Analysis Overview
SHA256
1128b81c3594f37f526d03bf96e6a604b0771dc0972b20ddab1a8eecbf002990
Threat Level: Known bad
The file 01072025_0620_26062025_JUSTIFICANTE DE PAGO.rar was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
VIPKeylogger
Guloader family
Vipkeylogger family
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-01 06:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-01 06:20
Reported
2025-07-01 06:25
Platform
win10v2004-20250619-en
Max time kernel
159s
Max time network
289s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
VIPKeylogger
Vipkeylogger family
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | checkip.dyndns.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\expired\fortjet.ini | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 224 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe |
| PID 224 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe |
| PID 224 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe |
| PID 224 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe |
| PID 224 wrote to memory of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe |
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | "C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe" |
| C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | "C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1568 -ip 1568 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 2272 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.179.227:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.187.193:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nse5EAB.tmp\System.dll
| MD5 | 9625d5b1754bc4ff29281d415d27a0fd |
| SHA1 | 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0 |
| SHA256 | c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448 |
| SHA512 | dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b |
C:\Users\Admin\AppData\Local\Temp\nse5EAB.tmp\LangDLL.dll
| MD5 | 30b091668111ab1d6c19f16586a9eee5 |
| SHA1 | aea49d81cf9972eaf1604793c04d13ddffe2c475 |
| SHA256 | 331ca4b3a311324b463167ec43851146e57a2d90500ac3fd57a7683f6b777ffb |
| SHA512 | 6dd592af085b2e28c54d7f525916112dbf5cfe134393b0b97f8f1f64739cf90962273c51f02e8ce2c623cf6aa8355eacda5db0b0256d8f05a77ccf0f99d11648 |
memory/224-41-0x0000000004040000-0x0000000005AF3000-memory.dmp
memory/224-42-0x0000000004040000-0x0000000005AF3000-memory.dmp
memory/224-43-0x0000000010004000-0x0000000010005000-memory.dmp
memory/224-44-0x0000000004040000-0x0000000005AF3000-memory.dmp
memory/1568-45-0x0000000001730000-0x00000000031E3000-memory.dmp
memory/1568-46-0x0000000077B98000-0x0000000077B99000-memory.dmp
memory/1568-47-0x0000000077C39000-0x0000000077C3A000-memory.dmp
memory/1568-57-0x00000000004D0000-0x0000000001724000-memory.dmp
memory/1568-58-0x00000000004D0000-0x000000000051A000-memory.dmp
memory/1568-59-0x0000000035DD0000-0x0000000036374000-memory.dmp
memory/1568-60-0x0000000035BF0000-0x0000000035C8C000-memory.dmp
memory/1568-62-0x0000000001730000-0x00000000031E3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-01 06:20
Reported
2025-07-01 06:25
Platform
win11-20250619-en
Max time kernel
101s
Max time network
212s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\expired\fortjet.ini | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3668 wrote to memory of 4640 | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe |
| PID 3668 wrote to memory of 4640 | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe |
| PID 3668 wrote to memory of 4640 | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe |
| PID 3668 wrote to memory of 4640 | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe |
| PID 3668 wrote to memory of 4640 | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe |
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | "C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe" |
| C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe | "C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4640 -ip 4640 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 440 |
Network
Files
C:\Users\Admin\AppData\Local\Temp\nsy687F.tmp\System.dll
| MD5 | 9625d5b1754bc4ff29281d415d27a0fd |
| SHA1 | 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0 |
| SHA256 | c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448 |
| SHA512 | dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b |
C:\Users\Admin\AppData\Local\Temp\nsy687F.tmp\LangDLL.dll
| MD5 | 30b091668111ab1d6c19f16586a9eee5 |
| SHA1 | aea49d81cf9972eaf1604793c04d13ddffe2c475 |
| SHA256 | 331ca4b3a311324b463167ec43851146e57a2d90500ac3fd57a7683f6b777ffb |
| SHA512 | 6dd592af085b2e28c54d7f525916112dbf5cfe134393b0b97f8f1f64739cf90962273c51f02e8ce2c623cf6aa8355eacda5db0b0256d8f05a77ccf0f99d11648 |
memory/3668-41-0x00000000042D0000-0x0000000005D83000-memory.dmp
memory/3668-42-0x00000000042D0000-0x0000000005D83000-memory.dmp
memory/3668-43-0x0000000010004000-0x0000000010005000-memory.dmp
memory/3668-44-0x00000000042D0000-0x0000000005D83000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2025-07-01 06:20
Reported
2025-07-01 06:25
Platform
win10v2004-20250619-en
Max time kernel
104s
Max time network
213s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5032 wrote to memory of 2384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5032 wrote to memory of 2384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5032 wrote to memory of 2384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
| Process | Command line |
|---|---|
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2384 -ip 2384 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 600 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2025-07-01 06:20
Reported
2025-07-01 06:25
Platform
win11-20250619-en
Max time kernel
100s
Max time network
211s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2636 wrote to memory of 5768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2636 wrote to memory of 5768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2636 wrote to memory of 5768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
| Process | Command line |
|---|---|
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5768 -ip 5768 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 448 |
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2025-07-01 06:20
Reported
2025-07-01 06:25
Platform
win10v2004-20250610-en
Max time kernel
104s
Max time network
213s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5724 wrote to memory of 1888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5724 wrote to memory of 1888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5724 wrote to memory of 1888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
| Process | Command line |
|---|---|
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1888 -ip 1888 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 612 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2025-07-01 06:20
Reported
2025-07-01 06:25
Platform
win11-20250619-en
Max time kernel
223s
Max time network
290s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4916 wrote to memory of 1564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4916 wrote to memory of 1564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4916 wrote to memory of 1564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
| Process | Command line |
|---|---|
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1564 -ip 1564 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 460 |