7a74b5da33fd7f1500766e4d69d1ac5e4ac82ef604dc2af07a48c3d861a8b23a

Analysis

max time kernel
123s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15/01/2023, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a74b5da33fd7f1500766e4d69d1ac5e4ac82ef604dc2af07a48c3d861a8b23a.exe
Size

1.1MB
MD5

e7f26f8b6aa600da29cd092ffccb420f
SHA1

6f8bde7af72f91fbe3345aaf25086fdff755d429
SHA256

7a74b5da33fd7f1500766e4d69d1ac5e4ac82ef604dc2af07a48c3d861a8b23a
SHA512

6e9295e5c87393ec2761851cf6ef39ea9c3e856416b9594d0c50eae21c3992a925f1d94feb5e4b33fd1b86f6b398646395cb087c2a5d01567bc0880d8259b7aa
SSDEEP

24576:soVgTfR7hsRZpzg6F+THVHyxuN5cDJCRuuYyFp+udQp+YyM7P:sJz/2WTHVHyxuSG1YyFp+udQpoM7P

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
8	4916	rundll32.exe
9	4916	rundll32.exe
14	4916	rundll32.exe
22	4916	rundll32.exe
74	4224	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\reviewers\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\reviewers.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\reviewers\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
4916	rundll32.exe
1716	svchost.exe
3816	rundll32.exe
4224	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 8 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\cversions.3.db	rundll32.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	rundll32.exe

Suspicious use of SetThreadContext 13 IoCs

description	pid	Process	procid_target
PID 4916 set thread context of 4168	4916	rundll32.exe	86
PID 4916 set thread context of 680	4916	rundll32.exe	96
PID 4916 set thread context of 3792	4916	rundll32.exe	103
PID 4916 set thread context of 3052	4916	rundll32.exe	106
PID 4916 set thread context of 2516	4916	rundll32.exe	109
PID 4916 set thread context of 4356	4916	rundll32.exe	114
PID 4916 set thread context of 3712	4916	rundll32.exe	119
PID 4916 set thread context of 4252	4916	rundll32.exe	122
PID 4916 set thread context of 4764	4916	rundll32.exe	125
PID 4916 set thread context of 1672	4916	rundll32.exe	130
PID 4916 set thread context of 868	4916	rundll32.exe	133
PID 4916 set thread context of 4768	4916	rundll32.exe	137
PID 4224 set thread context of 4272	4224	rundll32.exe	141

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-144x144-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-high-contrast.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviewers.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\snapshot_blob.bin	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\stop_collection_data.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-win8.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ADelRCP.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\RTC.der	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3284	2276	WerFault.exe	79

