Malware Analysis Report

2024-10-16 03:32

Sample ID 240825-yqcbkstdkp
Target e156f0d787a2a3f6f90a144aee897febf467cf12cb41d912c7246c64cdaba8f1
SHA256 e156f0d787a2a3f6f90a144aee897febf467cf12cb41d912c7246c64cdaba8f1
Tags
banload lumma discovery downloader dropper evasion persistence privilege_escalation stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e156f0d787a2a3f6f90a144aee897febf467cf12cb41d912c7246c64cdaba8f1

Threat Level: Known bad

The file e156f0d787a2a3f6f90a144aee897febf467cf12cb41d912c7246c64cdaba8f1 was found to be: Known bad.

Malicious Activity Summary

banload lumma discovery downloader dropper evasion persistence privilege_escalation stealer trojan

Lumma Stealer, LummaC

Banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Suspicious use of SetThreadContext

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 19:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win7-20240705-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\acdbase.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\acdbase.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\acdbase.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\acdbase.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win10v2004-20240802-en

Max time kernel

126s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-runtime-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-runtime-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win10v2004-20240802-en

Max time kernel

97s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-stdio-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-stdio-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-utility-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-utility-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win7-20240705-en

Max time kernel

141s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Banload

trojan dropper downloader banload

Lumma Stealer, LummaC

stealer lumma

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2852 set thread context of 1004 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\SearchIndexer.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\SearchIndexer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "%CommonProgramFiles%\\System\\ado\\msado15.dll" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID\ = "ADODB.Recordset" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{F477A542-C370-42A1-A166-F9CDAF2AF8C6} C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid\ = "{4F7FA487-8CC1-493E-AF0A-E7A294474F25}" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ = "cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32 C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS\ = "0" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32 C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC} C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F} C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward\ = "{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F} C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32 C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\ = "BtDaemon" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32 C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward\ = "{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\ibv1\\TEAMMALICKHUBBELLC" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32 C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID\ = "BtDaemon.cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "ADODB.Recordset" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID\ = "ADODB.Recordset.6.0" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\ibv1\\TEAMMALICKHUBBELLC\\StrCmp.exe" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32 C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC} C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\ = "BtDaemon.cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32 C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1 C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\ibv1\\TEAMMALICKHUBBELLC\\StrCmp.exe" C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe
PID 2852 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe
PID 2852 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe
PID 2852 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe
PID 2852 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 2852 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 2852 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 2852 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 2852 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 1004 wrote to memory of 656 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 1004 wrote to memory of 656 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 1004 wrote to memory of 656 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 1004 wrote to memory of 656 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 1004 wrote to memory of 656 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 1004 wrote to memory of 656 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 656 wrote to memory of 2860 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\WerFault.exe
PID 656 wrote to memory of 2860 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\WerFault.exe
PID 656 wrote to memory of 2860 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\WerFault.exe
PID 656 wrote to memory of 2860 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe

C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 1032

Network

Country Destination Domain Proto
US 8.8.8.8:53 calcuatllitwop.shop udp
US 172.67.214.24:443 calcuatllitwop.shop tcp
US 8.8.8.8:53 locatedblsoqp.shop udp
US 104.21.58.213:443 locatedblsoqp.shop tcp
US 8.8.8.8:53 traineiwnqo.shop udp
US 104.21.67.155:443 traineiwnqo.shop tcp
US 8.8.8.8:53 condedqpwqm.shop udp
US 172.67.146.35:443 condedqpwqm.shop tcp
US 8.8.8.8:53 evoliutwoqm.shop udp
US 8.8.8.8:53 millyscroqwp.shop udp
US 172.67.187.171:443 millyscroqwp.shop tcp
US 8.8.8.8:53 stagedchheiqwo.shop udp
US 104.21.0.224:443 stagedchheiqwo.shop tcp
US 8.8.8.8:53 stamppreewntnq.shop udp
US 172.67.208.211:443 stamppreewntnq.shop tcp
US 8.8.8.8:53 caffegclasiqwp.shop udp
US 172.67.215.62:443 caffegclasiqwp.shop tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
US 8.8.8.8:53 tenntysjuxmz.shop udp
US 172.67.141.209:443 tenntysjuxmz.shop tcp

Files

memory/2852-0-0x0000000003DA0000-0x0000000003F88000-memory.dmp

memory/2852-10-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2852-12-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2852-14-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2852-16-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2852-19-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2852-17-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2852-15-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/2852-20-0x000007FEF6610000-0x000007FEF6768000-memory.dmp

memory/2852-36-0x000007FEF6610000-0x000007FEF6768000-memory.dmp

C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe

MD5 916d7425a559aaa77f640710a65f9182
SHA1 23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13
SHA256 118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35
SHA512 d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc

memory/2852-42-0x000007FEF6610000-0x000007FEF6768000-memory.dmp

memory/2852-34-0x000007FEF6629000-0x000007FEF662A000-memory.dmp

memory/2852-41-0x000007FEF6610000-0x000007FEF6768000-memory.dmp

memory/2852-45-0x000007FEF6610000-0x000007FEF6768000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\549a587b

MD5 3a3f4ba916875dcd5f36c54fe4091cf3
SHA1 feb7553f71751b4ab19ed0b53245667cf9f584fb
SHA256 e44c8c5fb27ed81cbee61a34976060e0655b5db13cb0b134d12c53ef54b59d0d
SHA512 213a3dff7d64bacc03ea7ef112277fa13a7252c69da7f706b21910112fb7b166584f751fa90b8bf1e82e7fd7e9aa97ff6d9e9840275c87924cb46642c0fab6e4

memory/1004-51-0x0000000076F60000-0x0000000077109000-memory.dmp

memory/1004-53-0x00000000747AE000-0x00000000747B0000-memory.dmp

memory/1004-52-0x00000000747A0000-0x0000000074914000-memory.dmp

memory/1004-54-0x00000000747A0000-0x0000000074914000-memory.dmp

memory/1004-56-0x00000000747A0000-0x0000000074914000-memory.dmp

memory/1004-57-0x00000000747AE000-0x00000000747B0000-memory.dmp

memory/656-58-0x0000000076F60000-0x0000000077109000-memory.dmp

memory/656-59-0x0000000000400000-0x000000000046C000-memory.dmp

memory/656-60-0x0000000000400000-0x000000000046C000-memory.dmp

memory/656-61-0x0000000000400000-0x000000000046C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win10v2004-20240802-en

Max time kernel

137s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Banload

trojan dropper downloader banload

Lumma Stealer, LummaC

stealer lumma

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4532 set thread context of 452 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\SearchIndexer.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\SearchIndexer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3} C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1 C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC} C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25} C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid\ = "{4F7FA487-8CC1-493E-AF0A-E7A294474F25}" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32 C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ = "cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32 C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32 C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ = "BtDaemon.cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0 C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32 C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791} C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\ = "BtDaemon.cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Programmable C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32 C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\ibv1\\PMBCYKKILWJUBYU\\StrCmp.exe" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\ibv1\\PMBCYKKILWJUBYU\\StrCmp.exe" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32 C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC} C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION\ = "2.1" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32 C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward\ = "{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32\ = "C:\\Windows\\System32\\Windows.Graphics.Printing.dll" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS\ = "0" C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32 C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F} C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe

C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3852 -ip 3852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 564

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 calcuatllitwop.shop udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 104.21.35.53:443 calcuatllitwop.shop tcp
US 8.8.8.8:53 locatedblsoqp.shop udp
US 172.67.207.182:443 locatedblsoqp.shop tcp
US 8.8.8.8:53 53.35.21.104.in-addr.arpa udp
US 8.8.8.8:53 traineiwnqo.shop udp
US 104.21.67.155:443 traineiwnqo.shop tcp
US 8.8.8.8:53 182.207.67.172.in-addr.arpa udp
US 8.8.8.8:53 condedqpwqm.shop udp
US 104.21.10.172:443 condedqpwqm.shop tcp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 155.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 evoliutwoqm.shop udp
US 8.8.8.8:53 millyscroqwp.shop udp
US 8.8.8.8:53 172.10.21.104.in-addr.arpa udp
US 172.67.187.171:443 millyscroqwp.shop tcp
US 8.8.8.8:53 stagedchheiqwo.shop udp
US 104.21.0.224:443 stagedchheiqwo.shop tcp
US 8.8.8.8:53 171.187.67.172.in-addr.arpa udp
US 8.8.8.8:53 stamppreewntnq.shop udp
US 172.67.208.211:443 stamppreewntnq.shop tcp
US 8.8.8.8:53 caffegclasiqwp.shop udp
US 104.21.16.180:443 caffegclasiqwp.shop tcp
US 8.8.8.8:53 224.0.21.104.in-addr.arpa udp
US 8.8.8.8:53 211.208.67.172.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
US 8.8.8.8:53 180.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 85.99.22.2.in-addr.arpa udp
US 8.8.8.8:53 tenntysjuxmz.shop udp
US 172.67.141.209:443 tenntysjuxmz.shop tcp
US 8.8.8.8:53 209.141.67.172.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/4532-0-0x00000000040A0000-0x0000000004288000-memory.dmp

