Malware Analysis Report

2024-12-07 16:15

Sample ID 241113-mehtfazend
Target Вооtstrap-v1.0.9-x64.zip
SHA256 d49f9a79848735ce6ea9e8bd2a4570d0203bc2fa7b3fbd5fbfc948b6ea3825fd
Tags
lumma discovery stealer execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d49f9a79848735ce6ea9e8bd2a4570d0203bc2fa7b3fbd5fbfc948b6ea3825fd

Threat Level: Known bad

The file Вооtstrap-v1.0.9-x64.zip was found to be: Known bad.

Malicious Activity Summary

lumma discovery stealer execution

Lumma family

Lumma Stealer, LummaC

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Enumerates processes with tasklist

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Command and Scripting Interpreter: JavaScript

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 10:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win7-20240903-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\mkl_mc3.1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\mkl_mc3.1.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win10v2004-20241007-en

Max time kernel

90s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\vulkan-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\vulkan-1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

148s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Вооtstrap-v1.0.9-x64.zip"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Вооtstrap-v1.0.9-x64.zip"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe"

Signatures

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\BiographyVisits C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe N/A
File opened for modification C:\Windows\RangingTwinks C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe N/A
File opened for modification C:\Windows\AnnouncementCircuits C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe N/A
File opened for modification C:\Windows\PowersTried C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe N/A
File opened for modification C:\Windows\RelationshipKenny C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe N/A
File opened for modification C:\Windows\WaIron C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe N/A
File opened for modification C:\Windows\PlaysSometimes C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 820 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe C:\Windows\SysWOW64\cmd.exe
PID 820 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe C:\Windows\SysWOW64\cmd.exe
PID 820 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1564 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1564 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1564 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1564 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1564 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1564 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 3380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 3380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 3380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1564 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\720301\Af.pif
PID 1564 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\720301\Af.pif
PID 1564 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\720301\Af.pif
PID 1564 wrote to memory of 3472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1564 wrote to memory of 3472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1564 wrote to memory of 3472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe

"C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Sufficient Sufficient.cmd & Sufficient.cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 720301

C:\Windows\SysWOW64\findstr.exe

findstr /V "VegetarianBoobsProvinceApplications" Continuing

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Networks + ..\Immigration + ..\Cgi + ..\Insertion + ..\Headers + ..\Plastics Q

C:\Users\Admin\AppData\Local\Temp\720301\Af.pif

Af.pif Q

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 OcijSoIdhalXXMHvmeBk.OcijSoIdhalXXMHvmeBk udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 financiauglyk.cyou udp
US 172.67.220.142:443 financiauglyk.cyou tcp
US 8.8.8.8:53 thicktoys.sbs udp
US 104.21.52.119:443 thicktoys.sbs tcp
US 8.8.8.8:53 fleez-inc.sbs udp
US 104.21.0.123:443 fleez-inc.sbs tcp
US 8.8.8.8:53 pull-trucker.sbs udp
US 104.21.7.31:443 pull-trucker.sbs tcp
US 8.8.8.8:53 3xc1aimbl0w.sbs udp
US 8.8.8.8:53 142.220.67.172.in-addr.arpa udp
US 8.8.8.8:53 119.52.21.104.in-addr.arpa udp
US 8.8.8.8:53 123.0.21.104.in-addr.arpa udp
US 8.8.8.8:53 31.7.21.104.in-addr.arpa udp
US 104.21.72.16:443 3xc1aimbl0w.sbs tcp
US 8.8.8.8:53 bored-light.sbs udp
US 104.21.68.80:443 bored-light.sbs tcp
US 8.8.8.8:53 16.72.21.104.in-addr.arpa udp
US 8.8.8.8:53 300snails.sbs udp
US 104.21.8.62:443 300snails.sbs tcp
US 8.8.8.8:53 faintbl0w.sbs udp
US 172.67.176.72:443 faintbl0w.sbs tcp
US 8.8.8.8:53 62.8.21.104.in-addr.arpa udp
US 8.8.8.8:53 80.68.21.104.in-addr.arpa udp
US 8.8.8.8:53 crib-endanger.sbs udp
US 104.21.39.101:443 crib-endanger.sbs tcp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 101.39.21.104.in-addr.arpa udp
US 8.8.8.8:53 72.176.67.172.in-addr.arpa udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 109.234.82.104.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Sufficient

MD5 b47f1e1763dca7643b4bd29057f2a3f7
SHA1 2212f08c6efa9549c0de09e1aa73e99adabb50f0
SHA256 f5774c1fa7c8bb8696f79f05aa7175e3bb7f7c01a1c8498576ba62ff69fb4722
SHA512 39a1e0cee8ab3f2995dc9c20ddb48383b9eeca391d6f16e6596eff0aac0dbcc40b5d57cfbf60b559f00cd44f97d5114cc39c6fa8c3b211236cbaba806861a796

C:\Users\Admin\AppData\Local\Temp\Continuing

MD5 510efb15198403472ea2c4f8a4d038f8
SHA1 1a92c910dfa5d0e1ea88d22b112fade0f3fc3a33
SHA256 d80259d59d1e66a080af7f1d053e3640abebb8f6bfe2a5aab7612703eb9d1a85
SHA512 3982f07260cdc57bb6d9124e61c14d1216c428309418e5f532649fd18e7820e6d172016b7677ac07bfa0386ce9c554959ae7cdcbc5643fe1b1d1c1578159e784

C:\Users\Admin\AppData\Local\Temp\Kentucky

MD5 dde5bab95c3f57d28b925532086d0556
SHA1 26fdd5fe71bfe0c149b2adc1696768e850258ce4
SHA256 9367e8ba3dc3fe5c6062d501d3a881f163fb08d5ce07f9f77865b23278ceb1c9
SHA512 4617154e1e2eda03ea5b07f1204b91b23edb160ab6ee7dca97df76450960374b85b8f23822e02ee87e37c2fe9583d37c2f1b3587ba77f16ba3ff0a5e5fc8fad3

C:\Users\Admin\AppData\Local\Temp\Networks

MD5 abda13de932bcb2c0f12f26b68599d7f
SHA1 a27f131dea283556e76849de070dc4df2a07e408
SHA256 2d600926f2bb72023f1e9330131f795a953ebfd8286ae9b36929e6e8b903bdd3
SHA512 b0b247841dc64cc65e35a2de29710faf96819e2aa639c17f1797cc735afb6e6671250669acc27e76ccc0c427b7826fce9b0ac2168020148e0efb9bdf74f12d9e

C:\Users\Admin\AppData\Local\Temp\Immigration

MD5 cb5b2c31ede8feb58e6abe2753a6c39a
SHA1 1a28c52a991247012f16a5b5869a7adfae08f104
SHA256 725080ee2795da5d11778bfa65a3d4e6f5a2d5b23bd96877814aa2da4f410976
SHA512 c312cdc9d56f0ecb4d411a6ee2fa0ae3edc7c8d8fbb05c967e5552052d35661f59aac21bb6538c954b0cb0a308e9ff6a3a122e87d7ce8c27f4b7984bc90b2a2e

C:\Users\Admin\AppData\Local\Temp\Cgi

MD5 39620223462a6f9ce0752f5ca3c2f4aa
SHA1 22f3a0b4e7c0e9527cd56b76526cd2ead3365709
SHA256 c98c5bd18e9426a25e1f2c8d447a1467fb3146f020d2652be69317c3f062f29e
SHA512 f8ba5839645ce29d051f7ce6318aa3af573806f1b2d7d10e957b1b1ebed198f405c03fe6adb4a4b0edd0a5c307f49929f5106659ddedacee994a7a967b4450ea

C:\Users\Admin\AppData\Local\Temp\Headers

MD5 7caa8114f6b6811129eaa1279455b788
SHA1 2dba419876bd031b990d40049c48bc916449f797
SHA256 90295dfd575ead9a4a8e95c850eae249300ab930d188a32378dbf5945c8a708c
SHA512 0e6ac3ae43a258f76984b1a3224c9bc9e9ce4eeaa2824d73220bec0828bde0025bd5342df3384143ccde9768763a06b0f8f8506f648d54850fc171e9f37707e9

C:\Users\Admin\AppData\Local\Temp\Insertion

MD5 c4758caf508433c8552e2e42b5b26703
SHA1 8e8c261160459aeff69a991bd9eadd0a0c5a8894
SHA256 8063f6b97a66957d5366d306e55584e6e8cd3801f46a4f69700addab78d3421f
SHA512 088ace94863287fb82803bac41d4a17d77e6e23a65f1868204f46121aec70a3713368c35ca60fd392ca6e30dca5045eb70dad7fa53cb9e7d59e3d02f6eba9be0

C:\Users\Admin\AppData\Local\Temp\Plastics

MD5 4a9d11868425359ae68808dd1354da69
SHA1 9446d29147e6538caef24faa4c63f3405e448eab
SHA256 6f133efcf577fc97e301992c9ef7ed3008ad6023403cd48960cc546632d62bc4
SHA512 35b8dc30d8cd1b30be893db7cdc719bdc149ebeaa9613c62acf67068cce2c22939767449739b8f03fa58806c1e6fe9fbfd21aa906f422d75d608e093b3d2f9e0

C:\Users\Admin\AppData\Local\Temp\720301\Af.pif

MD5 78ba0653a340bac5ff152b21a83626cc
SHA1 b12da9cb5d024555405040e65ad89d16ae749502
SHA256 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512 efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

