3f2a7fca065978286a763c27c2e4e4a91fa69d81bdedd265db2004f9cddeecf2

Analysis

max time kernel
135s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
25-11-2022 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f2a7fca065978286a763c27c2e4e4a91fa69d81bdedd265db2004f9cddeecf2.exe
Size

1004KB
MD5

0c70cfc1549b5d7f1e77ff7181b976fe
SHA1

8903d45d7a2a714619ed89bba79c839341323e9a
SHA256

3f2a7fca065978286a763c27c2e4e4a91fa69d81bdedd265db2004f9cddeecf2
SHA512

7dde11fb27a09d9bed283fab9d2cc3b963146d72d9cbe7d3282d0a70f8fa7dba12096fc096300e48bde26f9299a7f6201eaa9b77e3201cafe11e8efe7c5eacd6
SSDEEP

24576:2SzAquPjDjVgawTo+o2/97K5cXXEJ/TSuZnVAnb6qLsCo:JzAquPXjrAo2/sCG/TSudVAZI

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

3 3352 rundll32.exe
4 3352 rundll32.exe
13 3352 rundll32.exe

flow	pid	process
3	3352	rundll32.exe
4	3352	rundll32.exe
13	3352	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\JP2KLib\Parameters\ServiceDll = "C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\JP2KLib.dllꘀ"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\JP2KLib\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3352 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3352	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3352 set thread context of 3228 3352 rundll32.exe rundll32.exe

description	pid	process	target process
PID 3352 set thread context of 3228	3352	rundll32.exe	rundll32.exe

Drops file in Program Files directory 29 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_received.gif	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\UnifiedShare.aapp	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\duplicate.svg	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\back-arrow-disabled.svg	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\forms_received.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\duplicate.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\WCChromeNativeMessagingHost.exe	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\JP2KLib.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\duplicate.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\PDFSigQFormalRep.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\organize.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\open_original_form.gif	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\aic_file_icons_highcontrast.png	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\download.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\download.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\UnifiedShare.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\DVA.api	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\index.html	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\open_original_form.gif	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\aic_file_icons_retina_thumb_highContrast_wob.png	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\organize.svg	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 27 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe

Modifies registry class 24 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000007955595d100054656d7000003a0009000400efbe2155a8847955595d2e0000000000000000000000000000000000000000000000000087e22101540065006d007000000014000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3352 rundll32.exe
3352 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 3352 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3228 rundll32.exe
3352 rundll32.exe

pid	process
3352	rundll32.exe
3352	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	3352	rundll32.exe

pid	process
3228	rundll32.exe
3352	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3f2a7fca065978286a763c27c2e4e4a91fa69d81bdedd265db2004f9cddeecf2.exerundll32.exe

description	pid	process	target process
PID 4940 wrote to memory of 3352	4940	3f2a7fca065978286a763c27c2e4e4a91fa69d81bdedd265db2004f9cddeecf2.exe	rundll32.exe
PID 4940 wrote to memory of 3352	4940	3f2a7fca065978286a763c27c2e4e4a91fa69d81bdedd265db2004f9cddeecf2.exe	rundll32.exe
PID 4940 wrote to memory of 3352	4940	3f2a7fca065978286a763c27c2e4e4a91fa69d81bdedd265db2004f9cddeecf2.exe	rundll32.exe
PID 3352 wrote to memory of 3228	3352	rundll32.exe	rundll32.exe
PID 3352 wrote to memory of 3228	3352	rundll32.exe	rundll32.exe
PID 3352 wrote to memory of 3228	3352	rundll32.exe	rundll32.exe
PID 3352 wrote to memory of 4880	3352	rundll32.exe	schtasks.exe
PID 3352 wrote to memory of 4880	3352	rundll32.exe	schtasks.exe
PID 3352 wrote to memory of 4880	3352	rundll32.exe	schtasks.exe
PID 3352 wrote to memory of 2060	3352	rundll32.exe	schtasks.exe
PID 3352 wrote to memory of 2060	3352	rundll32.exe	schtasks.exe
PID 3352 wrote to memory of 2060	3352	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3f2a7fca065978286a763c27c2e4e4a91fa69d81bdedd265db2004f9cddeecf2.exe
"C:\Users\Admin\AppData\Local\Temp\3f2a7fca065978286a763c27c2e4e4a91fa69d81bdedd265db2004f9cddeecf2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Tdryuqayh.tmp",Worhdhqfpryr
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3352

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20149
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3228

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4880

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2060

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5036

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2820

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3004

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4904

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:4308

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\reference assemblies\microsoft\jp2klib.dll",jVM6MXVQZmg=
2⤵
PID:4040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\100__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml

Filesize
466B

MD5
865d649c74b05aae53850125d6c23b41

SHA1
2b4ab47d5eee5a74cfb70f8231502d97dd2d97e6

SHA256
547242ffdf9a49692c655c9af71b90a815a20a78f4121538552bd73e05eeb978

SHA512
7fd6ac21920c68848517573d4048171ee7948aa87e682c71c01ff4e96c099b2d1166df8c4f0ae3dde738b96b6dba67cf66b3cc913588bcf28cee3908e2a9b5a8

