025208b3d2dc191ade69d312f02ae794a9a1b03952e959d7031460aa0100d23c

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2022, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0f0a5939391e1e6435891fcbd3c1f8f.exe
Size

1.1MB
MD5

a0f0a5939391e1e6435891fcbd3c1f8f
SHA1

240a65e3b2fc037e23b631689bdf2b56089b5ff1
SHA256

025208b3d2dc191ade69d312f02ae794a9a1b03952e959d7031460aa0100d23c
SHA512

e8f8acb13fc39a61e277ec562fb72a3381a6a2b6c912aa17b121010cc04b16b0406f69fafd36029106e6a258155f9a01470af551d63ed8e25dd908960e40030c
SSDEEP

24576:Xo3ciGhHIfz+y/iHemincy/2JIGJZwYKl6cE5CjmXNeEh:XEGZIfzuHeminIN9Q61CjsN9

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
10	548	rundll32.exe
11	548	rundll32.exe
39	548	rundll32.exe
41	548	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EPDF_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\EPDF_RHP..dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EPDF_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\EPDF_RHP..dll䔀"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EPDF_RHP.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
548	rundll32.exe
4844	svchost.exe
2856	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 548 set thread context of 4972	548	rundll32.exe	91

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook2x.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\delete.svg	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\AddressBook2x.png	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\AcroRd32Info.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\comment.svg	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\A12_Spinner_int_2x.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\EPDF_RHP..dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\CPDF_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1560	2056	WerFault.exe	81

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\164EA35EE456218B8D798F571F7A4E869B8F40FF	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\164EA35EE456218B8D798F571F7A4E869B8F40FF\Blob = 030000000100000014000000164ea35ee456218b8d798f571f7a4e869b8f40ff2000000001000000b0020000308202ac30820215a003020102020823a999f05891d4e5300d06092a864886f70d01010b050030733132303006035504030c294d6963726f736f667420526f6f742043657274696f696361746520417574686f726974792032303131311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e64301e170d3230313232353133303131325a170d3234313232343133303131325a30733132303006035504030c294d6963726f736f667420526f6f742043657274696f696361746520417574686f726974792032303131311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e6430819f300d06092a864886f70d010101050003818d003081890281810094aee0fbb23a5a66a7117a5d991f34b00dd74cb9647bd6e016bdc47ca5653b6390323ee41d3236606f9804d0bb49559b0dc50ceccbcff5a86e937daca87c50a535b48a81114c0e55e75c5f1a4e370d861021d3b236e830dfffe0ed75a04e2641207bb11eede980aa29faf6e8de8fd8b1c32f0d27f4d257e00b6bba84e857e4f10203010001a3493047300f0603551d130101ff040530030101ff30340603551d11042d302b82294d6963726f736f667420526f6f742043657274696f696361746520417574686f726974792032303131300d06092a864886f70d01010b0500038181008f1ff10af2911652c5105c149e4b8906957c50e1639713f77eabcbd0175efb5165f536d002a0ada9bd6627f44c8cd63d29509f470941b061102f65570e78067e5a933b8604b0b3d51782be51b7f888e24d81a705972fc25d3180ee39dfd7731e1dc3e5c8ef84cdd6a73f06355d0450897401129876d707d24d1dcf8d06780546	rundll32.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4844	svchost.exe
4844	svchost.exe
548	rundll32.exe
548	rundll32.exe
548	rundll32.exe
548	rundll32.exe
548	rundll32.exe
548	rundll32.exe
4844	svchost.exe
4844	svchost.exe
4844	svchost.exe
4844	svchost.exe
4844	svchost.exe
4844	svchost.exe
548	rundll32.exe
548	rundll32.exe
4844	svchost.exe
4844	svchost.exe
4844	svchost.exe
4844	svchost.exe
4844	svchost.exe
4844	svchost.exe
4844	svchost.exe
4844	svchost.exe
4844	svchost.exe
4844	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	548	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4972	rundll32.exe
548	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 548	2056	a0f0a5939391e1e6435891fcbd3c1f8f.exe	82
PID 2056 wrote to memory of 548	2056	a0f0a5939391e1e6435891fcbd3c1f8f.exe	82
PID 2056 wrote to memory of 548	2056	a0f0a5939391e1e6435891fcbd3c1f8f.exe	82
PID 548 wrote to memory of 4972	548	rundll32.exe	91
PID 548 wrote to memory of 4972	548	rundll32.exe	91
PID 548 wrote to memory of 4972	548	rundll32.exe	91
PID 4844 wrote to memory of 2856	4844	svchost.exe	95
PID 4844 wrote to memory of 2856	4844	svchost.exe	95
PID 4844 wrote to memory of 2856	4844	svchost.exe	95
PID 548 wrote to memory of 1272	548	rundll32.exe	97
PID 548 wrote to memory of 1272	548	rundll32.exe	97
PID 548 wrote to memory of 1272	548	rundll32.exe	97
PID 548 wrote to memory of 4080	548	rundll32.exe	99
PID 548 wrote to memory of 4080	548	rundll32.exe	99
PID 548 wrote to memory of 4080	548	rundll32.exe	99

