Malware Analysis Report

2024-11-13 13:55

Sample ID 241015-1lzbnashlk
Target Open AI Sora 4.0 Verison 4.89.zip
SHA256 9ecdf63c778837fe391974d12dbda0752ccb58ef8e6241dd2bfc223580b1f536
Tags
discovery persistence spyware stealer ducktail
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ecdf63c778837fe391974d12dbda0752ccb58ef8e6241dd2bfc223580b1f536

Threat Level: Known bad

The file Open AI Sora 4.0 Verison 4.89.zip was found to be: Known bad.

Malicious Activity Summary

discovery persistence spyware stealer ducktail

Ducktail family

Detect Ducktail Third Stage Payload

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Executes dropped EXE

Loads dropped DLL

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 21:46

Signatures

Detect Ducktail Third Stage Payload

Description Indicator Process Target
N/A N/A N/A N/A

Ducktail family

ducktail

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win7-20241010-en

Max time kernel

117s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtils.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtils.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win7-20240708-en

Max time kernel

117s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsQmlModels.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsQmlModels.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickDialogs2Utils.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickDialogs2Utils.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-filesystem-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-filesystem-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-string-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-string-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win7-20241010-en

Max time kernel

13s

Max time network

27s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsSettings.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsSettings.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-math-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-math-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win7-20240903-en

Max time kernel

117s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_codecvt_ids.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 1804 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2056 wrote to memory of 1804 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2056 wrote to memory of 1804 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_codecvt_ids.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2056 -s 80

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtils.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtils.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-multibyte-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-multibyte-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-process-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-process-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5028 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 5028 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 5028 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe

"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "msedge"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

