Malware Analysis Report

2025-03-15 04:42

Sample ID 240713-cwpm7stgkg
Target Software for cs2.rar
SHA256 a01ab799c1014dd391fad6f2092d7672b52050dad548d1e63ad9b09131113e43
Tags
redline infostealer spyware persistence privilege_escalation discovery stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a01ab799c1014dd391fad6f2092d7672b52050dad548d1e63ad9b09131113e43

Threat Level: Known bad

The file Software for cs2.rar was found to be: Known bad.

Malicious Activity Summary

redline infostealer spyware persistence privilege_escalation discovery stealer

RedLine

RedLine payload

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Event Triggered Execution: Component Object Model Hijacking

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-13 02:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:29

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\x64\afvpn.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\x64\afvpn.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:28

Platform

win10v2004-20240709-en

Max time kernel

93s

Max time network

95s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Software for cs2.rar"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Software for cs2.rar"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:29

Platform

win10v2004-20240709-en

Max time kernel

91s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Software for cs2\If doesnt work open it.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Software for cs2\If doesnt work open it.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4480 set thread context of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Software for cs2\If doesnt work open it.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Software for cs2\If doesnt work open it.exe

"C:\Users\Admin\AppData\Local\Temp\Software for cs2\If doesnt work open it.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
CH 185.196.9.26:6302 tcp
US 8.8.8.8:53 26.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

memory/4480-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

memory/4480-1-0x0000000000AA0000-0x0000000000B38000-memory.dmp

C:\Users\Admin\AppData\Roaming\d3d9.dll

MD5 eff77d05a7a65c261d47dd04e229e436
SHA1 01c353121838091a200a262f3058216c1a6ee603
SHA256 a53b4db904c5e24c735de639b80a2300a96566247440510e92fc644ec92ce5df
SHA512 e3d6ebba507260884ef60e0c80bc55b50f3801e7c89a83005f0d9445994e020031fa19091b337b0d7f1d0ba1df2275ffa62c6163f4097bb172f247240be37da2

memory/2060-8-0x0000000000400000-0x0000000000450000-memory.dmp

memory/4480-10-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/2060-11-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/2060-12-0x0000000005550000-0x0000000005AF4000-memory.dmp

memory/2060-13-0x0000000005040000-0x00000000050D2000-memory.dmp

memory/2060-14-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/2060-15-0x0000000005100000-0x000000000510A000-memory.dmp

memory/2060-16-0x0000000006120000-0x0000000006738000-memory.dmp

memory/2060-17-0x0000000005B00000-0x0000000005C0A000-memory.dmp

memory/2060-18-0x00000000052D0000-0x00000000052E2000-memory.dmp

memory/2060-19-0x0000000005360000-0x000000000539C000-memory.dmp

memory/2060-20-0x00000000053A0000-0x00000000053EC000-memory.dmp

memory/2060-21-0x0000000005C10000-0x0000000005C76000-memory.dmp

memory/2060-22-0x0000000006B70000-0x0000000006D32000-memory.dmp

memory/2060-23-0x0000000007270000-0x000000000779C000-memory.dmp

memory/2060-24-0x0000000007150000-0x00000000071A0000-memory.dmp

memory/2060-26-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/4480-27-0x0000000074AC0000-0x0000000075270000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:28

Platform

win7-20240705-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\ErrorReport.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\ErrorReport.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:29

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\Loader.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4060 wrote to memory of 4812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4060 wrote to memory of 4812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4060 wrote to memory of 4812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\Loader.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\Loader.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:29

Platform

win7-20240704-en

Max time kernel

11s

Max time network

19s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\vcomp140.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\vcomp140.dll",#1

Network

N/A

Files

memory/1072-0-0x0000000000180000-0x0000000000181000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:29

Platform

win10v2004-20240709-en

Max time kernel

93s

Max time network

123s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\vcomp140.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\vcomp140.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 20.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/2528-0-0x00000232D4710000-0x00000232D4711000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:29

