e246d3db76ed1bece853623acfe07a76fdc7bcb2d51f9d2110e6e9e5de22759a

Analysis

max time kernel
133s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2022, 20:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0ab75e895c519bf7b419f74fcd1c10704ba4900b7b355bd158d4f05d91899d5c.exe
Size

1.1MB
MD5

141b792875059eeb52d16c29c73ff7c6
SHA1

5cea32e23cf8e965fde8ec18b2b5dc77a9e0fa9b
SHA256

0ab75e895c519bf7b419f74fcd1c10704ba4900b7b355bd158d4f05d91899d5c
SHA512

6cbf0891953e4dde57168e8a475c025ead813773f4215c73528da7443f880d96355cc2d89d26d8ec893bd4e1b305f0985aea42a47d1d8e751cf320b5f428a65f
SSDEEP

24576:o12/s8LTn44mVihYySqkuFEZHIGJ3thWV5U/cpISQbp64ns691iGi:o12kcn49VihrFEl5h0tQbpns6ri

Score

8^/10

discovery persistence

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
14	4260	rundll32.exe
16	4260	rundll32.exe
89	4260	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Pages_R_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\Pages_R_RHP..dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Pages_R_RHP.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
4260	rundll32.exe
3852	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4260 set thread context of 3420	4260	rundll32.exe	92

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\organize.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\comment.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\adobepdf.xdc	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Pages_R_RHP..dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Accessibility.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Home.aapp	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\ccloud_retina.png	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\3difr.x3d	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cloud_icon.png	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\organize.svg	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\review_shared.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\DataMatrix.pmp	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\main-cef.css	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Measure.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\adobepdf.xdc	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\tesselate.x3d	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3060	4656	WerFault.exe	80

Checks processor information in registry 2 TTPs 43 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4260	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3420	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 4260	4656	0ab75e895c519bf7b419f74fcd1c10704ba4900b7b355bd158d4f05d91899d5c.exe	81
PID 4656 wrote to memory of 4260	4656	0ab75e895c519bf7b419f74fcd1c10704ba4900b7b355bd158d4f05d91899d5c.exe	81
PID 4656 wrote to memory of 4260	4656	0ab75e895c519bf7b419f74fcd1c10704ba4900b7b355bd158d4f05d91899d5c.exe	81
PID 4260 wrote to memory of 3420	4260	rundll32.exe	92
PID 4260 wrote to memory of 3420	4260	rundll32.exe	92
PID 4260 wrote to memory of 3420	4260	rundll32.exe	92

C:\Users\Admin\AppData\Local\Temp\0ab75e895c519bf7b419f74fcd1c10704ba4900b7b355bd158d4f05d91899d5c.exe
"C:\Users\Admin\AppData\Local\Temp\0ab75e895c519bf7b419f74fcd1c10704ba4900b7b355bd158d4f05d91899d5c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Dfuqft.tmp",Dsdupihuqo
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 22361
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:3420
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 528
  2⤵
  - Program crash
  PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4656 -ip 4656
1⤵
PID:2556

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:8

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3852
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows sidebar\shared gadgets\pages_r_rhp..dll",o2FCOFpCOXg=
  2⤵
  PID:3976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Pages_R_RHP..dll

Filesize
792KB

MD5
49a2bba6ea963229187f394a7c2c8c5d

SHA1
74763f53ad0091973d9c118c41d98f68fc421877

SHA256
30b6d869343a9a0e62bc76f96ccd4c4216c8cfdce4eba87f1d6aa9f52af87f91

SHA512
064836dbf0009d86ad1e35a81fd278b8dbc30d4f5c143e7281f17b45c8454516af8a08c59637a6233bc01558f627f23814247853d3fd41ee812de739550d92e4

Download Submit
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Pages_R_RHP..dll

Filesize
792KB

MD5
49a2bba6ea963229187f394a7c2c8c5d

SHA1
74763f53ad0091973d9c118c41d98f68fc421877

SHA256
30b6d869343a9a0e62bc76f96ccd4c4216c8cfdce4eba87f1d6aa9f52af87f91

SHA512
064836dbf0009d86ad1e35a81fd278b8dbc30d4f5c143e7281f17b45c8454516af8a08c59637a6233bc01558f627f23814247853d3fd41ee812de739550d92e4

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\Darpeiwtweqqp.tmp

Filesize
3.5MB

MD5
cce021fc3fb7908bc6058c895534ffc2

SHA1
359c72683c863524ae3c8a9b513cecfe5335bd62

SHA256
0e94dfaa44d8591d070794a6b1154362746ce695c6c84d5b939d2e8985cb0776

SHA512
27216bde20d366c5ad9c9d23132f2ea027d766d0021375f5aa67b53d0f5459204eb7437470e0a4482d24f03ab9ac5478145dd69a8da57c3a2e1657cd1221cf71

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\Darpeiwtweqqp.tmp

Filesize
3.5MB

MD5
cce021fc3fb7908bc6058c895534ffc2

SHA1
359c72683c863524ae3c8a9b513cecfe5335bd62

SHA256
0e94dfaa44d8591d070794a6b1154362746ce695c6c84d5b939d2e8985cb0776

SHA512
27216bde20d366c5ad9c9d23132f2ea027d766d0021375f5aa67b53d0f5459204eb7437470e0a4482d24f03ab9ac5478145dd69a8da57c3a2e1657cd1221cf71

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe.xml

Filesize
820B

MD5
09eb72768015735e81d549d7a5087631

SHA1
0dc0de9d9f1f94a73b760e13dbfb033d58b2962c

SHA256
803200facef08eb731bceb63813c1c873628a271ada9661dda6bb4b638ccb5f8

SHA512
240680b7e01215938623781f3431fb5ae8a2630590285a824f7e41e63e8e06f6fa79e641f4ace6d9dcb96f0c3fe3e928f5ac0eb2992158bda8cb83e95c7e916a

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe.xml

Filesize
9KB

MD5
996f11041df0526341cebbbd40a98390

SHA1
37f652515ef8c662840086d743f7f68d327cce52

SHA256
bb39de067132d2ccbb7a3c066743010f070a3c3856f42ccc892da0b40012771e

SHA512
6cafa4b3bd8c56d20859a4f8fb7109e3ca4c690d0746b13f9f2eaa19d88bfca469dc45d71fb91f5658f9cd300f285aafb9e212ebd7c1496aadb6046da4e56c03

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe.xml

Filesize
840B

MD5
2528a361d2ecf923788b3f69833696ec

SHA1
38980657507f08069bc9a05ef8ec17da33410c30

SHA256
7b9699e0d489996eaeb9620d5e5b15cb5f523144a8dbf2a73412329711bd6b7c

SHA512
532f760ba48c2051537edea47506efea1ea8204e51dc61173692da9eab58b5a0bd934b7fa2ce07798e9d468acede6a4926b234dcef3ee0685676505079681202

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml

Filesize
3KB

MD5
2dd9bafcbda61d5d509e48086cd0a986

SHA1
821e66af11451535cdc249ec1493e5bca4d2cad2

SHA256
2da208b3e33831803c1b830244636ca3d6cbc54fdd7e4add03059795c169002e

SHA512
6f79656269570b309a5697b007245dff4983e6c20b9c3857ba1cc088ad4f7aec3b465e5fafc4f97b584cca88f6984ef90bbbdc499c20440f0f15da04ea79d528

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json

Filesize
121B

MD5
656d587b76da4f43efb839ef9a83026e

SHA1
daf648eb7f98cfcec644be29d92c1990c1e56b2c

SHA256
e02fa7cef7c82a24fdcb99658cc8522ba93d7cffb2abffd7f2c633835a968e7d

SHA512
19251a2c09553896a67eac9afee213fd400c436661997de859df6960194a19a728ec0aa1ea11ca1095bd7fde4cc6142ac4973d6d4d600172372f25d6e8031ac7

Download Submit
C:\ProgramData\{5BFBD38D-1E0D-2E81-7E4A-517A4E87BDFF}\wlidsvcconfig.xml

Filesize
12KB

MD5
f9f25c79e2df9c8c8209b5d052a557b0

SHA1
2d4a14e2df96245a599bacb530e396c2900a5b61

SHA256
385214231d70603caaf00c1f2e9f115be35cc603d289dd878069f9933aa591b5

SHA512
7c9d68d4f96cef25f4703fe4db68fda9689308df759ef05666421c74f0e57b4c25fa8d1c6cf9e5a6a0e9a81d230669b8656279076e60ebfd1ba5b56770fa4ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dfuqft.tmp

