Overview
overview
10Static
static
029b714502...39.dll
windows10_x64
10061dfb6a25...52.dll
windows10_x64
1006d55f75d7...d2.dll
windows10_x64
1024401ac43b...65.dll
windows10_x64
3260e2d5769...40.dll
windows10_x64
1026cd036960...18.dll
windows10_x64
102a0a88a2e5...4a.dll
windows10_x64
32f33217d51...94.dll
windows10_x64
10336cdd146b...da.dll
windows10_x64
10417c1828d9...73.dll
windows10_x64
104d3095c796...ee.dll
windows10_x64
1054e526fe05...4c.dll
windows10_x64
16402b33d72...3b.dll
windows10_x64
1064c044cb3e...db.dll
windows10_x64
10671f477c30...4e.dll
windows10_x64
1067785724b6...ce.dll
windows10_x64
36c6934613a...fb.dll
windows10_x64
106f63742c25...fd.dll
windows10_x64
10813a9b03c6...48.dll
windows10_x64
10839ac59a78...e3.dll
windows10_x64
1085d0b72fe8...39.dll
windows10_x64
10a34cb4049e...c4.dll
windows10_x64
10a55c19c552...60.dll
windows10_x64
10a98e988f03...48.dll
windows10_x64
10acc31f97c3...27.dll
windows10_x64
10b194eec1e5...c7.dll
windows10_x64
10bac73f9cce...00.dll
windows10_x64
10c5d2f0da18...0c.dll
windows10_x64
10d559ee0a26...7e.dll
windows10_x64
1db5276c0d5...79.dll
windows10_x64
10e5efde9740...15.dll
windows10_x64
10fe028e6f99...1c.dll
windows10_x64
10Resubmissions
01-11-2021 12:31
211101-pp5r3ahha4 1031-10-2021 09:03
211031-k1bwxacfaq 1014-10-2021 01:44
211014-b6aflafeg4 10Analysis
-
max time kernel
3875s -
max time network
3890s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
31-10-2021 09:03
Static task
static1
Behavioral task
behavioral1
Sample
029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral2
Sample
061dfb6a251e536f700a295239652dafab34aee5e5145320d1d57e3fca5e5d52.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral3
Sample
06d55f75d7c76d6924c0b8439fa3cda28b89284204a6db982e4baf3a37fb35d2.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral4
Sample
24401ac43b6dbb7048cb27425b4f0f76a9b20b6b4fffa33ff8091c3c11ef8365.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral5
Sample
260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral6
Sample
26cd03696045fb93b415b022fa6bc832098394bf362f4b4c4e897e9550d12618.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral7
Sample
2a0a88a2e5f9cafa10a48d63bdfcdf965b72c25978ab46cf28e795dbedc9624a.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral8
Sample
2f33217d51117cf3d6c6ed3ab50724964367fc7a85e1bb1dc87d241b8d953894.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral9
Sample
336cdd146beca939c6d1e3e3c00cc10ec2d6e859a18d350bff937ad5194c27da.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral10
Sample
417c1828d98ba4f05f7a2edb71a9105f0aebf3d554393970b96e59d4db7b4473.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral11
Sample
4d3095c7965c7bdd32b81b72c95f767134915cf08ebe1237721ed5208de4beee.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral12
Sample
54e526fe059a3f25cdaed954e32f44eadffb3e51548658409468dcf2d63b634c.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral13
Sample
6402b33d729c8bb44881747a8f397f4aec408bf5e18b9af6fd86cdfa3f96323b.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral14
Sample
64c044cb3ec26babdd17107b2aa6ded60b22473c4e2943e1fcc03df8bc2e0edb.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral15
Sample
671f477c3039786c5f3553760377be03b91bfb66f31ba9370ed2193192cf5b4e.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral16
Sample
67785724b67ecd79b7cd4c64a249794b9abda8b680fe52a0ce85bb83ddfb6cce.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral17
Sample
6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral18
Sample
6f63742c25fd3a2dae5995f182254c253003066488ef86e754f661e8ba1d76fd.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral19
