025208b3d2dc191ade69d312f02ae794a9a1b03952e959d7031460aa0100d23c

Analysis

max time kernel
128s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
25-12-2022 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

025208b3d2dc191ade69d312f02ae794a9a1b03952e959d7031460aa0100d23c.exe
Size

1.1MB
MD5

a0f0a5939391e1e6435891fcbd3c1f8f
SHA1

240a65e3b2fc037e23b631689bdf2b56089b5ff1
SHA256

025208b3d2dc191ade69d312f02ae794a9a1b03952e959d7031460aa0100d23c
SHA512

e8f8acb13fc39a61e277ec562fb72a3381a6a2b6c912aa17b121010cc04b16b0406f69fafd36029106e6a258155f9a01470af551d63ed8e25dd908960e40030c
SSDEEP

24576:Xo3ciGhHIfz+y/iHemincy/2JIGJZwYKl6cE5CjmXNeEh:XEGZIfzuHeminIN9Q61CjsN9

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

1 4692 rundll32.exe
2 4692 rundll32.exe
11 4692 rundll32.exe

flow	pid	process
1	4692	rundll32.exe
2	4692	rundll32.exe
11	4692	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\en-US\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\en-US.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\en-US\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exesvchost.exe

pid process

4692 rundll32.exe
3256 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4692	rundll32.exe
3256	svchost.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4692 set thread context of 4904 4692 rundll32.exe rundll32.exe

description	pid	process	target process
PID 4692 set thread context of 4904	4692	rundll32.exe	rundll32.exe

Drops file in Program Files directory 19 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\en-US.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\eula.ini	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\distribute_form.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\end_review.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-win.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\LogTransport2.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\download.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ended_review_or_form.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-114x114-precomposed.png	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 46 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe

Modifies registry class 24 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009955cb53100054656d7000003a0009000400efbe0c554b889955cb532e0000000000000000000000000000000000000000000000000046131400540065006d007000000014000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

svchost.exerundll32.exe

pid process

3256 svchost.exe
3256 svchost.exe
4692 rundll32.exe
4692 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 4692 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4904 rundll32.exe

pid	process
3256	svchost.exe
3256	svchost.exe
4692	rundll32.exe
4692	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	4692	rundll32.exe

pid	process
4904	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

025208b3d2dc191ade69d312f02ae794a9a1b03952e959d7031460aa0100d23c.exerundll32.exesvchost.exe

description	pid	process	target process
PID 2716 wrote to memory of 4692	2716	025208b3d2dc191ade69d312f02ae794a9a1b03952e959d7031460aa0100d23c.exe	rundll32.exe
PID 2716 wrote to memory of 4692	2716	025208b3d2dc191ade69d312f02ae794a9a1b03952e959d7031460aa0100d23c.exe	rundll32.exe
PID 2716 wrote to memory of 4692	2716	025208b3d2dc191ade69d312f02ae794a9a1b03952e959d7031460aa0100d23c.exe	rundll32.exe
PID 4692 wrote to memory of 4904	4692	rundll32.exe	rundll32.exe
PID 4692 wrote to memory of 4904	4692	rundll32.exe	rundll32.exe
PID 4692 wrote to memory of 4904	4692	rundll32.exe	rundll32.exe
PID 3256 wrote to memory of 492	3256	svchost.exe	rundll32.exe
PID 3256 wrote to memory of 492	3256	svchost.exe	rundll32.exe
PID 3256 wrote to memory of 492	3256	svchost.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\025208b3d2dc191ade69d312f02ae794a9a1b03952e959d7031460aa0100d23c.exe
"C:\Users\Admin\AppData\Local\Temp\025208b3d2dc191ade69d312f02ae794a9a1b03952e959d7031460aa0100d23c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Dfuqft.tmp",Dsdupihuqo
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4692

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 22323
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4904

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1608

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4092

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3992

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\en-us.dll",OQ4rWlpHUg==
2⤵
PID:492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\130__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml
Filesize
669B

MD5
e158b071291619785347b00b1c8d9808

SHA1
725fd51848acae7b288f85839d24b351431fc2dc

SHA256
fe0f20efc8c4c66522b7bb62de1235225ddfb5f5ba336121f44c58ade801d4de

SHA512
e7d604815309eb6a24a8a1a144328eab68ac5e34da2fa1c35d126cdbab5cb50f73dadc675eeddbfd0b849fd0518db24bb098544bec26ccfcee0570e81b87161f

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\6ad6114fddb5b38e8504b0183a428c4b_16efa387-a50f-4c14-af28-bdcb77494366
Filesize
1KB

MD5
a7a381aa22cc03afaf1817419a76f4aa

SHA1
f73115fd60cc4a5f51ec3563c340fe48cd455e50

SHA256
da7cc077beb57aa89904af9b7f3b6a501cd4826216fdd377af72f13e74e75552

SHA512
4aea6ea9b528e8a7ae8a61e73715806dd4d81299256d5e450d69cc16c7f5017f0d3a7f151798b5f0320b77c3ec9199e71d8d25714e8f86ccd55537b8e4a05e7b

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\AirSpace.Etw.man
Filesize
412KB

MD5
39e5270caae15015c8203fec413669c7

SHA1
f44f5617f2bc496fb497a1e8ad13997ccecf0f6d

SHA256
2e6cbfc09039d76897eaf701179ba2011d2ea134ca8b6c6e9792a0843006a5f1

SHA512
9bdab6d4cea87cd1172a77554c0059dbd5f7f29ca754e4ed21aa99bc4b16f40fc28e32c81f0ab3ea49158c12cc6c5318a81bd942b916c0b1241b2c6818b2657a

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\C2RManifest.osmuxmui.msi.16.en-us.xml
Filesize
10KB

MD5
220ae72aa2505c9276da2056b7e34936

SHA1
6dfb0f4fd5c0d25062d3d1235fc20358560fdb89

SHA256
afc37ba57fac36ba151953b67619dbbb985f58122f4ebe07f15b312b5bdf004c

SHA512
cab8485458b9870015f037fc6c8279018bf212d36ba01181bdb90970473a4b5aaeb9708e36eb21c8e6c1301dbdca630b29c8b3a6fa82fa14fb04bc65d235debd

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\Darpeiwtweqqp.tmp
Filesize
3.5MB

MD5
ef2ad31d369ce42bdd8515f4b4d465c9

SHA1
7c1784dfed51885d73daf1d72ca74e8018725c5c

SHA256
430d1c057a02cf2bc90eda17908d099842fe255f847a3f690a68faee65287226

SHA512
a04a4bb0606b2e6a96c49e5575fc10c44c2fde42860963e36f0dc9a90d30eec5aa15b69a4433c241eca98c82205fcd25de85dde755c3e87f8cb09885fe9fdbf5

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\MasterDescriptor.en-us.xml
Filesize
28KB

MD5
4bee7862d96900a7b0f20d709ffe5af2

SHA1
59f4073ff756ee74e83e5d9448e7d6da69f3bf08

SHA256
526cb82e083378ccc1a5465f3250f40f9e74bdbc65c58ab9210fc8a88b273e63

SHA512
ee0f19e4aa0006b4da4b16522eea9774c09b07d6fae3529992df7f5f47ee1fa49a6ec5b77370be594762ec63f1f6aee4be139e44f2f369f5590777cf95d9be31

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\ppcrlconfig600.dll
Filesize
26KB

MD5
6f6a6e38715c9b3838f95e03fa0567f3

SHA1
40bffba8deebcfa89ff78591d1697290a8f8145d

SHA256
b1eab91db2cb293c153d0cb5ebf1ac3a9d50ac75d050403e8b9e1ec68881bd5f

SHA512
b1ecc5e8aff711a0ec8aa9d8415e1b26b06bc8e5607f26baba34506c30849b091e2fb3ea7051471000640c869aa9024e09749cbeac5595c16a4806d15f3221c2

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\print_queue.ico
Filesize
55KB

MD5
0f3c6d90637f0fdc57b1d303cf8d76cd

SHA1
91cef4325b363b31e4555302a70321a2110b51cf

SHA256
4858a310c97817f76fd6430067ac3c0b54dc030f7547eb9fbdb082545e8cc261

SHA512
6f533242faef57f84c88ea6d5134f60f3fc8a9771a0106752d430875266698cd5d1d4beffd00abdd492d08d5f5365d905dd8869ced2ec0bc7c20be8430d73df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dfuqft.tmp
Filesize
792KB

MD5
9e3ff54c77c7d43bfdf8cff1d31c3c51

SHA1
9681f127f0300093ac15d8a3fc16c289f0b9c045

SHA256
2c683e8b9889636eb8279bdb6cf9181e939021acb2cbbed109b27aab6f47861d

SHA512
d7b6ff58a48ce21250e13ffd1f57f041615e83cfd3fc2627ea0951a32ad8141fbe760765faada136cf3ab31c9165a0ad0f88ef95f35f58735d169046c257fcec

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\en-us.dll
Filesize
792KB

MD5
a36bac567c5de11d68e88041173260b9

SHA1
41e68f3202d37dfbe0d5bb1c596fa75d3766f18d

SHA256
ef1e47deddcad0afb1de96ea708b456b37a86ee2acba00bd015ff31d6f9be988

SHA512
0d10b418ec8179babea26bba22a4b74e2fb39b322332b3920ae1d1d7df1fdb52a57ed62331025a930bc902aa54bab8bd275ee24ced313da2a14d2810fea1fba9

Download Submit
\Program Files (x86)\WindowsPowerShell\Modules\en-US.dll
Filesize
792KB

MD5
a36bac567c5de11d68e88041173260b9

SHA1
41e68f3202d37dfbe0d5bb1c596fa75d3766f18d

SHA256
ef1e47deddcad0afb1de96ea708b456b37a86ee2acba00bd015ff31d6f9be988

SHA512
0d10b418ec8179babea26bba22a4b74e2fb39b322332b3920ae1d1d7df1fdb52a57ed62331025a930bc902aa54bab8bd275ee24ced313da2a14d2810fea1fba9

Download Submit
\Program Files (x86)\WindowsPowerShell\Modules\en-US.dll
Filesize
792KB

MD5
a36bac567c5de11d68e88041173260b9

SHA1
41e68f3202d37dfbe0d5bb1c596fa75d3766f18d

SHA256
ef1e47deddcad0afb1de96ea708b456b37a86ee2acba00bd015ff31d6f9be988

SHA512
0d10b418ec8179babea26bba22a4b74e2fb39b322332b3920ae1d1d7df1fdb52a57ed62331025a930bc902aa54bab8bd275ee24ced313da2a14d2810fea1fba9

Download Submit
\Users\Admin\AppData\Local\Temp\Dfuqft.tmp
Filesize
792KB

MD5
9e3ff54c77c7d43bfdf8cff1d31c3c51

SHA1
9681f127f0300093ac15d8a3fc16c289f0b9c045

SHA256
2c683e8b9889636eb8279bdb6cf9181e939021acb2cbbed109b27aab6f47861d

SHA512
d7b6ff58a48ce21250e13ffd1f57f041615e83cfd3fc2627ea0951a32ad8141fbe760765faada136cf3ab31c9165a0ad0f88ef95f35f58735d169046c257fcec

Download Submit
memory/492-377-0x0000000000000000-mapping.dmp

Download
memory/492-470-0x0000000007290000-0x0000000007DE7000-memory.dmp

Filesize
11.3MB

Download
memory/492-476-0x0000000007290000-0x0000000007DE7000-memory.dmp

Filesize
11.3MB

Download
memory/1608-448-0x0000000000000000-mapping.dmp

Download
memory/2716-140-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-159-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-135-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-138-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-137-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-136-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-116-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-141-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-143-0x00000000021B0000-0x00000000022A5000-memory.dmp

Filesize
980KB

Download
memory/2716-142-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-145-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-146-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2716-144-0x00000000022B0000-0x00000000023E2000-memory.dmp

Filesize
1.2MB

Download
memory/2716-147-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-148-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-149-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-150-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-151-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-152-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-153-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-154-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-155-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-156-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-157-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-158-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-134-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-160-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-161-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-133-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-132-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-117-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-118-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-119-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-166-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2716-120-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-121-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-122-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-123-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-124-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-131-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-125-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-126-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-127-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-128-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-130-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-129-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3256-362-0x0000000005A70000-0x00000000065C7000-memory.dmp

Filesize
11.3MB

Download
memory/3256-499-0x0000000005A70000-0x00000000065C7000-memory.dmp

Filesize
11.3MB

Download
memory/4092-481-0x0000000000000000-mapping.dmp

Download
memory/4692-174-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-171-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-185-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-183-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-182-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-263-0x0000000006DA0000-0x00000000078F7000-memory.dmp

Filesize
11.3MB

Download
memory/4692-162-0x0000000000000000-mapping.dmp

Download
memory/4692-163-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-164-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-279-0x0000000006DA0000-0x00000000078F7000-memory.dmp

Filesize
11.3MB

Download
memory/4692-181-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-180-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-179-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-178-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-177-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-176-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-173-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-175-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-172-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-184-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-170-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-169-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-168-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-167-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4692-165-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4904-278-0x000001C5BE7C0000-0x000001C5BEA7F000-memory.dmp

Filesize
2.7MB

Download
memory/4904-277-0x0000000000450000-0x00000000006FE000-memory.dmp

Filesize
2.7MB

Download
memory/4904-272-0x00007FF6D44A5FD0-mapping.dmp

Download