Download Submit
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\115__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml

Filesize
646B

MD5
a3f5a2683540ae3aa0c0da2c023bce1f

SHA1
5f7f3484fdfc18978d167caa7d1a2bd09052a340

SHA256
2ab1f00eaed85c5076cd9dc2cbb3b4bc9b7456b8ab37dd85476f110b94e0dc91

SHA512
3c86579436a5c7c672c5648c7a661d5bdcfe7d3150fbcd9a18165dc0ddb1257c11fd5f4997e7665de8ecd73097d52aa1eb79582c4c0d0bc462a80acfd60fb8ea

Download Submit
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\Isduwyyttes.tmp

Filesize
3.5MB

MD5
677f5dd5a9c28e9125a2c4e653e68451

SHA1
0539e310c27d2cae7afc31f911d5addb74fb1329

SHA256
767e6c270ec3584bc062d314270bc18c27b9d7297ed0418fb4d0649e46f0f2e4

SHA512
bf3a1298e4cff83304868230d962aebd995864b554c9f5a828cd2e5c10cf5d84958e75adf7b2053ea8727a42a83cbb021ff39cd865eb99cfaef1b65aa10b3793

Download Submit
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\behavior.xml

Filesize
1KB

MD5
6c23b0f54e5c427ff8f3db170b62616f

SHA1
44f1d0f71cbab0e05d9a563bf9e92759898ca4e9

SHA256
7cfdc107f1bc076ca39ee36960bbb1d64a6c9faac9ba73a106f6e85224da4a1b

SHA512
f511e1aa2f7dcac52ad5452ef8e9e403a77b55a6e9c7bf8248db00e85cee61f1e28ebe6470084a1f22cf64664b8a9ec84975afda1e26e348b4948de4583313a6

Download Submit
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\edb.chk

Filesize
8KB

MD5
22f028ef9dcc1aecb23207d5a7c173a0

SHA1
60291ca93ed75c2fc3e9f830addacca30d106c30

SHA256
00a6c55ae455ba170683715db7d03f6608db4a4ee359834dd8f6a381f8df507e

SHA512
923472d339d997e2abffccc56e41aa20ca7b010ed4d74dfde60bd43b9331bb031f8453a829664d2950bfdb57a4353ce398d8c749edabf5aea85b4a598026b38a

Download Submit
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\print_pref.ico

Filesize
56KB

MD5
a52a082f2b18811deaf3138d27c57af8

SHA1
317bf685e50de705818bff26f032e7f593830509

SHA256
6b4b668a30271d7853257b5752dc429b39c7b264e77ff3533196e6fd03fbeb88

SHA512
0d6f4bbb993b4e9a0069ddd0503ceb45d8a1cc6f6453cc2faf91cb137fa49e15eeaa3d77cb9954cc07701153932da51977d467c54b1e0fcfe74b6670cac47d99

Download Submit
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\resource.xml

Filesize
1KB

MD5
ba3f2a2801ae546e498881e8ec22a17c

SHA1
ab57705933a28c4f9e552f5a435ab8a7709fedc8

SHA256
af7a12135db48bf260cd6d7ce831810ef98ca05847c4b23086bc2e616e8b08f4

SHA512
3ae1c6d4bba1720b080c315e58c8b44685defd65031314a48c1de749e4cd13a42ccf5f0de4202019c94b0ecbd1ab9e6dbdfd39d5b6434909796f490246b6e302

Download Submit
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\stream.x64.en-us.dat.cat

Filesize
109KB

MD5
2800ad935a91f65e3a39d28d7ec8b12b

SHA1
2e87ae6f577e833894abaa85117f29fd8c2178db

SHA256
7a9e9a26077199809f7a69d4486b58d98b5b972a2652084de0e212bc070410bd

SHA512
3564cdd0ff8efd862f6f3e123f8a5990d255bf735ee7eed3d622ecd40dfe53b9e1ae0c623a9d0036ca73e24a7c4f91b9a0174129084536362d23b10e6c730dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tdryuqayh.tmp

Filesize
767KB

MD5
d8ca174a8f3f0c225429e1be1cb6d304

SHA1
0f2e738b1a35b6072e1d23894468e45fa7dee750

SHA256
3d63ad175a34e4c89ea6eca4a1161bb5dd514a5e58302707edc03473eb1f656e

SHA512
dbf999a9f0399b3cbf93484f2e665e3beb4de369dacf4678c7b7b3ff06f45c42879c544c2404d85b88fe3aaacf117a1e28ecb68ee7ea2553b736bad03619e527

Download Submit
\??\c:\program files (x86)\reference assemblies\microsoft\jp2klib.dll