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a0f0a5939391e1e6435891fcbd3c1f8f.exe
"C:\Users\Admin\AppData\Local\Temp\a0f0a5939391e1e6435891fcbd3c1f8f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Dfuqft.tmp",Dsdupihuqo
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:548
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 22347
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4972
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 532
  2⤵
  - Program crash
  PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2056 -ip 2056
1⤵
PID:3860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3232

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows sidebar\shared gadgets\epdf_rhp..dll",MwIxaFVOT2Q=
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:2856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\EPDF_RHP..dll

Filesize
792KB

MD5
59b0ff6238e534e9fcedd10414761d0b

SHA1
95b1f7e5f3d187f9c9258bf342e4565111f91701

SHA256
ae7e2a943cb5b7fd40fb2eafd874bcc9e95db2e4c124c5e396668706d1bbf0c2

SHA512
3fa79f884a49802edf846a9e42c179102318835a9713af3e5dd91d5f8169a26cd21ae2448c5b0b6805da2172c8c757ba4ea9dcd0664c65e94ae3b6274c70b727

Download Submit
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\EPDF_RHP..dll

Filesize
792KB

MD5
59b0ff6238e534e9fcedd10414761d0b

SHA1
95b1f7e5f3d187f9c9258bf342e4565111f91701

SHA256
ae7e2a943cb5b7fd40fb2eafd874bcc9e95db2e4c124c5e396668706d1bbf0c2

SHA512
3fa79f884a49802edf846a9e42c179102318835a9713af3e5dd91d5f8169a26cd21ae2448c5b0b6805da2172c8c757ba4ea9dcd0664c65e94ae3b6274c70b727

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\C2RManifest.excelmui.msi.16.en-us.xml

Filesize
39KB

MD5
93b791b81e660e839ef91e881d0d40ba

SHA1
f28bf43cb01d5d6f0714b40c0183c0f920704b7a

SHA256
94e7e8449e52aa41decd74e1fa8bc6d688a1fc1e6dcbd015ff19ece64dedfe32

SHA512
3bfff8518d32d599f29c254b9f1de7337d49aa027ff0c0c3345698695a87ddc145c13855e7a7a434f7d29eaa60ce44161b47e40a95df8c54c686dadaf894ec63

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\C2RManifest.powerpointmui.msi.16.en-us.xml

Filesize
27KB

MD5
e9ed7134ebf28fea3f7aa5691a28438a

SHA1
ea1e55c279ed9f8dae333ae436204d8d67d46adf

SHA256
8fe0a353ce49d8bf91b019174a72f92c70870d8215b3afa565a01eb041569e28

SHA512
535d34d3e428d421793e147e8bf1e344e9a2da449ce25103bf4d72c7b421db429304d5eaebbe305ac566b4b172984677885dcab2aa118441a3df38c57fd04dd9

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\Darpeiwtweqqp.tmp

Filesize
3.5MB

MD5
03ec5fe582804756ee389baa6e1f3baa

SHA1
d8d6fe7935ec598e177587a89dec1eaaf86c7149

SHA256
7afcec960e7c0f5ee5d76a9ef10a328a865bb15c4c29bca18dfd054079adda59

SHA512
734bdc7438e18cf044491d812cf804b0555242e26c27553cc35ae60ba2e30698e6137be68b68ab514342d38cc8cdc0192da339f20eece447e6861698db75da46

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\Darpeiwtweqqp.tmp

Filesize
3.5MB

MD5
03ec5fe582804756ee389baa6e1f3baa

SHA1
d8d6fe7935ec598e177587a89dec1eaaf86c7149

SHA256
7afcec960e7c0f5ee5d76a9ef10a328a865bb15c4c29bca18dfd054079adda59

SHA512
734bdc7438e18cf044491d812cf804b0555242e26c27553cc35ae60ba2e30698e6137be68b68ab514342d38cc8cdc0192da339f20eece447e6861698db75da46

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\netfol.ico

Filesize
28KB

MD5
3fa8c6dc1f72c3f9f8670a3e236459f2

SHA1
fcca30e9c5f861ac907150c76ca5f2174d214b7b

SHA256
dca1bd2f368d6165695ac6f48239722b9d38226bef45764a0076bbfa184cb0a7

SHA512
af6654f32cf0638204293e0117ff43e59f68537e391d3f4b1c7758632767eaa474d7cb44f3b4b7f9ba6cdefda9ec9368cf07814aed4e79949001bd44ede262ec

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\print_property.ico

Filesize
58KB

MD5
30d7062e069bc0a9b34f4034090c1aae

SHA1
e5fcedd8e4cc0463c0bc6912b1791f2876e28a61

SHA256
24e77f244b0743e311b0fc97f06513a0cecf6560e92f9c6f164288a152d32000

SHA512
85dd6c916d48804a24dbbad0f4b4842453ac31a692905f8f2f34112eaa1bbf062a825d45ed5d800bbc4663a28b0b5003ebd5fa54991cf846f1028e929ea06de6

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json

Filesize
121B

MD5
70bdaa5c409965a452e47aa001033c53

SHA1
594fad49def244b2a459ddd86bf1763e190917e3

SHA256
433ea519024b5837e58afc7f968df10b5fc3144b4da790c68a72c40740bdfa58

SHA512
62f25a4e598f3592cb8bb789ae4127c067fbcb3c738983f8da49996c9bdc981cebe266c666a416abe5cda8f321c8d62aa60da87dc77aef1843035dcb5400dbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dfuqft.tmp

Filesize
792KB

MD5
9e3ff54c77c7d43bfdf8cff1d31c3c51

SHA1
9681f127f0300093ac15d8a3fc16c289f0b9c045

SHA256
2c683e8b9889636eb8279bdb6cf9181e939021acb2cbbed109b27aab6f47861d

SHA512
d7b6ff58a48ce21250e13ffd1f57f041615e83cfd3fc2627ea0951a32ad8141fbe760765faada136cf3ab31c9165a0ad0f88ef95f35f58735d169046c257fcec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dfuqft.tmp

Filesize
792KB

MD5
9e3ff54c77c7d43bfdf8cff1d31c3c51

SHA1
9681f127f0300093ac15d8a3fc16c289f0b9c045

SHA256
2c683e8b9889636eb8279bdb6cf9181e939021acb2cbbed109b27aab6f47861d

SHA512
d7b6ff58a48ce21250e13ffd1f57f041615e83cfd3fc2627ea0951a32ad8141fbe760765faada136cf3ab31c9165a0ad0f88ef95f35f58735d169046c257fcec

Download Submit
\??\c:\program files (x86)\windows sidebar\shared gadgets\epdf_rhp..dll

Filesize
792KB

MD5
59b0ff6238e534e9fcedd10414761d0b

SHA1
95b1f7e5f3d187f9c9258bf342e4565111f91701

SHA256
ae7e2a943cb5b7fd40fb2eafd874bcc9e95db2e4c124c5e396668706d1bbf0c2

SHA512
3fa79f884a49802edf846a9e42c179102318835a9713af3e5dd91d5f8169a26cd21ae2448c5b0b6805da2172c8c757ba4ea9dcd0664c65e94ae3b6274c70b727

Download Submit
memory/548-142-0x0000000006250000-0x0000000006390000-memory.dmp

Filesize
1.2MB

Download
memory/548-140-0x0000000006250000-0x0000000006390000-memory.dmp

Filesize
1.2MB

Download
memory/548-146-0x00000000062C9000-0x00000000062CB000-memory.dmp

Filesize
8KB

Download
memory/548-145-0x0000000006250000-0x0000000006390000-memory.dmp

Filesize
1.2MB

Download
memory/548-138-0x0000000005510000-0x0000000006067000-memory.dmp

Filesize
11.3MB

Download
memory/548-139-0x0000000005510000-0x0000000006067000-memory.dmp

Filesize
11.3MB

Download
memory/548-141-0x0000000006250000-0x0000000006390000-memory.dmp

Filesize
1.2MB

Download
memory/548-152-0x0000000005510000-0x0000000006067000-memory.dmp

Filesize
11.3MB

Download
memory/548-144-0x0000000006250000-0x0000000006390000-memory.dmp

Filesize
1.2MB

Download
memory/548-143-0x0000000006250000-0x0000000006390000-memory.dmp

Filesize
1.2MB

Download
memory/2056-137-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2056-136-0x00000000024A0000-0x00000000025D2000-memory.dmp

Filesize
1.2MB

Download
memory/2056-135-0x0000000002307000-0x00000000023F3000-memory.dmp

Filesize
944KB

Download
memory/2856-166-0x00000000047C0000-0x0000000005317000-memory.dmp

Filesize
11.3MB

Download
memory/2856-167-0x00000000047C0000-0x0000000005317000-memory.dmp

Filesize
11.3MB

Download
memory/2856-168-0x00000000047C0000-0x0000000005317000-memory.dmp

Filesize
11.3MB

Download
memory/4844-164-0x0000000003DC0000-0x0000000004917000-memory.dmp

Filesize
11.3MB

Download
memory/4844-156-0x0000000003DC0000-0x0000000004917000-memory.dmp

Filesize
11.3MB

Download
memory/4844-171-0x0000000003DC0000-0x0000000004917000-memory.dmp

Filesize
11.3MB

Download
memory/4972-149-0x0000012592140000-0x0000012592280000-memory.dmp

Filesize
1.2MB

Download
memory/4972-148-0x0000012592140000-0x0000012592280000-memory.dmp

Filesize
1.2MB

Download
memory/4972-150-0x00000000002D0000-0x000000000057E000-memory.dmp

Filesize
2.7MB

Download
memory/4972-151-0x00000125906E0000-0x000001259099F000-memory.dmp

Filesize
2.7MB

Download