memory/5028-4-0x0000000000DD4000-0x0000000000DD5000-memory.dmp

memory/5028-0-0x0000000006B90000-0x0000000007519000-memory.dmp

memory/5028-3-0x0000000006B90000-0x0000000007519000-memory.dmp

memory/5028-12-0x0000000006430000-0x000000000644D000-memory.dmp

memory/5028-16-0x0000000006480000-0x00000000064A8000-memory.dmp

memory/5028-13-0x0000000006480000-0x00000000064A8000-memory.dmp

memory/5028-9-0x0000000006430000-0x000000000644D000-memory.dmp

memory/5028-8-0x00000000064C0000-0x0000000006567000-memory.dmp

memory/5028-5-0x00000000064C0000-0x0000000006567000-memory.dmp

memory/5028-20-0x000000002DB10000-0x000000002DC9E000-memory.dmp

memory/5028-57-0x000000002DE70000-0x000000002DEAC000-memory.dmp

memory/5028-60-0x000000002DE70000-0x000000002DEAC000-memory.dmp

memory/5028-56-0x000000002DEB0000-0x000000002DF2A000-memory.dmp

memory/5028-53-0x000000002DEB0000-0x000000002DF2A000-memory.dmp

memory/5028-64-0x000000002DF90000-0x000000002DFA2000-memory.dmp

memory/5028-61-0x000000002DF90000-0x000000002DFA2000-memory.dmp

memory/5028-52-0x000000002DA70000-0x000000002DB06000-memory.dmp

memory/5028-49-0x000000002DA70000-0x000000002DB06000-memory.dmp

memory/5028-48-0x000000002DDD0000-0x000000002DE24000-memory.dmp

memory/5028-45-0x000000002DDD0000-0x000000002DE24000-memory.dmp

memory/5028-44-0x000000002DD50000-0x000000002DDC5000-memory.dmp

memory/5028-41-0x000000002DD50000-0x000000002DDC5000-memory.dmp

memory/5028-40-0x000000002DA30000-0x000000002DA41000-memory.dmp

memory/5028-37-0x000000002DA30000-0x000000002DA41000-memory.dmp

memory/5028-36-0x0000000006B20000-0x0000000006B35000-memory.dmp

memory/5028-33-0x0000000006B20000-0x0000000006B35000-memory.dmp

memory/5028-32-0x000000002DCA0000-0x000000002DD45000-memory.dmp

memory/5028-28-0x000000002E000000-0x000000002E356000-memory.dmp

memory/5028-25-0x000000002E000000-0x000000002E356000-memory.dmp

memory/5028-24-0x0000000006AC0000-0x0000000006AF0000-memory.dmp

memory/5028-21-0x0000000006AC0000-0x0000000006AF0000-memory.dmp

memory/5028-29-0x000000002DCA0000-0x000000002DD45000-memory.dmp

memory/5028-17-0x000000002DB10000-0x000000002DC9E000-memory.dmp

memory/1512-143-0x000000007352E000-0x000000007352F000-memory.dmp

memory/1512-144-0x00000000022C0000-0x00000000022F6000-memory.dmp

memory/1512-145-0x0000000073520000-0x0000000073CD0000-memory.dmp

memory/1512-146-0x0000000004E20000-0x0000000005448000-memory.dmp

memory/1512-147-0x0000000073520000-0x0000000073CD0000-memory.dmp

memory/1512-148-0x0000000004D40000-0x0000000004D62000-memory.dmp

memory/1512-149-0x0000000005500000-0x0000000005566000-memory.dmp

memory/1512-150-0x0000000005570000-0x00000000055D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ncclj3to.jnp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1512-160-0x00000000055E0000-0x0000000005934000-memory.dmp

memory/1512-161-0x0000000005BF0000-0x0000000005C0E000-memory.dmp

memory/1512-162-0x0000000005C10000-0x0000000005C5C000-memory.dmp

memory/1512-163-0x0000000006BD0000-0x0000000006C66000-memory.dmp

memory/1512-164-0x00000000060C0000-0x00000000060DA000-memory.dmp

memory/1512-165-0x0000000006130000-0x0000000006152000-memory.dmp

memory/1512-166-0x0000000007220000-0x00000000077C4000-memory.dmp

memory/1512-169-0x0000000073520000-0x0000000073CD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

memory/3388-180-0x0000000073520000-0x0000000073CD0000-memory.dmp

memory/3388-181-0x0000000073520000-0x0000000073CD0000-memory.dmp

memory/3388-182-0x0000000073520000-0x0000000073CD0000-memory.dmp

memory/3388-192-0x0000000005BB0000-0x0000000005F04000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dacf7b69d0f2cf691d1000faffe696f4
SHA1 b5d5c4eeca92da611c1d671278327ebfabe50d5a
SHA256 e6526da3dfdf0ad671244ed120888369ea0963e297046bd45c982bb995e8a744
SHA512 3b63772d5a14a103fef627c2150c9f9f72a0476d90f9f2e12014e857df8f6513617fd35c91160dd5b75980b8cce10ecbadeca440d207ebcf52fc0e3e2dc3c768

memory/3388-195-0x0000000073520000-0x0000000073CD0000-memory.dmp

memory/3952-197-0x0000000006040000-0x0000000006394000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f0590cae80ae688603e8894f8409cac2
SHA1 84868af435be768f3ff0ed043eaa8bc7db29141d
SHA256 bd37ae3b0fcd80dd2c1efd31d7f665d0577240c3e2b5c32d3703ae3217ae23ab
SHA512 ef662faa8c27cd7508b22dcf7e082c00a285acf4cb4177a91bd086b3cc31544b4bce92bca81e47f8e3d4743d67a5f0df9e424118f391dcc0ce02f7c8fa2034bf

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsQmlModels.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsQmlModels.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-private-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-private-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win7-20240903-en

Max time kernel

119s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1840 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
PID 1840 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
PID 1840 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
PID 1840 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
PID 616 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 616 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 616 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 616 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 616 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 616 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 616 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 616 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 616 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 616 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 616 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 616 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe"

C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe

"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/616-1-0x00000000068E0000-0x0000000007269000-memory.dmp

