Malware Analysis Report

2024-11-13 13:55

Sample ID 241017-vrexbazakj
Target Open AI Sora 4.0 Verison 4.89.zip
SHA256 9ecdf63c778837fe391974d12dbda0752ccb58ef8e6241dd2bfc223580b1f536
Tags
discovery persistence spyware stealer ducktail
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ecdf63c778837fe391974d12dbda0752ccb58ef8e6241dd2bfc223580b1f536

Threat Level: Known bad

The file Open AI Sora 4.0 Verison 4.89.zip was found to be: Known bad.

Malicious Activity Summary

discovery persistence spyware stealer ducktail

Detect Ducktail Third Stage Payload

Ducktail family

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 17:15

Signatures

Detect Ducktail Third Stage Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ducktail family

ducktail

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win7-20240903-en

Max time kernel

119s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2100 wrote to memory of 1020 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 1020 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 1020 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 1020 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2100 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2100 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2100 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe

"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2100-0-0x00000000068F0000-0x0000000007279000-memory.dmp

memory/2100-3-0x00000000068F0000-0x0000000007279000-memory.dmp

memory/2100-4-0x0000000000594000-0x0000000000595000-memory.dmp

memory/2100-9-0x0000000000D10000-0x0000000000D2D000-memory.dmp

memory/2100-12-0x0000000000D10000-0x0000000000D2D000-memory.dmp

memory/2100-8-0x0000000005F60000-0x0000000006007000-memory.dmp

memory/2100-6-0x0000000005F60000-0x0000000006007000-memory.dmp

memory/2100-16-0x0000000000D80000-0x0000000000DA8000-memory.dmp

memory/2100-13-0x0000000000D80000-0x0000000000DA8000-memory.dmp

memory/2100-17-0x000000002BE60000-0x000000002BFEE000-memory.dmp

memory/2100-32-0x000000002BFF0000-0x000000002C095000-memory.dmp

memory/2100-45-0x000000002BD80000-0x000000002BDD4000-memory.dmp

memory/2100-57-0x0000000006880000-0x00000000068BC000-memory.dmp

memory/2100-24-0x0000000002A10000-0x0000000002A40000-memory.dmp

memory/2100-60-0x0000000006880000-0x00000000068BC000-memory.dmp

memory/2100-56-0x000000002C120000-0x000000002C19A000-memory.dmp

memory/2100-53-0x000000002C120000-0x000000002C19A000-memory.dmp

memory/2100-52-0x000000002C1D0000-0x000000002C266000-memory.dmp

memory/2100-49-0x000000002C1D0000-0x000000002C266000-memory.dmp

memory/2100-48-0x000000002BD80000-0x000000002BDD4000-memory.dmp

memory/2100-44-0x000000002C0A0000-0x000000002C115000-memory.dmp

memory/2100-41-0x000000002C0A0000-0x000000002C115000-memory.dmp

memory/2100-40-0x0000000002C20000-0x0000000002C31000-memory.dmp

memory/2100-37-0x0000000002C20000-0x0000000002C31000-memory.dmp

memory/2100-36-0x0000000002A40000-0x0000000002A55000-memory.dmp

memory/2100-33-0x0000000002A40000-0x0000000002A55000-memory.dmp

memory/2100-29-0x000000002BFF0000-0x000000002C095000-memory.dmp

memory/2100-28-0x000000002C350000-0x000000002C6A6000-memory.dmp

memory/2100-25-0x000000002C350000-0x000000002C6A6000-memory.dmp

memory/2100-21-0x0000000002A10000-0x0000000002A40000-memory.dmp

memory/2100-20-0x000000002BE60000-0x000000002BFEE000-memory.dmp

memory/2100-64-0x0000000006030000-0x0000000006042000-memory.dmp

memory/2100-61-0x0000000006030000-0x0000000006042000-memory.dmp

memory/1020-148-0x0000000072EB1000-0x0000000072EB2000-memory.dmp

memory/1020-149-0x0000000072EB0000-0x000000007345B000-memory.dmp

memory/1020-150-0x0000000072EB0000-0x000000007345B000-memory.dmp

memory/1020-151-0x0000000072EB0000-0x000000007345B000-memory.dmp

memory/1020-152-0x0000000072EB0000-0x000000007345B000-memory.dmp

memory/1020-153-0x0000000072EB0000-0x000000007345B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 62a5c95f439409c6f20621c5dd69a9da
SHA1 40fd565b81682b48d38f3b0598b430c1c84acce3
SHA256 f299d4dd08ed45f1d10150148a4fcfe464913aa234affcb11c58998a146ba47f
SHA512 2ba3a69546e405f64877f3f1302598ca1f72f4bc24a2db4baacd2f90a5f919a8064cd934b089d3070138235c754b8a2bc7abdf81d4b7ee4e428022e0483d9438

