Malware Analysis Report

2024-11-30 05:24

Sample ID 240710-j1a4yawelm
Target New folder (2).zip
SHA256 38cc2c12d990f830b1b7f448726cd95171d28a44e06fa39cd1d7467cc13ed199
Tags lumma stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, listed in report order; each has the subsections Detonation Overview, Command Line, Signatures, Processes, Network, Files:

Analysis: behavioral2, behavioral5, behavioral8, behavioral14, behavioral22, behavioral4, behavioral10, behavioral17, behavioral21, behavioral26, behavioral27, behavioral6, behavioral11, behavioral9, behavioral15, behavioral19, behavioral3, behavioral16, behavioral18, behavioral24, behavioral28, behavioral12, behavioral13, behavioral23, behavioral25, behavioral1, behavioral7, behavioral20

Analysis Overview

Score 10/10

SHA256 38cc2c12d990f830b1b7f448726cd95171d28a44e06fa39cd1d7467cc13ed199

Threat Level: Known bad

The file New folder (2).zip was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-10 08:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win10-20240611-en

Max time kernel

129s

Max time network

136s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\New folder (2).zip"

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\New folder (2).zip"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win7-20240708-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeviceUxRes.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2640 wrote to memory of 2416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2640 wrote to memory of 2416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2640 wrote to memory of 2416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2640 wrote to memory of 2416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2640 wrote to memory of 2416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2640 wrote to memory of 2416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2640 wrote to memory of 2416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeviceUxRes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeviceUxRes.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win11-20240709-en

Max time kernel

146s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeviceUxRes.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1860 wrote to memory of 756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1860 wrote to memory of 756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1860 wrote to memory of 756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeviceUxRes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeviceUxRes.dll,#1

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win10-20240611-en

Max time kernel

141s

Max time network

76s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\RegisterIdr.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4484 wrote to memory of 320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4484 wrote to memory of 320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4484 wrote to memory of 320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\RegisterIdr.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\RegisterIdr.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 668

Network

Country Destination Domain Proto
US 8.8.8.8:53 157.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/320-0-0x0000000000E20000-0x0000000000F92000-memory.dmp

memory/320-1-0x0000000000E20000-0x0000000000F92000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win10-20240404-en

Max time kernel

133s

Max time network

136s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\devenum.dll

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}\ = "WaveOut and DSound Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\ = "MidiOut Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\FriendlyName = "Video Compressors" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\CLSID = "{33D9A762-90C8-11d0-BD43-00A0C911CE86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\FriendlyName = "Video Capture Sources" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{083863F1-70DE-11d0-BD40-00A0C911CE86}\CLSID = "{083863F1-70DE-11d0-BD40-00A0C911CE86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\ = "WaveIn Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\CLSID = "{33D9A761-90C8-11d0-BD43-00A0C911CE86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}\FriendlyName = "Audio Renderers" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\FriendlyName = "Midi Renderers" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\ = "ICM Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}\CLSID = "{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\Merit = "6291456" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\CLSID = "{4EFE2452-168A-11d1-BC76-00C04FB9453B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{CC7BFB41-F175-11d1-A392-00E0291F3959}\CLSID = "{CC7BFB41-F175-11d1-A392-00E0291F3959}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{083863F1-70DE-11d0-BD40-00A0C911CE86}\FriendlyName = "DirectShow Filters" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\FriendlyName = "Audio Capture Sources" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{CC7BFB46-F175-11d1-A392-00E0291F3959}\FriendlyName = "Device Control Filters" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\ = "ActiveMovie Filter Categories" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\CLSID = "{33D9A760-90C8-11d0-BD43-00A0C911CE86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\FriendlyName = "Audio Compressors" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{CC7BFB46-F175-11d1-A392-00E0291F3959}\CLSID = "{CC7BFB46-F175-11d1-A392-00E0291F3959}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\ = "VFW Capture Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\ = "ActiveMovie Filter Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{CC7BFB41-F175-11d1-A392-00E0291F3959}\FriendlyName = "External Renderers" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\ = "ACM Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\CLSID = "{860BB310-5D01-11d0-BD3B-00A0C911CE86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Merit = "6291456" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}\Merit = "6291456" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 1888 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2948 wrote to memory of 1888 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2948 wrote to memory of 1888 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\devenum.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\devenum.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win11-20240709-en

Max time kernel

147s

Max time network

157s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\New folder (2).zip"

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\New folder (2).zip"

Network

Country Destination Domain Proto
NL 52.111.243.29:443 tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win10-20240404-en

Max time kernel

77s

Max time network

87s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProductStatistics3.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4472 wrote to memory of 3028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4472 wrote to memory of 3028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4472 wrote to memory of 3028 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProductStatistics3.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProductStatistics3.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/3028-0-0x0000000000400000-0x000000000051E000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win7-20240708-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1976 set thread context of 1920 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

N/A

Files

memory/1976-1-0x0000000000280000-0x0000000000281000-memory.dmp

memory/1976-0-0x0000000003390000-0x00000000034AE000-memory.dmp

memory/1976-2-0x0000000075340000-0x00000000754DD000-memory.dmp

memory/1976-3-0x00000000772F0000-0x0000000077499000-memory.dmp

memory/1976-8-0x0000000075352000-0x0000000075354000-memory.dmp

memory/1976-9-0x0000000075340000-0x00000000754DD000-memory.dmp

memory/1920-15-0x0000000075340000-0x00000000754DD000-memory.dmp

memory/1976-14-0x0000000075340000-0x00000000754DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c1646d0a

MD5 54f2a020d4197573e9048027616e5165
SHA1 5b5d47700ff7ffbe7227f57c7a2f9895a5e078d0
SHA256 c62cec28b506dd38e34d45008d78cf995491dca4087554f4dde5d073eff2b443
SHA512 a35d782ded0902062c35a7cc1bd024f9c5e6d244eae40a855082d2877cdc38d0eb032a489b58f50599fa1614d99b941bdde3729302eb602980a9d85ba29f4d13

memory/1976-13-0x0000000003390000-0x00000000034AE000-memory.dmp

memory/1976-12-0x0000000000400000-0x0000000000669000-memory.dmp

memory/1920-17-0x00000000772F0000-0x0000000077499000-memory.dmp

memory/1920-18-0x0000000075340000-0x00000000754DD000-memory.dmp

memory/1920-19-0x0000000075340000-0x00000000754DD000-memory.dmp

memory/1920-21-0x0000000075340000-0x00000000754DD000-memory.dmp

memory/2684-22-0x00000000772F0000-0x0000000077499000-memory.dmp

memory/2684-23-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2684-24-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2684-25-0x0000000000D0D000-0x0000000000D15000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win7-20240704-en

Max time kernel

118s

Max time network

125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\devenum.dll

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\FriendlyName = "Audio Compressors" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{083863F1-70DE-11d0-BD40-00A0C911CE86}\FriendlyName = "DirectShow Filters" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\ = "MidiOut Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Merit = "6291456" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\CLSID = "{33D9A760-90C8-11d0-BD43-00A0C911CE86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}\FriendlyName = "Audio Renderers" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{CC7BFB46-F175-11d1-A392-00E0291F3959}\FriendlyName = "Device Control Filters" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\ = "ACM Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\FriendlyName = "Audio Capture Sources" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}\Merit = "6291456" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}\CLSID = "{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\CLSID = "{33D9A761-90C8-11d0-BD43-00A0C911CE86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\Merit = "6291456" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\CLSID = "{4EFE2452-168A-11d1-BC76-00C04FB9453B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{CC7BFB46-F175-11d1-A392-00E0291F3959}\CLSID = "{CC7BFB46-F175-11d1-A392-00E0291F3959}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}\ = "WaveOut and DSound Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\ = "ActiveMovie Filter Categories" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\CLSID = "{33D9A762-90C8-11d0-BD43-00A0C911CE86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\FriendlyName = "Midi Renderers" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\ = "ICM Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\ = "ActiveMovie Filter Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{CC7BFB41-F175-11d1-A392-00E0291F3959}\FriendlyName = "External Renderers" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\ = "WaveIn Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\CLSID = "{860BB310-5D01-11d0-BD3B-00A0C911CE86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{CC7BFB41-F175-11d1-A392-00E0291F3959}\CLSID = "{CC7BFB41-F175-11d1-A392-00E0291F3959}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\ = "VFW Capture Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\FriendlyName = "Video Capture Sources" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\FriendlyName = "Video Compressors" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{083863F1-70DE-11d0-BD40-00A0C911CE86}\CLSID = "{083863F1-70DE-11d0-BD40-00A0C911CE86}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 2648 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3056 wrote to memory of 2648 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3056 wrote to memory of 2648 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3056 wrote to memory of 2648 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3056 wrote to memory of 2648 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3056 wrote to memory of 2648 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3056 wrote to memory of 2648 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\devenum.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\devenum.dll

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win10-20240611-en

Max time kernel

128s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dmutil.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3840 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3840 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3840 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dmutil.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dmutil.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win10v2004-20240709-en

Max time kernel

93s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dmutil.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 4484 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2228 wrote to memory of 4484 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2228 wrote to memory of 4484 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dmutil.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dmutil.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win10-20240404-en

Max time kernel

135s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeviceUxRes.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1580 wrote to memory of 4336 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1580 wrote to memory of 4336 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1580 wrote to memory of 4336 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeviceUxRes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeviceUxRes.dll,#1

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProductStatistics3.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 3652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1196 wrote to memory of 3652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1196 wrote to memory of 3652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProductStatistics3.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProductStatistics3.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

memory/3652-0-0x0000000002CB0000-0x0000000002DCE000-memory.dmp

memory/3652-1-0x0000000002CB0000-0x0000000002DCE000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win7-20240704-en

Max time kernel

121s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProductStatistics3.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProductStatistics3.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProductStatistics3.dll,#1

Network

N/A

Files

memory/800-0-0x0000000002000000-0x000000000211E000-memory.dmp

memory/800-1-0x0000000002000000-0x000000000211E000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win10v2004-20240709-en

Max time kernel

63s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\RegisterIdr.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1776 wrote to memory of 5112 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1776 wrote to memory of 5112 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1776 wrote to memory of 5112 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\RegisterIdr.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\RegisterIdr.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5112 -ip 5112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 652

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

memory/5112-0-0x0000000002030000-0x00000000021A2000-memory.dmp

memory/5112-1-0x0000000002030000-0x00000000021A2000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Lumma Stealer

stealer lumma

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3644 set thread context of 2204 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
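
Two different things are being flagged under the generic "Suspicious use of ..." headings. In the rundll32 and regsvr32 runs above, a 64-bit host in system32 writes into a freshly started copy of itself in SysWOW64 that carries the same command line; that is the WoW64 relaunch a 64-bit rundll32 or regsvr32 performs when handed a 32-bit DLL, and the writes are part of that handoff. The row here is different in kind: Setup.exe, a binary in a user-writable Temp directory, sets the thread context of more.com, a different image under the Windows directory, which is the process-injection pattern that precedes the Lumma network activity below. The script that follows is an added example and not part of the sandbox report. It parses rows in the "PID a wrote to memory of b N/A <source> <target>" and "set thread context of" layouts, collapses repeated rows into a count, and applies those two rules; the rule wording, the verdict strings and the function names are this example's own, and the sample rows are copied from the signature tables in this report as a constructed subset.

```python
"""Triage the 'Suspicious use of WriteProcessMemory' and 'SetThreadContext'
rows of this report (added example, not part of the sandbox output)."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Event rows copied from the signature tables in this report; a constructed
# subset: three of the regsvr32 writes, three rundll32 writes, the Setup.exe row.
SAMPLE_EVENTS = r"""
PID 3056 wrote to memory of 2648 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3056 wrote to memory of 2648 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3056 wrote to memory of 2648 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3840 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3840 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3840 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3644 set thread context of 2204 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
"""

ROW = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$")

# Verdict strings are this example's own labels.
EXPECTED = "expected: 64-bit host relaunching its own 32-bit SysWOW64 copy"
INJECTION = "injection: user-writable binary controls a system process"
REVIEW = "review: cross-process write outside the known patterns"


def parse_events(text):
    """Yield one dict per 'PID a <verb> b N/A <source image> <target image>' row."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("Description"):
            continue  # blank line or the table header
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unexpected row: {line!r}")
        src_pid, verb, dst_pid, src_img, dst_img = m.groups()
        yield {
            "src_pid": int(src_pid),
            "dst_pid": int(dst_pid),
            "api": "WriteProcessMemory" if verb.startswith("wrote") else "SetThreadContext",
            "src": PureWindowsPath(src_img),
            "dst": PureWindowsPath(dst_img),
        }


def _has_dir(path, name):
    """True if a directory component of `path` (not the file name) equals `name`."""
    return name.lower() in (p.lower() for p in path.parts[:-1])


def classify(ev):
    """Rule 1: same image, system32 -> SysWOW64 write = WoW64 relaunch.
    Rule 2: different image, user-writable source into a Windows binary = injection.
    Anything else is left for a human."""
    same_image = ev["src"].name.lower() == ev["dst"].name.lower()
    if (ev["api"] == "WriteProcessMemory" and same_image
            and _has_dir(ev["src"], "system32") and _has_dir(ev["dst"], "SysWOW64")):
        return EXPECTED
    if not same_image and _has_dir(ev["src"], "Users") and _has_dir(ev["dst"], "Windows"):
        return INJECTION
    return REVIEW


def classify_row(line):
    """Convenience wrapper for a single report row."""
    return classify(next(parse_events(line)))


def triage(text):
    """Collapse identical rows; key = (src pid, dst pid, api, src name, dst name, verdict)."""
    counts = Counter()
    for ev in parse_events(text):
        counts[(ev["src_pid"], ev["dst_pid"], ev["api"],
                ev["src"].name, ev["dst"].name, classify(ev))] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in triage(SAMPLE_EVENTS).items():
        src_pid, dst_pid, api, src, dst, verdict = key
        print(f"{n:>2}x {api:<18} {src} ({src_pid}) -> {dst} ({dst_pid}): {verdict}")
```

Run as a script it prints one line per collapsed event. The same-image rule is deliberately limited to WriteProcessMemory: a SetThreadContext between two copies of the same system binary is not something the WoW64 relaunch does, so it falls through to review rather than being suppressed.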

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 palacecirwoos.shop udp
US 104.21.91.235:443 palacecirwoos.shop tcp
US 8.8.8.8:53 bouncedgowp.shop udp
US 104.21.93.198:443 bouncedgowp.shop tcp
US 8.8.8.8:53 235.91.21.104.in-addr.arpa udp
US 8.8.8.8:53 bannngwko.shop udp
US 172.67.146.61:443 bannngwko.shop tcp
US 8.8.8.8:53 bargainnykwo.shop udp
US 104.21.47.93:443 bargainnykwo.shop tcp
US 8.8.8.8:53 198.93.21.104.in-addr.arpa udp
US 8.8.8.8:53 affecthorsedpo.shop udp
US 104.21.6.254:443 affecthorsedpo.shop tcp
US 8.8.8.8:53 radiationnopp.shop udp
US 8.8.8.8:53 93.47.21.104.in-addr.arpa udp
US 8.8.8.8:53 61.146.67.172.in-addr.arpa udp
US 8.8.8.8:53 254.6.21.104.in-addr.arpa udp
US 172.67.196.169:443 radiationnopp.shop tcp
US 8.8.8.8:53 answerrsdo.shop udp
US 172.67.203.63:443 answerrsdo.shop tcp
US 8.8.8.8:53 publicitttyps.shop udp
US 104.21.25.154:443 publicitttyps.shop tcp
US 8.8.8.8:53 63.203.67.172.in-addr.arpa udp
US 8.8.8.8:53 169.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 benchillppwo.shop udp
US 172.67.160.230:443 benchillppwo.shop tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 230.160.67.172.in-addr.arpa udp
US 8.8.8.8:53 154.25.21.104.in-addr.arpa udp
US 8.8.8.8:53 reinforcedirectorywd.shop udp
US 172.67.214.98:443 reinforcedirectorywd.shop tcp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
US 8.8.8.8:53 98.214.67.172.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp

Files

memory/3644-0-0x0000000000A60000-0x0000000000A61000-memory.dmp

memory/3644-1-0x0000000002C00000-0x0000000002D1E000-memory.dmp

memory/3644-2-0x00000000762A0000-0x00000000766DC000-memory.dmp

memory/3644-3-0x00007FFAD94B0000-0x00007FFAD96A5000-memory.dmp

memory/3644-8-0x00000000762B2000-0x00000000762B4000-memory.dmp

memory/3644-9-0x00000000762A0000-0x00000000766DC000-memory.dmp

memory/3644-10-0x00000000762A0000-0x00000000766DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6e6a19f6

MD5 a3b838ca8c556d15893d4072be438374
SHA1 f90c6fac9945ed33cfe10ded333eb7b7a29b5722
SHA256 443797a0ce15ac80db82b78db60b3def2547edd5121a0d9fe4e797dd4f1b210d
SHA512 b40d109f878509f1caf383d8d0acd7d46dcf8628118bcb8099bb9bc4e46a93b58b54beb8b187ba1d7c1ccc3aa501f3fc10a5b81f3bae8a82cef99387791456de

memory/3644-13-0x0000000002C00000-0x0000000002D1E000-memory.dmp

memory/2204-15-0x00000000762A0000-0x00000000766DC000-memory.dmp

memory/3644-12-0x0000000000400000-0x0000000000669000-memory.dmp

memory/2204-16-0x00007FFAD94B0000-0x00007FFAD96A5000-memory.dmp

memory/2204-17-0x00000000762A0000-0x00000000766DC000-memory.dmp

memory/2204-18-0x00000000762A0000-0x00000000766DC000-memory.dmp

memory/2204-20-0x00000000762A0000-0x00000000766DC000-memory.dmp

memory/4172-21-0x00007FFAD94B0000-0x00007FFAD96A5000-memory.dmp

memory/4172-22-0x0000000000300000-0x0000000000350000-memory.dmp

memory/4172-23-0x000000000046B000-0x0000000000472000-memory.dmp

memory/4172-24-0x0000000000300000-0x0000000000350000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win10v2004-20240709-en

Max time kernel

93s

Max time network

129s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\New folder (2).zip"

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\New folder (2).zip"

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win11-20240709-en

Max time kernel

90s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\RegisterIdr.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 248 wrote to memory of 2800 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 248 wrote to memory of 2800 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 248 wrote to memory of 2800 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\RegisterIdr.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\RegisterIdr.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2800 -ip 2800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 560

Network

Files

memory/2800-0-0x0000000000400000-0x0000000000572000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win10-20240404-en

Max time kernel

133s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Lumma Stealer

stealer lumma

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4776 set thread context of 4168 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 palacecirwoos.shop udp
US 104.21.91.235:443 palacecirwoos.shop tcp
US 8.8.8.8:53 bouncedgowp.shop udp
US 172.67.214.52:443 bouncedgowp.shop tcp
US 8.8.8.8:53 bannngwko.shop udp
US 172.67.146.61:443 bannngwko.shop tcp
US 8.8.8.8:53 235.91.21.104.in-addr.arpa udp
US 8.8.8.8:53 52.214.67.172.in-addr.arpa udp
US 8.8.8.8:53 bargainnykwo.shop udp
US 172.67.146.97:443 bargainnykwo.shop tcp
US 8.8.8.8:53 affecthorsedpo.shop udp
US 172.67.135.137:443 affecthorsedpo.shop tcp
US 8.8.8.8:53 137.135.67.172.in-addr.arpa udp
US 8.8.8.8:53 97.146.67.172.in-addr.arpa udp
US 8.8.8.8:53 61.146.67.172.in-addr.arpa udp
US 8.8.8.8:53 radiationnopp.shop udp
US 172.67.196.169:443 radiationnopp.shop tcp
US 8.8.8.8:53 answerrsdo.shop udp
US 104.21.44.192:443 answerrsdo.shop tcp
US 8.8.8.8:53 publicitttyps.shop udp
US 172.67.134.88:443 publicitttyps.shop tcp
US 8.8.8.8:53 benchillppwo.shop udp
US 172.67.160.230:443 benchillppwo.shop tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 192.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 88.134.67.172.in-addr.arpa udp
US 8.8.8.8:53 230.160.67.172.in-addr.arpa udp
US 8.8.8.8:53 169.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 reinforcedirectorywd.shop udp
US 104.21.83.48:443 reinforcedirectorywd.shop tcp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
US 8.8.8.8:53 48.83.21.104.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
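
The Network tables of behavioral19 and behavioral18 record the same nine .shop names, several of them resolving to a different Cloudflare-range address between the two runs, interleaved with the sandbox's own reverse (in-addr.arpa) lookups of every address it touched. The script below is an added example, not part of the sandbox report. It parses rows in this report's "Country Destination Domain Proto" layout, drops the PTR noise, merges every address seen for a name across runs, and separates names that were only queried from TCP endpoints reached with no resolved name at all (the bare 52.111.227.14:443 row in behavioral6 is of that kind). The sample rows are copied from the tables in this report as a constructed subset; the function names and the port-53 test for DNS rows are this example's assumptions. steamcommunity.com is kept in the output on purpose: it is a legitimate service, and Lumma builds are documented to read a Steam profile page as a fallback source for the current C2 domain, so it is a pivot to investigate rather than an address to block.

```python
"""Extract network IOCs from the flattened 'Country Destination Domain Proto'
tables in this report (added example, not part of the sandbox output)."""
import ipaddress
from collections import defaultdict

# Rows copied from the behavioral19, behavioral18 and behavioral6 Network
# tables in this report; a constructed subset, not the full tables.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 palacecirwoos.shop udp
US 104.21.91.235:443 palacecirwoos.shop tcp
US 8.8.8.8:53 bouncedgowp.shop udp
US 104.21.93.198:443 bouncedgowp.shop tcp
US 172.67.214.52:443 bouncedgowp.shop tcp
US 8.8.8.8:53 235.91.21.104.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 radiationnopp.shop udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
"""


def parse_rows(text):
    """Yield one dict per data row; the Domain column may be absent."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue  # blank line or the header row
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:  # raw connection, no name resolved for it
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, _, port = dest.rpartition(":")
        yield {"country": country, "ip": ipaddress.ip_address(ip),
               "port": int(port), "domain": domain, "proto": proto}


def is_ptr_noise(domain):
    """Reverse lookups the sandbox performs on its own; not attacker infrastructure."""
    return domain is not None and domain.endswith(".in-addr.arpa")


def extract_iocs(text):
    """Return (domains, bare_ips, dns_only).

    domains  - {name: sorted list of IPs reached over TCP}, merged across runs
    bare_ips - TCP endpoints the table shows with no resolved name
    dns_only - names queried over DNS but never connected to
    """
    domains = defaultdict(set)
    queried = set()
    bare_ips = set()
    for row in parse_rows(text):
        if is_ptr_noise(row["domain"]):
            continue
        if row["proto"] == "udp" and row["port"] == 53:
            if row["domain"]:
                queried.add(row["domain"])
        elif row["proto"] == "tcp":
            if row["domain"] is None:
                bare_ips.add(f'{row["ip"]}:{row["port"]}')
            else:
                domains[row["domain"]].add(str(row["ip"]))
    dns_only = sorted(queried - set(domains))
    return ({d: sorted(ips) for d, ips in sorted(domains.items())},
            sorted(bare_ips), dns_only)


if __name__ == "__main__":
    doms, bare, dns_only = extract_iocs(SAMPLE_ROWS)
    for d, ips in doms.items():
        print(f"{d:<28} {', '.join(ips)}")
    print("tcp without a name:", bare)
    print("queried only:", dns_only)
```

Feeding both full tables through extract_iocs gives one line per name with every Cloudflare address observed for it, which is the form worth exporting: the names are the stable indicator, the addresses rotate between runs.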

Files

memory/4776-0-0x00000000007E0000-0x00000000007E1000-memory.dmp

memory/4776-1-0x0000000002A40000-0x0000000002B5E000-memory.dmp

memory/4776-2-0x0000000076A30000-0x0000000076E4A000-memory.dmp

memory/4776-3-0x00007FFBF1F00000-0x00007FFBF20DB000-memory.dmp

memory/4776-8-0x0000000076A42000-0x0000000076A44000-memory.dmp

memory/4776-9-0x0000000076A30000-0x0000000076E4A000-memory.dmp

memory/4776-10-0x0000000076A30000-0x0000000076E4A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c88bb965

MD5 51dc17c7b4123f98556287b1d9d49c9a
SHA1 374f64d3639084c788c265e12c06bd4828e08879
SHA256 58c8bc51943d13523a1fc9b936577c730df48442d47944ee6d8684f45720eba6
SHA512 87aca4bb0ebc99bac174e91ca8c41763b0ed0edb55aaa5a50291108ee4f7df99993e8f981e331df8aa0fd3e5fa277c17af0414634ac0ce83ffc4796818798fdd

memory/4776-13-0x0000000002A40000-0x0000000002B5E000-memory.dmp

memory/4168-15-0x0000000076A30000-0x0000000076E4A000-memory.dmp

memory/4776-12-0x0000000000400000-0x0000000000669000-memory.dmp

memory/4168-16-0x00007FFBF1F00000-0x00007FFBF20DB000-memory.dmp

memory/4168-17-0x0000000076A30000-0x0000000076E4A000-memory.dmp

memory/4168-18-0x0000000076A30000-0x0000000076E4A000-memory.dmp

memory/4168-20-0x0000000076A30000-0x0000000076E4A000-memory.dmp

memory/1304-21-0x00007FFBF1F00000-0x00007FFBF20DB000-memory.dmp

memory/1304-22-0x0000000000CC0000-0x0000000000D10000-memory.dmp

memory/1304-23-0x0000000000CC0000-0x0000000000D10000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win11-20240709-en

Max time kernel

92s

Max time network

102s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\devenum.dll

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\ = "ActiveMovie Filter Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\ = "MidiOut Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\CLSID = "{33D9A761-90C8-11d0-BD43-00A0C911CE86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{CC7BFB46-F175-11d1-A392-00E0291F3959}\CLSID = "{CC7BFB46-F175-11d1-A392-00E0291F3959}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\FriendlyName = "Video Capture Sources" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\Merit = "6291456" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\FriendlyName = "Midi Renderers" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{CC7BFB41-F175-11d1-A392-00E0291F3959}\CLSID = "{CC7BFB41-F175-11d1-A392-00E0291F3959}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\FriendlyName = "Video Compressors" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\CLSID = "{33D9A762-90C8-11d0-BD43-00A0C911CE86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\ = "WaveIn Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}\ = "WaveOut and DSound Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\ = "ActiveMovie Filter Categories" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{083863F1-70DE-11d0-BD40-00A0C911CE86}\FriendlyName = "DirectShow Filters" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{083863F1-70DE-11d0-BD40-00A0C911CE86}\CLSID = "{083863F1-70DE-11d0-BD40-00A0C911CE86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}\FriendlyName = "Audio Renderers" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}\CLSID = "{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\ = "VFW Capture Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\FriendlyName = "Audio Compressors" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\CLSID = "{4EFE2452-168A-11d1-BC76-00C04FB9453B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{CC7BFB46-F175-11d1-A392-00E0291F3959}\FriendlyName = "Device Control Filters" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\CLSID = "{860BB310-5D01-11d0-BD3B-00A0C911CE86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\CLSID = "{33D9A760-90C8-11d0-BD43-00A0C911CE86}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\FriendlyName = "Audio Capture Sources" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{CC7BFB41-F175-11d1-A392-00E0291F3959}\FriendlyName = "External Renderers" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\ = "ICM Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\ = "ACM Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Merit = "6291456" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{E0F158E1-CB04-11d0-BD4E-00A0C911CE86}\Merit = "6291456" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
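
The "Modifies registry class" tables (this one and the one continued from the preceding run at the start of this section) are the standard COM registration that devenum.dll, the DirectShow device enumerator, performs under Wow6432Node: the well-known class-manager CLSIDs, their friendly names, ThreadingModel and Merit values. The rows that matter to an analyst are the InprocServer32 defaults. They now point at C:\Users\Admin\AppData\Local\Temp\devenum.dll, so any 32-bit process that instantiates one of those classes loads the copy in the user's Temp directory rather than the one shipped in SysWOW64. These rows show the sandbox registering the extracted file with regsvr32 /s; whether the DLL is a benign bundled copy is not settled by them, but an InprocServer32 path outside the Windows directory is the condition worth alerting on regardless. The script below is an added example, not part of the sandbox report. It parses rows in the 'Set value (kind) <key>\<value> = "<data>" <process> N/A' layout and returns the CLSIDs whose COM server lives outside the Windows directory; the sample rows are copied from the behavioral24 table as a constructed subset, and the assumption that the system root is C:\Windows (true of the sandbox VMs here) is this example's own.

```python
"""Flag COM InprocServer32 registrations whose server DLL lives outside the
Windows directory, using the 'Modifies registry class' rows of this report
(added example, not part of the sandbox output)."""
import re
from pathlib import PureWindowsPath

# Rows copied from the behavioral24 table in this report; a constructed subset.
SAMPLE_REG = r"""
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\ = "ActiveMovie Filter Class Manager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\devenum.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{4EFE2452-168A-11d1-BC76-00C04FB9453B}\Merit = "6291456" C:\Windows\SysWOW64\regsvr32.exe N/A
"""

# Set value (<kind>) <key>\<value name, empty for the default value> = "<data>" <process> N/A
REG_ROW = re.compile(r'^Set value \((\w+)\) (.+?)\\([^\\ ]*) = "(.*)" (\S+) N/A$')


def parse_reg_rows(text):
    """Yield one dict per registry row; the default value is reported as '(Default)'."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("Description"):
            continue  # blank line or the table header
        m = REG_ROW.match(line)
        if not m:
            raise ValueError(f"unexpected row: {line!r}")
        kind, key, name, data, proc = m.groups()
        yield {
            "kind": kind,
            "key": key,
            "name": name or "(Default)",
            # the report doubles backslashes inside quoted string data
            "data": data.replace("\\\\", "\\"),
            "process": proc,
        }


def is_system_path(path_str):
    """True when the path is under the Windows directory on C: (assumed system root)."""
    parts = [p.lower() for p in PureWindowsPath(path_str).parts]
    return len(parts) >= 2 and parts[0] == "c:\\" and parts[1] == "windows"


def find_hijack_candidates(text):
    """Return [(CLSID, server path)] for InprocServer32 defaults outside the system root."""
    hits = []
    for row in parse_reg_rows(text):
        if row["name"] != "(Default)" or not row["key"].lower().endswith("\\inprocserver32"):
            continue
        clsid = row["key"].split("\\")[-2]
        if not is_system_path(row["data"]):
            hits.append((clsid, row["data"]))
    return hits


if __name__ == "__main__":
    for clsid, server in find_hijack_candidates(SAMPLE_REG):
        print(f"{clsid} -> {server}")
```

The same check applies to a live host: enumerate InprocServer32 defaults under HKLM\Software\Classes\CLSID and its Wow6432Node counterpart and report any that resolve outside the system root, then compare the flagged DLL's hash against the copy in System32 or SysWOW64 before deciding whether it is a replacement or a stray installer artifact.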

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 4348 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3040 wrote to memory of 4348 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3040 wrote to memory of 4348 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\devenum.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\devenum.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win11-20240709-en

Max time kernel

147s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dmutil.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 560 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2916 wrote to memory of 560 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2916 wrote to memory of 560 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dmutil.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dmutil.dll,#1

Network

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win11-20240709-en

Max time kernel

91s

Max time network

103s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProductStatistics3.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1656 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1656 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1656 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProductStatistics3.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ProductStatistics3.dll,#1

Network

Files

memory/2188-0-0x0000000000400000-0x000000000051E000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win7-20240704-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\RegisterIdr.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2104 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2104 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2104 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2104 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2104 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2104 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\RegisterIdr.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\RegisterIdr.dll,#1

Network

N/A

Files

memory/2232-0-0x0000000002230000-0x00000000023A2000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win10v2004-20240709-en

Max time kernel

95s

Max time network

125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\devenum.dll

Signatures

Modifies registry class


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3688 wrote to memory of 408 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3688 wrote to memory of 408 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3688 wrote to memory of 408 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\devenum.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\devenum.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
NL 52.111.243.30:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win7-20240704-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dmutil.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2536 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2536 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2536 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2536 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2536 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2536 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2536 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dmutil.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dmutil.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win7-20240708-en

Max time kernel

118s

Max time network

124s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\New folder (2).zip"

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\New folder (2).zip"

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeviceUxRes.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4668 wrote to memory of 3328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4668 wrote to memory of 3328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4668 wrote to memory of 3328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeviceUxRes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeviceUxRes.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-07-10 08:07

Reported

2024-07-10 08:11

Platform

win11-20240709-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4800 set thread context of 536 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\255726c6

MD5 ebc5d509989e3efa3a2822a8f7eee488
SHA1 5197c049e0670203d873c437746e698a9130da1e
SHA256 663d56f08210e567379f0f9edf74d121b0a3a872442311963358d6d26e52fb42
SHA512 f73225777c76c92d3ffd1f6c15615847bd7eadea2a5d30000bf240f2caec5e149b0ee7d9565a8952b6ceecd237ff3e34ae402e88a9d150e91362306edb71dc94