Platform

win10v2004-20240709-en

Max time kernel

93s

Max time network

124s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\vcruntime140.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\vcruntime140.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 19.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:28

Platform

win7-20240705-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\x64\49F631DB-450A-4108-8F5C-434AF3FEE6DC.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\x64\49F631DB-450A-4108-8F5C-434AF3FEE6DC.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:28

Platform

win7-20240704-en

Max time kernel

122s

Max time network

123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Software for cs2.rar"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Software for cs2.rar"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Software for cs2.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Software for cs2.rar

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Software for cs2.rar"

Network

N/A

Files

memory/1540-42-0x000007FEFABD0000-0x000007FEFAC04000-memory.dmp

memory/1540-41-0x000000013F0D0000-0x000000013F1C8000-memory.dmp

memory/1540-43-0x000007FEF5FB0000-0x000007FEF6266000-memory.dmp

memory/1540-44-0x000007FEF4510000-0x000007FEF55C0000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:28

Platform

win7-20240708-en

Max time kernel

117s

Max time network

119s

Command Line

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\mchammer_x64.dll"

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2F27D2C8-2AA0-48A2-B082-00AA006BA2BA} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{8010C341-6D4C-4390-B828-E4D246C3DDB2}\CLSID = "{8010C341-6D4C-4390-B828-E4D246C3DDB2}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8010C341-6D4C-4390-B828-E4D246C3DDB2}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB0F363-3A6E-485D-B39C-00AA006BA2BA} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB0F363-3A6E-485D-B39C-00AA006BA2BA}\ = "MCHammer Property Page" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB0F363-3A6E-485D-B39C-00AA006BA2BA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software for cs2\\data\\mchammer_x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB0F363-3A6E-485D-B39C-00AA006BA2BA}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{70046AFD-C0B1-4EB0-9D13-00AA006BA2BA}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2F27D2C8-2AA0-48A2-B082-00AA006BA2BA}\ = "MCHammer Property Page 3" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2F27D2C8-2AA0-48A2-B082-00AA006BA2BA}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8010C341-6D4C-4390-B828-E4D246C3DDB2} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2F27D2C8-2AA0-48A2-B082-00AA006BA2BA}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8010C341-6D4C-4390-B828-E4D246C3DDB2}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{70046AFD-C0B1-4EB0-9D13-00AA006BA2BA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software for cs2\\data\\mchammer_x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2F27D2C8-2AA0-48A2-B082-00AA006BA2BA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software for cs2\\data\\mchammer_x64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{8010C341-6D4C-4390-B828-E4D246C3DDB2} C:\Windows\system32\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{8010C341-6D4C-4390-B828-E4D246C3DDB2}\FilterData = 0200000000002000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000700000006175647300001000800000aa00389b7100000000000000000000000000000000 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8010C341-6D4C-4390-B828-E4D246C3DDB2}\ = "Wave Hammer Surround" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB0F363-3A6E-485D-B39C-00AA006BA2BA}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{70046AFD-C0B1-4EB0-9D13-00AA006BA2BA} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{70046AFD-C0B1-4EB0-9D13-00AA006BA2BA}\ = "MCHammer Property Page 2" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{70046AFD-C0B1-4EB0-9D13-00AA006BA2BA}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{8010C341-6D4C-4390-B828-E4D246C3DDB2}\FriendlyName = "VEGAS Wave Hammer Surround" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8010C341-6D4C-4390-B828-E4D246C3DDB2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software for cs2\\data\\mchammer_x64.dll" C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\mchammer_x64.dll"

Network

N/A

Files

memory/2720-0-0x0000000000140000-0x0000000000156000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:29

Platform

win10v2004-20240709-en

Max time kernel

93s

Max time network

104s

Command Line

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\mchammer_x64.dll"