Sample
813a9b03c6c1caec4eca8a867dcfbda7860bca6a5d481acb4c131c1a868d4b48.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral20
Sample
839ac59a78a0f2c446edb3cccbaf0bc5781605a1f848878f9e96cd5e0e425fe3.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral21
Sample
85d0b72fe822fd6c22827b4da1917d2c1f2d9faa838e003e78e533384ea80939.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral22
Sample
a34cb4049eb43d455d8619607cc6e1a8c380e9d8507306e9c5bc17eaed6459c4.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral23
Sample
a55c19c552f579041ad7289aceeb400da215fe29aedbf0c14e8a66be1bee8360.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral24
Sample
a98e988f03fd5be37c66878017a3dcd741adf75bf1df1ed6dde2c15ee213bb48.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral25
Sample
acc31f97c3124a317f2939944777e103311f4b0c51788d2e562c24a08e2afe27.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral26
Sample
b194eec1e599feeadfd463b06727e8b3c73a72a4c20017e5cfaf89fbf6d365c7.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral27
Sample
bac73f9ccebf93009a6037145a9c71a2e8b916956f6a7e6a4f4b53b4b50b7a00.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral28
Sample
c5d2f0da18fb33a25b53fd8b9b98f0bfa95458e3c0feb687852f469167a0110c.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral29
Sample
d559ee0a26fa500cd57fac25d58ba4319a794f329c8711e89afac3c281f9dd7e.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral30
Sample
db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral31
Sample
e5efde974017a12a573548f12b5473887601c897e8660eb57803c18523f72815.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral32
Sample
fe028e6f99a02a016643a2db14534fa977a78f45b36ff9db5b60e7e709f5541c.dll
Resource
win10-en-20211014
windows10_x64
General
-
Target
260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll
-
Size
1.0MB
-
MD5
10c150a949585ba3603cce27707331f0
-
SHA1
9eeb1747902951835245545b7b3b1e6408c708c2
-
SHA256
260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840
-
SHA512
668ea267488635b88ef6a929501f8f6b34a02ccb2fa01a311caf89f5c683f0dd6877d8714ddf8b6b24e7a447c40f2cf5c42698638a52ff7b27e6c47ce4f4578b
Malware Config
Extracted
qakbot
402.363
tr
1633334141
75.75.179.226:443
185.250.148.74:443
122.11.220.212:2222
120.150.218.241:995
103.148.120.144:443
140.82.49.12:443
40.131.140.155:995
206.47.134.234:2222
73.230.205.91:443
190.198.206.189:2222
103.157.122.198:995
81.250.153.227:2222
167.248.100.227:443
96.57.188.174:2078
217.17.56.163:2222
217.17.56.163:2078
41.228.22.180:443
136.232.34.70:443
68.186.192.69:443
167.248.111.245:443
81.241.252.59:2078
94.200.181.154:443
47.22.148.6:443
208.89.170.179:443
73.77.87.137:443
96.46.103.226:443
187.116.124.82:995
73.130.180.25:443
73.52.50.32:443
120.151.47.189:443
109.12.111.14:443
216.201.162.158:443
73.25.124.140:2222
181.118.183.94:443
174.54.58.170:443
24.152.219.253:995
124.123.42.115:2222
76.25.142.196:443
45.46.53.140:2222
37.210.152.224:995
173.21.10.71:2222
68.13.157.69:0
75.89.195.186:995
67.165.206.193:993
71.74.12.34:443
24.119.214.7:443
75.66.88.33:443
73.151.236.31:443
89.101.97.139:443
159.2.51.200:2222
78.191.36.142:995
75.188.35.168:443
95.77.223.148:443
105.198.236.99:443
110.174.64.179:995
47.40.196.233:2222
201.93.111.2:995
187.56.71.109:995
187.101.25.96:32100
174.54.193.186:443
86.8.177.143:443
76.84.230.103:443
174.59.35.191:443
173.63.245.129:443
24.139.72.117:443
72.252.201.69:443
68.117.229.117:443
167.248.117.81:443
75.163.81.130:995
76.84.32.159:443
147.92.51.49:443
167.248.99.149:443
68.204.7.158:443
76.84.226.17:443
68.13.157.69:443
167.248.126.223:443
69.30.186.190:443
