Analysis Overview
SHA256
e2263400ad0b27acf1e9b89895de5364c997bb2f2aa338ab37f81e37ee71da8a
Threat Level: Known bad
The file 5c64ce5f7c6b88767f77b788a4fb5b19.bin was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Loads dropped DLL
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Unsigned PE
NSIS installer
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-24 01:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-24 01:20
Reported
2024-10-24 01:23
Platform
win7-20240903-en
Max time kernel
148s
Max time network
146s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2528 set thread context of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\resources\synderegistres.lnk | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
| File opened for modification | C:\Windows\negotiate\Anstdeligheden.ini | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
| File created | C:\Windows\resources\synderegistres.lnk | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe
"C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe"
C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe
"C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | comercializadoradeinsumos.cl | udp |
| US | 162.240.106.189:443 | comercializadoradeinsumos.cl | tcp |
(45 identical TCP connections to 162.240.106.189:443 for comercializadoradeinsumos.cl were listed; collapsed into the single row above)
Files
C:\Windows\Resources\synderegistres.lnk
| MD5 | 6edf2c7536a8a9bddec2566a79adfeda |
| SHA1 | 205604300b215a9ea9c5864cac2f275dbcc29b3f |
| SHA256 | 13e90ad02116f9d001d8a3adaec56b56fbcace5ef65786dcddad96030a5bf61c |
| SHA512 | 18857fd2d88e8eb77b17de71a6dee860fabc3d0a5206abcb64fcf115634eae8a84b02f854f1471acdd372a44f1d9c4c3aa100605c3b40bfcb6f9e68218f8d778 |
C:\ProgramData\Microsoft\Windows\Start Menu\eksportafgrde.ini
| MD5 | a0d91a2f9acb4dec3b5260aba27839c4 |
| SHA1 | 8a9037c691a2bdeebcab8bf3d4c954e62aca9207 |
| SHA256 | 773cd6fba7d53550b4c41aa889e330b744a7a579df2bb02212773b67e72f5844 |
| SHA512 | d3df7852aea197e901c787cd8d943faaa30ee9a6678c4853ed0bb494679897854e4e7556f420f1c176443a485cf1e02e0b4bff86f8da4017a053362b2c9a0608 |
\Users\Admin\AppData\Local\Temp\nsoAA36.tmp\System.dll
| MD5 | 12b140583e3273ee1f65016becea58c4 |
| SHA1 | 92df24d11797fefd2e1f8d29be9dfd67c56c1ada |
| SHA256 | 014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042 |
| SHA512 | 49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a |
memory/2924-828-0x0000000000400000-0x0000000001462000-memory.dmp
memory/2924-829-0x0000000000400000-0x0000000001462000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-24 01:20
Reported
2024-10-24 19:30
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3172 set thread context of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\resources\synderegistres.lnk | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
| File opened for modification | C:\Windows\resources\synderegistres.lnk | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
| File opened for modification | C:\Windows\negotiate\Anstdeligheden.ini | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe
"C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe"
C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe
"C:\Users\Admin\AppData\Local\Temp\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1916 -ip 1916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1508
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | comercializadoradeinsumos.cl | udp |
| US | 162.240.106.189:443 | comercializadoradeinsumos.cl | tcp |
| US | 8.8.8.8:53 | 189.106.240.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.45.26.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Windows\Resources\synderegistres.lnk
| MD5 | 709f6a46c1ffc6854dc571f7ff852930 |
| SHA1 | 7ffaba1c971f93c06870d936e39c4d1f43d7b2b0 |
| SHA256 | 5e934f3b0c68352e78a6820ed1c9529391d1155f244ed084f9d40a41b1bf75da |
| SHA512 | cc2ecff8e9a134588be438463d1dec13bfaa714833bf13d11f3aac30f21e6f3b361eee10d98ab884fb46c70686978535c160eaa0220ef31b58b62e02e7bc1784 |
C:\ProgramData\Microsoft\Windows\Start Menu\eksportafgrde.ini
| MD5 | a0d91a2f9acb4dec3b5260aba27839c4 |
| SHA1 | 8a9037c691a2bdeebcab8bf3d4c954e62aca9207 |
| SHA256 | 773cd6fba7d53550b4c41aa889e330b744a7a579df2bb02212773b67e72f5844 |
| SHA512 | d3df7852aea197e901c787cd8d943faaa30ee9a6678c4853ed0bb494679897854e4e7556f420f1c176443a485cf1e02e0b4bff86f8da4017a053362b2c9a0608 |
C:\Users\Admin\AppData\Local\Temp\nsh97DD.tmp\System.dll
| MD5 | 12b140583e3273ee1f65016becea58c4 |
| SHA1 | 92df24d11797fefd2e1f8d29be9dfd67c56c1ada |
| SHA256 | 014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042 |
| SHA512 | 49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a |
memory/3172-826-0x00000000034C0000-0x0000000004989000-memory.dmp
memory/3172-827-0x0000000077131000-0x0000000077251000-memory.dmp
memory/3172-828-0x0000000073E25000-0x0000000073E26000-memory.dmp
memory/3172-829-0x00000000034C0000-0x0000000004989000-memory.dmp
memory/1916-830-0x0000000000400000-0x0000000001654000-memory.dmp
memory/1916-831-0x0000000001660000-0x0000000002B29000-memory.dmp
memory/1916-832-0x00000000771B8000-0x00000000771B9000-memory.dmp
memory/1916-833-0x00000000771D5000-0x00000000771D6000-memory.dmp
memory/1916-834-0x0000000001660000-0x0000000002B29000-memory.dmp
memory/1916-836-0x0000000077131000-0x0000000077251000-memory.dmp
memory/1916-835-0x0000000000400000-0x0000000001654000-memory.dmp
memory/1916-840-0x0000000000400000-0x0000000001654000-memory.dmp
memory/1916-841-0x0000000000400000-0x0000000001654000-memory.dmp
memory/1916-842-0x0000000000400000-0x0000000001654000-memory.dmp
memory/1916-843-0x0000000001660000-0x0000000002B29000-memory.dmp
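The SetThreadContext rows in behavioral1 ("PID 2528 set thread context of 2924") and behavioral2 ("PID 3172 set thread context of 1916"), together with the WriteProcessMemory and MapViewOfSection hits and the child-process dumps starting at 0x400000, are the classic same-image hollowing pattern: the sample spawns a second copy of itself and redirects its main thread. The script below is an added example, not code from the sandbox or this report. It parses the report's own SetThreadContext descriptions and memory-dump names (transcribed from the page) and flags parent/child pairs where both sides run the same image and the child holds a large region at the default image base. The `C:\Tools\dbg.exe` control row and its dump name are constructed to show a SetThreadContext that is not flagged; reading the 0x400000 region in the child as the unpacked payload is the analyst's assumption, not something the report states.

```python
"""Flag the same-image SetThreadContext pattern recorded in this report.

Added example, not part of the sandbox report.  The signature rows and
dump names below are transcribed from behavioral1/behavioral2 on the page;
the 'dbg.exe' control row is constructed.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8d9cacf5c0689e332f4e043117ecdc533edf1b52b65179885ceb284ff706a6fe.exe")

# (description, process, target) as they appear in the SetThreadContext tables
SET_CONTEXT_ROWS = [
    ("PID 2528 set thread context of 2924", SAMPLE, SAMPLE),   # behavioral1 (win7)
    ("PID 3172 set thread context of 1916", SAMPLE, SAMPLE),   # behavioral2 (win10)
    # constructed control: different image on each side, as a debugger attaching would be
    ("PID 4000 set thread context of 4001", r"C:\Tools\dbg.exe", SAMPLE),
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, copied from the Files sections
DUMP_NAMES = [
    "memory/2924-828-0x0000000000400000-0x0000000001462000-memory.dmp",
    "memory/2924-829-0x0000000000400000-0x0000000001462000-memory.dmp",
    "memory/3172-826-0x00000000034C0000-0x0000000004989000-memory.dmp",
    "memory/1916-830-0x0000000000400000-0x0000000001654000-memory.dmp",
    "memory/1916-831-0x0000000001660000-0x0000000002B29000-memory.dmp",
    "memory/1916-835-0x0000000000400000-0x0000000001654000-memory.dmp",
    "memory/4001-900-0x0000000000400000-0x0000000000500000-memory.dmp",  # constructed
]

CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dumps(names):
    """Map pid -> set of (start, end) regions, de-duplicating repeated dumps."""
    regions = defaultdict(set)
    for name in names:
        m = DUMP_RE.fullmatch(name)
        if m:
            regions[int(m.group(1))].add((int(m.group(2), 16), int(m.group(3), 16)))
    return regions


def find_hollowing(ctx_rows, dump_names, image_base=0x400000, min_size=0x100000):
    """Return one dict per parent/child pair matching the pattern: the same
    image on both sides of SetThreadContext, and a region in the child that
    starts at image_base and is at least min_size bytes long."""
    regions = parse_dumps(dump_names)
    hits = []
    for desc, proc, target in ctx_rows:
        m = CTX_RE.search(desc)
        if not m or proc.lower() != target.lower():
            continue                     # no PIDs, or a cross-image context change
        parent, child = int(m.group(1)), int(m.group(2))
        at_base = [(s, e) for s, e in regions.get(child, ()) if s == image_base]
        if not at_base:
            continue                     # child never showed a fresh image region
        size = max(e for _, e in at_base) - image_base
        if size >= min_size:
            hits.append({"parent": parent, "child": child, "image_region_size": size})
    return hits


if __name__ == "__main__":
    for h in find_hollowing(SET_CONTEXT_ROWS, DUMP_NAMES):
        print(f"parent {h['parent']} -> child {h['child']}: "
              f"0x{h['image_region_size']:x} bytes at image base")
```

Both detonations produce a hit; the control row does not, because the image check fails before the region check. On a real host the same logic applies to Sysmon event ID 8/10 (CreateRemoteThread / ProcessAccess) paired with the parent/child image paths, which is where the same-image condition does most of the filtering.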
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-24 01:20
Reported
2024-10-24 01:23
Platform
win7-20240903-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 220
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-24 01:20
Reported
2024-10-24 19:30
Platform
win10v2004-20241007-en
Max time kernel
124s
Max time network
143s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2264 wrote to memory of 3976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2264 wrote to memory of 3976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2264 wrote to memory of 3976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3976 -ip 3976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-24 01:20
Reported
2024-10-24 01:23
Platform
macos-20240711.1-en
Max time kernel
93s
Max time network
123s
Command Line
Signatures
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "open /Users/run/frlighed.app"]
/bin/bash
[sh -c sudo /bin/zsh -c "open /Users/run/frlighed.app"]
/usr/bin/sudo
[sudo /bin/zsh -c open /Users/run/frlighed.app]
/bin/zsh
[/bin/zsh -c open /Users/run/frlighed.app]
/usr/bin/open
[open /Users/run/frlighed.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.AudioComponentRegistrar]
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]
Network
| Country | Destination | Domain | Proto |
| GB | 184.85.51.234:443 | N/A | tcp |
| US | 8.8.8.8:53 | 40.courier-push-apple.com.akadns.net | udp |
| GB | 2.18.109.84:443 | N/A | tcp |
| DE | 17.253.15.204:80 | valid.apple.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
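Across the five detonations only one endpoint is reached by the sample's own process tree: comercializadoradeinsumos.cl at 162.240.106.189:443. Everything else in the network tables is resolver reverse lookups, Bing/Apple platform traffic and mDNS from the sandbox image itself. The script below is an added example, not part of this report or the sandbox's tooling. It parses an excerpt of the behavioral1, behavioral2 and behavioral5 tables exactly as extracted (including the two macOS rows whose domain cell is missing), de-duplicates connections with a count, and sorts them into contact / dns / unresolved / noise buckets. The noise suffix list and the bucket names are the analyst's assumptions; the report itself does not label any row as background traffic.

```python
"""Extract connection IOCs from a sandbox network table and separate them
from sandbox/OS background traffic.

Added example, not part of the sandbox report.  REPORT_TABLE is an excerpt
of the behavioral1, behavioral2 and behavioral5 tables on this page, kept
as extracted; NOISE_SUFFIXES and the bucket names are this script's own.
"""
from collections import Counter

REPORT_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | comercializadoradeinsumos.cl | udp |
| US | 162.240.106.189:443 | comercializadoradeinsumos.cl | tcp |
| US | 162.240.106.189:443 | comercializadoradeinsumos.cl | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 189.106.240.162.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| GB | 184.85.51.234:443 | tcp | |
| US | 8.8.8.8:53 | 40.courier-push-apple.com.akadns.net | udp |
| DE | 17.253.15.204:80 | valid.apple.com | tcp |
| N/A | 224.0.0.251:5353 | udp |
"""

# Background traffic an analyst expects from the detonation platform itself (assumption).
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net", ".apple.com", ".akadns.net")
NOISE_DESTS = {"224.0.0.251:5353"}   # mDNS
PROTOS = {"tcp", "udp"}


def parse_rows(text):
    """Yield (country, dest, domain, proto), repairing rows whose domain
    cell was dropped so that the protocol slid into the domain column."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] == "Country":            # header row
            continue
        if len(cells) == 3:                  # "| N/A | 224.0.0.251:5353 | udp |"
            country, dest, proto = cells
            domain = ""
        elif len(cells) == 4:
            country, dest, domain, proto = cells
            if proto == "" and domain in PROTOS:   # "| GB | ip:443 | tcp | |"
                domain, proto = "", domain
        else:
            continue
        if proto in PROTOS:
            yield country, dest, domain, proto


def classify(dest, domain):
    """Bucket a connection: platform noise, a resolver query for a domain the
    sample wanted, a contact with a resolved name, or a bare IP contact."""
    if domain.endswith(NOISE_SUFFIXES) or dest in NOISE_DESTS:
        return "noise"
    if dest.endswith(":53"):
        return "dns"
    return "contact" if domain else "unresolved"


def extract_iocs(text):
    """Return {bucket: Counter((dest, domain, proto) -> connection count)}."""
    buckets = {k: Counter() for k in ("contact", "dns", "unresolved", "noise")}
    for _country, dest, domain, proto in parse_rows(text):
        buckets[classify(dest, domain)][(dest, domain, proto)] += 1
    return buckets


if __name__ == "__main__":
    for bucket, counter in extract_iocs(REPORT_TABLE).items():
        for (dest, domain, proto), n in counter.most_common():
            print(f"{bucket:10} {dest:22} {domain or '-':40} {proto} x{n}")
```

The two bare-IP rows from the macOS run land in the unresolved bucket rather than being dropped; an analyst should resolve or ASN-lookup those before treating them as indicators, since a Windows PE produced no sample-driven traffic on macOS and they are most plausibly platform traffic too.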