memory/616-60-0x0000000001294000-0x0000000001295000-memory.dmp

memory/616-59-0x000000002C210000-0x000000002C24C000-memory.dmp

memory/616-64-0x00000000067A0000-0x00000000067B2000-memory.dmp

memory/616-61-0x00000000067A0000-0x00000000067B2000-memory.dmp

memory/616-56-0x000000002C210000-0x000000002C24C000-memory.dmp

memory/616-53-0x000000002C360000-0x000000002C3DA000-memory.dmp

memory/616-51-0x000000002C2C0000-0x000000002C356000-memory.dmp

memory/616-48-0x000000002C2C0000-0x000000002C356000-memory.dmp

memory/616-44-0x0000000006850000-0x00000000068A4000-memory.dmp

memory/616-40-0x00000000067D0000-0x0000000006845000-memory.dmp

memory/616-39-0x0000000006730000-0x0000000006741000-memory.dmp

memory/616-36-0x0000000006730000-0x0000000006741000-memory.dmp

memory/616-35-0x00000000066C0000-0x00000000066D5000-memory.dmp

memory/616-32-0x00000000066C0000-0x00000000066D5000-memory.dmp

memory/616-31-0x0000000006100000-0x00000000061A5000-memory.dmp

memory/616-28-0x0000000006100000-0x00000000061A5000-memory.dmp

memory/616-24-0x000000002C570000-0x000000002C8C6000-memory.dmp

memory/616-23-0x00000000060D0000-0x0000000006100000-memory.dmp

memory/616-20-0x00000000060D0000-0x0000000006100000-memory.dmp

memory/616-19-0x000000002C080000-0x000000002C20E000-memory.dmp

memory/616-16-0x000000002C080000-0x000000002C20E000-memory.dmp

memory/616-15-0x0000000000D70000-0x0000000000D98000-memory.dmp

memory/616-12-0x0000000000D70000-0x0000000000D98000-memory.dmp

memory/616-11-0x0000000000520000-0x000000000053D000-memory.dmp

memory/616-8-0x0000000000520000-0x000000000053D000-memory.dmp

memory/616-7-0x0000000005D20000-0x0000000005DC7000-memory.dmp

memory/616-4-0x0000000005D20000-0x0000000005DC7000-memory.dmp

memory/616-55-0x000000002C360000-0x000000002C3DA000-memory.dmp

memory/616-47-0x0000000006850000-0x00000000068A4000-memory.dmp

memory/616-43-0x00000000067D0000-0x0000000006845000-memory.dmp

memory/616-27-0x000000002C570000-0x000000002C8C6000-memory.dmp

memory/616-3-0x00000000068E0000-0x0000000007269000-memory.dmp

memory/1620-148-0x0000000073A21000-0x0000000073A22000-memory.dmp

memory/1620-149-0x0000000073A20000-0x0000000073FCB000-memory.dmp

memory/1620-150-0x0000000073A20000-0x0000000073FCB000-memory.dmp

memory/1620-151-0x0000000073A20000-0x0000000073FCB000-memory.dmp

memory/1620-152-0x0000000073A20000-0x0000000073FCB000-memory.dmp

memory/1620-153-0x0000000073A20000-0x0000000073FCB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 e03f747c21b3f97cc779bfef6468a917
SHA1 124e3e26e23a88399ef3396a0e4f0b3dbda96ce4
SHA256 c1831c42c16ef3e1243907df4a8555ca9c491ab1b71cb31e3244ab2bfec975ee
SHA512 396e90e3d86c5effe3d3b261c3d4f0601336895d225417389e5366ace8c311755eb3e236320c3a7cf74b659e18a1227b50d2da94a38500b3b949045236b773b3

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1016 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
PID 1016 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
PID 1016 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
PID 2484 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2484 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2484 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2484 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe"

C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe

"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "msedge"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/2484-0-0x00000000070D0000-0x0000000007A59000-memory.dmp

memory/2484-3-0x00000000070D0000-0x0000000007A59000-memory.dmp

memory/2484-4-0x00000000012F4000-0x00000000012F5000-memory.dmp

memory/2484-9-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2484-15-0x0000000006A40000-0x0000000006A68000-memory.dmp

memory/2484-12-0x0000000006A40000-0x0000000006A68000-memory.dmp

memory/2484-8-0x0000000006B70000-0x0000000006C17000-memory.dmp

memory/2484-5-0x0000000006B70000-0x0000000006C17000-memory.dmp

memory/2484-16-0x000000002E050000-0x000000002E1DE000-memory.dmp

memory/2484-23-0x0000000006B40000-0x0000000006B70000-memory.dmp

memory/2484-24-0x000000002E540000-0x000000002E896000-memory.dmp

memory/2484-19-0x000000002E050000-0x000000002E1DE000-memory.dmp

memory/2484-51-0x000000002E3F0000-0x000000002E486000-memory.dmp

memory/2484-52-0x000000002E340000-0x000000002E3BA000-memory.dmp

memory/2484-59-0x000000002E1E0000-0x000000002E21C000-memory.dmp

memory/2484-64-0x000000002E040000-0x000000002E046000-memory.dmp

memory/2484-63-0x000000002E3C0000-0x000000002E3D2000-memory.dmp

memory/2484-60-0x000000002E3C0000-0x000000002E3D2000-memory.dmp

memory/2484-55-0x000000002E340000-0x000000002E3BA000-memory.dmp

memory/2484-47-0x000000002E2E0000-0x000000002E334000-memory.dmp

memory/2484-44-0x000000002E2E0000-0x000000002E334000-memory.dmp

memory/2484-43-0x000000002E260000-0x000000002E2D5000-memory.dmp

memory/2484-40-0x000000002E260000-0x000000002E2D5000-memory.dmp

memory/2484-39-0x00000000070B0000-0x00000000070C1000-memory.dmp

memory/2484-36-0x00000000070B0000-0x00000000070C1000-memory.dmp

memory/2484-35-0x0000000007090000-0x00000000070A5000-memory.dmp

memory/2484-32-0x0000000007090000-0x00000000070A5000-memory.dmp

memory/2484-31-0x000000002DF70000-0x000000002E015000-memory.dmp

memory/2484-56-0x000000002E1E0000-0x000000002E21C000-memory.dmp

memory/2484-48-0x000000002E3F0000-0x000000002E486000-memory.dmp

memory/2484-28-0x000000002DF70000-0x000000002E015000-memory.dmp

memory/2484-27-0x000000002E540000-0x000000002E896000-memory.dmp

memory/2484-20-0x0000000006B40000-0x0000000006B70000-memory.dmp

memory/1508-142-0x00000000738DE000-0x00000000738DF000-memory.dmp

memory/1508-143-0x0000000005080000-0x00000000050B6000-memory.dmp

memory/1508-144-0x00000000738D0000-0x0000000074080000-memory.dmp

memory/1508-145-0x0000000005750000-0x0000000005D78000-memory.dmp

memory/1508-146-0x00000000738D0000-0x0000000074080000-memory.dmp

memory/1508-147-0x0000000005680000-0x00000000056A2000-memory.dmp

memory/1508-148-0x0000000005F70000-0x0000000005FD6000-memory.dmp

memory/1508-149-0x0000000005FE0000-0x0000000006046000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sqzzgx5s.mb2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1508-159-0x0000000006050000-0x00000000063A4000-memory.dmp

memory/1508-160-0x0000000006630000-0x000000000664E000-memory.dmp

memory/1508-161-0x0000000006680000-0x00000000066CC000-memory.dmp

memory/1508-162-0x00000000078B0000-0x0000000007946000-memory.dmp

memory/1508-163-0x0000000006B00000-0x0000000006B1A000-memory.dmp

memory/1508-164-0x0000000006B70000-0x0000000006B92000-memory.dmp

memory/1508-165-0x0000000007F00000-0x00000000084A4000-memory.dmp

memory/1508-168-0x00000000738D0000-0x0000000074080000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

memory/716-179-0x00000000738D0000-0x0000000074080000-memory.dmp

memory/716-180-0x00000000738D0000-0x0000000074080000-memory.dmp

memory/716-181-0x00000000738D0000-0x0000000074080000-memory.dmp

memory/716-191-0x0000000005D70000-0x00000000060C4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9440f316533f70e7b4d3cdb8df05d743
SHA1 7a4949aac188063d3f1a207172b0503c088d0c94
SHA256 e0a6ef97c0561bf90f0eb7da03f24deb6e98dca78e62f801ab805f77ca71e551
SHA512 5dd59e6f01a096afddb99effa84090b87f2a0bdbef26950175b79cb0326b371795f8859d4fe63abe0168d66aa7ba22858ef3ec19e7ed733ccc23737872a62ca0

memory/716-194-0x00000000738D0000-0x0000000074080000-memory.dmp

memory/2492-196-0x0000000005A60000-0x0000000005DB4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7667c3d7a664de4b675fd1f790f84ffa
SHA1 87e4b175a4e52737dc21a1e40df44c6a665197ac
SHA256 1e7492aa72914f144ed015350595ad0e8887e19a966d76eebb73722851fa77f4
SHA512 2c1cd7bc55616e27d7562727898f93df931a6fb0037c36d28eec55b2816de534603184429f30be8c06dad462f39775ebbdbcc4459447ed701eb2245a64af9f02

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win7-20240903-en

Max time kernel

119s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtilsOld.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtilsOld.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win7-20240903-en

Max time kernel

117s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 796 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 796 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 796 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 796 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 796 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 796 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 796 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 796 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 796 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 796 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 796 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 796 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe

"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/796-1-0x0000000006810000-0x0000000007199000-memory.dmp

memory/796-12-0x00000000029C0000-0x00000000029DD000-memory.dmp

memory/796-9-0x00000000029C0000-0x00000000029DD000-memory.dmp

memory/796-8-0x0000000000CE0000-0x0000000000D87000-memory.dmp

memory/796-5-0x0000000000CE0000-0x0000000000D87000-memory.dmp

memory/796-4-0x0000000001274000-0x0000000001275000-memory.dmp

memory/796-3-0x0000000006810000-0x0000000007199000-memory.dmp

memory/796-16-0x00000000029E0000-0x0000000002A08000-memory.dmp

memory/796-13-0x00000000029E0000-0x0000000002A08000-memory.dmp

memory/796-17-0x000000002BFB0000-0x000000002C13E000-memory.dmp

memory/796-20-0x000000002BFB0000-0x000000002C13E000-memory.dmp

memory/796-32-0x000000002C140000-0x000000002C1E5000-memory.dmp

memory/796-52-0x000000002C1F0000-0x000000002C286000-memory.dmp

memory/796-60-0x0000000006250000-0x000000000628C000-memory.dmp

memory/796-57-0x0000000006250000-0x000000000628C000-memory.dmp

memory/796-56-0x00000000066D0000-0x000000000674A000-memory.dmp

memory/796-53-0x00000000066D0000-0x000000000674A000-memory.dmp

memory/796-49-0x000000002C1F0000-0x000000002C286000-memory.dmp

memory/796-48-0x00000000061F0000-0x0000000006244000-memory.dmp

memory/796-64-0x00000000061B0000-0x00000000061C2000-memory.dmp

memory/796-61-0x00000000061B0000-0x00000000061C2000-memory.dmp

memory/796-45-0x00000000061F0000-0x0000000006244000-memory.dmp

memory/796-44-0x0000000006750000-0x00000000067C5000-memory.dmp

memory/796-41-0x0000000006750000-0x00000000067C5000-memory.dmp

memory/796-40-0x0000000005FA0000-0x0000000005FB1000-memory.dmp

memory/796-37-0x0000000005FA0000-0x0000000005FB1000-memory.dmp

memory/796-36-0x0000000005F80000-0x0000000005F95000-memory.dmp

memory/796-33-0x0000000005F80000-0x0000000005F95000-memory.dmp

memory/796-29-0x000000002C140000-0x000000002C1E5000-memory.dmp

memory/796-28-0x000000002C4A0000-0x000000002C7F6000-memory.dmp

memory/796-25-0x000000002C4A0000-0x000000002C7F6000-memory.dmp

memory/796-24-0x0000000005C40000-0x0000000005C70000-memory.dmp

memory/796-21-0x0000000005C40000-0x0000000005C70000-memory.dmp

memory/2248-148-0x00000000730F1000-0x00000000730F2000-memory.dmp

memory/2248-149-0x00000000730F0000-0x000000007369B000-memory.dmp

memory/2248-150-0x00000000730F0000-0x000000007369B000-memory.dmp

memory/2248-151-0x00000000730F0000-0x000000007369B000-memory.dmp

memory/2248-152-0x00000000730F0000-0x000000007369B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 daf0ab18f186644483b6483025f12369
SHA1 b827f9ad4e9af95d96692b9df024dd6517ce330b
SHA256 e085c3bc1a309c41f788447846b2bef887ce6f32861f5737c154d14409ca0f28
SHA512 0e5e8b6d0606692197176be6f522e8c0b046f66245dd96a9681024694b4bed24392d047223f3c248162d6dddd8a018b20343d9e1fca70dd8c3e39d96f5ae791d

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickControls2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickControls2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win7-20241010-en

Max time kernel

11s

Max time network

28s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_1.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win7-20240729-en

Max time kernel

80s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickDialogs2Utils.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickDialogs2Utils.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-environment-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-environment-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-heap-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-heap-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-locale-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-locale-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_codecvt_ids.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_codecvt_ids.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtilsOld.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtilsOld.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win7-20241010-en

Max time kernel

120s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickControls2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickControls2.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-convert-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-convert-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-runtime-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-runtime-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-stdio-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-stdio-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-15 21:44

Reported

2024-10-15 21:53

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsSettings.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsSettings.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

N/A