C:\Users\Admin\AppData\Local\Temp\720301\Q

MD5 492a40dc62f5c0c66b904bbfe7479433
SHA1 176e0292b637e5dbb12f2c51303a1ebea250ccb2
SHA256 a9ab82ef3f7873f747adb0f83c72d2400758c88979c98997f5742d1714c3f967
SHA512 cea5235a8a8d410a3c8fdb530adec2e7e8dd7519b85e236e541f3d725efefbd3aaff496a55625528ab167699976f2970f47bc182b7dd55cd3e82eab4e5fb391f

memory/1716-205-0x0000000000610000-0x0000000000669000-memory.dmp

memory/1716-207-0x0000000000610000-0x0000000000669000-memory.dmp

memory/1716-206-0x0000000000610000-0x0000000000669000-memory.dmp

memory/1716-210-0x0000000000610000-0x0000000000669000-memory.dmp

memory/1716-209-0x0000000000610000-0x0000000000669000-memory.dmp

memory/1716-208-0x0000000000610000-0x0000000000669000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\libssl-3-x64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\libssl-3-x64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win7-20241023-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\app.asar.unpacked\node_modules\get-fonts\binding.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2556 wrote to memory of 2592 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2556 wrote to memory of 2592 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2556 wrote to memory of 2592 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\app.asar.unpacked\node_modules\get-fonts\binding.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2556 -s 156

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\app.asar.unpacked\node_modules\btime\binding.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\app.asar.unpacked\node_modules\btime\binding.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win7-20240729-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\vk_swiftshader.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 1376 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2092 wrote to memory of 1376 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2092 wrote to memory of 1376 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\vk_swiftshader.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2092 -s 80

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win7-20240903-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\vulkan-1.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2572 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2572 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2572 wrote to memory of 2036 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\vulkan-1.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2572 -s 88

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win7-20241023-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Вооtstrap-v1.0.9-x64.zip"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Вооtstrap-v1.0.9-x64.zip"

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win7-20240903-en

Max time kernel

120s

Max time network

125s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Release\locales\locales\de.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Release\locales\locales\de.ps1

Network

N/A

Files

memory/1956-4-0x000007FEF536E000-0x000007FEF536F000-memory.dmp

memory/1956-5-0x000000001B570000-0x000000001B852000-memory.dmp

memory/1956-7-0x00000000022C0000-0x00000000022C8000-memory.dmp

memory/1956-8-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

memory/1956-6-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

memory/1956-9-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

memory/1956-11-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

memory/1956-10-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

memory/1956-12-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

151s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Release\locales\locales\de.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Release\locales\locales\de.ps1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x498 0x4d8

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

memory/4548-0-0x00007FF9F4E43000-0x00007FF9F4E45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w2ehn3eb.f4v.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4548-1-0x00000197A8600000-0x00000197A8622000-memory.dmp

memory/4548-11-0x00007FF9F4E40000-0x00007FF9F5901000-memory.dmp

memory/4548-12-0x00007FF9F4E40000-0x00007FF9F5901000-memory.dmp

memory/4548-13-0x00007FF9F4E40000-0x00007FF9F5901000-memory.dmp

memory/4548-16-0x00007FF9F4E40000-0x00007FF9F5901000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win7-20240903-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\app.asar.unpacked\node_modules\btime\binding.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2840 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2840 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2840 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\app.asar.unpacked\node_modules\btime\binding.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2840 -s 156

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\de.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\de.ps1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x508 0x504

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 200.79.70.13.in-addr.arpa udp

Files

memory/2148-0-0x00007FFC0DCD3000-0x00007FFC0DCD5000-memory.dmp

memory/2148-1-0x000001D67B4D0000-0x000001D67B4F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v5tfbppd.hcf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2148-11-0x00007FFC0DCD0000-0x00007FFC0E791000-memory.dmp

memory/2148-12-0x00007FFC0DCD0000-0x00007FFC0E791000-memory.dmp

memory/2148-13-0x00007FFC0DCD0000-0x00007FFC0E791000-memory.dmp

memory/2148-16-0x00007FFC0DCD0000-0x00007FFC0E791000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\mkl_mc3.1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\mkl_mc3.1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win10v2004-20241007-en

Max time kernel

90s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\ffmpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win7-20240903-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe"

Signatures

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\RelationshipKenny C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe N/A
File opened for modification C:\Windows\WaIron C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe N/A
File opened for modification C:\Windows\PlaysSometimes C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe N/A
File opened for modification C:\Windows\BiographyVisits C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe N/A
File opened for modification C:\Windows\RangingTwinks C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe N/A
File opened for modification C:\Windows\AnnouncementCircuits C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe N/A
File opened for modification C:\Windows\PowersTried C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\720301\Af.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2300 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2300 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2300 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2300 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2300 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2300 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2300 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2300 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2300 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2300 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2300 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2300 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2300 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2300 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2300 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2300 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2300 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2300 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2300 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2300 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\720301\Af.pif
PID 2300 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\720301\Af.pif
PID 2300 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\720301\Af.pif
PID 2300 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\720301\Af.pif
PID 2300 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2300 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2300 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2300 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe

"C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Sufficient Sufficient.cmd & Sufficient.cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 720301

C:\Windows\SysWOW64\findstr.exe

findstr /V "VegetarianBoobsProvinceApplications" Continuing

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Networks + ..\Immigration + ..\Cgi + ..\Insertion + ..\Headers + ..\Plastics Q

C:\Users\Admin\AppData\Local\Temp\720301\Af.pif

Af.pif Q

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

Network

Country Destination Domain Proto
US 8.8.8.8:53 OcijSoIdhalXXMHvmeBk.OcijSoIdhalXXMHvmeBk udp
US 8.8.8.8:53 financiauglyk.cyou udp
US 104.21.94.71:443 financiauglyk.cyou tcp
US 8.8.8.8:53 thicktoys.sbs udp
US 172.67.198.129:443 thicktoys.sbs tcp
US 8.8.8.8:53 fleez-inc.sbs udp
US 172.67.150.243:443 fleez-inc.sbs tcp
US 8.8.8.8:53 pull-trucker.sbs udp
US 172.67.135.173:443 pull-trucker.sbs tcp
US 8.8.8.8:53 3xc1aimbl0w.sbs udp
US 172.67.173.191:443 3xc1aimbl0w.sbs tcp
US 8.8.8.8:53 bored-light.sbs udp
US 172.67.192.57:443 bored-light.sbs tcp
US 8.8.8.8:53 300snails.sbs udp
US 104.21.8.62:443 300snails.sbs tcp
US 8.8.8.8:53 faintbl0w.sbs udp
US 104.21.96.94:443 faintbl0w.sbs tcp
US 8.8.8.8:53 crib-endanger.sbs udp
US 172.67.144.50:443 crib-endanger.sbs tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 marshal-zhukov.com udp
US 104.21.82.174:443 marshal-zhukov.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Sufficient

MD5 b47f1e1763dca7643b4bd29057f2a3f7
SHA1 2212f08c6efa9549c0de09e1aa73e99adabb50f0
SHA256 f5774c1fa7c8bb8696f79f05aa7175e3bb7f7c01a1c8498576ba62ff69fb4722
SHA512 39a1e0cee8ab3f2995dc9c20ddb48383b9eeca391d6f16e6596eff0aac0dbcc40b5d57cfbf60b559f00cd44f97d5114cc39c6fa8c3b211236cbaba806861a796

C:\Users\Admin\AppData\Local\Temp\Continuing

MD5 510efb15198403472ea2c4f8a4d038f8
SHA1 1a92c910dfa5d0e1ea88d22b112fade0f3fc3a33
SHA256 d80259d59d1e66a080af7f1d053e3640abebb8f6bfe2a5aab7612703eb9d1a85
SHA512 3982f07260cdc57bb6d9124e61c14d1216c428309418e5f532649fd18e7820e6d172016b7677ac07bfa0386ce9c554959ae7cdcbc5643fe1b1d1c1578159e784

C:\Users\Admin\AppData\Local\Temp\Kentucky

MD5 dde5bab95c3f57d28b925532086d0556
SHA1 26fdd5fe71bfe0c149b2adc1696768e850258ce4
SHA256 9367e8ba3dc3fe5c6062d501d3a881f163fb08d5ce07f9f77865b23278ceb1c9
SHA512 4617154e1e2eda03ea5b07f1204b91b23edb160ab6ee7dca97df76450960374b85b8f23822e02ee87e37c2fe9583d37c2f1b3587ba77f16ba3ff0a5e5fc8fad3

C:\Users\Admin\AppData\Local\Temp\Networks

MD5 abda13de932bcb2c0f12f26b68599d7f
SHA1 a27f131dea283556e76849de070dc4df2a07e408
SHA256 2d600926f2bb72023f1e9330131f795a953ebfd8286ae9b36929e6e8b903bdd3
SHA512 b0b247841dc64cc65e35a2de29710faf96819e2aa639c17f1797cc735afb6e6671250669acc27e76ccc0c427b7826fce9b0ac2168020148e0efb9bdf74f12d9e

C:\Users\Admin\AppData\Local\Temp\Immigration

MD5 cb5b2c31ede8feb58e6abe2753a6c39a
SHA1 1a28c52a991247012f16a5b5869a7adfae08f104
SHA256 725080ee2795da5d11778bfa65a3d4e6f5a2d5b23bd96877814aa2da4f410976
SHA512 c312cdc9d56f0ecb4d411a6ee2fa0ae3edc7c8d8fbb05c967e5552052d35661f59aac21bb6538c954b0cb0a308e9ff6a3a122e87d7ce8c27f4b7984bc90b2a2e

