Malware Analysis Report

2025-06-16 06:37

Sample ID 240825-l658daydmf
Target Grand_Theft_Auto_VI.zip
SHA256 cffa4eb314b127eb8818700e7b431cb723d9ef334c26f3013057ef4742723ac5
Tags
execution discovery
score
8/10

Analysis Overview

score
8/10

SHA256

cffa4eb314b127eb8818700e7b431cb723d9ef334c26f3013057ef4742723ac5

Threat Level: Likely malicious

The file Grand_Theft_Auto_VI.zip was found to be: Likely malicious.

Malicious Activity Summary

execution discovery

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-08-25 10:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-25 10:09

Reported

2024-08-25 10:28

Platform

win11-20240802-en

Max time kernel

438s

Max time network

459s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe

"C:\Users\Admin\AppData\Local\Temp\[Open Beta] Grand_Theft_Auto_VI.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;"

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

memory/2440-0-0x00007FFE03153000-0x00007FFE03155000-memory.dmp

memory/2440-1-0x0000000000240000-0x000000000029E000-memory.dmp

memory/2440-2-0x000000001B200000-0x000000001B31C000-memory.dmp

memory/2440-3-0x00007FFE03150000-0x00007FFE03C12000-memory.dmp

memory/2440-4-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

memory/2440-5-0x000000001AF90000-0x000000001AFA2000-memory.dmp

memory/2440-6-0x00007FFE03150000-0x00007FFE03C12000-memory.dmp

memory/2440-7-0x000000001BF50000-0x000000001BF82000-memory.dmp

memory/2440-8-0x000000001BF10000-0x000000001BF20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xur0fdg4.tgu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1952-28-0x00007FFE03150000-0x00007FFE03C12000-memory.dmp

memory/1952-27-0x000002548E4A0000-0x000002548E4C2000-memory.dmp

memory/1952-29-0x00000254A6850000-0x00000254A687A000-memory.dmp

memory/1952-30-0x00000254A6850000-0x00000254A6874000-memory.dmp

memory/1952-31-0x00007FFE03150000-0x00007FFE03C12000-memory.dmp

memory/1952-32-0x00007FFE03150000-0x00007FFE03C12000-memory.dmp

memory/1952-35-0x00007FFE03150000-0x00007FFE03C12000-memory.dmp

memory/2440-36-0x0000000020890000-0x00000000208C8000-memory.dmp

memory/2440-37-0x000000001DF60000-0x000000001DF6E000-memory.dmp

memory/2440-39-0x0000000020C60000-0x0000000020C68000-memory.dmp

memory/2440-38-0x000000001DFA0000-0x000000001DFA8000-memory.dmp

memory/2440-40-0x00007FFE03150000-0x00007FFE03C12000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-25 10:09

Reported

2024-08-25 10:28

Platform

win11-20240802-en

Max time kernel

447s

Max time network

489s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wdmode.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wdmode.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\wdmode.exe

"C:\Users\Admin\AppData\Local\Temp\wdmode.exe"

Network

Country Destination Domain Proto
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 52.111.227.13:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 10:09

Reported

2024-08-25 10:24

Platform

win11-20240802-en

Max time kernel

413s

Max time network

415s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Hardcodet.Wpf.TaskbarNotification.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Hardcodet.Wpf.TaskbarNotification.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-25 10:09

Reported

2024-08-25 10:24

Platform

win11-20240802-en

Max time kernel

430s

Max time network

432s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Languages\Tatauro.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Languages\Tatauro.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 200.64.52.20.in-addr.arpa udp

Files

memory/664-0-0x00007FFEE7F43000-0x00007FFEE7F45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uvomhixv.sz2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/664-9-0x0000027C5BBF0000-0x0000027C5BC12000-memory.dmp

memory/664-10-0x00007FFEE7F40000-0x00007FFEE8A02000-memory.dmp

memory/664-11-0x00007FFEE7F40000-0x00007FFEE8A02000-memory.dmp

memory/664-12-0x00007FFEE7F40000-0x00007FFEE8A02000-memory.dmp

memory/664-15-0x00007FFEE7F40000-0x00007FFEE8A02000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-25 10:09

Reported

2024-08-25 10:25

Platform

win11-20240802-en

Max time kernel

447s

Max time network

448s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MahApps.Metro.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MahApps.Metro.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-25 10:09

Reported

2024-08-25 10:25

Platform

win11-20240802-en

Max time kernel

435s

Max time network

437s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.WindowsAPICodePack.Shell.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.WindowsAPICodePack.Shell.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-25 10:09

Reported

2024-08-25 10:27

Platform

win11-20240802-en

Max time kernel

439s

Max time network

441s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.WindowsAPICodePack.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.WindowsAPICodePack.dll,#1

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-25 10:09

Reported

2024-08-25 10:28

Platform

win11-20240802-en

Max time kernel

437s

Max time network

439s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\System.Windows.Interactivity.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\System.Windows.Interactivity.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 10:09

Reported

2024-08-25 10:22

Platform

win11-20240802-en

Max time kernel

439s

Max time network

442s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ControlzEx.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ControlzEx.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-25 10:09

Reported

2024-08-25 10:24

Platform

win11-20240802-en

Max time kernel

430s

Max time network

432s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Languages\Hunsabi.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Languages\Hunsabi.ps1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

memory/2776-0-0x00007FFB7D873000-0x00007FFB7D875000-memory.dmp

memory/2776-1-0x000002116F5D0000-0x000002116F5F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fugw21hz.jih.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2776-10-0x00007FFB7D870000-0x00007FFB7E332000-memory.dmp

memory/2776-11-0x00007FFB7D870000-0x00007FFB7E332000-memory.dmp

memory/2776-12-0x00007FFB7D870000-0x00007FFB7E332000-memory.dmp

memory/2776-15-0x00007FFB7D870000-0x00007FFB7E332000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-25 10:09

Reported

2024-08-25 10:28

Platform

win11-20240802-en

Max time kernel

433s

Max time network

435s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\YLLibs.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\YLLibs.dll,#1

Network

Country Destination Domain Proto
IE 52.111.236.22:443 tcp

Files

N/A