Malware Analysis Report

2024-11-15 10:22

Sample ID 241105-e11x5svgmj
Target e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe
SHA256 e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf
Tags
discovery guloader remcos remotehost collection downloader rat spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview, Signatures
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral4
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf

Threat Level: Known bad

The file e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe was found to be: Known bad.

Malicious Activity Summary

discovery guloader remcos remotehost collection downloader rat spyware stealer

Remcos

Remcos family

Guloader, Cloudeye

Guloader family

NirSoft WebBrowserPassView

NirSoft MailPassView

Detected Nirsoft tools

Reads user/profile data of web browsers

Loads dropped DLL

Accesses Microsoft Outlook accounts

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 04:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 04:25

Reported

2024-11-05 04:27

Platform

win7-20240903-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe"

Signatures

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\kvindagtigt.ini C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe

"C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 528

Network

N/A

Files

C:\Program Files (x86)\Common Files\kvindagtigt.ini

MD5 f298228d2d42ced0a00b0c5320000835
SHA1 fb06f02ddcda4c9ec752a688ee617064db3a49eb
SHA256 e399afe89f97eae7bcdae626913da1618f4f42ba11887217cdbf524720532ab2
SHA512 464da89f9e1d5935810443b20c3d19f77585d964df89f5cb427482a03c8ef6274d06cbc01533d92c691ffd55e1725ba5f427d023a45a5128bced0eee11e083fe

\Users\Admin\AppData\Local\Temp\nsi6143.tmp\System.dll

MD5 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 070ea80e2192abc42f358d47b276990b5fa285a9
SHA256 acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 04:25

Reported

2024-11-05 04:27

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe"

Signatures

Guloader family

guloader

Guloader, Cloudeye

downloader guloader

Remcos

rat remcos

Remcos family

remcos

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\kvindagtigt.ini C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3288 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe
PID 4848 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe
PID 4848 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe
PID 4848 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe

"C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe"

C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe

"C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe"

C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe

C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe /stext "C:\Users\Admin\AppData\Local\Temp\rbdlwbdekaryrkurznvcgebcflu"

C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe

C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe /stext "C:\Users\Admin\AppData\Local\Temp\bdjvxtoxyikdtyqviyqwjjvloseqrho"

C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe

C:\Users\Admin\AppData\Local\Temp\e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf.exe /stext "C:\Users\Admin\AppData\Local\Temp\lxooylyzuqcidfezzjdxuvqcpgwrksejsa"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 212.162.149.38:80 212.162.149.38 tcp
US 8.8.8.8:53 38.149.162.212.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 162.251.122.106:2404 tcp
US 162.251.122.106:2404 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 106.122.251.162.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

C:\Program Files (x86)\Common Files\kvindagtigt.ini

MD5 f298228d2d42ced0a00b0c5320000835
SHA1 fb06f02ddcda4c9ec752a688ee617064db3a49eb
SHA256 e399afe89f97eae7bcdae626913da1618f4f42ba11887217cdbf524720532ab2
SHA512 464da89f9e1d5935810443b20c3d19f77585d964df89f5cb427482a03c8ef6274d06cbc01533d92c691ffd55e1725ba5f427d023a45a5128bced0eee11e083fe

C:\Users\Admin\AppData\Local\Temp\nsg7C07.tmp\System.dll

MD5 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 070ea80e2192abc42f358d47b276990b5fa285a9
SHA256 acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

C:\Users\Admin\AppData\Local\Temp\rbdlwbdekaryrkurznvcgebcflu

MD5 16dfb23eaa7972c59c36fcbc0946093b
SHA1 1e9e3ff83a05131575f67e202d352709205f20f8
SHA256 36c49c94327c8cadcad4c0d2b3a8f5162fc7bb86624923484476c5f7b960bc4c
SHA512 a8b38b5e7bf886b78c5c7f01234b44647a252d4dfbcc06c99b863f8e160e3cfc151b2a83b8b49e09d13e8547419467da4bffbb8dee5fc6740032eb7c839d89dc

C:\ProgramData\remcos\logs.dat

MD5 1f8bb0670a04e9d0a107e652fc5e3349
SHA1 3e7f71f4ca516a8236204dea279552348a554eab
SHA256 1780707ee5b24f87af0f34dac546fb2ebb57b78d6676625eb7b0cff92915b459
SHA512 dbfea78c6e9dddfcec383a789d7cfcaa4ef03e57fd6a38be4de3ed83cc2265f381a2304f669c171791ae1a9d82fdfc5e2008d24d199d625b9569a87c9b91e3c6

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-05 04:25

Reported

2024-11-05 04:27

Platform

win7-20241010-en

Max time kernel

12s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-05 04:25

Reported

2024-11-05 04:27

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3256 wrote to memory of 432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 432 -ip 432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A