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1716	svchost.exe
1716	svchost.exe
1716	svchost.exe
1716	svchost.exe
1716	svchost.exe
1716	svchost.exe
1716	svchost.exe
1716	svchost.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
1716	svchost.exe
1716	svchost.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
1716	svchost.exe
1716	svchost.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
1716	svchost.exe
1716	svchost.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
1716	svchost.exe
1716	svchost.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
1716	svchost.exe
1716	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4916	rundll32.exe
Token: SeDebugPrivilege	1716	svchost.exe
Token: SeDebugPrivilege	4224	rundll32.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
4168	rundll32.exe
4916	rundll32.exe
680	rundll32.exe
4916	rundll32.exe
3792	rundll32.exe
4916	rundll32.exe
3052	rundll32.exe
4916	rundll32.exe
2516	rundll32.exe
4356	rundll32.exe
4916	rundll32.exe
3712	rundll32.exe
4916	rundll32.exe
4252	rundll32.exe
4916	rundll32.exe
4764	rundll32.exe
1672	rundll32.exe
4916	rundll32.exe
868	rundll32.exe
4916	rundll32.exe
4768	rundll32.exe
4272	rundll32.exe
4224	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 4916	2276	7a74b5da33fd7f1500766e4d69d1ac5e4ac82ef604dc2af07a48c3d861a8b23a.exe	80
PID 2276 wrote to memory of 4916	2276	7a74b5da33fd7f1500766e4d69d1ac5e4ac82ef604dc2af07a48c3d861a8b23a.exe	80
PID 2276 wrote to memory of 4916	2276	7a74b5da33fd7f1500766e4d69d1ac5e4ac82ef604dc2af07a48c3d861a8b23a.exe	80
PID 1716 wrote to memory of 3816	1716	svchost.exe	85
PID 1716 wrote to memory of 3816	1716	svchost.exe	85
PID 1716 wrote to memory of 3816	1716	svchost.exe	85
PID 4916 wrote to memory of 4168	4916	rundll32.exe	86
PID 4916 wrote to memory of 4168	4916	rundll32.exe	86
PID 4916 wrote to memory of 4168	4916	rundll32.exe	86
PID 4916 wrote to memory of 3652	4916	rundll32.exe	90
PID 4916 wrote to memory of 3652	4916	rundll32.exe	90
PID 4916 wrote to memory of 3652	4916	rundll32.exe	90
PID 4916 wrote to memory of 4668	4916	rundll32.exe	92
PID 4916 wrote to memory of 4668	4916	rundll32.exe	92
PID 4916 wrote to memory of 4668	4916	rundll32.exe	92
PID 4916 wrote to memory of 680	4916	rundll32.exe	96
PID 4916 wrote to memory of 680	4916	rundll32.exe	96
PID 4916 wrote to memory of 680	4916	rundll32.exe	96
PID 4916 wrote to memory of 608	4916	rundll32.exe	99
PID 4916 wrote to memory of 608	4916	rundll32.exe	99
PID 4916 wrote to memory of 608	4916	rundll32.exe	99
PID 4916 wrote to memory of 4940	4916	rundll32.exe	101
PID 4916 wrote to memory of 4940	4916	rundll32.exe	101
PID 4916 wrote to memory of 4940	4916	rundll32.exe	101
PID 4916 wrote to memory of 3792	4916	rundll32.exe	103
PID 4916 wrote to memory of 3792	4916	rundll32.exe	103
PID 4916 wrote to memory of 3792	4916	rundll32.exe	103
PID 4916 wrote to memory of 1400	4916	rundll32.exe	104
PID 4916 wrote to memory of 1400	4916	rundll32.exe	104
PID 4916 wrote to memory of 1400	4916	rundll32.exe	104
PID 4916 wrote to memory of 3052	4916	rundll32.exe	106
PID 4916 wrote to memory of 3052	4916	rundll32.exe	106
PID 4916 wrote to memory of 3052	4916	rundll32.exe	106
PID 4916 wrote to memory of 3948	4916	rundll32.exe	107
PID 4916 wrote to memory of 3948	4916	rundll32.exe	107
PID 4916 wrote to memory of 3948	4916	rundll32.exe	107
PID 4916 wrote to memory of 2516	4916	rundll32.exe	109
PID 4916 wrote to memory of 2516	4916	rundll32.exe	109
PID 4916 wrote to memory of 2516	4916	rundll32.exe	109
PID 4916 wrote to memory of 1056	4916	rundll32.exe	110
PID 4916 wrote to memory of 1056	4916	rundll32.exe	110
PID 4916 wrote to memory of 1056	4916	rundll32.exe	110
PID 4916 wrote to memory of 1712	4916	rundll32.exe	112
PID 4916 wrote to memory of 1712	4916	rundll32.exe	112
PID 4916 wrote to memory of 1712	4916	rundll32.exe	112
PID 4916 wrote to memory of 4356	4916	rundll32.exe	114
PID 4916 wrote to memory of 4356	4916	rundll32.exe	114
PID 4916 wrote to memory of 4356	4916	rundll32.exe	114
PID 4916 wrote to memory of 3040	4916	rundll32.exe	115
PID 4916 wrote to memory of 3040	4916	rundll32.exe	115
PID 4916 wrote to memory of 3040	4916	rundll32.exe	115
PID 4916 wrote to memory of 116	4916	rundll32.exe	117
PID 4916 wrote to memory of 116	4916	rundll32.exe	117
PID 4916 wrote to memory of 116	4916	rundll32.exe	117
PID 4916 wrote to memory of 3712	4916	rundll32.exe	119
PID 4916 wrote to memory of 3712	4916	rundll32.exe	119
PID 4916 wrote to memory of 3712	4916	rundll32.exe	119
PID 4916 wrote to memory of 1312	4916	rundll32.exe	120
PID 4916 wrote to memory of 1312	4916	rundll32.exe	120
PID 4916 wrote to memory of 1312	4916	rundll32.exe	120
PID 4916 wrote to memory of 4252	4916	rundll32.exe	122
PID 4916 wrote to memory of 4252	4916	rundll32.exe	122
PID 4916 wrote to memory of 4252	4916	rundll32.exe	122
PID 4916 wrote to memory of 4536	4916	rundll32.exe	123