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsQmlModels.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsQmlModels.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickControls2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickControls2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-filesystem-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-filesystem-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win7-20240903-en

Max time kernel

121s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe"

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 828 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
PID 828 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
PID 828 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
PID 828 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
PID 2280 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2280 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2280 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2280 wrote to memory of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe"

C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe

"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2280-0-0x0000000006770000-0x00000000070F9000-memory.dmp

memory/2280-12-0x0000000000514000-0x0000000000515000-memory.dmp

memory/2280-11-0x0000000002750000-0x000000000276D000-memory.dmp

memory/2280-8-0x0000000002750000-0x000000000276D000-memory.dmp

memory/2280-7-0x0000000006120000-0x00000000061C7000-memory.dmp

memory/2280-16-0x0000000005BF0000-0x0000000005C18000-memory.dmp

memory/2280-13-0x0000000005BF0000-0x0000000005C18000-memory.dmp

memory/2280-3-0x0000000006770000-0x00000000070F9000-memory.dmp

memory/2280-48-0x0000000006630000-0x0000000006684000-memory.dmp

memory/2280-60-0x0000000006260000-0x000000000629C000-memory.dmp

memory/2280-64-0x0000000006320000-0x0000000006332000-memory.dmp

memory/2280-61-0x0000000006320000-0x0000000006332000-memory.dmp

memory/2280-57-0x0000000006260000-0x000000000629C000-memory.dmp

memory/2280-56-0x0000000006690000-0x000000000670A000-memory.dmp

memory/2280-53-0x0000000006690000-0x000000000670A000-memory.dmp

memory/2280-52-0x000000002BFC0000-0x000000002C056000-memory.dmp

memory/2280-49-0x000000002BFC0000-0x000000002C056000-memory.dmp

memory/2280-45-0x0000000006630000-0x0000000006684000-memory.dmp

memory/2280-44-0x00000000062A0000-0x0000000006315000-memory.dmp

memory/2280-41-0x00000000062A0000-0x0000000006315000-memory.dmp

memory/2280-40-0x0000000005F70000-0x0000000005F81000-memory.dmp

memory/2280-37-0x0000000005F70000-0x0000000005F81000-memory.dmp

memory/2280-36-0x0000000005E60000-0x0000000005E75000-memory.dmp

memory/2280-33-0x0000000005E60000-0x0000000005E75000-memory.dmp

memory/2280-32-0x000000002BF10000-0x000000002BFB5000-memory.dmp

memory/2280-29-0x000000002BF10000-0x000000002BFB5000-memory.dmp

memory/2280-28-0x000000002C5A0000-0x000000002C8F6000-memory.dmp

memory/2280-25-0x000000002C5A0000-0x000000002C8F6000-memory.dmp

memory/2280-24-0x0000000005E80000-0x0000000005EB0000-memory.dmp

memory/2280-21-0x0000000005E80000-0x0000000005EB0000-memory.dmp

memory/2280-20-0x000000002C0B0000-0x000000002C23E000-memory.dmp

memory/2280-17-0x000000002C0B0000-0x000000002C23E000-memory.dmp

memory/2280-4-0x0000000006120000-0x00000000061C7000-memory.dmp

memory/2816-148-0x00000000735E1000-0x00000000735E2000-memory.dmp

memory/2816-149-0x00000000735E0000-0x0000000073B8B000-memory.dmp

memory/2816-150-0x00000000735E0000-0x0000000073B8B000-memory.dmp

memory/2816-151-0x00000000735E0000-0x0000000073B8B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 143a2c8ff8ebad276ee5ded629035bea
SHA1 d28cd1e18a0909fe80a7ed0174fd8556fcd561ab
SHA256 9cee9bf7a23bdf522a8587335e044b05923d4105b209ce0e2a29c423c34f30f5
SHA512 762bc270e6adbacfe434f5e84f0fcf4fd25b84f7338a4f4677e982f545d9ade153b57d5b310b3b32011bcf6061c6f945fdf92b265b66543e1e31eba402728ff6