72.196.22.184:443
167.248.23.224:443
98.22.92.139:995
209.50.20.255:443
97.98.130.50:443
196.117.75.181:995
77.57.204.78:443
191.191.38.8:443
176.251.215.116:443
96.46.103.109:2222
188.210.210.122:443
37.117.191.19:2222
90.197.155.33:443
197.90.137.161:61201
70.37.217.196:443
24.32.174.175:443
76.84.225.21:443
78.145.153.73:995
69.30.190.105:995
167.248.81.60:443
69.80.113.148:443
2.99.100.134:2222
217.17.56.163:443
39.52.236.68:995
71.190.231.182:443
62.23.194.38:443
62.23.194.41:995
173.25.166.81:443
199.27.127.129:443
24.229.150.54:995
189.210.115.207:443
174.59.226.6:443
73.130.237.36:443
69.253.197.100:443
174.59.242.9:443
177.130.82.197:2222
67.214.30.12:995
24.55.112.61:443
174.59.120.69:443
47.181.84.61:443
73.130.239.166:443
217.165.163.21:995
93.8.66.216:443
73.52.114.202:443
186.18.205.199:995
38.10.202.214:443
78.191.44.76:443
96.83.180.29:443
124.123.42.115:2078
105.159.144.186:995
27.223.92.142:995
109.190.253.11:2222
217.17.56.163:465
38.10.201.211:443
92.148.59.207:2222
92.157.171.41:2222
186.87.135.68:995
80.6.192.58:443
187.156.138.172:443
82.77.137.101:995
173.234.155.233:443
5.238.148.193:61202
182.176.112.182:443
96.37.113.36:993
162.244.227.34:443
92.59.35.196:2222
196.218.227.241:995
68.207.102.78:443
2.188.27.77:443
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 608 regsvr32.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat explorer.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 explorer.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE explorer.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies explorer.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 explorer.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\t4[1] explorer.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3948 schtasks.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154b93a0d2d755e97afb8e7a8dd85b312639a89833586a82ee61e84b8ec7f5a4d8d99e4955e5fc21a088984a0e34da1a8ec3a92b01bf9057d66763426ea03f78b260c7e504a32f7fa3aa9e4792b2e662ac6666b7c49b0ded2c2c027795d11be32b33357b5cf343a09d0bbacfa2bb2e7c77 explorer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" explorer.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154b93a0d2d755e97afb8e7a8dd85b302634a69833586a82ee61e84b8ec7f5a5d6de944955e5fc21a088984a0e34da1a8ec3a92b01bf9057d66763426ea03f78b260c7e504a32f7fa3aa9e4792b2e662ac6666b7c49b0ded2c2c027795d11be32b33357b5cf343a09d0bbacfa2bb2e7c77 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154b93a0d2d755e97afb8e7a8dd85b312639a89833586a82ee61e84b8ec7f5a3d0d89d4955e5fc21a088984a0e34da1a8ec3a92b01bf9057d66763426ea03f78b260c7e504a32f7fa3aa9e4792b2e662ac6666b7c49b0ded2c2c027795d11be32b33357b5cf343a09d0bbacfa2bb2e7c77 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\7c78058b = 262c9e0b14822d5b645fc726f67a9fc33bdc61d6ae37cc22e02fff130a93700130f1 explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154b93a0d2d755e97afb8e7a8dd85b302b3aa59833586a82ee61e84b8ec7f5a5d4df994955e5fc21a088984a0e34da1a8ec3a92b01bf9057d66763426ea03f78b260c7e504a32f7fa3aa9e4792b2e662ac6666b7c49b0ded2c2c027795d11be32b33357b5cf343a09d0bbacfa2bb2e7c77 explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154293a0d2d755e97afac47a83dc5d392f3ba3d136546981e166dedf4e780141f64bffde4fa3101b37b5781d70921de8ba2423b0b5fe061497427e22570533c1c2d29589960cb2cb76f7c7f23de1a8078578ccbf3302ddb0a27da79aaef5d30c3e9fde6ad946a114 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154b93a0d2d755e97afb8e7a8dd85b33283fa79833586a82ee61e84b8ec7f5a6d7da9b4955e5fc21a088984a0e34da1a8ec3a92b01bf9057d66763426ea03f78b260c7e504a32f7fa3aa9e4792b2e662ac6666b7c49b0ded2c2c027795d11be32b33357b5cf343a09d0bbacfa2bb2e7c77 explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154b93a0d2d755e97afb8e7a8dd85b332739a49833586a82ee61e84b8ec7f5a5d1d8994955e5fc21a088984a0e34da1a8ec3a92b01bf9057d66763426ea03f78b260c7e504a32f7fa3aa9e4792b2e662ac6666b7c49b0ded2c2c027795d11be32b33357b5cf343a09d0bbacfa2bb2e7c77 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154b93a0d2d755e97afb8e7a8dd85b312b3ea49833586a82ee61e84b8ec7f5a4d6da9f4955e5fc21a088984a0e34da1a8ec3a92b01bf9057d66763426ea03f78b260c7e504a32f7fa3aa9e4792b2e662ac6666b7c49b0ded2c2c027795d11be32b33357b5cf343a09d0bbacfa2bb2e7c77 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154b93a0d2d755e97afb8e7a8dd85b362934a99833586a82ee61e84b8ec7f5a3d9de9c4955e5fc21a088984a0e34da1a8ec3a92b01bf9057d66763426ea03f78b260c7e504a32f7fa3aa9e4792b2e662ac6666b7c49b0ded2c2c027795d11be32b33357b5cf343a09d0bbacfa2bb2e7c77 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\3316a7d = bbc595a7d2d8c1660784d9da1ca8501b1f0a6459d612329966bbeadea63a08c41de6a2278084b949afcddd8867f4924880390cd5f40f4e41a42c39109fe172e026930097b68f655ffcc64d3d56af30c416cb06a66565aa032a7b8b2b3c0a4d5b3dd6c80bb635a6cf7ce9 explorer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154b93a0d2d755e97afb8e7a8dd85b302c38a89833586a82ee61e84b8ec7f5a5d0d19b4955e5fc21a088984a0e34da1a8ec3a92b01bf9057d66763426ea03f78b260c7e504a32f7fa3aa9e4792b2e662ac6666b7c49b0ded2c2c027795d11be32b33357b5cf343a09d0bbacfa2bb2e7c77 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154b93a0d2d755e97afb8e7a8dd85b312c3ca79833586a82ee61e84b8ec7f5a4d2dc9e4955e5fc21a088984a0e34da1a8ec3a92b01bf9057d66763426ea03f78b260c7e504a32f7fa3aa9e4792b2e662ac6666b7c49b0ded2c2c027795d11be32b33357b5cf343a09d0bbacfa2bb2e7c77 explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\b9cc2d64 = 663ffe4c144cfd1a690beedc997999932ec36af445fe6a3d7be63c3e67ea2c54fcb72f9b7b36ca5f293af53d8ff5712f6978bc65df80ef007300d3c5d90363 explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154b93a0d2d755e97afb8e7a8dd85b302634a69833586a82ee61e84b8ec7f5a5d8de9c4955e5fc21a088984a0e34da1a8ec3a92b01bf9057d66763426ea03f78b260c7e504a32f7fa3aa9e4792b2e662ac6666b7c49b0ded2c2c027795d11be32b33357b5cf343a09d0bbacfa2bb2e7c77 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154b93a0d2d755e97afb8e7a8dd85b362934a99833586a82ee61e84b8ec7f5a3d7df9d4955e5fc21a088984a0e34da1a8ec3a92b01bf9057d66763426ea03f78b260c7e504a32f7fa3aa9e4792b2e662ac6666b7c49b0ded2c2c027795d11be32b33357b5cf343a09d0bbacfa2bb2e7c77 explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154b93a0d2d755e97afb8e7a8dd85b362f3ba59833586a82ee61e84b8ec7f5a3d0d89d4955e5fc21a088984a0e34da1a8ec3a92b01bf9057d66763426ea03f78b260c7e504a32f7fa3aa9e4792b2e662ac6666b7c49b0ded2c2c027795d11be32b33357b5cf343a09d0bbacfa2bb2e7c77 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\1704a01 = 54f414db3db69a717e5a6b3cf7d7e2b33d4ed4aaa1bdfc1122ef9082b0ed0d79ab8593579986eb8e38486680645b7e9288ce explorer.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154b93a0d2d755e97afb8e7a8dd85b362f3ba59833586a82ee61e84b8ec7f5a3d3d19f4955e5fc21a088984a0e34da1a8ec3a92b01bf9057d66763426ea03f78b260c7e504a32f7fa3aa9e4792b2e662ac6666b7c49b0ded2c2c027795d11be32b33357b5cf343a09d0bbacfa2bb2e7c77 explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154b93a0d2d755e97afb8e7a8dd85b332739a49833586a82ee61e84b8ec7f5a6d9d99a4955e5fc21a088984a0e34da1a8ec3a92b01bf9057d66763426ea03f78b260c7e504a32f7fa3aa9e4792b2e662ac6666b7c49b0ded2c2c027795d11be32b33357b5cf343a09d0bbacfa2bb2e7c77 explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154b93a0d2d755e97afb8e7a8dd85b312639a89833586a82ee61e84b8ec7f5a4d6da9f4955e5fc21a088984a0e34da1a8ec3a92b01bf9057d66763426ea03f78b260c7e504a32f7fa3aa9e4792b2e662ac6666b7c49b0ded2c2c027795d11be32b33357b5cf343a09d0bbacfa2bb2e7c77 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\c4c462ee = 8559aca92cf15b4b4b89525f1fea68ac22744a118bef2b7f1aa7 explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154b93a0d2d755e97afb8e7a8dd85b302c38a89833586a82ee61e84b8ec7f5a5d2d09a4955e5fc21a088984a0e34da1a8ec3a92b01bf9057d66763426ea03f78b260c7e504a32f7fa3aa9e4792b2e662ac6666b7c49b0ded2c2c027795d11be32b33357b5cf343a09d0bbacfa2bb2e7c77 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\8e12dd56 = 1a154b93a0d2d755e97afb8e7a8dd85b312b3ea49833586a82ee61e84b8ec7f5a4d4db984955e5fc21a088984a0e34da1a8ec3a92b01bf9057d66763426ea03f78b260c7e504a32f7fa3aa9e4792b2e662ac6666b7c49b0ded2c2c027795d11be32b33357b5cf343a09d0bbacfa2bb2e7c77 explorer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Rnfvhbqvhwqv\f15bb2a0 = 20c2268f2f589ac40b18c12fe388019d7d5649cff6404e7ccebf6cd06f7b5c91d80993ada2e470171fdbcaeae748940d4a247a496c21 explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs explorer.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1312 rundll32.exe 1312 rundll32.exe 608 regsvr32.exe 608 regsvr32.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 1312 rundll32.exe 608 regsvr32.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 364 wrote to memory of 1312 364 rundll32.exe 69 PID 364 wrote to memory of 1312 364 rundll32.exe 69 PID 364 wrote to memory of 1312 364 rundll32.exe 69 PID 1312 wrote to memory of 3364 1312 rundll32.exe 71 PID 1312 wrote to memory of 3364 1312 rundll32.exe 71 PID 1312 wrote to memory of 3364 1312 rundll32.exe 71 PID 1312 wrote to memory of 3364 1312 rundll32.exe 71 PID 1312 wrote to memory of 3364 1312 rundll32.exe 71 PID 3364 wrote to memory of 3948 3364 explorer.exe 72 PID 3364 wrote to memory of 3948 3364 explorer.exe 72 PID 3364 wrote to memory of 3948 3364 explorer.exe 72 PID 1084 wrote to memory of 608 1084 regsvr32.exe 77 PID 1084 wrote to memory of 608 1084 regsvr32.exe 77 PID 1084 wrote to memory of 608 1084 regsvr32.exe 77 PID 608 wrote to memory of 424 608 regsvr32.exe 78 PID 608 wrote to memory of 424 608 regsvr32.exe 78 PID 608 wrote to memory of 424 608 regsvr32.exe 78 PID 608 wrote to memory of 424 608 regsvr32.exe 78 PID 608 wrote to memory of 424 608 regsvr32.exe 78 PID 424 wrote to memory of 1536 424 explorer.exe 79 PID 424 wrote to memory of 1536 424 explorer.exe 79 PID 424 wrote to memory of 1680 424 explorer.exe 81 PID 424 wrote to memory of 1680 424 explorer.exe 81 PID 2828 wrote to memory of 2912 2828 regsvr32.exe 85 PID 2828 wrote to memory of 2912 2828 regsvr32.exe 85 PID 2828 wrote to memory of 2912 2828 regsvr32.exe 85
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:364 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll,#12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn xdjevbp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll\"" /SC ONCE /Z /ST 09:07 /ET 09:194⤵
- Creates scheduled task(s)
PID:3948
-
-
-
-
\??\c:\windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll"1⤵
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:608 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:424 -
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Torjb" /d "0"4⤵PID:1536
-
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Gspumtmeynu" /d "0"4⤵PID:1680
-
-
-
-
\??\c:\windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll"1⤵
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\AppData\Local\Temp\260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll"2⤵PID:2912
-