Analysis
max time kernel: 148s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2022 17:00
Static task: static1
Behavioral task: behavioral1
Sample: 30b818c6458a2626eee09c58a2f02f11568c85a3011b4fde5b601cf8972d8a2a.exe
Resource: win10v2004-20220812-en
General
Target: 30b818c6458a2626eee09c58a2f02f11568c85a3011b4fde5b601cf8972d8a2a.exe
Size: 1.0MB
MD5: 1a61e55fa3fd1dc5cbf63d91e6c5a93b
SHA1: 0f68fc53fafb875aa9150ab4d39b8b5015cac684
SHA256: 30b818c6458a2626eee09c58a2f02f11568c85a3011b4fde5b601cf8972d8a2a
SHA512: 975c9594a3583bd72d550c57ddd60bec585c87f556aa8118ed4288f0f77e69473a11c0d889692e758363ecdb4c4e9abb6c3d7bb01cc173051bddb9e46ca598d8
SSDEEP: 24576:iEGwNZdOMFdGiOlPwFU0yB8zuj+9LJwFP:UwNLKiOlPEjyfOuFP
Malware Config
Signatures

Blocklisted process makes network request 4 IoCs
Processes:
- flow 18, PID 3000, rundll32.exe
- flow 19, PID 3000, rundll32.exe
- flow 93, PID 3000, rundll32.exe
- flow 95, PID 3000, rundll32.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs
Processes:
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\s_filetype_psd\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\s_filetype_psd.dll" (rundll32.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\s_filetype_psd\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\s_filetype_psd.dll섀" (rundll32.exe)

Sets service image path in registry 2 TTPs 1 IoCs
Processes:
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\s_filetype_psd\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" (rundll32.exe)

Loads dropped DLL 3 IoCs
Processes:
- PID 3000, rundll32.exe
- PID 1532, svchost.exe
- PID 1336, rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
- Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (rundll32.exe)

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes:
- Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (rundll32.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 3000 set thread context of 1600 (process rundll32.exe, target process rundll32.exe)

Drops file in Program Files directory 21 IoCs
Processes:
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\comment.svg (rundll32.exe)
- File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png (rundll32.exe)
- File opened for modification C:\Program Files\7-Zip\7-zip.chm (rundll32.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll (rundll32.exe)
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\review_browser.gif (rundll32.exe)
- File opened for modification C:\Program Files\7-Zip\7zCon.sfx (rundll32.exe)
- File opened for modification C:\Program Files\7-Zip\7z.sfx (rundll32.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini (rundll32.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg (rundll32.exe)
- File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe.sig (rundll32.exe)
- File opened for modification C:\Program Files\7-Zip\Lang\hi.txt (rundll32.exe)
- File opened for modification C:\Program Files\7-Zip\Lang\da.txt (rundll32.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\delete.svg (rundll32.exe)
- File opened for modification C:\Program Files\7-Zip\Lang\fr.txt (rundll32.exe)
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\eula.ini (rundll32.exe)
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\delete.svg (rundll32.exe)
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\logsession.dll (rundll32.exe)
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\s_filetype_psd.dll (rundll32.exe)
- File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe (rundll32.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif (rundll32.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api (rundll32.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
Processes:
- PID 956 WerFault.exe, target PID 5100 30b818c6458a2626eee09c58a2f02f11568c85a3011b4fde5b601cf8972d8a2a.exe
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information (rundll32.exe)
- Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (rundll32.exe)
- Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (svchost.exe)
- Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet (rundll32.exe)
- Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (svchost.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (svchost.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (rundll32.exe)
- Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier (svchost.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (rundll32.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status (svchost.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier (rundll32.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision (rundll32.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (rundll32.exe)
- Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data (svchost.exe)
- Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (rundll32.exe)
- Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information (rundll32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (rundll32.exe)
Modifies registry class 5 IoCs
Processes:
- Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell (rundll32.exe)
- Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (rundll32.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (rundll32.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (rundll32.exe)
- Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings (rundll32.exe)

Modifies system certificate store
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2A83FC655BD34BA804C9D0151D17F55DF3F0F865 (rundll32.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2A83FC655BD34BA804C9D0151D17F55DF3F0F865\Blob = (certificate blob not shown) (rundll32.exe)
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
- PID 1532, svchost.exe (2 entries)
- PID 3000, rundll32.exe (8 entries)
- PID 1532, svchost.exe (14 entries)

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- Token: SeDebugPrivilege, PID 3000, rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- PID 1600, rundll32.exe
- PID 3000, rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs
Processes:
- PID 5100 wrote to memory of 3000 (30b818c6458a2626eee09c58a2f02f11568c85a3011b4fde5b601cf8972d8a2a.exe -> rundll32.exe, 3 entries)
- PID 3000 wrote to memory of 1600 (rundll32.exe -> rundll32.exe, 3 entries)
- PID 1532 wrote to memory of 1336 (svchost.exe -> rundll32.exe, 3 entries)
- PID 3000 wrote to memory of 2012 (rundll32.exe -> schtasks.exe, 3 entries)
- PID 3000 wrote to memory of 4692 (rundll32.exe -> schtasks.exe, 3 entries)

outlook_office_path 1 IoCs
Processes:
- Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)

outlook_win_path 1 IoCs
Processes:
- Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\30b818c6458a2626eee09c58a2f02f11568c85a3011b4fde5b601cf8972d8a2a.exe (PID 5100)
  Command line: "C:\Users\Admin\AppData\Local\Temp\30b818c6458a2626eee09c58a2f02f11568c85a3011b4fde5b601cf8972d8a2a.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3000)
    Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
    Signatures: Blocklisted process makes network request; Sets DLL path for service in the registry; Sets service image path in registry; Loads dropped DLL; Accesses Microsoft Outlook accounts; Accesses Microsoft Outlook profiles; Suspicious use of SetThreadContext; Drops file in Program Files directory; Checks processor information in registry; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
    - C:\Windows\system32\rundll32.exe (PID 1600)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23993
      Signatures: Modifies registry class; Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\schtasks.exe (PID 2012)
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 4692)
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
  - C:\Windows\SysWOW64\WerFault.exe (PID 956)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 536
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2548)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5100 -ip 5100
- C:\Windows\System32\rundll32.exe (PID 4928)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\SysWOW64\svchost.exe (PID 1532)
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  Signatures: Loads dropped DLL; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1336)
    Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\s_filetype_psd.dll",LykGbA==
    Signatures: Loads dropped DLL; Checks processor information in registry
Network
MITRE ATT&CK Enterprise v6
Downloads