Analysis Overview
SHA256
c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2
Threat Level: Known bad
The file crowdstrike-hotfix.zip was found to be: Known bad.
Malicious Activity Summary
HawkEye
Remcos
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-19 19:18
Signatures
Analysis: behavioral11
Detonation Overview
Submitted
2024-07-19 19:18
Reported
2024-07-19 19:21
Platform
win7-20240708-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1008 wrote to memory of 2232 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\rtl120.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\rtl120.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-07-19 19:18
Reported
2024-07-19 19:21
Platform
win7-20240704-en
Max time kernel
140s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vclx120.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vclx120.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 268
Network
Files
memory/2696-0-0x0000000050310000-0x0000000050349000-memory.dmp
memory/2696-1-0x0000000050000000-0x0000000050116000-memory.dmp
memory/2696-2-0x0000000050120000-0x000000005030D000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-19 19:18
Reported
2024-07-19 19:21
Platform
win7-20240708-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2180 wrote to memory of 2128 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\datastate.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\datastate.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-19 19:18
Reported
2024-07-19 19:21
Platform
win10-20240611-en
Max time kernel
129s
Max time network
136s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1384 wrote to memory of 2228 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\datastate.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\datastate.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 11.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.239.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-07-19 19:18
Reported
2024-07-19 19:21
Platform
win7-20240708-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2384 wrote to memory of 1720 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\madexcept_.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\madexcept_.dll,#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-07-19 19:18
Reported
2024-07-19 19:21
Platform
win7-20240704-en
Max time kernel
140s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 224
Network
Files
memory/3064-0-0x0000000061E00000-0x0000000061ECA000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-07-19 19:18
Reported
2024-07-19 19:21
Platform
win10-20240404-en
Max time kernel
141s
Max time network
136s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2768 wrote to memory of 4140 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vclx120.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vclx120.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 696
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.17.178.52.in-addr.arpa | udp |
Files
memory/4140-0-0x0000000050310000-0x0000000050349000-memory.dmp
memory/4140-1-0x0000000050000000-0x0000000050116000-memory.dmp
memory/4140-2-0x0000000050120000-0x000000005030D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-19 19:18
Reported
2024-07-19 19:21
Platform
win10-20240404-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
HawkEye
Remcos
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_b0ca8be2ac09ed24\msmouse.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_82738beb7b514250\keyboard.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_e22da3cb2d7a1ed6\hdaudbus.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_74965e869fab271a\mshdc.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_e6c89cc58804e205\machine.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_8e5f608c0111283d\usbport.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_e15abe7d25aa2071\input.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2772 set thread context of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\SysWOW64\dxdiag.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer | C:\Windows\SysWOW64\dxdiag.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\dxdiag.exe
"C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
Network
| Country | Destination | Domain | Proto |
| FR | 213.5.130.58:443 | | tcp |
| US | 8.8.8.8:53 | 58.130.5.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| FR | 213.5.130.58:443 | | tcp |
| FR | 213.5.130.58:443 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| FR | 213.5.130.58:443 | | tcp |
| FR | 213.5.130.58:443 | | tcp |
| FR | 213.5.130.58:443 | | tcp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
| FR | 213.5.130.58:443 | | tcp |
| US | 8.8.8.8:53 | 109.116.69.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\e95c3989
| MD5 | b7f5a46de5f5d13fce38256ab738d652 |
| SHA1 | 33482a8273ecbc6d72bae6f4994710c2b9cc268a |
| SHA256 | cb71fb3b9fc51d26367c482db92a745d9bf0b8c9843e5fb336fb378988522183 |
| SHA512 | 870300dfdeccc00c4dbcbf7943ed0c1825197bd881f3433430131d7b29bc3e2200459901783e4eb2942611d351d158d7c2423d9b13ea7d8263c4f00eee513235 |
C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
| MD5 | 6be01e88e7d2124fb718797d720f1540 |
| SHA1 | 5fc31e3a5d75067d7ddba4919e4f0516f0bcf28c |
| SHA256 | a1c3df8b5863709007d8958e831d0956006de375df7771cef6952427585a3c59 |
| SHA512 | a092fa72ac04d23e24d687763a42ea8fa315d59aec6345ed25def7a2cb1ee8e919d5f088c3eec45bdd13e6fefe9b985dc557e366d197b97ed7117f340f522e70 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-07-19 19:18
Reported
2024-07-19 19:21
Platform
win10-20240611-en
Max time kernel
134s
Max time network
137s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 540 wrote to memory of 5052 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 616
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 26.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp |
Files
memory/5052-0-0x0000000061E00000-0x0000000061ECA000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-07-19 19:18
Reported
2024-07-19 19:21
Platform
win7-20240705-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2028 wrote to memory of 1224 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcl120.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcl120.dll,#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-07-19 19:18
Reported
2024-07-19 19:21
Platform
win10-20240404-en
Max time kernel
133s
Max time network
145s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 752 wrote to memory of 824 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcl120.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vcl120.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.239.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-19 19:18
Reported
2024-07-19 19:21
Platform
win7-20240708-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1712 wrote to memory of 2312 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\maddisAsm_.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\maddisAsm_.dll,#1
Network
Files
memory/2312-0-0x0000000057800000-0x0000000057812000-memory.dmp
memory/2312-1-0x0000000050000000-0x0000000050116000-memory.dmp
memory/2312-2-0x0000000057000000-0x000000005703F000-memory.dmp
memory/2312-3-0x0000000050120000-0x000000005030D000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-07-19 19:18
Reported
2024-07-19 19:21
Platform
win10-20240404-en
Max time kernel
132s
Max time network
135s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4768 wrote to memory of 3080 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\rtl120.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\rtl120.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.239.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-19 19:18
Reported
2024-07-19 19:21
Platform
win10-20240404-en
Max time kernel
133s
Max time network
137s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2804 wrote to memory of 4552 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\madbasic_.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\madbasic_.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp |
Files
memory/4552-0-0x0000000057000000-0x000000005703F000-memory.dmp
memory/4552-1-0x0000000050120000-0x000000005030D000-memory.dmp
memory/4552-2-0x0000000050000000-0x0000000050116000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-19 19:18
Reported
2024-07-19 19:21
Platform
win10-20240404-en
Max time kernel
133s
Max time network
135s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4236 wrote to memory of 2580 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\maddisAsm_.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\maddisAsm_.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.239.69.13.in-addr.arpa | udp |
Files
memory/2580-3-0x0000000050120000-0x000000005030D000-memory.dmp
memory/2580-1-0x0000000057000000-0x000000005703F000-memory.dmp
memory/2580-0-0x0000000057800000-0x0000000057812000-memory.dmp
memory/2580-2-0x0000000050000000-0x0000000050116000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-07-19 19:18
Reported
2024-07-19 19:21
Platform
win10-20240404-en
Max time kernel
133s
Max time network
135s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 524 wrote to memory of 2716 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\madexcept_.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\madexcept_.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.17.178.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-19 19:18
Reported
2024-07-19 19:21
Platform
win7-20240705-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2312 set thread context of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| FR | 213.5.130.58:443 | | tcp |
| FR | 213.5.130.58:443 | | tcp |
| FR | 213.5.130.58:443 | | tcp |
| FR | 213.5.130.58:443 | | tcp |
Files
memory/2312-0-0x00000000742F0000-0x0000000074464000-memory.dmp
memory/2312-1-0x00000000771F0000-0x0000000077399000-memory.dmp
memory/2312-12-0x0000000074302000-0x0000000074304000-memory.dmp
memory/2312-13-0x00000000742F0000-0x0000000074464000-memory.dmp
memory/2312-14-0x00000000742F0000-0x0000000074464000-memory.dmp
memory/2312-22-0x0000000061E00000-0x0000000061ECA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ba3c5cc
| MD5 | ee89543e1bae0212c0db3050557fdf5b |
| SHA1 | fbf03c20f62f7890b2f0d2e1bd6f36da5f353ddc |
| SHA256 | 61aa62303003deeca437005836b2aadca774664ec499f1e57767f9a51cdc03c7 |
| SHA512 | 0535c9ad517ba4814c072d59d2850e75b28b8257a31738d5749d19b77b60424be38cfd72fd96261a3ed25461e383d530046ef8f4f241ceb810d15f8b987199e5 |
memory/616-24-0x00000000742F0000-0x0000000074464000-memory.dmp
memory/2312-23-0x0000000050310000-0x0000000050349000-memory.dmp
memory/2312-21-0x0000000057800000-0x0000000057812000-memory.dmp
memory/2312-20-0x0000000050120000-0x000000005030D000-memory.dmp
memory/2312-19-0x0000000057000000-0x000000005703F000-memory.dmp
memory/2312-18-0x0000000059800000-0x000000005986E000-memory.dmp
memory/2312-17-0x0000000050000000-0x0000000050116000-memory.dmp
memory/2312-16-0x0000000000400000-0x000000000064B000-memory.dmp
memory/616-26-0x00000000771F0000-0x0000000077399000-memory.dmp
memory/616-71-0x00000000742F0000-0x0000000074464000-memory.dmp
memory/616-72-0x00000000742F0000-0x0000000074464000-memory.dmp
memory/616-74-0x00000000742F0000-0x0000000074464000-memory.dmp
memory/1592-75-0x00000000771F0000-0x0000000077399000-memory.dmp
memory/1592-76-0x00000000000C0000-0x0000000000143000-memory.dmp
memory/1592-80-0x00000000000C0000-0x0000000000143000-memory.dmp
memory/1592-82-0x00000000000C0000-0x0000000000143000-memory.dmp
memory/1592-83-0x00000000000C0000-0x0000000000143000-memory.dmp
memory/1592-84-0x00000000000C0000-0x0000000000143000-memory.dmp
memory/1592-85-0x00000000000C0000-0x0000000000143000-memory.dmp
memory/1592-86-0x00000000000C0000-0x0000000000143000-memory.dmp
memory/1592-87-0x00000000000C0000-0x0000000000143000-memory.dmp
memory/1592-88-0x00000000000C0000-0x0000000000143000-memory.dmp
memory/1592-89-0x00000000000C0000-0x0000000000143000-memory.dmp
memory/1592-90-0x00000000000C0000-0x0000000000143000-memory.dmp
memory/1592-91-0x00000000000C0000-0x0000000000143000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-19 19:18
Reported
2024-07-19 19:21
Platform
win7-20240708-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2552 wrote to memory of 2344 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2552 wrote to memory of 2344 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2552 wrote to memory of 2344 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2552 wrote to memory of 2344 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2552 wrote to memory of 2344 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2552 wrote to memory of 2344 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2552 wrote to memory of 2344 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\madbasic_.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\madbasic_.dll,#1
Network
Files
memory/2344-0-0x0000000057000000-0x000000005703F000-memory.dmp
memory/2344-1-0x0000000050000000-0x0000000050116000-memory.dmp
memory/2344-2-0x0000000050120000-0x000000005030D000-memory.dmp