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7a74b5da33fd7f1500766e4d69d1ac5e4ac82ef604dc2af07a48c3d861a8b23a.exe
"C:\Users\Admin\AppData\Local\Temp\7a74b5da33fd7f1500766e4d69d1ac5e4ac82ef604dc2af07a48c3d861a8b23a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4168
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4668
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:680
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:608
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4940
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:3792
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1400
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:3052
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:3948
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:2516
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1712
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4356
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:116
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:3712
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1312
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4252
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4536
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4764
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4700
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1672
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:3948
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:868
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1208
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4768
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 540
  2⤵
  - Program crash
  PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2276 -ip 2276
1⤵
PID:4844

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\reviewers.dll",SgdDbjZVNA==
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:3816
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\reviewers.dll",SgdDbjZVNA==
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - outlook_office_path
  - outlook_win_path
  PID:4224
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18657
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4272
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4296
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\reviewers.dll

Filesize
774KB

MD5
882d38d11769c7e9582f3f6c26a067fd

SHA1
1113b5e1c435750c0946cc601e1e35ed8ec3388e

SHA256
f617ffc2141989a64597e29ee3945b9ec66d200a1021d71cdd43c2f4b1d1a18f

SHA512
79a094c5944c07857a9fe443efa7606fe499fdbef83ce52bcda884c428a0179ce7de02d3118540257a7519e0634e5b9d224b4fb6507073cf329b8f1026cc5cad

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\reviewers.dll

Filesize
774KB

MD5
882d38d11769c7e9582f3f6c26a067fd

SHA1
1113b5e1c435750c0946cc601e1e35ed8ec3388e

SHA256
f617ffc2141989a64597e29ee3945b9ec66d200a1021d71cdd43c2f4b1d1a18f

SHA512
79a094c5944c07857a9fe443efa7606fe499fdbef83ce52bcda884c428a0179ce7de02d3118540257a7519e0634e5b9d224b4fb6507073cf329b8f1026cc5cad

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\reviewers.dll

Filesize
774KB

MD5
882d38d11769c7e9582f3f6c26a067fd

SHA1
1113b5e1c435750c0946cc601e1e35ed8ec3388e

SHA256
f617ffc2141989a64597e29ee3945b9ec66d200a1021d71cdd43c2f4b1d1a18f

SHA512
79a094c5944c07857a9fe443efa7606fe499fdbef83ce52bcda884c428a0179ce7de02d3118540257a7519e0634e5b9d224b4fb6507073cf329b8f1026cc5cad

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.BioEnrollment_10.0.19041.1023_neutral__cw5n1h2txyewy.xml

Filesize
3KB

MD5
3e0786e68ac00141fd51790c561c60ef

SHA1
96f2bdc8310d74e466bd8ef0931baaa2f276de03

SHA256
1545f3cf4b4c17d52c387e560dcb777e1748757c1dbb18788080d9dac64a82a6

SHA512
cdcecba2775b627e9e6fce205166e2f0f9af9550ed838689c586c707c29d6d7e7a5daa03814b0c95f5da3b8b2d2366b77e5011a8cad8fac448feaa96679353f2

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe.xml

Filesize
17KB

MD5
1b8d789d46feb22b7fa9b011ac51f00f

SHA1
742b5b78b5d63450b5b5bde48ae90330f988c57e

SHA256
7c46108992cf848638182bf80bf19965f5052deed8a958804b6bdf828c167dec

SHA512
c524cac4cc8993c4f3c5d458f639314e07736bcd834179d23e929697d1c7d55b3cd1375108c2fc34133a9df3e297c1ea633e2676af9bf8e073774b4534693cf0

