Analysis Overview
SHA256
78921f75ee30f950b9cfa43a79f92edc2589cc0e813f22ebdb4993ab5b4926ac
Threat Level: Known bad
The file infected.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: MapViewOfSection
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-05 20:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win11-20240704-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\Newtonsoft.Json.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win11-20240704-en
Max time kernel
92s
Max time network
99s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\AlphaFS.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win10v2004-20240704-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3192 wrote to memory of 1576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3192 wrote to memory of 1576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3192 wrote to memory of 1576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libgcc_s_dw2-1.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libgcc_s_dw2-1.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1576 -ip 1576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win11-20240704-en
Max time kernel
90s
Max time network
99s
Command Line
Signatures
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1380 set thread context of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1380 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1380 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1380 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1380 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1904 wrote to memory of 4500 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 1904 wrote to memory of 4500 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 1904 wrote to memory of 4500 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 1904 wrote to memory of 4500 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | unwielldyzpwo.shop | udp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 8.8.8.8:53 | 68.158.67.172.in-addr.arpa | udp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
Files
memory/1380-0-0x00007FFBF2560000-0x00007FFBF257C000-memory.dmp
memory/1380-4-0x00007FFBF2578000-0x00007FFBF2579000-memory.dmp
memory/1380-5-0x00007FFBF2560000-0x00007FFBF257C000-memory.dmp
memory/1380-6-0x00007FFBF2560000-0x00007FFBF257C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ef8d57fc
| MD5 | 179d2698cb7977135b9d6d37ddbb6537 |
| SHA1 | 9d73bdbca18e7553f4425e500cb2855eaf2e397b |
| SHA256 | 61d1518e85e793b86067ec99de7d20d8ff3256086cfc49c1b7e7aa2bb580dd88 |
| SHA512 | 5ace100c290c3384e0063202caf758b8604725f0255c3d18cc01feb93ee681eef8dd3be19d47de3075c52e6b68e714a28b1905e1a389ca7ffedf6a0bc9ccaf4e |
memory/1904-10-0x00007FFBF7D00000-0x00007FFBF7F09000-memory.dmp
memory/1904-11-0x00000000758D0000-0x00000000758E5000-memory.dmp
memory/1904-12-0x00000000758DE000-0x00000000758E0000-memory.dmp
memory/1904-13-0x00000000758D0000-0x00000000758E5000-memory.dmp
memory/1904-15-0x00000000758D0000-0x00000000758E5000-memory.dmp
memory/4500-16-0x00007FFBF7D00000-0x00007FFBF7F09000-memory.dmp
memory/4500-17-0x0000000000C80000-0x0000000000CD8000-memory.dmp
memory/4500-18-0x0000000000F8B000-0x0000000000F92000-memory.dmp
memory/4500-19-0x0000000000C80000-0x0000000000CD8000-memory.dmp
memory/1904-20-0x00000000758DE000-0x00000000758E0000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win10v2004-20240704-en
Max time kernel
135s
Max time network
145s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Program\caret.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
memory/4000-0-0x00007FFB5A270000-0x00007FFB5A280000-memory.dmp
memory/4000-2-0x00007FFB5A270000-0x00007FFB5A280000-memory.dmp
memory/4000-1-0x00007FFB5A270000-0x00007FFB5A280000-memory.dmp
memory/4000-3-0x00007FFB9A28D000-0x00007FFB9A28E000-memory.dmp
memory/4000-4-0x00007FFB5A270000-0x00007FFB5A280000-memory.dmp
memory/4000-6-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp
memory/4000-7-0x00007FFB5A270000-0x00007FFB5A280000-memory.dmp
memory/4000-5-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp
memory/4000-10-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp
memory/4000-12-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp
memory/4000-11-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp
memory/4000-13-0x00007FFB57990000-0x00007FFB579A0000-memory.dmp
memory/4000-9-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp
memory/4000-14-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp
memory/4000-8-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp
memory/4000-18-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp
memory/4000-17-0x00007FFB57990000-0x00007FFB579A0000-memory.dmp
memory/4000-19-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp
memory/4000-16-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp
memory/4000-15-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 95f6efd168a1689831f7e70fc3e80364 |
| SHA1 | 72cf55207312c9aa4c11fee48c3eec41bbb1ac3d |
| SHA256 | b4c49315bca61033ca430ffeaf42757e5176ca4911e4e0c90244bf4572c45ab6 |
| SHA512 | c8ee4c6d25a08a4ffe53ab3a3590fd18c474faec16091e6f5bf7d0e01470a2135f200d322080879df46e168fc7944d860938ef238d255316a4055168d9cb7c25 |
memory/4000-31-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp
memory/4000-45-0x00007FFB5A270000-0x00007FFB5A280000-memory.dmp
memory/4000-46-0x00007FFB5A270000-0x00007FFB5A280000-memory.dmp
memory/4000-48-0x00007FFB5A270000-0x00007FFB5A280000-memory.dmp
memory/4000-47-0x00007FFB5A270000-0x00007FFB5A280000-memory.dmp
memory/4000-49-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win10v2004-20240704-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\msedge_elf.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win11-20240704-en
Max time kernel
91s
Max time network
100s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\Injecting.dll,#1
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win11-20240704-en
Max time kernel
7s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Program\test.asp
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win10v2004-20240704-en
Max time kernel
92s
Max time network
99s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\VersionStable.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win11-20240704-en
Max time kernel
101s
Max time network
131s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Program\caret.xls"
Network
Files
memory/3000-0-0x00007FF8C1650000-0x00007FF8C1660000-memory.dmp
memory/3000-4-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp
memory/3000-6-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp
memory/3000-7-0x00007FF8C1650000-0x00007FF8C1660000-memory.dmp
memory/3000-10-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp
memory/3000-9-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp
memory/3000-13-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp
memory/3000-14-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp
memory/3000-15-0x00007FF8BF310000-0x00007FF8BF320000-memory.dmp
memory/3000-12-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp
memory/3000-16-0x00007FF8BF310000-0x00007FF8BF320000-memory.dmp
memory/3000-18-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp
memory/3000-20-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp
memory/3000-19-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp
memory/3000-17-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp
memory/3000-22-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp
memory/3000-21-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp
memory/3000-11-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp
memory/3000-8-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp
memory/3000-3-0x00007FF901663000-0x00007FF901664000-memory.dmp
memory/3000-5-0x00007FF8C1650000-0x00007FF8C1660000-memory.dmp
memory/3000-2-0x00007FF8C1650000-0x00007FF8C1660000-memory.dmp
memory/3000-1-0x00007FF8C1650000-0x00007FF8C1660000-memory.dmp
memory/3000-25-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp
memory/3000-40-0x00007FF8C1650000-0x00007FF8C1660000-memory.dmp
memory/3000-39-0x00007FF8C1650000-0x00007FF8C1660000-memory.dmp
memory/3000-42-0x00007FF8C1650000-0x00007FF8C1660000-memory.dmp
memory/3000-41-0x00007FF8C1650000-0x00007FF8C1660000-memory.dmp
memory/3000-43-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win10v2004-20240704-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Program\ErrorLog\DirectoryMonitor_[1MB]_[1].exe
"C:\Users\Admin\AppData\Local\Temp\Program\ErrorLog\DirectoryMonitor_[1MB]_[1].exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
memory/3044-0-0x00007FFA41813000-0x00007FFA41815000-memory.dmp
memory/3044-1-0x0000000000E80000-0x0000000001070000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win10v2004-20240704-en
Max time kernel
147s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\Newtonsoft.Json.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win11-20240704-en
Max time kernel
147s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\VersionStable.dll,#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win10v2004-20240704-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\Injecting.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win10v2004-20240704-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\AlphaFS.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win11-20240704-en
Max time kernel
90s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\License.dll,#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win11-20240704-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Program\ErrorLog\DirectoryMonitor_[1MB]_[1].exe
"C:\Users\Admin\AppData\Local\Temp\Program\ErrorLog\DirectoryMonitor_[1MB]_[1].exe"