Filesize
767KB

MD5
ebbdf09bea262e32ebca34d77eece25f

SHA1
e740b2fe88fa6ed127fa8e90e6a49e0fb1924bb6

SHA256
b048fd3b262afead7c97177bedc1ddfd14e97da2f290e8eea46b1099f15347d0

SHA512
0d4bd9921700ef9f3f912833172d40b25d9f5d302fc73ce3c21a3f15354107a9541758fdc0fdc8eb66c138f2c2e0cc8e9b08b5940d5156ca3f7a796c5b8f71b5

Download Submit
\Program Files (x86)\Reference Assemblies\Microsoft\JP2KLib.dll

Filesize
767KB

MD5
ebbdf09bea262e32ebca34d77eece25f

SHA1
e740b2fe88fa6ed127fa8e90e6a49e0fb1924bb6

SHA256
b048fd3b262afead7c97177bedc1ddfd14e97da2f290e8eea46b1099f15347d0

SHA512
0d4bd9921700ef9f3f912833172d40b25d9f5d302fc73ce3c21a3f15354107a9541758fdc0fdc8eb66c138f2c2e0cc8e9b08b5940d5156ca3f7a796c5b8f71b5

Download Submit
\Program Files (x86)\Reference Assemblies\Microsoft\JP2KLib.dll

Filesize
767KB

MD5
ebbdf09bea262e32ebca34d77eece25f

SHA1
e740b2fe88fa6ed127fa8e90e6a49e0fb1924bb6

SHA256
b048fd3b262afead7c97177bedc1ddfd14e97da2f290e8eea46b1099f15347d0

SHA512
0d4bd9921700ef9f3f912833172d40b25d9f5d302fc73ce3c21a3f15354107a9541758fdc0fdc8eb66c138f2c2e0cc8e9b08b5940d5156ca3f7a796c5b8f71b5

Download Submit
\Users\Admin\AppData\Local\Temp\Tdryuqayh.tmp

Filesize
767KB

MD5
d8ca174a8f3f0c225429e1be1cb6d304

SHA1
0f2e738b1a35b6072e1d23894468e45fa7dee750

SHA256
3d63ad175a34e4c89ea6eca4a1161bb5dd514a5e58302707edc03473eb1f656e

SHA512
dbf999a9f0399b3cbf93484f2e665e3beb4de369dacf4678c7b7b3ff06f45c42879c544c2404d85b88fe3aaacf117a1e28ecb68ee7ea2553b736bad03619e527

Download Submit
memory/2060-328-0x0000000000000000-mapping.dmp

Download
memory/2820-480-0x0000000000000000-mapping.dmp

Download
memory/3004-536-0x0000000000000000-mapping.dmp

Download
memory/3228-288-0x00000235F8F10000-0x00000235F91CC000-memory.dmp

Filesize
2.7MB

Download
memory/3228-286-0x0000000000AD0000-0x0000000000D7B000-memory.dmp

Filesize
2.7MB

Download
memory/3228-280-0x00007FF7F07C5FD0-mapping.dmp

Download
memory/3352-169-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-177-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-171-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-170-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-173-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-166-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-174-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-346-0x0000000006BA0000-0x0000000007719000-memory.dmp

Filesize
11.5MB

Download
memory/3352-167-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-265-0x0000000006BA0000-0x0000000007719000-memory.dmp

Filesize
11.5MB

Download
memory/3352-189-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-188-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-187-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-186-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-185-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-184-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-183-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-182-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-179-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-181-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-180-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-178-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-172-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-176-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-175-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-165-0x0000000000000000-mapping.dmp

Download
memory/3752-554-0x0000000000000000-mapping.dmp

Download
memory/4040-441-0x0000000000000000-mapping.dmp

Download
memory/4040-535-0x0000000007320000-0x0000000007E99000-memory.dmp

Filesize
11.5MB

Download
memory/4308-429-0x00000000058D0000-0x0000000006449000-memory.dmp

Filesize
11.5MB

Download
memory/4308-572-0x00000000058D0000-0x0000000006449000-memory.dmp

Filesize
11.5MB

Download
memory/4880-310-0x0000000000000000-mapping.dmp

Download
memory/4940-160-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-135-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-168-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4940-164-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-163-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-162-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-161-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-140-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-159-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-156-0x0000000002700000-0x0000000002820000-memory.dmp

Filesize
1.1MB

Download
memory/4940-158-0x0000000000400000-0x00000000007DD000-memory.dmp

Filesize
3.9MB

Download
memory/4940-157-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-154-0x0000000002500000-0x00000000025E3000-memory.dmp

Filesize
908KB

Download
memory/4940-155-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-153-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-152-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-151-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-150-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-139-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-138-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-149-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-136-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-137-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-120-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-148-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-134-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-147-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-133-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-132-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-131-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-141-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-146-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-130-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-129-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-128-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-127-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-126-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-125-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-124-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-145-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-123-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-122-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-144-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-121-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-143-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-386-0x0000000000000000-mapping.dmp

Download