C:\Users\Admin\AppData\Local\Temp\Cgi

MD5 39620223462a6f9ce0752f5ca3c2f4aa
SHA1 22f3a0b4e7c0e9527cd56b76526cd2ead3365709
SHA256 c98c5bd18e9426a25e1f2c8d447a1467fb3146f020d2652be69317c3f062f29e
SHA512 f8ba5839645ce29d051f7ce6318aa3af573806f1b2d7d10e957b1b1ebed198f405c03fe6adb4a4b0edd0a5c307f49929f5106659ddedacee994a7a967b4450ea

C:\Users\Admin\AppData\Local\Temp\Insertion

MD5 c4758caf508433c8552e2e42b5b26703
SHA1 8e8c261160459aeff69a991bd9eadd0a0c5a8894
SHA256 8063f6b97a66957d5366d306e55584e6e8cd3801f46a4f69700addab78d3421f
SHA512 088ace94863287fb82803bac41d4a17d77e6e23a65f1868204f46121aec70a3713368c35ca60fd392ca6e30dca5045eb70dad7fa53cb9e7d59e3d02f6eba9be0

C:\Users\Admin\AppData\Local\Temp\Headers

MD5 7caa8114f6b6811129eaa1279455b788
SHA1 2dba419876bd031b990d40049c48bc916449f797
SHA256 90295dfd575ead9a4a8e95c850eae249300ab930d188a32378dbf5945c8a708c
SHA512 0e6ac3ae43a258f76984b1a3224c9bc9e9ce4eeaa2824d73220bec0828bde0025bd5342df3384143ccde9768763a06b0f8f8506f648d54850fc171e9f37707e9

C:\Users\Admin\AppData\Local\Temp\Plastics

MD5 4a9d11868425359ae68808dd1354da69
SHA1 9446d29147e6538caef24faa4c63f3405e448eab
SHA256 6f133efcf577fc97e301992c9ef7ed3008ad6023403cd48960cc546632d62bc4
SHA512 35b8dc30d8cd1b30be893db7cdc719bdc149ebeaa9613c62acf67068cce2c22939767449739b8f03fa58806c1e6fe9fbfd21aa906f422d75d608e093b3d2f9e0

\Users\Admin\AppData\Local\Temp\720301\Af.pif

MD5 78ba0653a340bac5ff152b21a83626cc
SHA1 b12da9cb5d024555405040e65ad89d16ae749502
SHA256 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512 efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

C:\Users\Admin\AppData\Local\Temp\720301\Q

MD5 492a40dc62f5c0c66b904bbfe7479433
SHA1 176e0292b637e5dbb12f2c51303a1ebea250ccb2
SHA256 a9ab82ef3f7873f747adb0f83c72d2400758c88979c98997f5742d1714c3f967
SHA512 cea5235a8a8d410a3c8fdb530adec2e7e8dd7519b85e236e541f3d725efefbd3aaff496a55625528ab167699976f2970f47bc182b7dd55cd3e82eab4e5fb391f

memory/1432-209-0x0000000003590000-0x00000000035E9000-memory.dmp

memory/1432-208-0x0000000003590000-0x00000000035E9000-memory.dmp

memory/1432-212-0x0000000003590000-0x00000000035E9000-memory.dmp

memory/1432-211-0x0000000003590000-0x00000000035E9000-memory.dmp

memory/1432-210-0x0000000003590000-0x00000000035E9000-memory.dmp

memory/1432-207-0x0000000003590000-0x00000000035E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3F53.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar3F75.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\libssl-3-x64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\libssl-3-x64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

154s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\LICENSES.chromium.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1168 wrote to memory of 1572 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1572 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 1548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 4424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1168 wrote to memory of 2060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ff9961246f8,0x7ff996124708,0x7ff996124718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,15514690555466403255,16911976690257754832,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,15514690555466403255,16911976690257754832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,15514690555466403255,16911976690257754832,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15514690555466403255,16911976690257754832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15514690555466403255,16911976690257754832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,15514690555466403255,16911976690257754832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,15514690555466403255,16911976690257754832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15514690555466403255,16911976690257754832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15514690555466403255,16911976690257754832,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15514690555466403255,16911976690257754832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15514690555466403255,16911976690257754832,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,15514690555466403255,16911976690257754832,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 443a627d539ca4eab732bad0cbe7332b
SHA1 86b18b906a1acd2a22f4b2c78ac3564c394a9569
SHA256 1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9
SHA512 923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 99afa4934d1e3c56bbce114b356e8a99
SHA1 3f0e7a1a28d9d9c06b6663df5d83a65c84d52581
SHA256 08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8
SHA512 76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