memory/4532-10-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/4532-12-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/4532-15-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/4532-14-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/4532-16-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/4532-17-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/4532-20-0x00007FF8BD8F0000-0x00007FF8BDA62000-memory.dmp

memory/4532-19-0x0000000000400000-0x0000000001CF7000-memory.dmp

memory/4532-36-0x00007FF8BD909000-0x00007FF8BD90A000-memory.dmp

memory/4532-37-0x00007FF8BD8F0000-0x00007FF8BDA62000-memory.dmp

C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe

MD5 916d7425a559aaa77f640710a65f9182
SHA1 23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13
SHA256 118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35
SHA512 d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc

memory/4532-35-0x00007FF8BD8F0000-0x00007FF8BDA62000-memory.dmp

memory/4532-43-0x00007FF8BD8F0000-0x00007FF8BDA62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ff37737d

MD5 f6d6e6f36f310271a2d2e5c323d34efb
SHA1 d243774991e019f769c043d8c05b5181f8893dfc
SHA256 d022d26d04de06a81731fd033a67d66724c558156755160bb489095a61472c5e
SHA512 52e415b4c3b80d70c9593c0ce5966157cfcdbbdfdd97e7b69c00eebef76214c2aa8fb931bcb690f747e827a92929b1a4f8a02545c906266f116f54bc40dce65c

memory/452-47-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp

memory/452-49-0x000000007590E000-0x0000000075910000-memory.dmp

memory/452-48-0x0000000075900000-0x0000000075A7B000-memory.dmp

memory/452-50-0x0000000075900000-0x0000000075A7B000-memory.dmp

memory/452-52-0x0000000075900000-0x0000000075A7B000-memory.dmp

memory/3852-53-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp

memory/452-54-0x000000007590E000-0x0000000075910000-memory.dmp

memory/3852-55-0x0000000000640000-0x00000000006AC000-memory.dmp

memory/3852-56-0x0000000000640000-0x00000000006AC000-memory.dmp

memory/3852-57-0x0000000000640000-0x00000000006AC000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libmmd.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libmmd.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win7-20240704-en

Max time kernel

117s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1952 wrote to memory of 1032 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1952 wrote to memory of 1032 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1952 wrote to memory of 1032 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1952 -s 80

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
SE 192.229.221.95:80 tcp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win7-20240729-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x64\trading_api64.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2324 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2324 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x64\trading_api64.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2324 -s 116

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win10v2004-20240802-en

Max time kernel

138s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x64\trading_api64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x64\trading_api64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\config.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\config.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\config.exe

"C:\Users\Admin\AppData\Local\Temp\config.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-time-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-time-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win7-20240704-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\config.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\config.exe

"C:\Users\Admin\AppData\Local\Temp\config.exe"

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win7-20240708-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libmmd.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 2240 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3044 wrote to memory of 2240 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3044 wrote to memory of 2240 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libmmd.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3044 -s 80

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win10v2004-20240802-en

Max time kernel

136s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x64\tradingnetworkingsockets.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x64\tradingnetworkingsockets.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4008,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-convert-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-convert-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-string-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-string-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win7-20240704-en

Max time kernel

13s

Max time network

20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x64\tradingnetworkingsockets.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 560 wrote to memory of 1696 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 560 wrote to memory of 1696 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 560 wrote to memory of 1696 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\x64\tradingnetworkingsockets.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 560 -s 152

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-environment-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-environment-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-25 19:58

Reported

2024-08-25 20:01

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-heap-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-heap-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A