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8010C341-6D4C-4390-B828-E4D246C3DDB2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software for cs2\\data\\mchammer_x64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB0F363-3A6E-485D-B39C-00AA006BA2BA} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB0F363-3A6E-485D-B39C-00AA006BA2BA}\ = "MCHammer Property Page" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB0F363-3A6E-485D-B39C-00AA006BA2BA}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{70046AFD-C0B1-4EB0-9D13-00AA006BA2BA}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2F27D2C8-2AA0-48A2-B082-00AA006BA2BA} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8010C341-6D4C-4390-B828-E4D246C3DDB2} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8010C341-6D4C-4390-B828-E4D246C3DDB2}\ = "Wave Hammer Surround" C:\Windows\system32\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{8010C341-6D4C-4390-B828-E4D246C3DDB2}\FilterData = 0200000000002000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000700000006175647300001000800000aa00389b7100000000000000000000000000000000 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB0F363-3A6E-485D-B39C-00AA006BA2BA}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{70046AFD-C0B1-4EB0-9D13-00AA006BA2BA}\ = "MCHammer Property Page 2" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{70046AFD-C0B1-4EB0-9D13-00AA006BA2BA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software for cs2\\data\\mchammer_x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{70046AFD-C0B1-4EB0-9D13-00AA006BA2BA}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2F27D2C8-2AA0-48A2-B082-00AA006BA2BA}\ = "MCHammer Property Page 3" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2F27D2C8-2AA0-48A2-B082-00AA006BA2BA}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8010C341-6D4C-4390-B828-E4D246C3DDB2}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB0F363-3A6E-485D-B39C-00AA006BA2BA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software for cs2\\data\\mchammer_x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{8010C341-6D4C-4390-B828-E4D246C3DDB2}\FriendlyName = "VEGAS Wave Hammer Surround" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8010C341-6D4C-4390-B828-E4D246C3DDB2}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{8010C341-6D4C-4390-B828-E4D246C3DDB2} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2F27D2C8-2AA0-48A2-B082-00AA006BA2BA}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{8010C341-6D4C-4390-B828-E4D246C3DDB2}\CLSID = "{8010C341-6D4C-4390-B828-E4D246C3DDB2}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{70046AFD-C0B1-4EB0-9D13-00AA006BA2BA} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2F27D2C8-2AA0-48A2-B082-00AA006BA2BA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Software for cs2\\data\\mchammer_x64.dll" C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\mchammer_x64.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
IE 52.111.236.21:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/916-0-0x0000000002DE0000-0x0000000002DF6000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:28

Platform

win7-20240705-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\protects.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 2752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2676 wrote to memory of 2752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2676 wrote to memory of 2752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2676 wrote to memory of 2752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2676 wrote to memory of 2752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2676 wrote to memory of 2752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2676 wrote to memory of 2752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\protects.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\protects.dll",#1

Network

N/A

Files

memory/2752-0-0x0000000010000000-0x0000000010330000-memory.dmp

memory/2752-1-0x0000000010000000-0x0000000010330000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:28

Platform

win10v2004-20240709-en

Max time kernel

91s

Max time network

93s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\x64\49F631DB-450A-4108-8F5C-434AF3FEE6DC.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\x64\49F631DB-450A-4108-8F5C-434AF3FEE6DC.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:29

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\x64\afvpn.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\x64\afvpn.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:28

Platform

win7-20240704-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\x64\nfapi.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\x64\nfapi.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:27

Platform

win7-20240704-en

Max time kernel

34s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Software for cs2\Cheat.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Software for cs2\Cheat.exe

"C:\Users\Admin\AppData\Local\Temp\Software for cs2\Cheat.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 112

Network

N/A

Files

memory/2716-0-0x00000000000F0000-0x00000000000F1000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:28

Platform

win10v2004-20240709-en

Max time kernel

143s

Max time network

144s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\ErrorReport.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\ErrorReport.dll",#1

Network

Country Destination Domain Proto
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 36.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 121.150.79.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:29