Filesize
792KB

MD5
9e3ff54c77c7d43bfdf8cff1d31c3c51

SHA1
9681f127f0300093ac15d8a3fc16c289f0b9c045

SHA256
2c683e8b9889636eb8279bdb6cf9181e939021acb2cbbed109b27aab6f47861d

SHA512
d7b6ff58a48ce21250e13ffd1f57f041615e83cfd3fc2627ea0951a32ad8141fbe760765faada136cf3ab31c9165a0ad0f88ef95f35f58735d169046c257fcec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dfuqft.tmp

Filesize
792KB

MD5
9e3ff54c77c7d43bfdf8cff1d31c3c51

SHA1
9681f127f0300093ac15d8a3fc16c289f0b9c045

SHA256
2c683e8b9889636eb8279bdb6cf9181e939021acb2cbbed109b27aab6f47861d

SHA512
d7b6ff58a48ce21250e13ffd1f57f041615e83cfd3fc2627ea0951a32ad8141fbe760765faada136cf3ab31c9165a0ad0f88ef95f35f58735d169046c257fcec

Download Submit
\??\c:\program files (x86)\windows sidebar\shared gadgets\pages_r_rhp..dll

Filesize
792KB

MD5
49a2bba6ea963229187f394a7c2c8c5d

SHA1
74763f53ad0091973d9c118c41d98f68fc421877

SHA256
30b6d869343a9a0e62bc76f96ccd4c4216c8cfdce4eba87f1d6aa9f52af87f91

SHA512
064836dbf0009d86ad1e35a81fd278b8dbc30d4f5c143e7281f17b45c8454516af8a08c59637a6233bc01558f627f23814247853d3fd41ee812de739550d92e4

Download Submit
memory/3420-150-0x0000000000010000-0x00000000002BE000-memory.dmp

Filesize
2.7MB

Download
memory/3420-147-0x00000174BED10000-0x00000174BEE50000-memory.dmp

Filesize
1.2MB

Download
memory/3420-148-0x00000174BED10000-0x00000174BEE50000-memory.dmp

Filesize
1.2MB

Download
memory/3420-151-0x00000174BD290000-0x00000174BD54F000-memory.dmp

Filesize
2.7MB

Download
memory/3852-165-0x00000000037E0000-0x0000000004337000-memory.dmp

Filesize
11.3MB

Download
memory/3852-156-0x00000000037E0000-0x0000000004337000-memory.dmp

Filesize
11.3MB

Download
memory/3852-172-0x00000000037E0000-0x0000000004337000-memory.dmp

Filesize
11.3MB

Download
memory/3976-167-0x00000000046C0000-0x0000000005217000-memory.dmp

Filesize
11.3MB

Download
memory/3976-168-0x00000000046C0000-0x0000000005217000-memory.dmp

Filesize
11.3MB

Download
memory/3976-169-0x00000000046C0000-0x0000000005217000-memory.dmp

Filesize
11.3MB

Download
memory/4260-142-0x00000000055B0000-0x00000000056F0000-memory.dmp

Filesize
1.2MB

Download
memory/4260-152-0x0000000004990000-0x00000000054E7000-memory.dmp

Filesize
11.3MB

Download
memory/4260-149-0x0000000005629000-0x000000000562B000-memory.dmp

Filesize
8KB

Download
memory/4260-145-0x00000000055B0000-0x00000000056F0000-memory.dmp

Filesize
1.2MB

Download
memory/4260-144-0x00000000055B0000-0x00000000056F0000-memory.dmp

Filesize
1.2MB

Download
memory/4260-143-0x00000000055B0000-0x00000000056F0000-memory.dmp

Filesize
1.2MB

Download
memory/4260-141-0x00000000055B0000-0x00000000056F0000-memory.dmp

Filesize
1.2MB

Download
memory/4260-140-0x00000000055B0000-0x00000000056F0000-memory.dmp

Filesize
1.2MB

Download
memory/4260-139-0x0000000004990000-0x00000000054E7000-memory.dmp

Filesize
11.3MB

Download
memory/4260-138-0x0000000004990000-0x00000000054E7000-memory.dmp

Filesize
11.3MB

Download
memory/4656-137-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/4656-136-0x00000000022F0000-0x0000000002422000-memory.dmp

Filesize
1.2MB

Download
memory/4656-133-0x00000000021F6000-0x00000000022E2000-memory.dmp

Filesize
944KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads