Malware Analysis Report

2024-11-15 06:25

Sample ID 240706-j9ajrsvckd
Target !ŞetUp_75931--#PaSꞨKḙy#$$.rar
SHA256 2a3a098e787dbbac200416572adab711ce59a1f7712d67b43f081bdae209ef73
Tags
lumma spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2a3a098e787dbbac200416572adab711ce59a1f7712d67b43f081bdae209ef73

Threat Level: Known bad

The file !ŞetUp_75931--#PaSꞨKḙy#$$.rar was found to be: Known bad.

Malicious Activity Summary

lumma spyware stealer

Lumma Stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Checks processor information in registry

Checks SCSI registry key(s)

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 08:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-06 08:21

Reported

2024-07-06 08:24

Platform

win7-20240221-en

Max time kernel

117s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\unrar.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1612 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1612 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1612 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1612 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1612 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1612 wrote to memory of 2056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\unrar.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\unrar.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-06 08:21

Reported

2024-07-06 08:24

Platform

win10v2004-20240704-en

Max time kernel

93s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Language\en-US\avicap32.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Language\en-US\avicap32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-06 08:21

Reported

2024-07-06 08:24

Platform

win7-20240704-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1772 set thread context of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1772 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 1772 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 1772 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 1772 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 1772 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 1772 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 1772 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 1772 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 3068 wrote to memory of 2660 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 3068 wrote to memory of 2660 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 3068 wrote to memory of 2660 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 3068 wrote to memory of 2660 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 3068 wrote to memory of 2660 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 3068 wrote to memory of 2660 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 3068 wrote to memory of 2660 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 3068 wrote to memory of 2660 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

N/A

Files

memory/1772-0-0x00000000008D0000-0x00000000009DB000-memory.dmp

memory/1772-1-0x0000000074350000-0x00000000743E7000-memory.dmp

memory/1772-2-0x0000000077280000-0x0000000077429000-memory.dmp

memory/1772-9-0x0000000074350000-0x00000000743E7000-memory.dmp

memory/1772-8-0x0000000074362000-0x0000000074364000-memory.dmp

memory/1772-10-0x0000000074350000-0x00000000743E7000-memory.dmp

memory/1772-13-0x000000004A600000-0x000000004A6EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9b58cee0

MD5 510ba4de69ac46444e238cfed5bc867c
SHA1 cc8ada9609e5ad829320e55b11367c987ca1b400
SHA256 229fbf1c5cf783bf448f57f789d12617089f316786d919813f19a7307d235044
SHA512 223cfd77ee75d5f5654ff23b4eb8a05a2aaaab868f1421cbab10e950bbb45f3e84d640f54feac35b06bcf8b155a777c772190f7331e74ce4cd2a2d214781f3a5

memory/3068-17-0x0000000074350000-0x00000000743E7000-memory.dmp

memory/1772-14-0x00000000008D0000-0x00000000009DB000-memory.dmp

memory/1772-12-0x0000000000400000-0x0000000000711000-memory.dmp

memory/3068-18-0x0000000077280000-0x0000000077429000-memory.dmp

memory/3068-19-0x0000000074350000-0x00000000743E7000-memory.dmp

memory/3068-20-0x0000000074350000-0x00000000743E7000-memory.dmp

memory/3068-22-0x0000000074350000-0x00000000743E7000-memory.dmp

memory/2660-23-0x0000000077280000-0x0000000077429000-memory.dmp

memory/2660-24-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2660-25-0x0000000000400000-0x0000000000459000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-06 08:21

Reported

2024-07-06 08:24

Platform

win7-20240220-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\barchan.pptx"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\barchan.pptx"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1120-0-0x000000002DDA1000-0x000000002DDA2000-memory.dmp

memory/1120-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1120-2-0x000000007212D000-0x0000000072138000-memory.dmp

memory/1120-5-0x000000007212D000-0x0000000072138000-memory.dmp

memory/1120-6-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1120-7-0x000000007212D000-0x0000000072138000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-06 08:21

