Analysis Overview
SHA256
e156f0d787a2a3f6f90a144aee897febf467cf12cb41d912c7246c64cdaba8f1
Threat Level: Known bad
The file e156f0d787a2a3f6f90a144aee897febf467cf12cb41d912c7246c64cdaba8f1 was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer, LummaC
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Suspicious use of SetThreadContext
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 19:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win7-20240705-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\acdbase.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\acdbase.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win10v2004-20240802-en
Max time kernel
126s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-runtime-l1-1-0.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win10v2004-20240802-en
Max time kernel
97s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-stdio-l1-1-0.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
153s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-utility-l1-1-0.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win7-20240705-en
Max time kernel
141s
Max time network
124s
Command Line
Signatures
Banload
Lumma Stealer, LummaC
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2852 set thread context of 1004 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\SearchIndexer.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "%CommonProgramFiles%\\System\\ado\\msado15.dll" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID\ = "ADODB.Recordset" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{F477A542-C370-42A1-A166-F9CDAF2AF8C6} | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid\ = "{4F7FA487-8CC1-493E-AF0A-E7A294474F25}" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ = "cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS\ = "0" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC} | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F} | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward\ = "{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F} | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3} | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\ = "BtDaemon" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32 | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward\ = "{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\ibv1\\TEAMMALICKHUBBELLC" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID\ = "BtDaemon.cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "ADODB.Recordset" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID\ = "ADODB.Recordset.6.0" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\ibv1\\TEAMMALICKHUBBELLC\\StrCmp.exe" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC} | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\ = "BtDaemon.cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32 | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1 | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\ibv1\\TEAMMALICKHUBBELLC\\StrCmp.exe" | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe
C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 1032
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | calcuatllitwop.shop | udp |
| US | 172.67.214.24:443 | calcuatllitwop.shop | tcp |
| US | 8.8.8.8:53 | locatedblsoqp.shop | udp |
| US | 104.21.58.213:443 | locatedblsoqp.shop | tcp |
| US | 8.8.8.8:53 | traineiwnqo.shop | udp |
| US | 104.21.67.155:443 | traineiwnqo.shop | tcp |
| US | 8.8.8.8:53 | condedqpwqm.shop | udp |
| US | 172.67.146.35:443 | condedqpwqm.shop | tcp |
| US | 8.8.8.8:53 | evoliutwoqm.shop | udp |
| US | 8.8.8.8:53 | millyscroqwp.shop | udp |
| US | 172.67.187.171:443 | millyscroqwp.shop | tcp |
| US | 8.8.8.8:53 | stagedchheiqwo.shop | udp |
| US | 104.21.0.224:443 | stagedchheiqwo.shop | tcp |
| US | 8.8.8.8:53 | stamppreewntnq.shop | udp |
| US | 172.67.208.211:443 | stamppreewntnq.shop | tcp |
| US | 8.8.8.8:53 | caffegclasiqwp.shop | udp |
| US | 172.67.215.62:443 | caffegclasiqwp.shop | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | tenntysjuxmz.shop | udp |
| US | 172.67.141.209:443 | tenntysjuxmz.shop | tcp |
Files
memory/2852-0-0x0000000003DA0000-0x0000000003F88000-memory.dmp
memory/2852-10-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/2852-12-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/2852-14-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/2852-16-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/2852-19-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/2852-17-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/2852-15-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/2852-20-0x000007FEF6610000-0x000007FEF6768000-memory.dmp
memory/2852-36-0x000007FEF6610000-0x000007FEF6768000-memory.dmp
C:\Users\Admin\AppData\Roaming\ibv1\TEAMMALICKHUBBELLC\StrCmp.exe
| MD5 | 916d7425a559aaa77f640710a65f9182 |
| SHA1 | 23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13 |
| SHA256 | 118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35 |
| SHA512 | d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc |
memory/2852-42-0x000007FEF6610000-0x000007FEF6768000-memory.dmp
memory/2852-34-0x000007FEF6629000-0x000007FEF662A000-memory.dmp
memory/2852-41-0x000007FEF6610000-0x000007FEF6768000-memory.dmp
memory/2852-45-0x000007FEF6610000-0x000007FEF6768000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\549a587b
| MD5 | 3a3f4ba916875dcd5f36c54fe4091cf3 |
| SHA1 | feb7553f71751b4ab19ed0b53245667cf9f584fb |
| SHA256 | e44c8c5fb27ed81cbee61a34976060e0655b5db13cb0b134d12c53ef54b59d0d |
| SHA512 | 213a3dff7d64bacc03ea7ef112277fa13a7252c69da7f706b21910112fb7b166584f751fa90b8bf1e82e7fd7e9aa97ff6d9e9840275c87924cb46642c0fab6e4 |
memory/1004-51-0x0000000076F60000-0x0000000077109000-memory.dmp
memory/1004-53-0x00000000747AE000-0x00000000747B0000-memory.dmp
memory/1004-52-0x00000000747A0000-0x0000000074914000-memory.dmp
memory/1004-54-0x00000000747A0000-0x0000000074914000-memory.dmp
memory/1004-56-0x00000000747A0000-0x0000000074914000-memory.dmp
memory/1004-57-0x00000000747AE000-0x00000000747B0000-memory.dmp
memory/656-58-0x0000000076F60000-0x0000000077109000-memory.dmp
memory/656-59-0x0000000000400000-0x000000000046C000-memory.dmp
memory/656-60-0x0000000000400000-0x000000000046C000-memory.dmp
memory/656-61-0x0000000000400000-0x000000000046C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win10v2004-20240802-en
Max time kernel
137s
Max time network
152s
Command Line
Signatures
Banload
Lumma Stealer, LummaC
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4532 set thread context of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\SearchIndexer.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3} | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1 | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC} | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25} | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid\ = "{4F7FA487-8CC1-493E-AF0A-E7A294474F25}" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ = "cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32 | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ = "BtDaemon.cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0 | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791} | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\ = "BtDaemon.cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Programmable | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32 | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\ibv1\\PMBCYKKILWJUBYU\\StrCmp.exe" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\ibv1\\PMBCYKKILWJUBYU\\StrCmp.exe" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC} | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION\ = "2.1" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward\ = "{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32\ = "C:\\Windows\\System32\\Windows.Graphics.Printing.dll" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS\ = "0" | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F} | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe
C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3852 -ip 3852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 564
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | calcuatllitwop.shop | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 104.21.35.53:443 | calcuatllitwop.shop | tcp |
| US | 8.8.8.8:53 | locatedblsoqp.shop | udp |
| US | 172.67.207.182:443 | locatedblsoqp.shop | tcp |
| US | 8.8.8.8:53 | 53.35.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | traineiwnqo.shop | udp |
| US | 104.21.67.155:443 | traineiwnqo.shop | tcp |
| US | 8.8.8.8:53 | 182.207.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | condedqpwqm.shop | udp |
| US | 104.21.10.172:443 | condedqpwqm.shop | tcp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | evoliutwoqm.shop | udp |
| US | 8.8.8.8:53 | millyscroqwp.shop | udp |
| US | 8.8.8.8:53 | 172.10.21.104.in-addr.arpa | udp |
| US | 172.67.187.171:443 | millyscroqwp.shop | tcp |
| US | 8.8.8.8:53 | stagedchheiqwo.shop | udp |
| US | 104.21.0.224:443 | stagedchheiqwo.shop | tcp |
| US | 8.8.8.8:53 | 171.187.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stamppreewntnq.shop | udp |
| US | 172.67.208.211:443 | stamppreewntnq.shop | tcp |
| US | 8.8.8.8:53 | caffegclasiqwp.shop | udp |
| US | 104.21.16.180:443 | caffegclasiqwp.shop | tcp |
| US | 8.8.8.8:53 | 224.0.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.208.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 180.16.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.99.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tenntysjuxmz.shop | udp |
| US | 172.67.141.209:443 | tenntysjuxmz.shop | tcp |
| US | 8.8.8.8:53 | 209.141.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4532-0-0x00000000040A0000-0x0000000004288000-memory.dmp
memory/4532-10-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/4532-12-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/4532-15-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/4532-14-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/4532-16-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/4532-17-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/4532-20-0x00007FF8BD8F0000-0x00007FF8BDA62000-memory.dmp
memory/4532-19-0x0000000000400000-0x0000000001CF7000-memory.dmp
memory/4532-36-0x00007FF8BD909000-0x00007FF8BD90A000-memory.dmp
memory/4532-37-0x00007FF8BD8F0000-0x00007FF8BDA62000-memory.dmp
C:\Users\Admin\AppData\Roaming\ibv1\PMBCYKKILWJUBYU\StrCmp.exe
| MD5 | 916d7425a559aaa77f640710a65f9182 |
| SHA1 | 23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13 |
| SHA256 | 118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35 |
| SHA512 | d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc |
memory/4532-35-0x00007FF8BD8F0000-0x00007FF8BDA62000-memory.dmp
memory/4532-43-0x00007FF8BD8F0000-0x00007FF8BDA62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ff37737d
| MD5 | f6d6e6f36f310271a2d2e5c323d34efb |
| SHA1 | d243774991e019f769c043d8c05b5181f8893dfc |
| SHA256 | d022d26d04de06a81731fd033a67d66724c558156755160bb489095a61472c5e |
| SHA512 | 52e415b4c3b80d70c9593c0ce5966157cfcdbbdfdd97e7b69c00eebef76214c2aa8fb931bcb690f747e827a92929b1a4f8a02545c906266f116f54bc40dce65c |
memory/452-47-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp
memory/452-49-0x000000007590E000-0x0000000075910000-memory.dmp
memory/452-48-0x0000000075900000-0x0000000075A7B000-memory.dmp
memory/452-50-0x0000000075900000-0x0000000075A7B000-memory.dmp
memory/452-52-0x0000000075900000-0x0000000075A7B000-memory.dmp
memory/3852-53-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp
memory/452-54-0x000000007590E000-0x0000000075910000-memory.dmp
memory/3852-55-0x0000000000640000-0x00000000006AC000-memory.dmp
memory/3852-56-0x0000000000640000-0x00000000006AC000-memory.dmp
memory/3852-57-0x0000000000640000-0x00000000006AC000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libmmd.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win7-20240704-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1952 wrote to memory of 1032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1952 wrote to memory of 1032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1952 wrote to memory of 1032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1952 -s 80
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| SE | 192.229.221.95:80 | tcp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win7-20240729-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2324 wrote to memory of 2700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2324 wrote to memory of 2700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2324 wrote to memory of 2700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\x64\trading_api64.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2324 -s 116
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win10v2004-20240802-en
Max time kernel
138s
Max time network
140s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\x64\trading_api64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win10v2004-20240802-en
Max time kernel
143s
Max time network
157s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\config.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\config.exe
"C:\Users\Admin\AppData\Local\Temp\config.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-time-l1-1-0.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win7-20240704-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\config.exe
"C:\Users\Admin\AppData\Local\Temp\config.exe"
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win7-20240708-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3044 wrote to memory of 2240 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 3044 wrote to memory of 2240 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 3044 wrote to memory of 2240 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libmmd.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3044 -s 80
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win10v2004-20240802-en
Max time kernel
136s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\x64\tradingnetworkingsockets.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4008,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-convert-l1-1-0.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 107.116.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-string-l1-1-0.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win7-20240704-en
Max time kernel
13s
Max time network
20s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 560 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 560 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 560 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\x64\tradingnetworkingsockets.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 560 -s 152
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win10v2004-20240802-en
Max time kernel
143s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-environment-l1-1-0.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-25 19:58
Reported
2024-08-25 20:01
Platform
win10v2004-20240802-en
Max time kernel
143s
Max time network
129s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-heap-l1-1-0.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |