Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Windows\System32\loaddll32.exe

loaddll32.exe "C:\Users\user\Desktop\msimg32.dll"

Details

Is windows:	true
Is dropped:	false
PID:	7824
Target ID:	0
Parent PID:	4084
Name:	loaddll32.exe
Path:	C:\Windows\System32\loaddll32.exe
Commandline:	loaddll32.exe "C:\Users\user\Desktop\msimg32.dll"
Size:	126464
MD5:	51E6071F9CBA48E79F10C84515AAE618
Time:	04:36:41
Date:	21/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x500000
Modulesize:	147456
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a DirectInput object (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Installs a raw input device (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7832
Target ID:	1
Parent PID:	7824
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	04:36:41
Date:	21/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6ee680000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\msimg32.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	7884
Target ID:	3
Parent PID:	7824
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\msimg32.dll",#1
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	04:36:41
Date:	21/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa40000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\msimg32.dll,AlphaBlend

Details

Is windows:	true
Is dropped:	false
PID:	7892
Target ID:	4
Parent PID:	7824
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe C:\Users\user\Desktop\msimg32.dll,AlphaBlend
Size:	61440
MD5:	889B99C52A60DD49227C5E485A016679
Time:	04:36:41
Date:	21/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xce0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\msimg32.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	7904
Target ID:	5
Parent PID:	7884
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe "C:\Users\user\Desktop\msimg32.dll",#1
Size:	61440
MD5:	889B99C52A60DD49227C5E485A016679
Time:	04:36:41
Date:	21/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xce0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\msimg32.dll,AppendCaptureDeviceList

Details

Is windows:	true
Is dropped:	false
PID:	7988
Target ID:	6
Parent PID:	7824
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe C:\Users\user\Desktop\msimg32.dll,AppendCaptureDeviceList
Size:	61440
MD5:	889B99C52A60DD49227C5E485A016679
Time:	04:36:45
Date:	21/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xce0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\msimg32.dll,AppendDeviceList

Details

Is windows:	true
Is dropped:	false
PID:	8024
Target ID:	7
Parent PID:	7824
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe C:\Users\user\Desktop\msimg32.dll,AppendDeviceList
Size:	61440
MD5:	889B99C52A60DD49227C5E485A016679
Time:	04:36:48
Date:	21/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xce0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://www.3dmm2.com/doom/

unknown

http://icculus.org/physfs/

unknown

http://icculus.org/physfs/4

unknown

Details

Name:	http://icculus.org/physfs/4
TargetID:	0
From Memory:	true
Current Path:	C:\Windows\System32\loaddll32.exe
Source:	loaddll32.exe, 00000000.00000002.1848030857.00000000647E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1815870196.00000000647E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1817751739.00000000647E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1830346417.00000000647E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1831068963.00000000647E4000.00000002.00000001.01000000.00000003.sdmp, msimg32.dll

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://icculus.org/physfs/T

unknown

Details

Name:	http://icculus.org/physfs/T
TargetID:	0
From Memory:	true
Current Path:	C:\Windows\System32\loaddll32.exe
Source:	loaddll32.exe, 00000000.00000002.1848030857.00000000647E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1815870196.00000000647E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1817751739.00000000647E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1830346417.00000000647E4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1831068963.00000000647E4000.00000002.00000001.01000000.00000003.sdmp, msimg32.dll

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://icculus.org/physfs/t

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

6487A000

unkown

page readonly

4D40000

heap

page read and write

64979000

unkown

page readonly

648A1000

unkown

page write copy

64979000

unkown

page readonly

647E4000

unkown

page readonly

3150000

heap

page read and write

64877000

unkown

page read and write

70C000

stack

page read and write

648A1000

unkown

page write copy

860000

heap

page read and write

64878000

unkown

page write copy

647E4000

unkown

page readonly

648B7000

unkown

page readonly

64979000

unkown

page readonly

6493E000

unkown

page readonly

64877000

unkown

page read and write

6487A000

unkown

page readonly

2D3A000

heap

page read and write

647DA000

unkown

page write copy

648A0000

unkown

page read and write

8BF000

heap

page read and write

64878000

unkown

page write copy

AD0000

heap

page read and write

64871000

unkown

page write copy

64979000

unkown

page readonly

64878000

unkown

page write copy

64877000

unkown

page read and write

6493E000

unkown

page readonly

648B7000

unkown

page readonly

647E4000

unkown

page readonly

648A1000

unkown

page write copy

99E000

stack

page read and write

7D3000

heap

page read and write

7BA000

heap

page read and write

49F0000

heap

page read and write

647E4000

unkown

page readonly

648A0000

unkown

page read and write

4D0000

heap

page read and write

710000

heap

page read and write

645C1000

unkown

page execute read

9CB000

stack

page read and write

47A0000

heap

page read and write

BE3000

heap

page read and write

8A5000

heap

page read and write

64877000

unkown

page read and write

86B000

heap

page read and write

8EE000

stack

page read and write

64871000

unkown

page write copy

6493E000

unkown

page readonly

2DFC000

stack

page read and write

64871000

unkown

page write copy

303B000

stack

page read and write

6493E000

unkown

page readonly

760000

heap

page read and write

645C0000

unkown

page readonly

647E4000

unkown

page readonly

645C1000

unkown

page execute read

C40000

heap

page read and write

648B7000

unkown

page readonly

3AC000

stack

page read and write

A20000

heap

page read and write

648A0000

unkown

page read and write

BC0000

heap

page read and write

8E0000

heap

page read and write

33FF000

stack

page read and write

648A0000

unkown

page read and write

648A0000

unkown

page read and write

9B0000

heap

page read and write

647DA000

unkown

page write copy

645C0000

unkown

page readonly

3EB000

stack

page read and write

BCA000

heap

page read and write

96E000

stack

page read and write

A9F000

stack

page read and write

31D3000

heap

page read and write

33BE000

stack

page read and write

2D53000

heap

page read and write

C00000

heap

page read and write

645C1000

unkown

page execute read

2D30000

heap

page read and write

31BA000

heap

page read and write

3080000

heap

page read and write

648B7000

unkown

page readonly

7B0000

heap

page read and write

6487A000

unkown

page readonly

4E0000

heap

page read and write

730000

heap

page read and write

C30000

heap

page read and write

64871000

unkown

page write copy

64877000

unkown

page read and write

64979000

unkown

page readonly

30B0000

heap

page read and write

645C0000

unkown

page readonly

650000

heap

page read and write

6493E000

unkown

page readonly

2E20000

heap

page read and write

31B0000

heap

page read and write

98C000

stack

page read and write

648A1000

unkown

page write copy

647DA000

unkown

page write copy

7D0000

heap

page read and write

312E000

stack

page read and write

645C1000

unkown

page execute read

7C0000

heap

page read and write

85F000

stack

page read and write

64878000

unkown

page write copy

30A0000

heap

page read and write

62B000

stack

page read and write

75E000

stack

page read and write

648A1000

unkown

page write copy

64871000

unkown

page write copy

645C0000

unkown

page readonly

7B0000

heap

page read and write

92F000

stack

page read and write

2EA0000

heap

page read and write

3470000

heap

page read and write

9AF000

stack

page read and write

645C0000

unkown

page readonly

74B000

stack

page read and write

647DA000

unkown

page write copy

319F000

stack

page read and write

6487A000

unkown

page readonly

647DA000

unkown

page write copy

648B7000

unkown

page readonly

645C1000

unkown

page execute read

64878000

unkown

page write copy

46C000

stack

page read and write

6487A000

unkown

page readonly

86F000

heap

page read and write

There are 120 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
msimg32.dll

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportmsimg32.dll

Processes

URLs

Memdumps

IOC Report
msimg32.dll