\??\pipe\LOCAL\crashpad_1168_VJSIYHUSTBZHEJJD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 15d1ba410263a32fc28a0c662f6a575d
SHA1 a32c98539f39267e70c97a1fd26ad9c672cfb0c4
SHA256 9df35814a9435987edb2558f3c3f8c201e626a3d5b23265b5fabb919a525bb12
SHA512 8e1280411d9fa98f75b11ae7eaefe30996abb2569fc1e08efc070b808e605c9d42fa5b56210c5abda6ec0706119026823d02b8ac8ba31fe9653dcff749b56e64

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 808dd5593fd5fb5dc99e9cb1320a9986
SHA1 603641236b181e0090e5fcdc6140d451f8222e7d
SHA256 513b727507d9c8b404da730221b9672fafb981faacbce16963ae5831ea417186
SHA512 6e7587184a084372634b6e3a096d38db6fcdf72998e155cc0452ba6a9394ab66a09d16374fb725aa7376eac7db6df49795a2329ac28f15679cad0b049c47f3e1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f8356be8a5272273c19cf665b19a3f7e
SHA1 6e9266c8f4fbe7f0d6dbb3c6d3bd5a5bda78270c
SHA256 2d6e793dce706316c60476868ea596dab4cc71d439a158fd1cc51f256519c325
SHA512 21a25a288300b6601f1903a66efa9b875989f47b3e14ff72f2c0d4d73f8e2ecd403b6d645142566c14d3bde9c66c8ebf0f8c5399d1c1b3cb17248b2e9bf9cd03

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win7-20240903-en

Max time kernel

121s

Max time network

125s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\de.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\de.ps1

Network

N/A

Files

memory/2292-4-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

memory/2292-5-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

memory/2292-6-0x0000000002810000-0x0000000002818000-memory.dmp

memory/2292-7-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

memory/2292-8-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

memory/2292-9-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

memory/2292-10-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

memory/2292-11-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

memory/2292-12-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win7-20240903-en

Max time kernel

121s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\Microsoft.Web.WebView2.Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\Microsoft.Web.WebView2.Core.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win7-20240708-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\app.asar.unpacked\node_modules\vibrancy-win\binding.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2568 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2568 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2568 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\app.asar.unpacked\node_modules\vibrancy-win\binding.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2568 -s 156

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\app.asar.unpacked\node_modules\vibrancy-win\binding.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\app.asar.unpacked\node_modules\vibrancy-win\binding.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win7-20241010-en

Max time kernel

122s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\ffmpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win7-20240903-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\libGLESv2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 2336 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2444 wrote to memory of 2336 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2444 wrote to memory of 2336 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\libGLESv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2444 -s 88

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\app.asar.unpacked\node_modules\get-fonts\binding.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\app.asar.unpacked\node_modules\get-fonts\binding.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win7-20240903-en

Max time kernel

121s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Release\scripts\Dex.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Release\scripts\Dex.js

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\Microsoft.Web.WebView2.Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\Microsoft.Web.WebView2.Core.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win7-20240903-en