Platform

win7-20240704-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\Loader.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 2868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2396 wrote to memory of 2868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2396 wrote to memory of 2868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2396 wrote to memory of 2868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2396 wrote to memory of 2868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2396 wrote to memory of 2868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2396 wrote to memory of 2868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\Loader.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\Loader.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:29

Platform

win10v2004-20240709-en

Max time kernel

92s

Max time network

94s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\x64\nfapi.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\x64\nfapi.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 36.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:29

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Software for cs2\Cheat.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4408 set thread context of 1248 N/A C:\Users\Admin\AppData\Local\Temp\Software for cs2\Cheat.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Software for cs2\Cheat.exe

"C:\Users\Admin\AppData\Local\Temp\Software for cs2\Cheat.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 24.58.20.217.in-addr.arpa udp
GB 46.226.163.38:80 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 38.163.226.46.in-addr.arpa udp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4408-0-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

memory/1248-1-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1248-2-0x000000007453E000-0x000000007453F000-memory.dmp

memory/1248-3-0x0000000005AA0000-0x0000000006044000-memory.dmp

memory/1248-4-0x00000000053A0000-0x0000000005432000-memory.dmp

memory/1248-5-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/1248-6-0x0000000005330000-0x000000000533A000-memory.dmp

memory/1248-7-0x00000000086B0000-0x0000000008CC8000-memory.dmp

memory/1248-8-0x00000000081F0000-0x00000000082FA000-memory.dmp

memory/1248-9-0x0000000008140000-0x0000000008152000-memory.dmp

memory/1248-10-0x00000000081A0000-0x00000000081DC000-memory.dmp

memory/1248-11-0x0000000008300000-0x000000000834C000-memory.dmp

memory/1248-12-0x0000000008F40000-0x0000000008FA6000-memory.dmp

memory/1248-13-0x00000000095F0000-0x0000000009666000-memory.dmp

memory/1248-14-0x00000000095B0000-0x00000000095CE000-memory.dmp

memory/1248-15-0x000000000A4C0000-0x000000000A682000-memory.dmp

memory/1248-16-0x000000000ADC0000-0x000000000B2EC000-memory.dmp

memory/1248-18-0x0000000074530000-0x0000000074CE0000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:29

Platform

win7-20240704-en

Max time kernel

13s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Software for cs2\If doesnt work open it.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Software for cs2\If doesnt work open it.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Software for cs2\If doesnt work open it.exe

"C:\Users\Admin\AppData\Local\Temp\Software for cs2\If doesnt work open it.exe"

Network

N/A

Files

memory/2556-0-0x000000007451E000-0x000000007451F000-memory.dmp

memory/2556-1-0x0000000000CF0000-0x0000000000D88000-memory.dmp

\Users\Admin\AppData\Roaming\d3d9.dll

MD5 eff77d05a7a65c261d47dd04e229e436
SHA1 01c353121838091a200a262f3058216c1a6ee603
SHA256 a53b4db904c5e24c735de639b80a2300a96566247440510e92fc644ec92ce5df
SHA512 e3d6ebba507260884ef60e0c80bc55b50f3801e7c89a83005f0d9445994e020031fa19091b337b0d7f1d0ba1df2275ffa62c6163f4097bb172f247240be37da2

memory/2556-6-0x0000000074510000-0x0000000074BFE000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:29

Platform

win10v2004-20240709-en

Max time kernel

92s

Max time network

132s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\protects.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 3540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1612 wrote to memory of 3540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1612 wrote to memory of 3540 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\protects.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\data\protects.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 35.58.20.217.in-addr.arpa udp

Files

memory/3540-0-0x0000000010000000-0x0000000010330000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-07-13 02:25

Reported

2024-07-13 02:29

Platform

win7-20240705-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\vcruntime140.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Software for cs2\vcruntime140.dll",#1

Network

N/A

Files

N/A