Analysis

max time kernel: 150s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2022, 11:59

Static task
static1

Behavioral task
behavioral1
Sample: a0f0a5939391e1e6435891fcbd3c1f8f.exe
Resource: win7-20221111-en

Behavioral task
behavioral2
Sample: a0f0a5939391e1e6435891fcbd3c1f8f.exe
Resource: win10v2004-20221111-en

General

Target: a0f0a5939391e1e6435891fcbd3c1f8f.exe
Size: 1.1MB
MD5: a0f0a5939391e1e6435891fcbd3c1f8f
SHA1: 240a65e3b2fc037e23b631689bdf2b56089b5ff1
SHA256: 025208b3d2dc191ade69d312f02ae794a9a1b03952e959d7031460aa0100d23c
SHA512: e8f8acb13fc39a61e277ec562fb72a3381a6a2b6c912aa17b121010cc04b16b0406f69fafd36029106e6a258155f9a01470af551d63ed8e25dd908960e40030c
SSDEEP: 24576:Xo3ciGhHIfz+y/iHemincy/2JIGJZwYKl6cE5CjmXNeEh:XEGZIfzuHeminIN9Q61CjsN9
Malware Config

Signatures

Blocklisted process makes network request 4 IoCs
flow  pid  Process
10    548  rundll32.exe
11    548  rundll32.exe
39    548  rundll32.exe
41    548  rundll32.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs
description      ioc                                                                                                                                                       Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EPDF_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\EPDF_RHP..dll"   rundll32.exe
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EPDF_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\EPDF_RHP..dll䔀"  rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs
description      ioc                                                                                                              Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EPDF_RHP.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"  rundll32.exe
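Taken together, the two registry writes above are the standard svchost-hosted service persistence: ImagePath points at svchost.exe -k LocalService, and Parameters\ServiceDll points at the dropped EPDF_RHP..dll under the retired Windows Sidebar gadget directory rather than System32. The hunting script below is an added example, not part of the sandbox report: it parses constructed IoC lines in the report's own "Set value (str) ... = "..." process" shape and flags svchost-hosted services whose ServiceDll lives outside System32. The Dnscache lines are made-up benign contrast; the second EPDF_RHP. line reproduces the stray U+4400 character seen above, which is what an unterminated wide-string write looks like when rendered and which would defeat a naive endswith(".dll") check, so the script strips and reports it separately.

```python
r"""Hunt for svchost-hosted service persistence in registry write events.

Added example, not part of the sandbox report. Parses lines in the same
'Set value (str) <key> = "<value>" <process>' shape the report uses and flags
services whose ImagePath is svchost.exe -k ... while Parameters\ServiceDll points
outside %SystemRoot%\System32. SAMPLE_IOCS is constructed; only the EPDF_RHP.
lines mirror values observed in the report.
"""
import re
from dataclasses import dataclass

SAMPLE_IOCS = [
    # observed shape: backslashes inside the quoted value are doubled, as the report renders them
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EPDF_RHP.\Parameters\ServiceDll'
    r' = "C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\EPDF_RHP..dll" rundll32.exe',
    # second write of the same value with a stray U+4400 on the end, as seen in the report
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EPDF_RHP.\Parameters\ServiceDll'
    r' = "C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\EPDF_RHP..dll' + '\u4400' + r'" rundll32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EPDF_RHP.\ImagePath'
    r' = "C:\\Windows\\system32\\svchost.exe -k LocalService" rundll32.exe',
    # constructed benign contrast: an ordinary svchost-hosted service whose DLL lives in System32
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ServiceDll'
    r' = "%SystemRoot%\\System32\\dnsrslvr.dll" services.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\ImagePath'
    r' = "%SystemRoot%\\system32\\svchost.exe -k NetworkService" services.exe',
]

LINE_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SYSTEM\\[^\\]+\\Services\\'
    r'(?P<svc>[^\\]+)\\(?P<sub>Parameters\\ServiceDll|ImagePath) = "(?P<val>.*)" (?P<proc>\S+)$'
)

# Where a legitimate svchost-hosted service DLL normally lives (lower-case prefixes).
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")


@dataclass
class Finding:
    service: str
    service_dll: str
    image_path: str
    reasons: list


def parse_service_writes(lines):
    """Group ServiceDll / ImagePath writes by service name, keeping the last value written."""
    services = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = services.setdefault(m["svc"], {})
        key = "ServiceDll" if m["sub"].endswith("ServiceDll") else "ImagePath"
        rec[key] = m["val"].replace("\\\\", "\\")  # undo the report's escaping
        rec["writer"] = m["proc"]
    return services


def clean_path(value):
    """Strip trailing non-printable characters; returns (path, had_junk)."""
    cleaned = re.sub(r"[^\x20-\x7e]+$", "", value)
    return cleaned, cleaned != value


def hunt(lines):
    """Return one Finding per service that looks like svchost-hosted persistence."""
    findings = []
    for name, rec in parse_service_writes(lines).items():
        if "ServiceDll" not in rec:
            continue
        dll, junk = clean_path(rec["ServiceDll"])
        image = rec.get("ImagePath", "")
        hosted = "svchost.exe" in image.lower() and " -k " in image.lower()
        reasons = []
        if hosted and not dll.lower().startswith(SYSTEM_DLL_DIRS):
            reasons.append("svchost-hosted ServiceDll outside System32")
        if junk:
            reasons.append("ServiceDll value ends in non-printable bytes (unterminated string write)")
        if reasons:
            findings.append(Finding(name, dll, image, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_IOCS):
        print(f"[!] service {f.service!r}: {f.service_dll} (ImagePath: {f.image_path})")
        for reason in f.reasons:
            print("    -", reason)
```

On a live host the same two checks apply to the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll`; the key point is to correlate ServiceDll with the service's ImagePath rather than grepping either value alone.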
Loads dropped DLL 3 IoCs
pid   Process
548   rundll32.exe
4844  svchost.exe
2856  rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description  ioc                                                                                                                         Process
Key opened   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
description  ioc                                                                                                                                                                        Process
Key opened   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook                                    rundll32.exe
Key opened   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                  rundll32.exe
Key opened   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rundll32.exe
Key opened   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                  rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 1 IoCs
description                         pid  Process       procid_target
PID 548 set thread context of 4972  548  rundll32.exe  91
Drops file in Program Files directory 22 IoCs
Several of the files created under Shared Gadgets (AcroRd32Info.exe, AddressBook2x.png, comment.svg, A12_Spinner_int_2x.gif, CPDF_RHP.aapp) carry the same names as Acrobat Reader resources the process opened in the same run, and they are written next to the dropped EPDF_RHP..dll, whose name in turn mirrors CPDF_RHP.aapp.
description                  ioc                                                                                                   Process
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe                                 rundll32.exe
File opened for modification  C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml                                    rundll32.exe
File opened for modification  C:\Program Files\Mozilla Firefox\application.ini                                                       rundll32.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook2x.png           rundll32.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\delete.svg       rundll32.exe
File created                  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\AddressBook2x.png                                rundll32.exe
File created                  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\AcroRd32Info.exe                                 rundll32.exe
File opened for modification  C:\Program Files\7-Zip\7z.sfx                                                                          rundll32.exe
File opened for modification  C:\Program Files\7-Zip\Lang\br.txt                                                                     rundll32.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat                               rundll32.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg      rundll32.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif      rundll32.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp                        rundll32.exe
File created                  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\comment.svg                                      rundll32.exe
File created                  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\A12_Spinner_int_2x.gif                           rundll32.exe
File created                  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\EPDF_RHP..dll                                    rundll32.exe
File opened for modification  C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll                                   rundll32.exe
File opened for modification  C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json                                        rundll32.exe
File created                  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\CPDF_RHP.aapp                                    rundll32.exe
File opened for modification  C:\Program Files\7-Zip\Lang\et.txt                                                                     rundll32.exe
File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe                                                           rundll32.exe
File opened for modification  C:\Program Files\7-Zip\Lang\fr.txt                                                                     rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description rates this as likely ransomware behaviour, but nothing else in this report points to encryption; here the drive enumeration sits alongside credential harvesting and service persistence, where it is more plausibly reconnaissance.
Program crash 1 IoCs
The crashing process is the original sample (PID 2056), which had already handed off to rundll32.exe (PID 548) by the time WerFault ran.
pid   pid_target  Process       procid_target
1560  2056        WerFault.exe  81
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments. In this run the reads are attributed to both rundll32.exe and svchost.exe, the two images that load the dropped DLL (PIDs 548, 2856 and 4844 in the process tree).
description           ioc                                                                                Process
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet                  rundll32.exe
Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                             svchost.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data          svchost.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1   svchost.exe
Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                             rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet                  rundll32.exe
Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                             rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision             svchost.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString         svchost.exe
Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                             svchost.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision    svchost.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision    svchost.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status               svchost.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status               rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status               svchost.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString         rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier            rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1   rundll32.exe
Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                             svchost.exe
Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                               svchost.exe
Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                             svchost.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1   rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                        rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information       rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                        svchost.exe
Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                             rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision    rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision             rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier                  rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier            svchost.exe
Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                               rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet                  svchost.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier                  svchost.exe
Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                               rundll32.exe
Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                             rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision    rundll32.exe
Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                               svchost.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information       svchost.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier            rundll32.exe
Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                               rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString         rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier            rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data          rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information       rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier            svchost.exe
Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                               rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString         rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information       rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString         rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                        rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1   svchost.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet                  svchost.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString         svchost.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision    rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information       rundll32.exe
Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                             rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status               rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                        rundll32.exe
Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                             rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision    rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                        svchost.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision             rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status               rundll32.exe
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information       svchost.exe
Modifies registry class 5 IoCs
description       ioc                                                                                                                                 Process
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings                                                  rundll32.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell                  rundll32.exe
Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU           rundll32.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  rundll32.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  rundll32.exe

Modifies system certificate store 2 IoCs
description       ioc                                                                                                                      Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\164EA35EE456218B8D798F571F7A4E869B8F40FF        rundll32.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\164EA35EE456218B8D798F571F7A4E869B8F40FF\Blob = 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  rundll32.exe
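Creating a key under SystemCertificates\ROOT\Certificates and writing its Blob value installs a trusted root directly, bypassing certutil, an installer or group policy; the key name is the SHA-1 thumbprint of the certificate, and a root added by a DLL running under rundll32.exe is an indicator in itself. When the blob is available (this page does not reproduce it), the first checks are that the record really contains a certificate whose SHA-1 matches the key name, and then to dump the DER for inspection. The script below is an added example, not part of the report: parse_blob walks the Blob record layout (DWORD propid, DWORD reserved = 1, DWORD length, data), SAMPLE_DER is a constructed placeholder rather than a real certificate, and OBSERVED_KEY_NAME is the thumbprint from the entry above, so auditing the constructed blob against it is expected to report a mismatch.

```python
r"""Audit a root-store entry written directly to the registry.

Added example, not part of the sandbox report. A value under
HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>\Blob is
a sequence of property records, each '<DWORD propid><DWORD 1><DWORD length><data>';
CERT_CERT_PROP_ID (32) carries the DER certificate and the key name is its SHA-1.
SAMPLE_DER is a constructed byte string standing in for a real certificate.
"""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32
OBSERVED_KEY_NAME = "164EA35EE456218B8D798F571F7A4E869B8F40FF"  # key name from the report

SAMPLE_DER = b"\x30\x14" + b"constructed, not DER"  # placeholder, not a real certificate
SAMPLE_KEY_NAME = hashlib.sha1(SAMPLE_DER).hexdigest().upper()  # what the key name should be


def build_blob(props):
    """Serialise {propid: data} into the Blob record layout (used here only to make test input)."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props.items())


def parse_blob(blob):
    """Walk the property records; raise on anything that is not well-formed."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed record (propid {prop_id}) at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def audit_root_entry(key_name, blob):
    """Check that the entry holds a certificate and that the key name is its SHA-1 thumbprint."""
    props = parse_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        return {"has_certificate": False, "properties": sorted(props)}
    thumbprint = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    return {
        "has_certificate": True,
        "properties": sorted(props),
        "thumbprint": thumbprint,
        "key_name_matches": thumbprint == key_name.upper(),
        # the store also caches the hash as property 3; a mismatch there is tampering or corruption
        "stored_hash_matches": stored is None or stored.hex().upper() == thumbprint,
        "der": der,  # write to a file and inspect with: openssl x509 -inform der -noout -text
    }


SAMPLE_BLOB = build_blob({
    CERT_SHA1_HASH_PROP_ID: hashlib.sha1(SAMPLE_DER).digest(),
    CERT_CERT_PROP_ID: SAMPLE_DER,
})

if __name__ == "__main__":
    ok = audit_root_entry(SAMPLE_KEY_NAME, SAMPLE_BLOB)
    print(f"thumbprint {ok['thumbprint']} matches its key name: {ok['key_name_matches']}")
    bad = audit_root_entry(OBSERVED_KEY_NAME, SAMPLE_BLOB)
    print(f"constructed blob against the report's key name: {bad['key_name_matches']} (expected False)")
```

On a real host, export the value with `reg export` or read it with PowerShell's Get-ItemPropertyValue and pass the raw bytes to audit_root_entry; the DER it returns is what you feed to openssl or certutil to see who the root claims to be.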
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid   Process        (consecutive repeats collapsed, original order kept)
4844  svchost.exe    ×2
548   rundll32.exe   ×6
4844  svchost.exe    ×6
548   rundll32.exe   ×2
4844  svchost.exe    ×10

Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid  Process
Token: SeDebugPrivilege  548  rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
4972  rundll32.exe
548   rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs
description                      pid   Process                               procid_target  (each entry is reported three times)
PID 2056 wrote to memory of 548  2056  a0f0a5939391e1e6435891fcbd3c1f8f.exe  82             ×3
PID 548 wrote to memory of 4972  548   rundll32.exe                          91             ×3
PID 4844 wrote to memory of 2856 4844  svchost.exe                           95             ×3
PID 548 wrote to memory of 1272  548   rundll32.exe                          97             ×3
PID 548 wrote to memory of 4080  548   rundll32.exe                          99             ×3
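The WriteProcessMemory entries are recorded for every child a process creates, since CreateProcess itself writes the command line and environment block into the new process, so on their own they only reproduce the process tree (2056 → 548, 548 → 4972/1272/4080, 4844 → 2856). What singles out 548 → 4972 is the SetThreadContext entry against the same target, the combination used by process hollowing and thread hijacking. The script below is an added example, not part of the report: it parses constructed lines in the report's own "PID <src> wrote to memory of <dst> ..." shape, collapses the triplicated entries, pairs writes with thread-context changes on the same target, and walks the writers backwards to give the lineage 2056 → 548 → 4972.

```python
"""Reconstruct the injection chain from WriteProcessMemory / SetThreadContext events.

Added example, not part of the sandbox report. Parses lines in the same
'PID <src> wrote to memory of <dst> <src> <image> <procid_target>' and
'PID <src> set thread context of <dst> ...' shape the report uses. A write alone is
noise (every parent writes into its children); a write plus a thread-context change
on the same target is the signal. SAMPLE_EVENTS is constructed to mirror the
entries observed in the report.
"""
import re
from collections import defaultdict

SAMPLE_EVENTS = [
    "PID 2056 wrote to memory of 548 2056 a0f0a5939391e1e6435891fcbd3c1f8f.exe 82",
    "PID 2056 wrote to memory of 548 2056 a0f0a5939391e1e6435891fcbd3c1f8f.exe 82",
    "PID 2056 wrote to memory of 548 2056 a0f0a5939391e1e6435891fcbd3c1f8f.exe 82",
    "PID 548 wrote to memory of 4972 548 rundll32.exe 91",
    "PID 548 wrote to memory of 4972 548 rundll32.exe 91",
    "PID 548 wrote to memory of 4972 548 rundll32.exe 91",
    "PID 548 set thread context of 4972 548 rundll32.exe 91",
    "PID 4844 wrote to memory of 2856 4844 svchost.exe 95",
    "PID 548 wrote to memory of 1272 548 rundll32.exe 97",
    "PID 548 wrote to memory of 4080 548 rundll32.exe 99",
]

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"\d+ (?P<image>\S+) \d+$"
)


def parse_events(lines):
    """Return ({(src, dst): {actions}}, {pid: image}); duplicate lines collapse into the set."""
    edges = defaultdict(set)
    images = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)].add("write" if m["action"].startswith("wrote") else "setctx")
        images[src] = m["image"]  # the report's Process column names the acting (source) process
    return dict(edges), images


def injection_targets(edges):
    """(src, dst) pairs where src both wrote into dst and replaced a thread context in it."""
    return sorted(pair for pair, actions in edges.items() if {"write", "setctx"} <= actions)


def chain_to(edges, pid):
    """Walk writers backwards from pid; assumes one writer per target and stops on a cycle."""
    writer_of = {dst: src for (src, dst) in edges}
    chain = [pid]
    while chain[-1] in writer_of and writer_of[chain[-1]] not in chain:
        chain.append(writer_of[chain[-1]])
    return chain[::-1]


def describe(lines):
    """One human-readable line per hollowing/hijack candidate, with its lineage."""
    edges, images = parse_events(lines)
    out = []
    for src, dst in injection_targets(edges):
        lineage = " -> ".join(f"{p} ({images.get(p, 'target')})" for p in chain_to(edges, dst))
        out.append(f"thread hijack/hollowing candidate: {src} -> {dst}; lineage {lineage}")
    return out


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_EVENTS)))
```

The same pairing works on Sysmon data (event 8 CreateRemoteThread or event 10 ProcessAccess with THREAD_SET_CONTEXT rights against a freshly created child), where write-only edges should likewise be treated as parent/child bookkeeping rather than injection.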
outlook_office_path 1 IoCs
description  ioc                                                                                                                                       Process
Key opened   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rundll32.exe

outlook_win_path 1 IoCs
description  ioc                                                                                                                                                                        Process
Key opened   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rundll32.exe
Processes
(tree depth in brackets; signatures listed under each process)

[1] C:\Users\Admin\AppData\Local\Temp\a0f0a5939391e1e6435891fcbd3c1f8f.exe   PID 2056
    cmd: "C:\Users\Admin\AppData\Local\Temp\a0f0a5939391e1e6435891fcbd3c1f8f.exe"
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\rundll32.exe   PID 548
        cmd: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Dfuqft.tmp",Dsdupihuqo
        - Blocklisted process makes network request
        - Sets DLL path for service in the registry
        - Sets service image path in registry
        - Loads dropped DLL
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Checks processor information in registry
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        - outlook_office_path
        - outlook_win_path

        [3] C:\Windows\system32\rundll32.exe   PID 4972
            cmd: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 22347
            - Modifies registry class
            - Suspicious use of FindShellTrayWindow

        [3] C:\Windows\SysWOW64\schtasks.exe   PID 1272
            cmd: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

        [3] C:\Windows\SysWOW64\schtasks.exe   PID 4080
            cmd: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

    [2] C:\Windows\SysWOW64\WerFault.exe   PID 1560
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 532
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe   PID 3860
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2056 -ip 2056

[1] C:\Windows\System32\rundll32.exe   PID 3232
    cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Windows\SysWOW64\svchost.exe   PID 4844
    cmd: C:\Windows\SysWOW64\svchost.exe -k LocalService
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\rundll32.exe   PID 2856
        cmd: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows sidebar\shared gadgets\epdf_rhp..dll",MwIxaFVOT2Q=
        - Loads dropped DLL
        - Checks processor information in registry
Network

MITRE ATT&CK Enterprise v6
Downloads

Filesize: 792KB   (three entries with identical hashes in the original list)
MD5: 59b0ff6238e534e9fcedd10414761d0b
SHA1: 95b1f7e5f3d187f9c9258bf342e4565111f91701
SHA256: ae7e2a943cb5b7fd40fb2eafd874bcc9e95db2e4c124c5e396668706d1bbf0c2
SHA512: 3fa79f884a49802edf846a9e42c179102318835a9713af3e5dd91d5f8169a26cd21ae2448c5b0b6805da2172c8c757ba4ea9dcd0664c65e94ae3b6274c70b727

Filesize: 39KB
MD5: 93b791b81e660e839ef91e881d0d40ba
SHA1: f28bf43cb01d5d6f0714b40c0183c0f920704b7a
SHA256: 94e7e8449e52aa41decd74e1fa8bc6d688a1fc1e6dcbd015ff19ece64dedfe32
SHA512: 3bfff8518d32d599f29c254b9f1de7337d49aa027ff0c0c3345698695a87ddc145c13855e7a7a434f7d29eaa60ce44161b47e40a95df8c54c686dadaf894ec63

Filesize: 27KB
MD5: e9ed7134ebf28fea3f7aa5691a28438a
SHA1: ea1e55c279ed9f8dae333ae436204d8d67d46adf
SHA256: 8fe0a353ce49d8bf91b019174a72f92c70870d8215b3afa565a01eb041569e28
SHA512: 535d34d3e428d421793e147e8bf1e344e9a2da449ce25103bf4d72c7b421db429304d5eaebbe305ac566b4b172984677885dcab2aa118441a3df38c57fd04dd9

Filesize: 3.5MB   (two entries with identical hashes in the original list)
MD5: 03ec5fe582804756ee389baa6e1f3baa
SHA1: d8d6fe7935ec598e177587a89dec1eaaf86c7149
SHA256: 7afcec960e7c0f5ee5d76a9ef10a328a865bb15c4c29bca18dfd054079adda59
SHA512: 734bdc7438e18cf044491d812cf804b0555242e26c27553cc35ae60ba2e30698e6137be68b68ab514342d38cc8cdc0192da339f20eece447e6861698db75da46

Filesize: 28KB
MD5: 3fa8c6dc1f72c3f9f8670a3e236459f2
SHA1: fcca30e9c5f861ac907150c76ca5f2174d214b7b
SHA256: dca1bd2f368d6165695ac6f48239722b9d38226bef45764a0076bbfa184cb0a7
SHA512: af6654f32cf0638204293e0117ff43e59f68537e391d3f4b1c7758632767eaa474d7cb44f3b4b7f9ba6cdefda9ec9368cf07814aed4e79949001bd44ede262ec

Filesize: 58KB
MD5: 30d7062e069bc0a9b34f4034090c1aae
SHA1: e5fcedd8e4cc0463c0bc6912b1791f2876e28a61
SHA256: 24e77f244b0743e311b0fc97f06513a0cecf6560e92f9c6f164288a152d32000
SHA512: 85dd6c916d48804a24dbbad0f4b4842453ac31a692905f8f2f34112eaa1bbf062a825d45ed5d800bbc4663a28b0b5003ebd5fa54991cf846f1028e929ea06de6

C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json
Filesize: 121B
MD5: 70bdaa5c409965a452e47aa001033c53
SHA1: 594fad49def244b2a459ddd86bf1763e190917e3
SHA256: 433ea519024b5837e58afc7f968df10b5fc3144b4da790c68a72c40740bdfa58
SHA512: 62f25a4e598f3592cb8bb789ae4127c067fbcb3c738983f8da49996c9bdc981cebe266c666a416abe5cda8f321c8d62aa60da87dc77aef1843035dcb5400dbcc

Filesize: 792KB   (two entries with identical hashes in the original list)
MD5: 9e3ff54c77c7d43bfdf8cff1d31c3c51
SHA1: 9681f127f0300093ac15d8a3fc16c289f0b9c045
SHA256: 2c683e8b9889636eb8279bdb6cf9181e939021acb2cbbed109b27aab6f47861d
SHA512: d7b6ff58a48ce21250e13ffd1f57f041615e83cfd3fc2627ea0951a32ad8141fbe760765faada136cf3ab31c9165a0ad0f88ef95f35f58735d169046c257fcec