Max time kernel

118s

Max time network

135s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\LICENSES.chromium.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000eec48ee59be1b51fec9d03623c50b262b35afb78973177ca5c5f42120bce6311000000000e8000000002000020000000e688c6eefe015fbc8b3df865709629a3aa60df652b1f2c94233e7830f170606720000000eeefac6dc2798ce351469daada815661dd79c318255e270f2ddbdac1b76767c14000000077948f69aeb27ecb433cfe20c438407b21fa8e85229f003b3afadad566d0a23d1c399787784a8fa2016bd521ec49928f7245949510b588477e3c3c0d30b8c1e3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c40000000002000000000010660000000100002000000009cfd9477fbd41cc000b5cb512f3f8c1f033f23d04372221e2d3d0fa38d2c666000000000e8000000002000020000000970745fe477be8883a433a4c72790adc04417672f450d4d501ca01bc045e5f91900000003be9ad292776a992adc71aec3dc90505ef2f979c9c689b0cd7ac5810d6f85087b24e55d04ed482210ab0950fe2027b64d6fca5fe919dbacba2d4c0de801946638fa3fbaeb2d1d5ebb98327a82848e9fbec915eb48a791521d109a21707a107779d26e27f42e49ad364a2690251da20606bf901c65d365369818740c5b721a77d8a421b43022db898bebd520da44b6f2c4000000035075d86bcf8621b886a6ebbf8245529bbde512658fbfd19e53d8be9604023b0788f1adea2b83d9c94be575505e1fbd9a2df75a1878ca3e5f8b88f3ba7ab0587 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{60CCACD1-A1A9-11EF-A322-62CAC36041A9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0e8f535b635db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437655299" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\LICENSES.chromium.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1404 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabABC.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarB1E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 86cdf795d0890cf9710b8c88a1e70f0a
SHA1 d2742d8b45081db1e3a5dfb037d86785e2592ca2
SHA256 c752d7120384e5ba26724a52aabc6dc3df0858661e0c47064b2f52101271ac72
SHA512 25271621940f0865d66a3b437aeda26784f6cd4101d62a3d23dac8c0349a524dcbc405d0ec254d4ebf0eff6044e0e1bf98a1560fe318a2bbe088cb2dd09bded0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 87db36cd7709d9313afb0ebfa81b2bef
SHA1 3ad0a5f7acd0997c213c6ee25e26a3a5f78ad7f7
SHA256 5b5827e2a603355c4928b7e369b5f6275d7f0733b814b270733c081dbb26d41d
SHA512 d7cd399db87ae8fbcb110bdf3c735e288318825fccd83120f22b78a59217f9b9218386a1828f2b9352f3b40a09cdc5d5e4dce7e85e7c07d960d1ddb071881bf0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd4e3c6b002c6aa5dcc2f7990ed93c73
SHA1 075861e9e8ac847126faf967c15a921b7629fdd9
SHA256 53045ab4a4d7e38991e02e94c2e4a5634082b37d5182bc3bf4e779fe60c0ff05
SHA512 3e5e721f51526a0beaf38567f93392e3ac6317ed289bf69456d92bbbfd963b493d2430c4426a741d82c337e6cb5f4eeaa76dddc2c565019e0fef1ff1a1b331ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 447e3fef4bf6846acd1e6e7fe53020b4
SHA1 b5f1ef74a819fd18b3f41b47022ca3ebc45fc011
SHA256 a90de7fcd3d3f274d029eb4f8507891861a4c5e0d832186b1b38db79d8718130
SHA512 c9c58745a729e75f190bee46b8706ef8b8dad614d1b74e5aecd4965f019832413e9ee91a977637400fdd37918e7439974b8671b1d01a21ec800fb6c014ca9942

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 046bc65926227d26df602533e55ed648
SHA1 2a8456b60f7afcfb1fc309c8d0307c6c71551f31
SHA256 71b73995271b61239a8c762f13bfdb5ab2e5df2015e543163b871781aeb8ea2c
SHA512 f5488ea4dcbdbec4bf49d539d7af76f2d8dd11ee7298ea5887d390c15f37e8d1e305ce0f0f7c8570580ae8fa18ed3993a28bd798aa85ac1096b1eacb1668449c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a915142b835d4d9195b63d3e47542d5a
SHA1 29a0c50626f15f804a82363ee5d40bd521fa6926
SHA256 dd74f1f453fd4c85e119c39e0342282cbaead38053a75e0d24ccf54ef918024c
SHA512 2d4c435480afca316b00c1de33791f69cdf19a9862a9c1791d1da934be92a33a547ca344beb724ffe7065f4208b2009664969e53362e1f2cdc92a710d979ddb9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 065cef46cd7ea5de6cd0d24168b4a937
SHA1 b6530820e414353360e0b24acce09e29dd03a4ae
SHA256 8ff51e58951dcb6baac3bae8df08e645be23a64f10e8f2343babc43bf1f2030c
SHA512 bf3b7bf122be09a8a4d5068ea3c2c3b8cd96cf6279b1fe14401b2cdffde7fb12b7f6bbdde04e2d7d44bf5072d20c093d09ee1a3c049e65700e4b8eee276b51fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 886070d037e161c7ed13ec81f0f6409d
SHA1 3b18e83e563d345918649bf2112d18ab31c96940
SHA256 01c1c366ab12fd367f0b277a1b93420a8242002d9d52aedd29ff77a910882b3c
SHA512 ef2f23c8cef7f7f7caa4d16c3d7f61f3095ffe7947dcef9e4ef6178acd1aae429e944d3d099a25424bc494cbd57372e472b96a6ceade4fd3500826443131b885

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff6bbca8833098769190a9603cfbd74d
SHA1 744eca4bda7a14bf159601bc3e2bf055078874d0
SHA256 32f1d7c655543a4c753374f5d8d4ea6691324fa43e3457598a7252949c1b1382
SHA512 ed481855bf47ddfe0f234ddf109b76e30f0b2a157b787cbea77bf40ef7ce3fd4250c359e2483d709185488bb895024c57280541465db0c692773ca7432723cab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 03e4640f3753fbf3a589d0ded16aedd1
SHA1 681189015b6bb4a859f9b6cc2bb414b2baa09b43
SHA256 b3135e7a6bf1a6ab5ac398a4e49656c89ce50d96ce330e05ec2f7f5fbde100be
SHA512 93a85c47dddfb7a3c559736166fa17f431c9d50f12f29fae03f3feff867697a2c98634383e9893ee82d496432384774f93d24150bf9cd1c695948c237a04d052

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52d063533d085339383a8ef00bd46494
SHA1 b5e0335f05eb03a74da224dd087b93a01a1b8b5b
SHA256 35146c33d9440c40edb24c78c6ee600356c62963dcf136cb6dbad0fb892f921e
SHA512 4ec9b0531e13ae14a7e174fa1860dee498f7fa388e45689ba58ff90d404f006d63c4328b61c4299a5fa702f2df7fba6e26545ed3cddde92028e3978944570f94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0f9669f61e67178e5618ca942691b12
SHA1 125fb76d2e1f3c7003b43015286dcbbf9170983f
SHA256 5a9a3dad1ac219eb30681c44439fd84fe50b3c19c5f1094b3d08e6d76735922d
SHA512 6115d4f09fe0a7c7c1fce213f3c183fb92ee7d9ddf8ae8d28be855f23d04363d00b6f2ed3e603f5ad10e50e9b6ba25b2178086a156f46e44a9b1e692d0eac484

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 019510fa84b7e6bad722fdadd09e179e
SHA1 0093618721ed0a07b323f8ef8e426093a983e2e2
SHA256 fb44da2fa114134f818172035dd60736d7946dfdc3907117fe54e110a87413ca
SHA512 c32b0d174be7efbee04087f2fb8bfa0083f1ce3484e89e655492a491de9c5a9051e6bee3faafd3c0597d442477a1d53c8c713e6e8722312ad5faa46d58afe26d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09f3a37a40d6c7718f9d7ecba96372e6
SHA1 7b6c2ccf48a686935635f588bc92237fa9f0c4a9
SHA256 ffef3e4345b74d18fb80227043c500bf31307a72c50037762692e32125ed0f89
SHA512 1b7ae352e2779c02347adafb8468234272da51888bf95e4884a682aee4d4b9cb7cf06ee4b782a6d73d6d8d67757e89fc1ab9933c412281f720925cf9608a3c23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f92633ac6b05d3f9ff6ddbd6359f3a9
SHA1 137366fb1226f56ce2b380f27aa8dd42ac6e9367
SHA256 2547fc27471d170439ad73a2f29a8ef0ab5d527a79c431a88578bf9bc941429c
SHA512 2259b0c1eafee8c7bb998b463fe0d527f13013b03d68e4d5e1e1fe0159c7d31ef05a6a28bc5848434991856558ef9c83d3b9a85510160154204dcd9eebbad4f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3d1835035109518c9307a296a7cfa75f
SHA1 1b3717cfe2ee4cc1f422e4c68e0c63ff8aef6061
SHA256 813b07461ecf4cce87721c21e0e17cc7d857505787428851e7f39724c037b85b
SHA512 43d3cfa55b697f94e1b2539564855ce0f4b205cda1c1dc296206e191146084dd375417eccf9720c7350200058325f9fd92d6ada2f821f1522e7cdb9d6239dc22

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05bbe0cf0aeef0b76c621e6fa3dd7be1
SHA1 cb76fec9ea2886df6262d348c406e6e71ec192ad
SHA256 90a9c49de014730878f76e95efcbb5f8f1850cf4ad1e549cf6f4f83bc3c736cb
SHA512 61df4727c5773a7ce5bffaf30bb09bd55877908c7aca3d645efd6c6d8ae2fc279b1cc1a139a0dbcceb09b9e8c96950b7d04e61c77bb54466ea51aa20099b101f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4095fce3d67cadbcb9756a255d9e4db4
SHA1 0f85d24dbedad898c8798c1e5d4547ed102f2725
SHA256 4fc8ac39099e80ee7b40b8885c62fd2f14a16d3348943a070fda63f53ccae5f2
SHA512 21631fbbdcf7cd7b6aca9e8530827ac3847dd291be31ac0515e3b8fcfc7a443c471dd6cec8f86697fd51983cc34b42f78ff91ce61503d5a0cf1f860087c4f74d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fdc4a27d3d7316ac675b5f49047ca6da
SHA1 06145654e77f78c7d6f18d46b8b1dfe0d3a98b6f
SHA256 640cd3fb6a4261e20b0e7b96aa600a8b334a0278154ce5d11def7c2f65509459
SHA512 c7f34c48ee5e4fd09ebaf2b69291d4d75b7bd02e15dfe45fdc3e419db96403380088124af41fc978c70c0f3677985c4ffa18a4740885d1874dd925de99332238

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-13 10:22

Reported

2024-11-13 10:26

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\vk_swiftshader.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\locales\resources\vk_swiftshader.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A