win7-20240704-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdiracsys_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdiracsys_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win7-20240708-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdirectory_demux_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdirectory_demux_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win7-20240708-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libaiff_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libaiff_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win7-20240704-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libau_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libau_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win7-20240708-en

Max time kernel

13s

Max time network

16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libcaf_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libcaf_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win7-20240705-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe

"C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe"

Network

N/A

Files

memory/2416-0-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

memory/2416-1-0x0000000000850000-0x0000000000A1A000-memory.dmp

memory/2416-2-0x00000000006C0000-0x00000000006C6000-memory.dmp

\Users\Admin\AppData\Roaming\d3d9.dll

MD5 eaa369f85440b19162e260f5f8a6b6a1
SHA1 353a802d881be10699e324599a719c27596a9a92
SHA256 628554ddfac5bb7fb3eed07a0507208e572d602470269692dc703a5c4ab25512
SHA512 1475774a1378b7af81a4676a114d01cfe4c6830066e0400c14089500cabf73b35c91e85724601b3187e7f7d738e2acdc98b2c2194a0b761faadd3a882efcf643

memory/2416-7-0x0000000077030000-0x00000000770F1000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:00

Platform

win10v2004-20240709-en

Max time kernel

39s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2608 set thread context of 4788 N/A C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe

"C:\Users\Admin\AppData\Local\Temp\podrebro\safeline.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4788 -ip 4788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 2744

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
CH 185.196.9.6:43164 tcp
US 8.8.8.8:53 6.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/2608-0-0x0000000074D6E000-0x0000000074D6F000-memory.dmp

memory/2608-1-0x00000000005B0000-0x000000000077A000-memory.dmp

memory/2608-2-0x00000000050A0000-0x00000000050A6000-memory.dmp

C:\Users\Admin\AppData\Roaming\d3d9.dll

MD5 eaa369f85440b19162e260f5f8a6b6a1
SHA1 353a802d881be10699e324599a719c27596a9a92
SHA256 628554ddfac5bb7fb3eed07a0507208e572d602470269692dc703a5c4ab25512
SHA512 1475774a1378b7af81a4676a114d01cfe4c6830066e0400c14089500cabf73b35c91e85724601b3187e7f7d738e2acdc98b2c2194a0b761faadd3a882efcf643

memory/4788-9-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2608-11-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/4788-13-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/4788-12-0x0000000005430000-0x00000000059D4000-memory.dmp

memory/4788-14-0x0000000004E80000-0x0000000004F12000-memory.dmp

memory/4788-15-0x0000000004E60000-0x0000000004E6A000-memory.dmp

memory/4788-16-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/4788-17-0x0000000008520000-0x0000000008B38000-memory.dmp

memory/4788-18-0x00000000080A0000-0x00000000081AA000-memory.dmp

memory/4788-19-0x0000000007FE0000-0x0000000007FF2000-memory.dmp

memory/4788-20-0x0000000008040000-0x000000000807C000-memory.dmp

memory/4788-21-0x00000000081B0000-0x00000000081FC000-memory.dmp

memory/4788-22-0x0000000008DB0000-0x0000000008E16000-memory.dmp

memory/4788-23-0x00000000090A0000-0x0000000009116000-memory.dmp

memory/4788-24-0x0000000009060000-0x000000000907E000-memory.dmp

memory/4788-25-0x00000000094E0000-0x00000000096A2000-memory.dmp

memory/4788-26-0x0000000009F90000-0x000000000A4BC000-memory.dmp

memory/4788-27-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/2608-28-0x0000000074D60000-0x0000000075510000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win10v2004-20240709-en

Max time kernel

92s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libcaf_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libcaf_plugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
PL 93.184.221.240:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:00

Platform

win10v2004-20240709-en

Max time kernel

30s

Max time network

35s

Command Line

"C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2056 set thread context of 2668 N/A C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe

"C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /0

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
CH 185.196.9.26:6302 tcp
US 8.8.8.8:53 26.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/2056-0-0x00000000746AE000-0x00000000746AF000-memory.dmp

memory/2056-1-0x0000000000DC0000-0x0000000000F2E000-memory.dmp

memory/2056-2-0x0000000003270000-0x0000000003276000-memory.dmp

C:\Users\Admin\AppData\Roaming\d3d9.dll

MD5 ee247d29feb603e4e553f496b9ae8e0f
SHA1 5a7499b8fc9436af4f52203442ff724d53e1b229
SHA256 74e7e43e3d517aad3e294341bf0ed3909d8ac53353e25224cded5285da31f3c1
SHA512 03549dc604c4ca5c9910f5dd44820c16e03e856805d16cabf6be1d32cb3156bf314d66df15c8f41d2beeab8f6c66a286e07ecb20c42dc99f3adc95b8df7d9205

memory/2668-9-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2056-11-0x00000000746A0000-0x0000000074E50000-memory.dmp

memory/2668-13-0x0000000005AF0000-0x0000000006094000-memory.dmp

memory/2668-12-0x00000000746A0000-0x0000000074E50000-memory.dmp

memory/2668-14-0x00000000055E0000-0x0000000005672000-memory.dmp

memory/2668-15-0x00000000746A0000-0x0000000074E50000-memory.dmp

memory/2668-16-0x00000000055A0000-0x00000000055AA000-memory.dmp

memory/2668-17-0x00000000066C0000-0x0000000006CD8000-memory.dmp

memory/2668-18-0x00000000060A0000-0x00000000061AA000-memory.dmp

memory/2668-19-0x0000000005950000-0x0000000005962000-memory.dmp

memory/2668-20-0x00000000059B0000-0x00000000059EC000-memory.dmp

memory/2668-21-0x0000000005A00000-0x0000000005A4C000-memory.dmp

memory/2668-22-0x0000000006260000-0x00000000062C6000-memory.dmp

memory/2668-23-0x0000000007170000-0x00000000071C0000-memory.dmp

memory/2668-24-0x00000000074A0000-0x0000000007662000-memory.dmp

memory/2668-25-0x0000000007BA0000-0x00000000080CC000-memory.dmp

memory/2668-27-0x00000000746A0000-0x0000000074E50000-memory.dmp

memory/2056-28-0x00000000746A0000-0x0000000074E50000-memory.dmp

memory/1316-29-0x0000025908DB0000-0x0000025908DB1000-memory.dmp

memory/1316-30-0x0000025908DB0000-0x0000025908DB1000-memory.dmp

memory/1316-31-0x0000025908DB0000-0x0000025908DB1000-memory.dmp

memory/1316-41-0x0000025908DB0000-0x0000025908DB1000-memory.dmp

memory/1316-40-0x0000025908DB0000-0x0000025908DB1000-memory.dmp

memory/1316-39-0x0000025908DB0000-0x0000025908DB1000-memory.dmp

memory/1316-38-0x0000025908DB0000-0x0000025908DB1000-memory.dmp

memory/1316-37-0x0000025908DB0000-0x0000025908DB1000-memory.dmp

memory/1316-36-0x0000025908DB0000-0x0000025908DB1000-memory.dmp

memory/1316-35-0x0000025908DB0000-0x0000025908DB1000-memory.dmp
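The behavioral26 run shows the full chain in one place: the executable writes d3d9.dll under AppData\Roaming and loads it, spawns MSBuild.exe, rewrites that child's thread context, and the run then takes SeDebugPrivilege and connects to 185.196.9.26:6302, while the unrelated taskmgr.exe also takes SeDebugPrivilege. The checks below, an added example written for this page and not the sandbox's own signature engine, turn that chain into endpoint-telemetry rules and show why taskmgr.exe does not trip them. The event stream is constructed from the Processes, Signatures, Files and Network rows above (PIDs 2056, 2668 and 1316 and the image paths are as reported); the event schema, parent PID 1000, the rundll32 PID 3100 (taken from the behavioral16 command line, which has no PID in the report) and the attribution of the 185.196.9.26:6302 connection to PID 2668 (which the Network table does not state) are this example's assumptions.

```python
"""Behavioural checks for the chain seen in behavioral26 and behavioral28.

Added example: editor-written detection logic, not the sandbox's own
signature engine. See the comments on EVENTS for what is assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

WINDOWS_DIR = "c:\\windows\\"
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")
RUNDLL_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+(\S+\.dll),#(\d+)", re.I)

# Constructed event stream. PIDs 2056/2668/1316 and image paths are from the
# report; ppid 1000, PID 3100 and the connect-by-2668 attribution are assumed.
EVENTS: List[Dict] = [
    {"t": "process", "pid": 2056, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\podrebro\safeline v2.exe"},
    {"t": "file_write", "pid": 2056, "path": r"C:\Users\Admin\AppData\Roaming\d3d9.dll"},
    {"t": "image_load", "pid": 2056, "path": r"C:\Users\Admin\AppData\Roaming\d3d9.dll"},
    {"t": "process", "pid": 2668, "ppid": 2056,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"t": "set_thread_context", "pid": 2056, "target": 2668},
    {"t": "privilege", "pid": 2668, "name": "SeDebugPrivilege"},
    {"t": "connect", "pid": 2668, "dst": "185.196.9.26", "port": 6302},
    # taskmgr.exe also took SeDebugPrivilege in behavioral26; it must not fire.
    {"t": "process", "pid": 1316, "ppid": 1000, "image": r"C:\Windows\system32\taskmgr.exe"},
    {"t": "privilege", "pid": 1316, "name": "SeDebugPrivilege"},
    # The sandbox's own launch of one plugin DLL (behavioral16); PID assumed.
    {"t": "process", "pid": 3100, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_chromecast_plugin.dll,#1"},
]


@dataclass
class Finding:
    rule: str
    severity: str
    pid: int
    detail: str


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def _windows_binary(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIR)


def detect(events: List[Dict]) -> List[Finding]:
    images = {e["pid"]: e["image"] for e in events if e["t"] == "process"}
    parents = {e["pid"]: e["ppid"] for e in events if e["t"] == "process"}
    written: Set[tuple] = set()      # (pid, dll path) written into a user-writable directory
    hollowed: Set[int] = set()       # children whose thread context a parent rewrote
    findings: List[Finding] = []
    for e in events:
        if e["t"] == "file_write" and e["path"].lower().endswith(".dll") and _user_writable(e["path"]):
            written.add((e["pid"], e["path"].lower()))
        elif e["t"] == "image_load" and (e["pid"], e["path"].lower()) in written:
            findings.append(Finding("dropped_dll_load", "medium", e["pid"],
                                    f"{images.get(e['pid'])} loaded a DLL it wrote: {e['path']}"))
        elif e["t"] == "set_thread_context":
            src, tgt = images.get(e["pid"], ""), images.get(e["target"], "")
            # A binary in a user-writable path rewriting the thread context of a
            # child it spawned from a Windows-shipped image: the hollowing shape.
            if _user_writable(src) and _windows_binary(tgt) and parents.get(e["target"]) == e["pid"]:
                hollowed.add(e["target"])
                findings.append(Finding("process_hollowing", "high", e["pid"],
                                        f"{src} set thread context of child {e['target']} ({tgt})"))
        elif e["t"] in ("privilege", "connect") and e["pid"] in hollowed:
            # Only escalate privilege/network activity of a hollowed child;
            # taskmgr.exe asking for SeDebugPrivilege on its own stays silent.
            what = e.get("name") or f"{e.get('dst')}:{e.get('port')}"
            findings.append(Finding("hollowed_process_activity", "high", e["pid"],
                                    f"hollowed {images.get(e['pid'])}: {e['t']} {what}"))
        elif e["t"] == "process" and e["image"].lower().endswith("\\rundll32.exe"):
            m = RUNDLL_ORDINAL.search(e.get("cmdline", ""))
            if m and "\\appdata\\local\\temp\\" in m.group(1).lower():
                findings.append(Finding("rundll32_temp_ordinal", "low", e["pid"],
                                        f"rundll32 export ordinal #{m.group(2)} from {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f.severity}] {f.rule} pid={f.pid}: {f.detail}")
```

The rundll32 rule is deliberately low severity: in this report every such command line is the sandbox exercising a DLL from the archive, and those runs raised no signatures, so on its own it is a triage prompt rather than a verdict. The high-severity findings hang off the SetThreadContext event; remove it from the stream and only the dropped-DLL and rundll32 findings remain, which is the right outcome for the Windows 7 runs (behavioral25 and behavioral27), where no MSBuild.exe was started.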

Analysis: behavioral18

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win10v2004-20240709-en

Max time kernel

146s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_stl_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_stl_plugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win10v2004-20240709-en

Max time kernel

143s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemuxdump_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemuxdump_plugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdiracsys_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdiracsys_plugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win7-20240705-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libadaptive_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libadaptive_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win10v2004-20240709-en

Max time kernel

147s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libadaptive_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libadaptive_plugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win10v2004-20240709-en

Max time kernel

146s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libaiff_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libaiff_plugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win10v2004-20240709-en

Max time kernel

143s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_cdg_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_cdg_plugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win10v2004-20240709-en

Max time kernel

144s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdirectory_demux_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdirectory_demux_plugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win10v2004-20240709-en

Max time kernel

146s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libau_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libau_plugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win10v2004-20240709-en

Max time kernel

90s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libavi_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libavi_plugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win7-20240705-en

Max time kernel

121s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemuxdump_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemuxdump_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win7-20240708-en

Max time kernel

13s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libasf_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libasf_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-14 08:58

Reported

2024-07-14 09:02

Platform

win7-20240708-en

Max time kernel

117s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_chromecast_plugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\podrebro\library\libdemux_chromecast_plugin.dll,#1

Network

N/A

Files

N/A