Analysis Overview
SHA256
2a64743382f57d6e2ec30660f46c2a65a12c1b9c897260a07c8b30e971cee291
Threat Level: Known bad
The file 1INSTAlIER!____Pswrd---1231.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Registers COM server for autorun
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-25 16:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-25 16:27
Reported
2024-04-25 16:33
Platform
win10-20240404-en
Max time kernel
130s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3168 wrote to memory of 1128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3168 wrote to memory of 1128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3168 wrote to memory of 1128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\amsvcp120.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\amsvcp120.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-25 16:27
Reported
2024-04-25 16:33
Platform
win10-20240404-en
Max time kernel
128s
Max time network
137s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 224 wrote to memory of 4536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 224 wrote to memory of 4536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 224 wrote to memory of 4536 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\Qt5Core.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\Qt5Core.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 648
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.116.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-25 16:27
Reported
2024-04-25 16:33
Platform
win10-20240404-en
Max time kernel
131s
Max time network
141s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 196 wrote to memory of 3264 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 196 wrote to memory of 3264 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 196 wrote to memory of 3264 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\msvcp120.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\msvcp120.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 225.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-04-25 16:27
Reported
2024-04-25 16:32
Platform
win10-20240404-en
Max time kernel
91s
Max time network
84s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\xpsrchvw.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\xpsrchvw.exe | N/A |
| N/A | N/A | C:\Windows\System32\xpsrchvw.exe | N/A |
| N/A | N/A | C:\Windows\System32\xpsrchvw.exe | N/A |
| N/A | N/A | C:\Windows\System32\xpsrchvw.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3764 wrote to memory of 792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3764 wrote to memory of 792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3764 wrote to memory of 792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\opengl32sw.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\opengl32sw.dll,#1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\xpsrchvw.exe
"C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Desktop\StartRestore.xps"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-25 16:27
Reported
2024-04-25 16:34
Platform
win10-20240404-en
Max time kernel
114s
Max time network
137s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 616 set thread context of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\InstaIler.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 616 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\InstaIler.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 616 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\InstaIler.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 616 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\InstaIler.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 616 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\InstaIler.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 616 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\InstaIler.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\InstaIler.exe
"C:\Users\Admin\AppData\Local\Temp\InstaIler.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | peanuearthflaxes.shop | udp |
| US | 104.21.51.162:443 | peanuearthflaxes.shop | tcp |
| US | 8.8.8.8:53 | productivelookewr.shop | udp |
| US | 104.21.11.250:443 | productivelookewr.shop | tcp |
| US | 8.8.8.8:53 | tolerateilusidjukl.shop | udp |
| US | 172.67.147.41:443 | tolerateilusidjukl.shop | tcp |
| US | 8.8.8.8:53 | shatterbreathepsw.shop | udp |
| US | 104.21.95.19:443 | shatterbreathepsw.shop | tcp |
| US | 8.8.8.8:53 | shortsvelventysjo.shop | udp |
| US | 8.8.8.8:53 | 162.51.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.11.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.95.21.104.in-addr.arpa | udp |
| US | 172.67.216.69:443 | shortsvelventysjo.shop | tcp |
| US | 8.8.8.8:53 | incredibleextedwj.shop | udp |
| US | 104.21.86.106:443 | incredibleextedwj.shop | tcp |
| US | 8.8.8.8:53 | alcojoldwograpciw.shop | udp |
| US | 104.21.48.243:443 | alcojoldwograpciw.shop | tcp |
| US | 8.8.8.8:53 | liabilitynighstjsko.shop | udp |
| US | 172.67.192.138:443 | liabilitynighstjsko.shop | tcp |
| US | 8.8.8.8:53 | demonstationfukewko.shop | udp |
| US | 172.67.147.169:443 | demonstationfukewko.shop | tcp |
| US | 8.8.8.8:53 | 69.216.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.86.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.192.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.48.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/616-4-0x00007FF6AC3E0000-0x00007FF6AE312000-memory.dmp
memory/1352-5-0x0000000003080000-0x00000000030CE000-memory.dmp
memory/1352-7-0x0000000003080000-0x00000000030CE000-memory.dmp
memory/1352-9-0x0000000003080000-0x00000000030CE000-memory.dmp
memory/616-8-0x00007FF6AC3E0000-0x00007FF6AE312000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-25 16:27
Reported
2024-04-25 16:33
Platform
win10-20240404-en
Max time kernel
129s
Max time network
142s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3772 wrote to memory of 4508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3772 wrote to memory of 4508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3772 wrote to memory of 4508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\libEGL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\libEGL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-04-25 16:27
Reported
2024-04-25 16:33
Platform
win10-20240404-en
Max time kernel
130s
Max time network
142s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\wsepno.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-04-25 16:27
Reported
2024-04-25 16:33
Platform
win10-20240404-en
Max time kernel
128s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\wshbth.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-25 16:27
Reported
2024-04-25 16:33
Platform
win10-20240404-en
Max time kernel
127s
Max time network
138s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4028 wrote to memory of 4192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4028 wrote to memory of 4192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4028 wrote to memory of 4192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\libEGL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\libEGL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-25 16:27
Reported
2024-04-25 16:33
Platform
win10-20240404-en
Max time kernel
129s
Max time network
138s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4732 wrote to memory of 3280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4732 wrote to memory of 3280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4732 wrote to memory of 3280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\ssleay32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dll\ssleay32.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.239.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-04-25 16:27
Reported
2024-04-25 16:33
Platform
win10-20240404-en
Max time kernel
122s
Max time network
143s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3532 wrote to memory of 2120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3532 wrote to memory of 2120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3532 wrote to memory of 2120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\msvcr120.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\msvcr120.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-25 16:27
Reported
2024-04-25 16:33
Platform
win10-20240404-en
Max time kernel
128s
Max time network
137s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3716 wrote to memory of 216 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3716 wrote to memory of 216 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3716 wrote to memory of 216 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\libeay32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\libeay32.dll,#1
Network
| Country | Destination | Domain | Proto |
| IE | 52.111.236.23:443 | tcp | |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.239.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-04-25 16:27
Reported
2024-04-25 16:34
Platform
win10-20240404-en
Max time kernel
114s
Max time network
140s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4444 wrote to memory of 3932 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4444 wrote to memory of 3932 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4444 wrote to memory of 3932 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\ssleay32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\ssleay32.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-04-25 16:27
Reported
2024-04-25 16:33
Platform
win10-20240404-en
Max time kernel
130s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\files\libs\wsecedit.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.110.86.104.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-04-25 16:27
Reported
2024-04-25 16:33
Platform
win10-20240404-en
Max time kernel
123s
Max time network
138s
Command Line
Signatures
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{563DC062-B09A-11D2-A24D-00104BD35090}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WSHController | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{563DC062-B09A-11D2-A24D-00104BD35090}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{563DC062-B09A-11D2-A24D-00104BD35090}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WSHController\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{563DC060-B09A-11D2-A24D-00104BD35090} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{563DC062-B09A-11D2-A24D-00104BD35090}\Version | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{563DC060-B09A-11D2-A24D-00104BD35090}\1.0 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{563DC062-B09A-11D2-A24D-00104BD35090}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{563DC062-B09A-11D2-A24D-00104BD35090}\Implemented Categories | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{563DC060-B09A-11D2-A24D-00104BD35090}\1.0\HELPDIR | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{563DC062-B09A-11D2-A24D-00104BD35090} | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\files\libs\wshcon.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |