Analysis Overview
SHA256
087969229afb71f85e0cc4a0673393a8b07f8a792078ad03c476166959428a4b
Threat Level: Shows suspicious behavior
The file 087969229afb71f85e0cc4a0673393a8b07f8a792078ad03c476166959428a4b was classified as "Shows suspicious behavior".
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
ACProtect 1.3x - 1.4x DLL software
Maps connected drives based on registry
UPX packed file
Enumerates physical storage devices
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:24
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4752 wrote to memory of 3276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4752 wrote to memory of 3276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4752 wrote to memory of 3276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmdProc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmdProc.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win7-20240903-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3024 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3024 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3024 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3024 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3024 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3024 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3024 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmlProc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmlProc.dll,#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 224
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win7-20241010-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 224
Network
Files
memory/2376-0-0x0000000010000000-0x000000001000A000-memory.dmp
memory/2376-1-0x0000000010000000-0x000000001000A000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 636 wrote to memory of 4160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 636 wrote to memory of 4160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 636 wrote to memory of 4160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\md5dll.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4160 -ip 4160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 600
Network
Files
memory/4160-0-0x0000000010000000-0x000000001000A000-memory.dmp
memory/4160-2-0x0000000010000000-0x000000001000A000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win7-20241023-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2836 wrote to memory of 2852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2836 wrote to memory of 2852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2836 wrote to memory of 2852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2836 wrote to memory of 2852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2836 wrote to memory of 2852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2836 wrote to memory of 2852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2836 wrote to memory of 2852 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\Modules\InSes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\Modules\InSes.dll,#1
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2348 wrote to memory of 1156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2348 wrote to memory of 1156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2348 wrote to memory of 1156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2348 wrote to memory of 1156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2348 wrote to memory of 1156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2348 wrote to memory of 1156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2348 wrote to memory of 1156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\7z.dll,#1
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4836 wrote to memory of 2544 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4836 wrote to memory of 2544 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4836 wrote to memory of 2544 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2544 -ip 2544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 572
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win7-20241010-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3040 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 3056 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmdProc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmdProc.dll,#1