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe.xml

Filesize
1KB

MD5
c1e304a57b77d96dbac8ca07849f9b86

SHA1
76a2051cdd63b97419d076ee3e0972c7b11ee10c

SHA256
28bf7f3525db4ecacb36705ff7d30bee209ff200a15178bae8a2f0f27f7058b8

SHA512
86b48ef3207a257799b9d9c0e23859391dd3c5984e30d4fa761bc8853bbcc8b37193ab4bdb95b7dd36906ebdd8ad83f29811d9c76675f93f261d9d0cf7a26662

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftOffice2013Office365Win32.xml

Filesize
10KB

MD5
01c9f9a623fc35be445dde3e94c2dfaa

SHA1
a018155617cf96d2337b151513e05f6531f7aba4

SHA256
b9fad09698d5891e5f3d9e707895540f47cb0f480c21732a41fdb6ef2cc0f84d

SHA512
74303d4e827e974e59d7f4f6fc82f3092ff3d64616c3d17392987b23163761218d9516623349c87d728499011bc9867e7bd121f973f01d2cf70626c1eae8149a

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\SystemIndex.1.Crwl

Filesize
1KB

MD5
268b13adfb0f2362542d890a1db19b58

SHA1
13c3c3c4bbee7bed8de521fd8efce2da34924e43

SHA256
ef5a49b58619ec57e2e60cbc6153757b9a05b68d1af611d3623a20e4e4a27060

SHA512
24f61ea6c2f4033fa2e023784329ab6a4bfbc7bb78c62a2837430e60aabdc728fd5214e2b6f9beb126cdd717fdf5a2cbbf2d15afc90f47187b6acfd4b73d5c19

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp

Filesize
3.5MB

MD5
f8f5246fc7abc0cfa9fc73893551d48c

SHA1
54894e5dbe335fea1bb748a35038f4d02b58db8a

SHA256
f516027e6b87770b63d09fc5bfdc66a75b86e8d8312bb1db3678e3cf75f2ee70

SHA512
c83de0da61f7606e53002a4aa1db520647841becf7edcce383ab68722662a24823d2eee03ca19c50bde915bf03d0978dc8b1cec580697a27dc0edb7cfab4a479

Download Submit
C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp

Filesize
3.5MB

MD5
f8f5246fc7abc0cfa9fc73893551d48c

SHA1
54894e5dbe335fea1bb748a35038f4d02b58db8a

SHA256
f516027e6b87770b63d09fc5bfdc66a75b86e8d8312bb1db3678e3cf75f2ee70

SHA512
c83de0da61f7606e53002a4aa1db520647841becf7edcce383ab68722662a24823d2eee03ca19c50bde915bf03d0978dc8b1cec580697a27dc0edb7cfab4a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp

Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\reviewers.dll

Filesize
774KB

MD5
882d38d11769c7e9582f3f6c26a067fd

SHA1
1113b5e1c435750c0946cc601e1e35ed8ec3388e

SHA256
f617ffc2141989a64597e29ee3945b9ec66d200a1021d71cdd43c2f4b1d1a18f

SHA512
79a094c5944c07857a9fe443efa7606fe499fdbef83ce52bcda884c428a0179ce7de02d3118540257a7519e0634e5b9d224b4fb6507073cf329b8f1026cc5cad