Network
Files
memory/576-0-0x00007FFCB0E53000-0x00007FFCB0E55000-memory.dmp
memory/576-1-0x0000000000820000-0x0000000000A10000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2676 wrote to memory of 4464 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2676 wrote to memory of 4464 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2676 wrote to memory of 4464 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libEGL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libEGL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4464 -ip 4464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 604
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:10
Platform
win11-20240704-en
Max time kernel
13s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\msedge_elf.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win10v2004-20240704-en
Max time kernel
94s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Program\test.asp
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win11-20240508-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\Extreme.Net.dll,#1
Network
| Country | Destination | Domain | Proto |
| IE | 52.111.236.22:443 |  | tcp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win10v2004-20240704-en
Max time kernel
93s
Max time network
101s
Command Line
Signatures
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3292 set thread context of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3292 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 3292 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 3292 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 3292 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 2820 wrote to memory of 2156 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2820 wrote to memory of 2156 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2820 wrote to memory of 2156 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2820 wrote to memory of 2156 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unwielldyzpwo.shop | udp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 8.8.8.8:53 | 68.158.67.172.in-addr.arpa | udp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 8.8.8.8:53 | downloadfile123.xyz | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
Files
memory/3292-0-0x00007FFF63F90000-0x00007FFF63FAC000-memory.dmp
memory/3292-5-0x00007FFF63F90000-0x00007FFF63FAC000-memory.dmp
memory/3292-4-0x00007FFF63FA8000-0x00007FFF63FA9000-memory.dmp
memory/3292-6-0x00007FFF63F90000-0x00007FFF63FAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\605d7702
| MD5 | c4b4ded2f38b63eba7723b3748eaa1eb |
| SHA1 | b310e859c793a1f0dd7cfb47fe28bc3124ab5a8b |
| SHA256 | 03e25e9cd744a90fb83141cb454f44f703ad7e1e783aba5f0e5c56923488d5af |
| SHA512 | e0c04f4df6e95bda64f55b2ad513f7826368faa2718fd4ece0532b58191fe355868116e553608002365f02681d64c2982f7a87db4b81c06b7111d75eba1d926d |
memory/2820-10-0x00007FFF6AEB0000-0x00007FFF6B0A5000-memory.dmp
memory/2820-11-0x0000000075C30000-0x0000000075C44000-memory.dmp
memory/2820-13-0x0000000075C30000-0x0000000075C44000-memory.dmp
memory/2820-12-0x0000000075C3E000-0x0000000075C40000-memory.dmp
memory/2820-15-0x0000000075C30000-0x0000000075C44000-memory.dmp
memory/2156-16-0x00007FFF6AEB0000-0x00007FFF6B0A5000-memory.dmp
memory/2156-17-0x0000000000CE0000-0x0000000000D38000-memory.dmp
memory/2156-18-0x0000000000C4B000-0x0000000000C52000-memory.dmp
memory/2156-19-0x0000000000CE0000-0x0000000000D38000-memory.dmp
memory/2820-20-0x0000000075C3E000-0x0000000075C40000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win10v2004-20240704-en
Max time kernel
94s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\License.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win11-20240704-en
Max time kernel
91s
Max time network
99s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2828 wrote to memory of 3508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libEGL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libEGL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3508 -ip 3508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 452
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win11-20240704-en
Max time kernel
90s
Max time network
101s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2068 wrote to memory of 608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libgcc_s_dw2-1.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libgcc_s_dw2-1.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 608 -ip 608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 472
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-07-05 20:09
Reported
2024-07-05 20:12
Platform
win10v2004-20240704-en
Max time kernel
93s
Max time network
100s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\Extreme.Net.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |