Malware Analysis Report

2025-06-15 19:54

Sample ID 240425-tylg1acf24
Target 1INSTAlIER!____Pswrd---1231.zip
SHA256 2a64743382f57d6e2ec30660f46c2a65a12c1b9c897260a07c8b30e971cee291
Tags
lumma stealer persistence
score
10/10

Analysis Overview

score
10/10

SHA256

2a64743382f57d6e2ec30660f46c2a65a12c1b9c897260a07c8b30e971cee291

Threat Level: Known bad

The file 1INSTAlIER!____Pswrd---1231.zip was found to be: Known bad.

Malicious Activity Summary

lumma stealer persistence

Lumma Stealer

Registers COM server for autorun

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-25 16:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-25 16:27

Reported

2024-04-25 16:33

Platform

win10-20240404-en

Max time kernel

130s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\amsvcp120.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3168 wrote to memory of 1128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3168 wrote to memory of 1128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3168 wrote to memory of 1128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\amsvcp120.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\amsvcp120.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-25 16:27

Reported

2024-04-25 16:33

Platform

win10-20240404-en

Max time kernel

128s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\Qt5Core.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 224 wrote to memory of 4536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 224 wrote to memory of 4536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 224 wrote to memory of 4536 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\Qt5Core.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\Qt5Core.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 648

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 108.116.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-25 16:27

Reported

2024-04-25 16:33

Platform

win10-20240404-en

Max time kernel

131s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\msvcp120.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 196 wrote to memory of 3264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 196 wrote to memory of 3264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 196 wrote to memory of 3264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\msvcp120.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\msvcp120.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 225.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-25 16:27

Reported

2024-04-25 16:32

Platform

win10-20240404-en

Max time kernel

91s

Max time network

84s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\opengl32sw.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\xpsrchvw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3764 wrote to memory of 792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3764 wrote to memory of 792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3764 wrote to memory of 792 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\opengl32sw.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\opengl32sw.dll,#1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\xpsrchvw.exe

"C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Desktop\StartRestore.xps"

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-25 16:27

Reported

2024-04-25 16:34

Platform

win10-20240404-en

Max time kernel

114s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\InstaIler.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\InstaIler.exe

"C:\Users\Admin\AppData\Local\Temp\InstaIler.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Network

Country Destination Domain Proto

Files

memory/616-4-0x00007FF6AC3E0000-0x00007FF6AE312000-memory.dmp

memory/1352-5-0x0000000003080000-0x00000000030CE000-memory.dmp

memory/1352-7-0x0000000003080000-0x00000000030CE000-memory.dmp

memory/1352-9-0x0000000003080000-0x00000000030CE000-memory.dmp

memory/616-8-0x00007FF6AC3E0000-0x00007FF6AE312000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-25 16:27

Reported

2024-04-25 16:33

Platform

win10-20240404-en

Max time kernel

129s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\libEGL.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3772 wrote to memory of 4508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3772 wrote to memory of 4508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3772 wrote to memory of 4508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\libEGL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-25 16:27

Reported

2024-04-25 16:33

Platform

win10-20240404-en

Max time kernel

130s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\wsepno.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\wsepno.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-25 16:27

Reported

2024-04-25 16:33

Platform

win10-20240404-en

Max time kernel

128s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\wshbth.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\wshbth.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-25 16:27

Reported

2024-04-25 16:33

Platform

win10-20240404-en

Max time kernel

127s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\libEGL.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4028 wrote to memory of 4192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4028 wrote to memory of 4192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4028 wrote to memory of 4192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\libEGL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\libEGL.dll,#1

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-25 16:27

Reported

2024-04-25 16:33

Platform

win10-20240404-en

Max time kernel

129s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\ssleay32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4732 wrote to memory of 3280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4732 wrote to memory of 3280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4732 wrote to memory of 3280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\ssleay32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\ssleay32.dll,#1

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.239.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-25 16:27

Reported

2024-04-25 16:33

Platform

win10-20240404-en

Max time kernel

122s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\msvcr120.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3532 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3532 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3532 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\msvcr120.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\msvcr120.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-25 16:27

Reported

2024-04-25 16:33

Platform

win10-20240404-en

Max time kernel

128s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\libeay32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3716 wrote to memory of 216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3716 wrote to memory of 216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3716 wrote to memory of 216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\libeay32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\libeay32.dll,#1

Network

Country Destination Domain Proto
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.239.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-25 16:27

Reported

2024-04-25 16:34

Platform

win10-20240404-en

Max time kernel

114s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\ssleay32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4444 wrote to memory of 3932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4444 wrote to memory of 3932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4444 wrote to memory of 3932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\ssleay32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\ssleay32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-25 16:27

Reported

2024-04-25 16:33

Platform

win10-20240404-en

Max time kernel

130s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\wsecedit.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\wsecedit.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 161.110.86.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-25 16:27

Reported

2024-04-25 16:33

Platform

win10-20240404-en

Max time kernel

123s

Max time network

138s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\files\libs\wshcon.dll

Signatures

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{563DC062-B09A-11D2-A24D-00104BD35090}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WSHController C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{563DC062-B09A-11D2-A24D-00104BD35090}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{563DC062-B09A-11D2-A24D-00104BD35090}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WSHController\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{563DC060-B09A-11D2-A24D-00104BD35090} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{563DC062-B09A-11D2-A24D-00104BD35090}\Version C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{563DC060-B09A-11D2-A24D-00104BD35090}\1.0 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{563DC062-B09A-11D2-A24D-00104BD35090}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{563DC062-B09A-11D2-A24D-00104BD35090}\Implemented Categories C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{563DC060-B09A-11D2-A24D-00104BD35090}\1.0\HELPDIR C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{563DC062-B09A-11D2-A24D-00104BD35090} C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\files\libs\wshcon.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

N/A