Download Submit
memory/680-181-0x00000218F8A10000-0x00000218F8CC5000-memory.dmp

Filesize
2.7MB

Download
memory/680-179-0x00000218FA490000-0x00000218FA5D0000-memory.dmp

Filesize
1.2MB

Download
memory/680-178-0x00000218FA490000-0x00000218FA5D0000-memory.dmp

Filesize
1.2MB

Download
memory/680-183-0x00000218F8A10000-0x00000218F8CC5000-memory.dmp

Filesize
2.7MB

Download
memory/868-285-0x000002E09D260000-0x000002E09D515000-memory.dmp

Filesize
2.7MB

Download
memory/868-284-0x000002E09D260000-0x000002E09D515000-memory.dmp

Filesize
2.7MB

Download
memory/1672-272-0x0000021417140000-0x0000021417280000-memory.dmp

Filesize
1.2MB

Download
memory/1672-274-0x00000214156E0000-0x0000021415995000-memory.dmp

Filesize
2.7MB

Download
memory/1672-276-0x00000214156E0000-0x0000021415995000-memory.dmp

Filesize
2.7MB

Download
memory/1716-172-0x00000000039B0000-0x0000000004505000-memory.dmp

Filesize
11.3MB

Download
memory/1716-148-0x00000000039B0000-0x0000000004505000-memory.dmp

Filesize
11.3MB

Download
memory/2276-137-0x0000000000400000-0x0000000002C75000-memory.dmp

Filesize
40.5MB

Download
memory/2276-132-0x0000000004A87000-0x0000000004B70000-memory.dmp

Filesize
932KB

Download
memory/2276-138-0x0000000000400000-0x0000000002C75000-memory.dmp

Filesize
40.5MB

Download
memory/2276-133-0x0000000004B80000-0x0000000004CAE000-memory.dmp

Filesize
1.2MB

Download
memory/2516-214-0x0000018A2D120000-0x0000018A2D260000-memory.dmp

Filesize
1.2MB

Download
memory/2516-217-0x0000018A2B6C0000-0x0000018A2B975000-memory.dmp

Filesize
2.7MB

Download
memory/2516-219-0x0000018A2B6C0000-0x0000018A2B975000-memory.dmp

Filesize
2.7MB

Download
memory/2516-213-0x0000018A2D120000-0x0000018A2D260000-memory.dmp

Filesize
1.2MB

Download
memory/3052-206-0x0000023C6C010000-0x0000023C6C2C5000-memory.dmp

Filesize
2.7MB

Download
memory/3052-204-0x0000023C6C010000-0x0000023C6C2C5000-memory.dmp

Filesize
2.7MB

Download
memory/3052-202-0x0000023C6D8E0000-0x0000023C6DA20000-memory.dmp

Filesize
1.2MB

Download
memory/3052-203-0x0000023C6D8E0000-0x0000023C6DA20000-memory.dmp

Filesize
1.2MB

Download
memory/3712-242-0x000002C494350000-0x000002C494605000-memory.dmp

Filesize
2.7MB

Download
memory/3712-240-0x000002C495C20000-0x000002C495D60000-memory.dmp

Filesize
1.2MB

Download
memory/3712-239-0x000002C495C20000-0x000002C495D60000-memory.dmp

Filesize
1.2MB

Download
memory/3712-241-0x000002C494350000-0x000002C494605000-memory.dmp

Filesize
2.7MB

Download
memory/3792-191-0x000001987B4B0000-0x000001987B5F0000-memory.dmp

Filesize
1.2MB

Download
memory/3792-192-0x000001987B4B0000-0x000001987B5F0000-memory.dmp

Filesize
1.2MB

Download
memory/3792-193-0x0000019879BE0000-0x0000019879E95000-memory.dmp

Filesize
2.7MB

Download
memory/3792-194-0x0000019879BE0000-0x0000019879E95000-memory.dmp

Filesize
2.7MB

Download
memory/3816-158-0x0000000004540000-0x0000000005095000-memory.dmp

Filesize
11.3MB

Download
memory/3816-159-0x0000000004540000-0x0000000005095000-memory.dmp

Filesize
11.3MB

Download
memory/3816-157-0x0000000004540000-0x0000000005095000-memory.dmp

Filesize
11.3MB

Download
memory/4168-166-0x000001EC64750000-0x000001EC64890000-memory.dmp

Filesize
1.2MB

Download
memory/4168-165-0x000001EC64750000-0x000001EC64890000-memory.dmp

Filesize
1.2MB

Download
memory/4168-167-0x00000000009A0000-0x0000000000C44000-memory.dmp

Filesize
2.6MB

Download
memory/4168-168-0x000001EC62CF0000-0x000001EC62FA5000-memory.dmp

Filesize
2.7MB

Download
memory/4168-171-0x000001EC62CF0000-0x000001EC62FA5000-memory.dmp

Filesize
2.7MB

Download
memory/4224-313-0x0000000004D40000-0x0000000005895000-memory.dmp

Filesize
11.3MB

Download
memory/4224-300-0x0000000004D40000-0x0000000005895000-memory.dmp

Filesize
11.3MB

Download
memory/4252-255-0x00000160BF730000-0x00000160BF9E5000-memory.dmp

Filesize
2.7MB

Download
memory/4252-250-0x00000160C1190000-0x00000160C12D0000-memory.dmp

Filesize
1.2MB

Download
memory/4252-251-0x00000160C1190000-0x00000160C12D0000-memory.dmp

Filesize
1.2MB

Download
memory/4252-253-0x00000160BF730000-0x00000160BF9E5000-memory.dmp

Filesize
2.7MB

Download
memory/4272-310-0x0000028D64A00000-0x0000028D64CB5000-memory.dmp

Filesize
2.7MB

Download
memory/4356-231-0x0000022018BA0000-0x0000022018E55000-memory.dmp

Filesize
2.7MB

Download
memory/4356-226-0x000002201A600000-0x000002201A740000-memory.dmp

Filesize
1.2MB

Download
memory/4356-227-0x000002201A600000-0x000002201A740000-memory.dmp

Filesize
1.2MB

Download
memory/4356-229-0x0000022018BA0000-0x0000022018E55000-memory.dmp

Filesize
2.7MB

Download
memory/4764-262-0x000001D27C310000-0x000001D27C450000-memory.dmp

Filesize
1.2MB

Download
memory/4764-261-0x000001D27C310000-0x000001D27C450000-memory.dmp

Filesize
1.2MB

Download
memory/4764-263-0x000001D27A8B0000-0x000001D27AB65000-memory.dmp

Filesize
2.7MB

Download
memory/4764-265-0x000001D27A8B0000-0x000001D27AB65000-memory.dmp

Filesize
2.7MB

Download
memory/4768-294-0x0000022DE36B0000-0x0000022DE3965000-memory.dmp

Filesize
2.7MB

Download
memory/4916-174-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-267-0x0000000007390000-0x00000000074D0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-236-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-235-0x0000000007390000-0x00000000074D0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-234-0x0000000007390000-0x00000000074D0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-233-0x000000000744E000-0x0000000007450000-memory.dmp

Filesize
8KB

Download
memory/4916-244-0x000000000744E000-0x0000000007450000-memory.dmp

Filesize
8KB

Download
memory/4916-245-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-246-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-247-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-248-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-228-0x000000000744E000-0x0000000007450000-memory.dmp

Filesize
8KB

Download
memory/4916-224-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-223-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-252-0x000000000744E000-0x0000000007450000-memory.dmp

Filesize
8KB

Download
memory/4916-222-0x000000000744E000-0x0000000007450000-memory.dmp

Filesize
8KB

Download
memory/4916-221-0x0000000007390000-0x00000000074D0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-220-0x0000000007390000-0x00000000074D0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-256-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-257-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-258-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-259-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-215-0x000000000744E000-0x0000000007450000-memory.dmp

Filesize
8KB

Download
memory/4916-211-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-210-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-209-0x0000000007390000-0x00000000074D0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-208-0x0000000007390000-0x00000000074D0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-207-0x0000000005AA8000-0x0000000005AAA000-memory.dmp

Filesize
8KB

Download
memory/4916-237-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-268-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-269-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-270-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-200-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-199-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-198-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-197-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-196-0x0000000005AA0000-0x0000000005AA2000-memory.dmp

Filesize
8KB

Download
memory/4916-188-0x0000000005AA8000-0x0000000005AAA000-memory.dmp

Filesize
8KB

Download
memory/4916-189-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-187-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-186-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-185-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-139-0x0000000004D60000-0x00000000058B5000-memory.dmp

Filesize
11.3MB

Download
memory/4916-180-0x0000000005AA0000-0x0000000005AA2000-memory.dmp

Filesize
8KB

Download
memory/4916-296-0x0000000004D60000-0x00000000058B5000-memory.dmp

Filesize
11.3MB

Download
memory/4916-176-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-175-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-173-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-163-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-162-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-161-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-160-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-143-0x0000000004D60000-0x00000000058B5000-memory.dmp

Filesize
11.3MB

Download
memory/4916-140-0x0000000004D60000-0x00000000058B5000-memory.dmp

Filesize
11.3MB

Download
memory/4916-142-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-141-0x0000000005A60000-0x0000000005BA0000-memory.dmp

Filesize
1.2MB

Download