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win7-20240903-en

Max time kernel

118s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtils.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtils.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtilsOld.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtilsOld.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_codecvt_ids.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_codecvt_ids.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:19

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-environment-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-environment-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 34.197.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-heap-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-heap-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-runtime-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-runtime-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win7-20240903-en

Max time kernel

121s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsSettings.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsSettings.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

167s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickDialogs2Utils.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickDialogs2Utils.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-multibyte-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-multibyte-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-private-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-private-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win7-20240903-en

Max time kernel

117s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtilsOld.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtilsOld.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win7-20240729-en

Max time kernel

122s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsQmlModels.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsQmlModels.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

163s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-locale-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-locale-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-process-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-process-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-stdio-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-stdio-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe"

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4532 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
PID 4532 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
PID 4532 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe
PID 2040 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2040 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2040 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora 4.0 Verison 4.89.exe"

C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe

"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "msedge"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

memory/2040-0-0x0000000006FD0000-0x0000000007959000-memory.dmp

memory/2040-3-0x0000000006FD0000-0x0000000007959000-memory.dmp

memory/2040-4-0x0000000001214000-0x0000000001215000-memory.dmp

memory/2040-5-0x0000000000400000-0x00000000004A7000-memory.dmp

memory/2040-11-0x0000000006900000-0x000000000691D000-memory.dmp

memory/2040-15-0x0000000006950000-0x0000000006978000-memory.dmp

memory/2040-12-0x0000000006950000-0x0000000006978000-memory.dmp

memory/2040-8-0x0000000006900000-0x000000000691D000-memory.dmp

memory/2040-19-0x000000002DDB0000-0x000000002DF3E000-memory.dmp

memory/2040-43-0x000000002E070000-0x000000002E0E5000-memory.dmp

memory/2040-47-0x000000002E0F0000-0x000000002E144000-memory.dmp

memory/2040-64-0x000000002E1F0000-0x000000002E1F6000-memory.dmp

memory/2040-63-0x000000002E640000-0x000000002E652000-memory.dmp

memory/2040-60-0x000000002E640000-0x000000002E652000-memory.dmp

memory/2040-59-0x000000002E030000-0x000000002E06C000-memory.dmp

memory/2040-56-0x000000002E030000-0x000000002E06C000-memory.dmp

memory/2040-55-0x000000002E150000-0x000000002E1CA000-memory.dmp

memory/2040-52-0x000000002E150000-0x000000002E1CA000-memory.dmp

memory/2040-51-0x000000002E200000-0x000000002E296000-memory.dmp

memory/2040-48-0x000000002E200000-0x000000002E296000-memory.dmp

memory/2040-44-0x000000002E0F0000-0x000000002E144000-memory.dmp

memory/2040-40-0x000000002E070000-0x000000002E0E5000-memory.dmp

memory/2040-39-0x0000000006F80000-0x0000000006F91000-memory.dmp

memory/2040-36-0x0000000006F80000-0x0000000006F91000-memory.dmp

memory/2040-35-0x0000000006F10000-0x0000000006F25000-memory.dmp

memory/2040-32-0x0000000006F10000-0x0000000006F25000-memory.dmp

memory/2040-31-0x000000002DF40000-0x000000002DFE5000-memory.dmp

memory/2040-27-0x000000002E2A0000-0x000000002E5F6000-memory.dmp

memory/2040-24-0x000000002E2A0000-0x000000002E5F6000-memory.dmp

memory/2040-23-0x0000000006DF0000-0x0000000006E20000-memory.dmp

memory/2040-20-0x0000000006DF0000-0x0000000006E20000-memory.dmp

memory/2040-28-0x000000002DF40000-0x000000002DFE5000-memory.dmp

memory/2040-16-0x000000002DDB0000-0x000000002DF3E000-memory.dmp

memory/4576-142-0x0000000073CCE000-0x0000000073CCF000-memory.dmp

memory/4576-143-0x0000000002BE0000-0x0000000002C16000-memory.dmp

memory/4576-144-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/4576-145-0x00000000057C0000-0x0000000005DE8000-memory.dmp

memory/4576-146-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/4576-147-0x0000000005660000-0x0000000005682000-memory.dmp

memory/4576-149-0x0000000005ED0000-0x0000000005F36000-memory.dmp

memory/4576-148-0x0000000005E60000-0x0000000005EC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ig4mvkl1.ekw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4576-155-0x0000000005F40000-0x0000000006294000-memory.dmp

memory/4576-160-0x0000000006510000-0x000000000652E000-memory.dmp

memory/4576-161-0x0000000006540000-0x000000000658C000-memory.dmp

memory/4576-162-0x00000000074D0000-0x0000000007566000-memory.dmp

memory/4576-163-0x0000000006A00000-0x0000000006A1A000-memory.dmp

memory/4576-164-0x0000000006A50000-0x0000000006A72000-memory.dmp

memory/4576-165-0x0000000007B20000-0x00000000080C4000-memory.dmp

memory/4576-168-0x0000000073CC0000-0x0000000074470000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

memory/2052-179-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/2052-180-0x0000000073CC0000-0x0000000074470000-memory.dmp

memory/2052-181-0x0000000073CC0000-0x0000000074470000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ac70eddb6cdee1f7950a6672ea0b105d
SHA1 fe5f3602ec86d04ce10c2990721583d717f22f71
SHA256 d50610b260831c402d091a726523a505ac377e5c3c496a848ec69d9fb9ee0837
SHA512 c8dd7892a49d60ef9f91b7507d21f599381a867baa12a6be158977f2ae59b60377a2849bc3cf470ab787a118c8a26b94ddf8d5b3e72b5426447b97fe110fb4ce

memory/2052-193-0x0000000073CC0000-0x0000000074470000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e1fa3f2ceebabda5a8e6b7c4de4814c0
SHA1 f33eb1724ee1e99628acb108685090fe9d58c46b
SHA256 0b3bb5726220a355b2e00beeb47d7ab0ebde9e1f79c0ab93d3d00ba80479c6ca
SHA512 1b09edcacca0906cbb6fb2885c22b8596ad4151c15275cd8a9558a6faf048420d17cbc02ed6cb87b42f30b86f2f7c2ce3b86368ba7f1fdfa3c96e9331fe19b1b

Analysis: behavioral30

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsSettings.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6LabsSettings.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win7-20240903-en

Max time kernel

122s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickControls2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickControls2.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win7-20240903-en

Max time kernel

120s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickDialogs2Utils.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Qt6QuickDialogs2Utils.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win7-20241010-en

Max time kernel

7s

Max time network

29s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_1.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:19

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-string-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-string-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win7-20240903-en

Max time kernel

117s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_codecvt_ids.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 804 wrote to memory of 2272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 804 wrote to memory of 2272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 804 wrote to memory of 2272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\msvcp140_codecvt_ids.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 804 -s 80

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtils.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\EMUtils.dll,#1

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"

Signatures

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | N/A |

Looks up external IP address via web service

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4284 wrote to memory of 3516 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4284 wrote to memory of 3516 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4284 wrote to memory of 3516 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4284 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4284 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4284 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4284 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4284 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4284 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4284 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe |
| PID 4284 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe |
| PID 4284 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe

"C:\Users\Admin\AppData\Local\Temp\app-11.4.0\Open AI Sora 4.0 Verison 4.89.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "msedge"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_znzj0bg3.wap.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b015b512ade3e681649a9d4d3e5a6ebb
SHA1 9dc07c730c4f7080e10f59ef2369bb7333b4bb9a
SHA256 be2a6cbe8f82da39e827f1662c28b6ac09f8eddecdf86a25c34a231fc0b4d2bb
SHA512 f210b415a004550058bdadb22c3360248238271ef59d655a34a57b67205e6baa29467a3937595cb2a30874e50a51650e8c352ac7b4f1a51cc55677b4b4289bbf

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 057788610fc668ec68273f0a943afd10
SHA1 ce096a47e88db34a76bbe94a9c89482258308ad2
SHA256 4655d833993a7280ed1977dea9bed6005d1f5b7ed0cf1a60ca5678d86aab3961
SHA512 417db9008c92515f3908dcc3fc406f293198dc65fa50abc3dce806d122d98ba4d60a0f8436389e04b279cee69c9227b3b69bbb429484eca1b431d987b83cd782

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-convert-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-convert-l1-1-0.dll,#1

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-10-17 17:13

Reported

2024-10-17 17:20

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-math-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\app-11.4.0\api-ms-win-crt-math-l1-1-0.dll,#1

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |

Files

N/A