Reported

2024-07-06 08:24

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\unrar.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 392 wrote to memory of 3136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 392 wrote to memory of 3136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 392 wrote to memory of 3136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\unrar.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\unrar.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 204.201.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-06 08:21

Reported

2024-07-06 08:24

Platform

win7-20240705-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Language\en-US\AutoWorkplaceN.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Language\en-US\AutoWorkplaceN.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-06 08:21

Reported

2024-07-06 08:24

Platform

win7-20240220-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Language\en-US\avicap32.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Language\en-US\avicap32.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-06 08:21

Reported

2024-07-06 08:24

Platform

win10v2004-20240704-en

Max time kernel

95s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Lumma Stealer

stealer lumma

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2224 set thread context of 1096 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 bittercoldzzdwu.shop udp
US 104.21.25.179:443 bittercoldzzdwu.shop tcp
US 104.21.25.179:443 bittercoldzzdwu.shop tcp
US 104.21.25.179:443 bittercoldzzdwu.shop tcp
US 8.8.8.8:53 179.25.21.104.in-addr.arpa udp
US 104.21.25.179:443 bittercoldzzdwu.shop tcp
US 104.21.25.179:443 bittercoldzzdwu.shop tcp
US 104.21.25.179:443 bittercoldzzdwu.shop tcp
US 8.8.8.8:53 downloadfile123.xyz udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/2224-0-0x00000000024C0000-0x00000000025AC000-memory.dmp

memory/2224-1-0x0000000073E20000-0x0000000073E34000-memory.dmp

memory/2224-2-0x00007FFEA1E10000-0x00007FFEA2005000-memory.dmp

memory/2224-8-0x0000000073E32000-0x0000000073E34000-memory.dmp

memory/2224-9-0x0000000073E20000-0x0000000073E34000-memory.dmp

memory/2224-10-0x0000000073E20000-0x0000000073E34000-memory.dmp

memory/2224-14-0x00000000024C0000-0x00000000025AC000-memory.dmp

memory/1096-16-0x0000000073E20000-0x0000000073E34000-memory.dmp

memory/2224-13-0x000000004A500000-0x000000004A60B000-memory.dmp

memory/2224-12-0x0000000000400000-0x0000000000711000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3e0949f2

MD5 ebbd5c96ca5bb25476a002289a01892e
SHA1 be811343b60ae6f2f45b96654e859330be0f0bea
SHA256 00665eb1c208a5398ce8392dda4b723a1303c0c115ebe792c3a0fe4d206ca994
SHA512 da13dc57e07c6b1ade1cc6aad2e84469357c3ca4f02319e93512289922e1c36a06d317c5b96df8a45b105bc4c35dd310d9a002d8940c3763ed5576310d6f2c37

memory/1096-18-0x00007FFEA1E10000-0x00007FFEA2005000-memory.dmp

memory/1096-19-0x0000000073E20000-0x0000000073E34000-memory.dmp

memory/1096-20-0x0000000073E20000-0x0000000073E34000-memory.dmp

memory/1096-22-0x0000000073E20000-0x0000000073E34000-memory.dmp

memory/1280-23-0x00007FFEA1E10000-0x00007FFEA2005000-memory.dmp

memory/1280-24-0x0000000000DE0000-0x0000000000E39000-memory.dmp

memory/1280-25-0x00000000000EB000-0x00000000000F2000-memory.dmp

memory/1280-26-0x0000000000DE0000-0x0000000000E39000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-06 08:21

Reported

2024-07-06 08:24

Platform

win10v2004-20240704-en

Max time kernel

91s

Max time network

102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Language\en-US\AutoWorkplaceN.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Language\en-US\AutoWorkplaceN.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-06 08:21

Reported

2024-07-06 08:24

Platform

win7-20240705-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\madHcNet32.dll,#1

Signatures

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\2 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 2928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2796 wrote to memory of 2928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2796 wrote to memory of 2928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2796 wrote to memory of 2928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2796 wrote to memory of 2928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2796 wrote to memory of 2928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2796 wrote to memory of 2928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\madHcNet32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\madHcNet32.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-06 08:21