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 456 wrote to memory of 4160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 456 wrote to memory of 4160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 456 wrote to memory of 4160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmlProc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmlProc.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\msvcp110.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\msvcp110.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 220
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win10v2004-20241007-en
Max time kernel
97s
Max time network
98s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 112 wrote to memory of 316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 112 wrote to memory of 316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 112 wrote to memory of 316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\msvcr110.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\msvcr110.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 316 -ip 316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 600
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
142s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 448 wrote to memory of 3976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 448 wrote to memory of 3976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 448 wrote to memory of 3976 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UpdHelper.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UpdHelper.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3976 -ip 3976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 692
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win7-20240903-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$_1_\RtHelp.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$_1_\RtHelp.exe
"C:\Users\Admin\AppData\Local\Temp\$_1_\RtHelp.exe"
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
143s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$_1_\RtHelp.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$_1_\RtHelp.exe
"C:\Users\Admin\AppData\Local\Temp\$_1_\RtHelp.exe"
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win7-20241010-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2124 wrote to memory of 2608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2124 wrote to memory of 2608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2124 wrote to memory of 2608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2124 wrote to memory of 2608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2124 wrote to memory of 2608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2124 wrote to memory of 2608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2124 wrote to memory of 2608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\InSes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\InSes.dll,#1
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3476 wrote to memory of 3596 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3476 wrote to memory of 3596 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3476 wrote to memory of 3596 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\InSes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\InSes.dll,#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win7-20241010-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\454CB05C-8CB2-F849-8E0D-7340698E4054\RtHelp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\454CB05C-8CB2-F849-8E0D-7340698E4054\RtHelp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\94A747F9-F733-FC4E-B342-45B4B26B1A80\Runner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\94A747F9-F733-FC4E-B342-45B4B26B1A80\Runner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nszB647.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\94A747F9-F733-FC4E-B342-45B4B26B1A80\Runner.exe | N/A |
Loads dropped DLL
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Users\Admin\AppData\Local\Temp\454CB05C-8CB2-F849-8E0D-7340698E4054\RtHelp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\454CB05C-8CB2-F849-8E0D-7340698E4054\RtHelp.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\94A747F9-F733-FC4E-B342-45B4B26B1A80\Runner.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\94A747F9-F733-FC4E-B342-45B4B26B1A80\Runner.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nszB647.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\94A747F9-F733-FC4E-B342-45B4B26B1A80\Runner.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\087969229afb71f85e0cc4a0673393a8b07f8a792078ad03c476166959428a4b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\454CB05C-8CB2-F849-8E0D-7340698E4054\RtHelp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\454CB05C-8CB2-F849-8E0D-7340698E4054\RtHelp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\94A747F9-F733-FC4E-B342-45B4B26B1A80\Runner.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\087969229afb71f85e0cc4a0673393a8b07f8a792078ad03c476166959428a4b.exe
"C:\Users\Admin\AppData\Local\Temp\087969229afb71f85e0cc4a0673393a8b07f8a792078ad03c476166959428a4b.exe"
C:\Users\Admin\AppData\Local\Temp\454CB05C-8CB2-F849-8E0D-7340698E4054\RtHelp.exe
"C:\Users\Admin\AppData\Local\Temp\454CB05C-8CB2-F849-8E0D-7340698E4054\RtHelp.exe" --InstSupp --Supp 168 --Ver 169
C:\Users\Admin\AppData\Local\Temp\454CB05C-8CB2-F849-8E0D-7340698E4054\RtHelp.exe
"C:\Users\Admin\AppData\Local\Temp\454CB05C-8CB2-F849-8E0D-7340698E4054\RtHelp.exe" --PreCheck 168 --Uid 0043F214072C3A4094712DF128230BED --Ver 169
C:\Windows\system32\taskeng.exe
taskeng.exe {ED732976-C813-4157-B284-9384578E27E6} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:S4U:
C:\Users\Admin\AppData\Local\94A747F9-F733-FC4E-B342-45B4B26B1A80\Runner.exe
C:\Users\Admin\AppData\Local\94A747F9-F733-FC4E-B342-45B4B26B1A80\Runner.exe
C:\Users\Admin\AppData\Local\94A747F9-F733-FC4E-B342-45B4B26B1A80\Runner.exe
"C:\Users\Admin\AppData\Local\94A747F9-F733-FC4E-B342-45B4B26B1A80\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ATgBhAHYAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcADkANABBADcANAA3AEYAOQAtAEYANwAzADMALQBGAEMANABFAC0AQgAzADQAMgAtADQANQBCADQAQgAyADYAQgAxAEEAOAAwAFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 272
C:\Users\Admin\AppData\Local\Temp\nszB647.tmp
"C:\Users\Admin\AppData\Local\Temp\nszB647.tmp" /S _?=C:\Users\Admin\AppData\Local\94A747F9-F733-FC4E-B342-45B4B26B1A80
C:\Users\Admin\AppData\Local\94A747F9-F733-FC4E-B342-45B4B26B1A80\Runner.exe
"C:\Users\Admin\AppData\Local\94A747F9-F733-FC4E-B342-45B4B26B1A80\Runner.exe" --Uninstall
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 5334-debug-plugin.log-machine.net | udp |
| US | 8.8.8.8:53 | browser.id312.soft-cdn.com | udp |
| US | 44.221.84.105:80 | browser.id312.soft-cdn.com | tcp |
| US | 44.221.84.105:80 | browser.id312.soft-cdn.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsoED3D.tmp\System.dll
| MD5 | 3e6bf00b3ac976122f982ae2aadb1c51 |
| SHA1 | caab188f7fdc84d3fdcb2922edeeb5ed576bd31d |
| SHA256 | 4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe |
| SHA512 | 1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706 |
C:\Users\Admin\AppData\Local\Temp\454CB05C-8CB2-F849-8E0D-7340698E4054\RtHelp.exe
| MD5 | 524804c86da18b53fcb2b30bdaa80dff |
| SHA1 | f8d5c3da864a442cb327dbe6fdd6ddd630bd2830 |
| SHA256 | 596139d6377efda71e4d9126035e5f009dfd09242b72ecd9a31103c02d82e9bf |
| SHA512 | bc16d178ec6b7c2907e5d7a30318a4777f25b6cad6bc2dcb6f8226a9d825db07302447cb0ad7a0a1c63a3c04a4bb96b21abc7379c04c8593ff23f5276bafe6c5 |
C:\Users\Admin\AppData\Local\Temp\454CB05C-8CB2-F849-8E0D-7340698E4054\Modules\ManXec.dll
| MD5 | 4a65b708f29e3169fdf27acf670b3ba1 |
| SHA1 | eb5284242f22710d585108a35327944a6ab49786 |
| SHA256 | 97f9a7d0bea9a19b3a87813aa80dc5afe2c25103579b0baaf555d275845afbbc |
| SHA512 | 2cdd16ec4be6b0e8de58f51555bde2ebeb228ff992f56c8e0a502bb70fdadd98ab6d459bb02581050deeff36ee2d2fe22f12bb9a8c3fb91648ccca33d4e3a7cf |
C:\Users\Admin\AppData\Local\Temp\454CB05C-8CB2-F849-8E0D-7340698E4054\MSVCP110.dll
| MD5 | 3e29914113ec4b968ba5eb1f6d194a0a |
| SHA1 | 557b67e372e85eb39989cb53cffd3ef1adabb9fe |
| SHA256 | c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a |
| SHA512 | 75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43 |
C:\Users\Admin\AppData\Local\Temp\454CB05C-8CB2-F849-8E0D-7340698E4054\MSVCR110.dll
| MD5 | 4ba25d2cbe1587a841dcfb8c8c4a6ea6 |
| SHA1 | 52693d4b5e0b55a929099b680348c3932f2c3c62 |
| SHA256 | b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49 |
| SHA512 | 82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6 |
\Users\Admin\AppData\Local\Temp\454CB05C-8CB2-F849-8E0D-7340698E4054\Modules\CmlProc.dll
| MD5 | 382e18b922ff9db6fd868a7d30f4755a |
| SHA1 | be44d626095cdf29b1e1faeca701bba2aac4f947 |
| SHA256 | 014b807f93085b4180117702981e6e56339759704feec96992ab8695e6079ad0 |
| SHA512 | afe3104df8e6323d073027c50519713c13fc1ebf56277225a4dc6becd92f1087c7523b5fdd150bb5ff6fc827692afab2abbd24f60a9fff2a7299d3ac11c6931f |
\Users\Admin\AppData\Local\Temp\454CB05C-8CB2-F849-8E0D-7340698E4054\Modules\InSes.dll
| MD5 | be7743545f785c091ffd235492f12174 |
| SHA1 | 7052bd6c2920b744b190b081cb5ca4eca5789cba |
| SHA256 | 775657c265c9a1ae51049884f09eb39cccbe593949d6c889cb473cc361f15576 |
| SHA512 | c237ee740d5aa3f7b20b5c8df38cc529970a7649c8a7bc0d3bd59a3610c0ffea296f0b764f616e55dd50591713b1f7dc9f6667b6337fd40fec1c034a89835730 |
\Users\Admin\AppData\Local\Temp\nsoED3D.tmp\md5dll.dll
| MD5 | 7059f133ea2316b9e7e39094a52a8c34 |
| SHA1 | ee9f1487c8152d8c42fecf2efb8ed1db68395802 |
| SHA256 | 32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f |
| SHA512 | 9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51 |
memory/2252-77-0x0000000000310000-0x000000000031A000-memory.dmp
memory/2252-75-0x0000000000310000-0x000000000031A000-memory.dmp
memory/2252-71-0x0000000000310000-0x000000000031A000-memory.dmp
memory/2252-66-0x0000000000310000-0x000000000031A000-memory.dmp
memory/2252-78-0x0000000000310000-0x000000000031A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsoED3D.tmp\UpdHelper.dll
| MD5 | 452ce0b8d77359961b7918cbb98a4dba |
| SHA1 | 4d14210d41ac4ee0d3644dbdb35822d6bd28c126 |
| SHA256 | 6e5f58aac49eb4662467f301309fc1b85d588fa71ab281dc8cd57b22850ed7e4 |
| SHA512 | d7300aab2ef365310334ccf7781f9e1d0b38709f3f740ac4267215b1a8bfcf5889ae72a83fa986ea0542622ce348982beaa17b3ee3c10a67e8dab32cb9aa8d7c |
C:\Users\Admin\AppData\Local\94A747F9-F733-FC4E-B342-45B4B26B1A80\Modules\CmdProc.dll
| MD5 | e14e6451afc15dd24ebe40e4a2ac20b4 |
| SHA1 | 505665bfc33c035ec949646a374251e4750a9331 |
| SHA256 | aab10a2a93e4aab741e0b3919378503af08f54b9e8fdf29d3c0bce5585ab2bbb |
| SHA512 | 48bfa23bd0a299d858cabc739cc12108de2ef3c69acf4944e3b72ba4581be00c6edbb9edf3cbae8518ea59074415754928d9b863db388c29df6bda4eedd84e0f |
C:\Users\Admin\AppData\Local\94A747F9-F733-FC4E-B342-45B4B26B1A80\Modules\WblSupp.dll
| MD5 | deda30850741f7c4e2be5e9dc1942e60 |
| SHA1 | 15ef5aac2cc10e9a612b71242a5fb68f707f4e53 |
| SHA256 | 3138311dcbee19a032c76ca0c7174d3ff37e91873f17e18d80fe6c6bd6cdff60 |
| SHA512 | bca086e5b03c5e9deaf4aa35cd3a1b2630d243d5bcb3001498ee077a9ed14d2e506a43f00af0025115a267b9a5fd8be6307300b68530645b9f096f291c365594 |
C:\Users\Admin\AppData\Local\94A747F9-F733-FC4E-B342-45B4B26B1A80\Modules\NavSupp.dll
| MD5 | 1ca77480274d6128af16a97f36fd6d7f |
| SHA1 | ac4ed629cf20d61c75c47f89a74e79c116e7b8b1 |
| SHA256 | 0469799f18dee94b7777333bef55182f4512c976036971ca15f44c32fd436408 |
| SHA512 | dc3fdafe57a6d121d027576e9badf5f22140a0069f5eb1c559f546ba2edef7d737f3f040cf02c7f6697be504dbdf34a2fb13fa350852740539132d46711dfff9 |
C:\Users\Admin\AppData\Local\94A747F9-F733-FC4E-B342-45B4B26B1A80\Modules\7z.dll
| MD5 | 04ad4b80880b32c94be8d0886482c774 |
| SHA1 | 344faf61c3eb76f4a2fb6452e83ed16c9cce73e0 |
| SHA256 | a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338 |
| SHA512 | 3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb |
memory/2252-151-0x0000000000310000-0x000000000031A000-memory.dmp
memory/2252-152-0x0000000000310000-0x000000000031A000-memory.dmp
memory/2252-153-0x0000000000310000-0x000000000031A000-memory.dmp
\Users\Admin\AppData\Local\Temp\nszB647.tmp
| MD5 | ba2d5da1135d9a18801f0fc3e9e9e3af |
| SHA1 | 42a56d26f37bf4698bdcf783a4bf9df97a0745c9 |
| SHA256 | bee22e6101f5e3d28a3e4969c01521d004f64b3101964193cad1dbca86016bbc |
| SHA512 | a343d75fad3ea481e82d3d2ef458cb2b1b1296cf6c295143c066b247331d11650fe107cca5c7e1ad4acfe667c35037f490466a3c2bfcbaaa15c8555c8c42578e |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win10v2004-20241007-en
Max time kernel
90s
Max time network
144s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1080 wrote to memory of 4528 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1080 wrote to memory of 4528 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1080 wrote to memory of 4528 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4528 -ip 4528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win10v2004-20241007-en
Max time kernel
98s
Max time network
142s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3016 wrote to memory of 1368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3016 wrote to memory of 1368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3016 wrote to memory of 1368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\Modules\InSes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\Modules\InSes.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win10v2004-20241007-en
Max time kernel
96s
Max time network
143s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1316 wrote to memory of 1432 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1316 wrote to memory of 1432 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1316 wrote to memory of 1432 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\msvcp110.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\msvcp110.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1432 -ip 1432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 604
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win7-20240903-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1856 wrote to memory of 2252 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1856 wrote to memory of 2252 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1856 wrote to memory of 2252 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1856 wrote to memory of 2252 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1856 wrote to memory of 2252 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1856 wrote to memory of 2252 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1856 wrote to memory of 2252 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\ManXec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\ManXec.dll,#1
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\msvcr110.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\msvcr110.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 220
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1864 wrote to memory of 3204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1864 wrote to memory of 3204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1864 wrote to memory of 3204 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmnUtls.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmnUtls.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3204 -ip 3204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
137s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2284 wrote to memory of 3348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2284 wrote to memory of 3348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2284 wrote to memory of 3348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\ManXec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\ManXec.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67C9687D-6F82-D54D-8108-151A292A6912\RtHelp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67C9687D-6F82-D54D-8108-151A292A6912\RtHelp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DEB937D3-A627-4541-9C05-6DF1E80713F7\Runner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DEB937D3-A627-4541-9C05-6DF1E80713F7\Runner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsa8F96.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DEB937D3-A627-4541-9C05-6DF1E80713F7\Runner.exe | N/A |
Loads dropped DLL
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Users\Admin\AppData\Local\Temp\67C9687D-6F82-D54D-8108-151A292A6912\RtHelp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\67C9687D-6F82-D54D-8108-151A292A6912\RtHelp.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\DEB937D3-A627-4541-9C05-6DF1E80713F7\Runner.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\DEB937D3-A627-4541-9C05-6DF1E80713F7\Runner.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsa8F96.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\DEB937D3-A627-4541-9C05-6DF1E80713F7\Runner.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\087969229afb71f85e0cc4a0673393a8b07f8a792078ad03c476166959428a4b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\67C9687D-6F82-D54D-8108-151A292A6912\RtHelp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\67C9687D-6F82-D54D-8108-151A292A6912\RtHelp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\087969229afb71f85e0cc4a0673393a8b07f8a792078ad03c476166959428a4b.exe
"C:\Users\Admin\AppData\Local\Temp\087969229afb71f85e0cc4a0673393a8b07f8a792078ad03c476166959428a4b.exe"
C:\Users\Admin\AppData\Local\Temp\67C9687D-6F82-D54D-8108-151A292A6912\RtHelp.exe
"C:\Users\Admin\AppData\Local\Temp\67C9687D-6F82-D54D-8108-151A292A6912\RtHelp.exe" --InstSupp --Supp 168 --Ver 169
C:\Users\Admin\AppData\Local\Temp\67C9687D-6F82-D54D-8108-151A292A6912\RtHelp.exe
"C:\Users\Admin\AppData\Local\Temp\67C9687D-6F82-D54D-8108-151A292A6912\RtHelp.exe" --PreCheck 168 --Uid 244C7805C91F7843AE4DDA3C7D6B45FD --Ver 169
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2180 -ip 2180
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 608
C:\Users\Admin\AppData\Local\DEB937D3-A627-4541-9C05-6DF1E80713F7\Runner.exe
C:\Users\Admin\AppData\Local\DEB937D3-A627-4541-9C05-6DF1E80713F7\Runner.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2180 -ip 2180
C:\Users\Admin\AppData\Local\DEB937D3-A627-4541-9C05-6DF1E80713F7\Runner.exe
"C:\Users\Admin\AppData\Local\DEB937D3-A627-4541-9C05-6DF1E80713F7\Runner.exe" --UpNav YgByAG8AdwBzAGUAcgAuAGkAZAAzADEAMgAuAHMAbwBmAHQALQBjAGQAbgAuAGMAbwBtAC8ATgBhAHYAUABrAGcALgBwAGgAcAA/AHAAPQAwACYAcwA9ADUA --DownNav QwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAEQARQBCADkAMwA3AEQAMwAtAEEANgAyADcALQA0ADUANAAxAC0AOQBDADAANQAtADYARABGADEARQA4ADAANwAxADMARgA3AFwAVQBwAGQAYQB0AGUAXABFAHgAdABQAGsAZwAwAA==
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4872 -ip 4872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 540
C:\Users\Admin\AppData\Local\Temp\nsa8F96.tmp
"C:\Users\Admin\AppData\Local\Temp\nsa8F96.tmp" /S _?=C:\Users\Admin\AppData\Local\DEB937D3-A627-4541-9C05-6DF1E80713F7
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5116 -ip 5116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 616
C:\Users\Admin\AppData\Local\DEB937D3-A627-4541-9C05-6DF1E80713F7\Runner.exe
"C:\Users\Admin\AppData\Local\DEB937D3-A627-4541-9C05-6DF1E80713F7\Runner.exe" --Uninstall
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5334-debug-plugin.log-machine.net | udp |
| US | 8.8.8.8:53 | browser.id312.soft-cdn.com | udp |
| US | 44.221.84.105:80 | browser.id312.soft-cdn.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 44.221.84.105:80 | browser.id312.soft-cdn.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsmB1FB.tmp\System.dll
| MD5 | 3e6bf00b3ac976122f982ae2aadb1c51 |
| SHA1 | caab188f7fdc84d3fdcb2922edeeb5ed576bd31d |
| SHA256 | 4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe |
| SHA512 | 1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706 |
C:\Users\Admin\AppData\Local\Temp\67C9687D-6F82-D54D-8108-151A292A6912\RtHelp.exe
| MD5 | 524804c86da18b53fcb2b30bdaa80dff |
| SHA1 | f8d5c3da864a442cb327dbe6fdd6ddd630bd2830 |
| SHA256 | 596139d6377efda71e4d9126035e5f009dfd09242b72ecd9a31103c02d82e9bf |
| SHA512 | bc16d178ec6b7c2907e5d7a30318a4777f25b6cad6bc2dcb6f8226a9d825db07302447cb0ad7a0a1c63a3c04a4bb96b21abc7379c04c8593ff23f5276bafe6c5 |
C:\Users\Admin\AppData\Local\Temp\67C9687D-6F82-D54D-8108-151A292A6912\Modules\ManXec.dll
| MD5 | 4a65b708f29e3169fdf27acf670b3ba1 |
| SHA1 | eb5284242f22710d585108a35327944a6ab49786 |
| SHA256 | 97f9a7d0bea9a19b3a87813aa80dc5afe2c25103579b0baaf555d275845afbbc |
| SHA512 | 2cdd16ec4be6b0e8de58f51555bde2ebeb228ff992f56c8e0a502bb70fdadd98ab6d459bb02581050deeff36ee2d2fe22f12bb9a8c3fb91648ccca33d4e3a7cf |
C:\Users\Admin\AppData\Local\Temp\67C9687D-6F82-D54D-8108-151A292A6912\MSVCP110.dll
| MD5 | 3e29914113ec4b968ba5eb1f6d194a0a |
| SHA1 | 557b67e372e85eb39989cb53cffd3ef1adabb9fe |
| SHA256 | c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a |
| SHA512 | 75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43 |
C:\Users\Admin\AppData\Local\Temp\67C9687D-6F82-D54D-8108-151A292A6912\MSVCR110.dll
| MD5 | 4ba25d2cbe1587a841dcfb8c8c4a6ea6 |
| SHA1 | 52693d4b5e0b55a929099b680348c3932f2c3c62 |
| SHA256 | b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49 |
| SHA512 | 82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6 |
C:\Users\Admin\AppData\Local\Temp\67C9687D-6F82-D54D-8108-151A292A6912\Modules\InSes.dll
| MD5 | be7743545f785c091ffd235492f12174 |
| SHA1 | 7052bd6c2920b744b190b081cb5ca4eca5789cba |
| SHA256 | 775657c265c9a1ae51049884f09eb39cccbe593949d6c889cb473cc361f15576 |
| SHA512 | c237ee740d5aa3f7b20b5c8df38cc529970a7649c8a7bc0d3bd59a3610c0ffea296f0b764f616e55dd50591713b1f7dc9f6667b6337fd40fec1c034a89835730 |
C:\Users\Admin\AppData\Local\Temp\67C9687D-6F82-D54D-8108-151A292A6912\Modules\CmlProc.dll
| MD5 | 382e18b922ff9db6fd868a7d30f4755a |
| SHA1 | be44d626095cdf29b1e1faeca701bba2aac4f947 |
| SHA256 | 014b807f93085b4180117702981e6e56339759704feec96992ab8695e6079ad0 |
| SHA512 | afe3104df8e6323d073027c50519713c13fc1ebf56277225a4dc6becd92f1087c7523b5fdd150bb5ff6fc827692afab2abbd24f60a9fff2a7299d3ac11c6931f |
C:\Users\Admin\AppData\Local\Temp\nsmB1FB.tmp\md5dll.dll
| MD5 | 7059f133ea2316b9e7e39094a52a8c34 |
| SHA1 | ee9f1487c8152d8c42fecf2efb8ed1db68395802 |
| SHA256 | 32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f |
| SHA512 | 9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51 |
memory/2180-119-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-118-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-117-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-116-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-115-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-114-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-113-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-112-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-95-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-92-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-88-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-46-0x0000000002330000-0x000000000233A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsmB1FB.tmp\UpdHelper.dll
| MD5 | 452ce0b8d77359961b7918cbb98a4dba |
| SHA1 | 4d14210d41ac4ee0d3644dbdb35822d6bd28c126 |
| SHA256 | 6e5f58aac49eb4662467f301309fc1b85d588fa71ab281dc8cd57b22850ed7e4 |
| SHA512 | d7300aab2ef365310334ccf7781f9e1d0b38709f3f740ac4267215b1a8bfcf5889ae72a83fa986ea0542622ce348982beaa17b3ee3c10a67e8dab32cb9aa8d7c |
C:\Users\Admin\AppData\Local\DEB937D3-A627-4541-9C05-6DF1E80713F7\Modules\CmdProc.dll
| MD5 | e14e6451afc15dd24ebe40e4a2ac20b4 |
| SHA1 | 505665bfc33c035ec949646a374251e4750a9331 |
| SHA256 | aab10a2a93e4aab741e0b3919378503af08f54b9e8fdf29d3c0bce5585ab2bbb |
| SHA512 | 48bfa23bd0a299d858cabc739cc12108de2ef3c69acf4944e3b72ba4581be00c6edbb9edf3cbae8518ea59074415754928d9b863db388c29df6bda4eedd84e0f |
C:\Users\Admin\AppData\Local\DEB937D3-A627-4541-9C05-6DF1E80713F7\Modules\WblSupp.dll
| MD5 | deda30850741f7c4e2be5e9dc1942e60 |
| SHA1 | 15ef5aac2cc10e9a612b71242a5fb68f707f4e53 |
| SHA256 | 3138311dcbee19a032c76ca0c7174d3ff37e91873f17e18d80fe6c6bd6cdff60 |
| SHA512 | bca086e5b03c5e9deaf4aa35cd3a1b2630d243d5bcb3001498ee077a9ed14d2e506a43f00af0025115a267b9a5fd8be6307300b68530645b9f096f291c365594 |
C:\Users\Admin\AppData\Local\DEB937D3-A627-4541-9C05-6DF1E80713F7\Modules\NavSupp.dll
| MD5 | 1ca77480274d6128af16a97f36fd6d7f |
| SHA1 | ac4ed629cf20d61c75c47f89a74e79c116e7b8b1 |
| SHA256 | 0469799f18dee94b7777333bef55182f4512c976036971ca15f44c32fd436408 |
| SHA512 | dc3fdafe57a6d121d027576e9badf5f22140a0069f5eb1c559f546ba2edef7d737f3f040cf02c7f6697be504dbdf34a2fb13fa350852740539132d46711dfff9 |
memory/2180-170-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-171-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-172-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-173-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-174-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-175-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-176-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-177-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-182-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-181-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-180-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-179-0x0000000002330000-0x000000000233A000-memory.dmp
memory/2180-178-0x0000000002330000-0x000000000233A000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UpdHelper.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UpdHelper.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 308
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win7-20241010-en
Max time kernel
65s
Max time network
19s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2476 wrote to memory of 3064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\Modules\CmlProc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\Modules\CmlProc.dll,#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5008 wrote to memory of 1496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\Modules\CmlProc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\Modules\CmlProc.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win10v2004-20241007-en
Max time kernel
96s
Max time network
139s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1656 wrote to memory of 4584 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\Modules\ManXec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\Modules\ManXec.dll,#1
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1552 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\Modules\ManXec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_1_\Modules\ManXec.dll,#1
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-09 19:24
Reported
2024-11-09 19:26
Platform
win7-20241023-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmnUtls.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Modules\CmnUtls.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 232