IOC Report
8TuwlFKxC5.dll

Processes

Path

Cmdline

Malicious

C:\Windows\System32\loaddll32.exe

loaddll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll"

Details

Is windows:	true
Is dropped:	false
PID:	5688
Target ID:	0
Parent PID:	1028
Name:	loaddll32.exe
Path:	C:\Windows\System32\loaddll32.exe
Commandline:	loaddll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll"
Size:	126464
MD5:	51E6071F9CBA48E79F10C84515AAE618
Time:	03:48:01
Date:	25/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x450000
Modulesize:	147456
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Potential WinAPI Calls Via CommandLine	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\8TuwlFKxC5.dll,FreeLibraryMemoryAndExitThread

Details

Is windows:	true
Is dropped:	false
PID:	1520
Target ID:	3
Parent PID:	5688
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe C:\Users\user\Desktop\8TuwlFKxC5.dll,FreeLibraryMemoryAndExitThread
Size:	61440
MD5:	889B99C52A60DD49227C5E485A016679
Time:	03:48:01
Date:	25/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x4c0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Potential WinAPI Calls Via CommandLine	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	4592
Target ID:	4
Parent PID:	5908
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",#1
Size:	61440
MD5:	889B99C52A60DD49227C5E485A016679
Time:	03:48:01
Date:	25/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x4c0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Potential WinAPI Calls Via CommandLine	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\8TuwlFKxC5.dll,NtUnloadDllMemoryAndExitThread

Details

Is windows:	true
Is dropped:	false
PID:	432
Target ID:	6
Parent PID:	5688
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe C:\Users\user\Desktop\8TuwlFKxC5.dll,NtUnloadDllMemoryAndExitThread
Size:	61440
MD5:	889B99C52A60DD49227C5E485A016679
Time:	03:48:04
Date:	25/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x4c0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Potential WinAPI Calls Via CommandLine	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",FreeLibraryMemoryAndExitThread

Details

Is windows:	true
Is dropped:	false
PID:	4564
Target ID:	7
Parent PID:	5688
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",FreeLibraryMemoryAndExitThread
Size:	61440
MD5:	889B99C52A60DD49227C5E485A016679
Time:	03:48:13
Date:	25/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x4c0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Potential WinAPI Calls Via CommandLine	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",NtUnloadDllMemoryAndExitThread

Details

Is windows:	true
Is dropped:	false
PID:	5356
Target ID:	8
Parent PID:	5688
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",NtUnloadDllMemoryAndExitThread
Size:	61440
MD5:	889B99C52A60DD49227C5E485A016679
Time:	03:48:13
Date:	25/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x4c0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Potential WinAPI Calls Via CommandLine	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7104
Target ID:	1
Parent PID:	5688
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	03:48:01
Date:	25/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	5908
Target ID:	2
Parent PID:	5688
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8TuwlFKxC5.dll",#1
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	03:48:01
Date:	25/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x790000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

2920000

heap

page read and write

3400000

heap

page read and write

4E00000

heap

page read and write

6E0DB000

unkown

page readonly

6E0B1000

unkown

page execute read

327C000

stack

page read and write

320F000

heap

page read and write

6E0B0000

unkown

page readonly

2F3B000

stack

page read and write

30D0000

heap

page read and write

AB0000

heap

page read and write

4D60000

heap

page read and write

6E0DB000

unkown

page readonly

3270000

heap

page read and write

340A000

heap

page read and write

303B000

stack

page read and write

6E0E5000

unkown

page write copy

6E0B1000

unkown

page execute read

33D0000

heap

page read and write

3100000

heap

page read and write

2660000

heap

page read and write

5D0000

heap

page read and write

6E0EC000

unkown

page readonly

32D0000

heap

page read and write

2CA0000

heap

page read and write

35BA000

heap

page read and write

8FC000

stack

page read and write

6E0DB000

unkown

page readonly

6E0B1000

unkown

page execute read

3450000

heap

page read and write

303C000

stack

page read and write

5E0000

heap

page read and write

30D0000

heap

page read and write

6E0B0000

unkown

page readonly

31FA000

heap

page read and write

2DFB000

stack

page read and write

2A1A000

heap

page read and write

30E0000

heap

page read and write

36B0000

heap

page read and write

6E0EC000

unkown

page readonly

ABF000

heap

page read and write

25DC000

stack

page read and write

2FF0000

heap

page read and write

97E000

stack

page read and write

33B0000

heap

page read and write

6E0DB000

unkown

page readonly

DAF000

stack

page read and write

32E0000

heap

page read and write

6E0B0000

unkown

page readonly

6E0DB000

unkown

page readonly

31F0000

heap

page read and write

6E0B1000

unkown

page execute read

3880000

heap

page read and write

4C50000

heap

page read and write

ABB000

heap

page read and write

56C000

stack

page read and write

CAF000

stack

page read and write

6E0E5000

unkown

page write copy

6E0EC000

unkown

page readonly

2F7C000

stack

page read and write

93E000

stack

page read and write

6E0E8000

unkown

page read and write

323B000

stack

page read and write

2FE0000

heap

page read and write

30B0000

heap

page read and write

4F50000

heap

page read and write

6E0B0000

unkown

page readonly

ACD000

heap

page read and write

6E0E5000

unkown

page write copy

6E0B1000

unkown

page execute read

6E0E8000

unkown

page read and write

2970000

heap

page read and write

307C000

stack

page read and write

30A0000

heap

page read and write

6E0E8000

unkown

page read and write

327A000

heap

page read and write

6E0EC000

unkown

page readonly

980000

heap

page read and write

6E0E8000

unkown

page read and write

6E0B0000

unkown

page readonly

6E0E8000

unkown

page read and write

6E0EC000

unkown

page readonly

35B0000

heap

page read and write

6E0E5000

unkown

page write copy

4470000

heap

page read and write

259B000

stack

page read and write

AC7000

heap

page read and write

2840000

heap

page read and write

2A10000

heap

page read and write

3140000

heap

page read and write

AD4000

heap

page read and write

6E0E5000

unkown

page write copy

There are 82 hidden memdumps, click here to show them.