Reported

2024-07-06 08:24

Platform

win7-20240704-en

Max time kernel

122s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mvrSettings32.dll,#1

Signatures

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\2 C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2816 wrote to memory of 2824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2816 wrote to memory of 2824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2816 wrote to memory of 2824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2816 wrote to memory of 2824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2816 wrote to memory of 2824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2816 wrote to memory of 2824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2816 wrote to memory of 2824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mvrSettings32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mvrSettings32.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-06 08:21

Reported

2024-07-06 08:24

Platform

win10v2004-20240704-en

Max time kernel

124s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mvrSettings32.dll,#1

Signatures

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver C:\Windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\2 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 884 wrote to memory of 4880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 884 wrote to memory of 4880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 884 wrote to memory of 4880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mvrSettings32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mvrSettings32.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1280,i,4226873509039249198,15952596839998010243,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 08:21

Reported

2024-07-06 08:21

Platform

win7-20240704-en

Max time kernel

0s

Max time network

1s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Language\chrome_[1MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Language\chrome_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\Language\chrome_[1MB]_[1].exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 08:21

Reported

2024-07-06 08:21

Platform

win10v2004-20240704-en

Max time kernel

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Language\chrome_[1MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Language\chrome_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\Language\chrome_[1MB]_[1].exe"

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-07-06 08:21

Reported

2024-07-06 08:24

Platform

win10v2004-20240508-en

Max time kernel

41s

Max time network

49s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll,#1

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-06 08:21

Reported

2024-07-06 08:24

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\barchan.pptx" /ou ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\barchan.pptx" /ou ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 204.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/1296-0-0x00007FFDF4710000-0x00007FFDF4720000-memory.dmp

memory/1296-2-0x00007FFDF4710000-0x00007FFDF4720000-memory.dmp

memory/1296-3-0x00007FFDF4710000-0x00007FFDF4720000-memory.dmp

memory/1296-4-0x00007FFDF4710000-0x00007FFDF4720000-memory.dmp

memory/1296-1-0x00007FFE3472D000-0x00007FFE3472E000-memory.dmp

memory/1296-6-0x00007FFE34690000-0x00007FFE34885000-memory.dmp

memory/1296-5-0x00007FFE34690000-0x00007FFE34885000-memory.dmp

memory/1296-8-0x00007FFE34690000-0x00007FFE34885000-memory.dmp

memory/1296-7-0x00007FFDF4710000-0x00007FFDF4720000-memory.dmp

memory/1296-10-0x00007FFE34690000-0x00007FFE34885000-memory.dmp

memory/1296-11-0x00007FFE34690000-0x00007FFE34885000-memory.dmp

memory/1296-9-0x00007FFE34690000-0x00007FFE34885000-memory.dmp

memory/1296-12-0x00007FFDF23F0000-0x00007FFDF2400000-memory.dmp

memory/1296-13-0x00007FFE34690000-0x00007FFE34885000-memory.dmp

memory/1296-14-0x00007FFE34690000-0x00007FFE34885000-memory.dmp

memory/1296-15-0x00007FFDF23F0000-0x00007FFDF2400000-memory.dmp

memory/1296-33-0x00007FFDF4710000-0x00007FFDF4720000-memory.dmp

memory/1296-36-0x00007FFDF4710000-0x00007FFDF4720000-memory.dmp

memory/1296-35-0x00007FFDF4710000-0x00007FFDF4720000-memory.dmp

memory/1296-34-0x00007FFDF4710000-0x00007FFDF4720000-memory.dmp

memory/1296-37-0x00007FFE34690000-0x00007FFE34885000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-06 08:21

Reported

2024-07-06 08:24

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\madHcNet32.dll,#1

Signatures

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\2 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1964 wrote to memory of 928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1964 wrote to memory of 928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\madHcNet32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\madHcNet32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-07-06 08:21

Reported

2024-07-06 08:24

Platform

win7-20240705-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2152 wrote to memory of 1648 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2152 wrote to memory of 1648 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2152 wrote to memory of 1648 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2152 -s 80

Network

N/A

Files

N/A