dc42d929e9402f39102abeb6393c320db50d887401e5f24bdaa2d6a78c8c1d95

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2023, 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc42d929e9402f39102abeb6393c320db50d887401e5f24bdaa2d6a78c8c1d95.exe
Size

3.4MB
MD5

1c88d1d6898565210e98d0029ea599cd
SHA1

993ca10e82c0207b33f0d90fd7c62a0cb662be02
SHA256

dc42d929e9402f39102abeb6393c320db50d887401e5f24bdaa2d6a78c8c1d95
SHA512

8fe6ce390f98dfc6eb29dd8c51c6ff6cdf5097d7d6474437d7090dfb80a29f4c577c227305b2c186a53a38cbf2831a4cf5292427b0d6aab1900cb7b4f372aeed
SSDEEP

98304:BP982AzK03PdWf/i6UNPQBA96qRSv9UeZWgGA:BPXA+036i6UNP2A965bU

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
21	5000	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
5000	rundll32.exe
5000	rundll32.exe

Suspicious use of SetThreadContext 19 IoCs

description	pid	Process	procid_target
PID 5000 set thread context of 1420	5000	rundll32.exe	93
PID 5000 set thread context of 4632	5000	rundll32.exe	95
PID 5000 set thread context of 224	5000	rundll32.exe	96
PID 5000 set thread context of 4368	5000	rundll32.exe	97
PID 5000 set thread context of 2704	5000	rundll32.exe	98
PID 5000 set thread context of 3472	5000	rundll32.exe	99
PID 5000 set thread context of 4964	5000	rundll32.exe	100
PID 5000 set thread context of 1256	5000	rundll32.exe	101
PID 5000 set thread context of 832	5000	rundll32.exe	102
PID 5000 set thread context of 4220	5000	rundll32.exe	103
PID 5000 set thread context of 4616	5000	rundll32.exe	104
PID 5000 set thread context of 3532	5000	rundll32.exe	105
PID 5000 set thread context of 5040	5000	rundll32.exe	106
PID 5000 set thread context of 1508	5000	rundll32.exe	107
PID 5000 set thread context of 4836	5000	rundll32.exe	108
PID 5000 set thread context of 1636	5000	rundll32.exe	109
PID 5000 set thread context of 1924	5000	rundll32.exe	110
PID 5000 set thread context of 2672	5000	rundll32.exe	111
PID 5000 set thread context of 4076	5000	rundll32.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3472	1548	WerFault.exe	82

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe
5000	rundll32.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
1420	rundll32.exe
4632	rundll32.exe
224	rundll32.exe
4368	rundll32.exe
2704	rundll32.exe
3472	rundll32.exe
4964	rundll32.exe
1256	rundll32.exe
832	rundll32.exe
4220	rundll32.exe
4616	rundll32.exe
3532	rundll32.exe
5040	rundll32.exe
1508	rundll32.exe
4836	rundll32.exe
1636	rundll32.exe
1924	rundll32.exe
2672	rundll32.exe
4076	rundll32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 5000	1548	dc42d929e9402f39102abeb6393c320db50d887401e5f24bdaa2d6a78c8c1d95.exe	87
PID 1548 wrote to memory of 5000	1548	dc42d929e9402f39102abeb6393c320db50d887401e5f24bdaa2d6a78c8c1d95.exe	87
PID 1548 wrote to memory of 5000	1548	dc42d929e9402f39102abeb6393c320db50d887401e5f24bdaa2d6a78c8c1d95.exe	87
PID 5000 wrote to memory of 1420	5000	rundll32.exe	93
PID 5000 wrote to memory of 1420	5000	rundll32.exe	93
PID 5000 wrote to memory of 1420	5000	rundll32.exe	93
PID 5000 wrote to memory of 4632	5000	rundll32.exe	95
PID 5000 wrote to memory of 4632	5000	rundll32.exe	95
PID 5000 wrote to memory of 4632	5000	rundll32.exe	95
PID 5000 wrote to memory of 224	5000	rundll32.exe	96
PID 5000 wrote to memory of 224	5000	rundll32.exe	96
PID 5000 wrote to memory of 224	5000	rundll32.exe	96
PID 5000 wrote to memory of 4368	5000	rundll32.exe	97
PID 5000 wrote to memory of 4368	5000	rundll32.exe	97
PID 5000 wrote to memory of 4368	5000	rundll32.exe	97
PID 5000 wrote to memory of 2704	5000	rundll32.exe	98
PID 5000 wrote to memory of 2704	5000	rundll32.exe	98
PID 5000 wrote to memory of 2704	5000	rundll32.exe	98
PID 5000 wrote to memory of 3472	5000	rundll32.exe	99
PID 5000 wrote to memory of 3472	5000	rundll32.exe	99
PID 5000 wrote to memory of 3472	5000	rundll32.exe	99
PID 5000 wrote to memory of 4964	5000	rundll32.exe	100
PID 5000 wrote to memory of 4964	5000	rundll32.exe	100
PID 5000 wrote to memory of 4964	5000	rundll32.exe	100
PID 5000 wrote to memory of 1256	5000	rundll32.exe	101
PID 5000 wrote to memory of 1256	5000	rundll32.exe	101
PID 5000 wrote to memory of 1256	5000	rundll32.exe	101
PID 5000 wrote to memory of 832	5000	rundll32.exe	102
PID 5000 wrote to memory of 832	5000	rundll32.exe	102
PID 5000 wrote to memory of 832	5000	rundll32.exe	102
PID 5000 wrote to memory of 4220	5000	rundll32.exe	103
PID 5000 wrote to memory of 4220	5000	rundll32.exe	103
PID 5000 wrote to memory of 4220	5000	rundll32.exe	103
PID 5000 wrote to memory of 4616	5000	rundll32.exe	104
PID 5000 wrote to memory of 4616	5000	rundll32.exe	104
PID 5000 wrote to memory of 4616	5000	rundll32.exe	104
PID 5000 wrote to memory of 3532	5000	rundll32.exe	105
PID 5000 wrote to memory of 3532	5000	rundll32.exe	105
PID 5000 wrote to memory of 3532	5000	rundll32.exe	105
PID 5000 wrote to memory of 5040	5000	rundll32.exe	106
PID 5000 wrote to memory of 5040	5000	rundll32.exe	106
PID 5000 wrote to memory of 5040	5000	rundll32.exe	106
PID 5000 wrote to memory of 1508	5000	rundll32.exe	107
PID 5000 wrote to memory of 1508	5000	rundll32.exe	107
PID 5000 wrote to memory of 1508	5000	rundll32.exe	107
PID 5000 wrote to memory of 4836	5000	rundll32.exe	108
PID 5000 wrote to memory of 4836	5000	rundll32.exe	108
PID 5000 wrote to memory of 4836	5000	rundll32.exe	108
PID 5000 wrote to memory of 1636	5000	rundll32.exe	109
PID 5000 wrote to memory of 1636	5000	rundll32.exe	109
PID 5000 wrote to memory of 1636	5000	rundll32.exe	109
PID 5000 wrote to memory of 1924	5000	rundll32.exe	110
PID 5000 wrote to memory of 1924	5000	rundll32.exe	110
PID 5000 wrote to memory of 1924	5000	rundll32.exe	110
PID 5000 wrote to memory of 2672	5000	rundll32.exe	111
PID 5000 wrote to memory of 2672	5000	rundll32.exe	111
PID 5000 wrote to memory of 2672	5000	rundll32.exe	111
PID 5000 wrote to memory of 4076	5000	rundll32.exe	112
PID 5000 wrote to memory of 4076	5000	rundll32.exe	112
PID 5000 wrote to memory of 4076	5000	rundll32.exe	112

C:\Users\Admin\AppData\Local\Temp\dc42d929e9402f39102abeb6393c320db50d887401e5f24bdaa2d6a78c8c1d95.exe
"C:\Users\Admin\AppData\Local\Temp\dc42d929e9402f39102abeb6393c320db50d887401e5f24bdaa2d6a78c8c1d95.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qioeifrhiweaeq.dll,start
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1420
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4632
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:224
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4368
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:2704
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:3472
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4964
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1256
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:832
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4220
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4616
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:3532
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:5040
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1508
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4836
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1636
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1924
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:2672
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30856
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:4076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 560
  2⤵
  - Program crash
  PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1548 -ip 1548
1⤵
PID:3464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Qioeifrhiweaeq.dll

Filesize
3.2MB

MD5
857f799c3775fc191ee2b6ee8ee081ee

SHA1
26c2b9efb6b9b12429e4859d794283a297df1a5b

SHA256
5c780e63810431a98b3c05c255f81bab209e12d669ee44f58ea222577af49acb

SHA512
6d2caa68585bf032e14b2080a166f64626ead0926d84f8ef2f06d7046c944cc55916447de15ac06dc8d4c37f5b9f6272a778c28dd1111489de43bb13e3796063

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qioeifrhiweaeq.dll

Filesize
3.2MB

MD5
857f799c3775fc191ee2b6ee8ee081ee

SHA1
26c2b9efb6b9b12429e4859d794283a297df1a5b

SHA256
5c780e63810431a98b3c05c255f81bab209e12d669ee44f58ea222577af49acb

SHA512
6d2caa68585bf032e14b2080a166f64626ead0926d84f8ef2f06d7046c944cc55916447de15ac06dc8d4c37f5b9f6272a778c28dd1111489de43bb13e3796063

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qioeifrhiweaeq.dll

Filesize
3.2MB

MD5
857f799c3775fc191ee2b6ee8ee081ee

SHA1
26c2b9efb6b9b12429e4859d794283a297df1a5b

SHA256
5c780e63810431a98b3c05c255f81bab209e12d669ee44f58ea222577af49acb

SHA512
6d2caa68585bf032e14b2080a166f64626ead0926d84f8ef2f06d7046c944cc55916447de15ac06dc8d4c37f5b9f6272a778c28dd1111489de43bb13e3796063

Download Submit
memory/224-218-0x00007FF95C1C0000-0x00007FF95C1C1000-memory.dmp

Filesize
4KB

Download
memory/224-222-0x0000015CEB5E0000-0x0000015CEB890000-memory.dmp

Filesize
2.7MB

Download
memory/224-226-0x0000015CEB5E0000-0x0000015CEB890000-memory.dmp

Filesize
2.7MB

Download
memory/832-350-0x000002D316A80000-0x000002D316D30000-memory.dmp

Filesize
2.7MB

Download
memory/832-345-0x000002D316A80000-0x000002D316D30000-memory.dmp

Filesize
2.7MB

Download
memory/1256-325-0x000002207D0B0000-0x000002207D360000-memory.dmp

Filesize
2.7MB

Download
memory/1256-329-0x000002207D0B0000-0x000002207D360000-memory.dmp

Filesize
2.7MB

Download
memory/1420-184-0x000001C819030000-0x000001C8192E0000-memory.dmp

Filesize
2.7MB

Download
memory/1420-177-0x00007FF95C1C0000-0x00007FF95C1C1000-memory.dmp

Filesize
4KB

Download
memory/1420-179-0x000001C818EC0000-0x000001C819000000-memory.dmp

Filesize
1.2MB

Download
memory/1420-182-0x000001C819030000-0x000001C8192E0000-memory.dmp

Filesize
2.7MB

Download
memory/1420-181-0x0000000000C00000-0x0000000000E9E000-memory.dmp

Filesize
2.6MB

Download
memory/1420-178-0x000001C818EC0000-0x000001C819000000-memory.dmp

Filesize
1.2MB

Download
memory/1420-180-0x000001C819030000-0x000001C8192E0000-memory.dmp

Filesize
2.7MB

Download
memory/1508-453-0x000001B618950000-0x000001B618C00000-memory.dmp

Filesize
2.7MB

Download
memory/1508-449-0x000001B618950000-0x000001B618C00000-memory.dmp

Filesize
2.7MB

Download
memory/1548-141-0x0000000000400000-0x00000000009E5000-memory.dmp

Filesize
5.9MB

Download
memory/1548-134-0x0000000002AA0000-0x0000000002FB7000-memory.dmp

Filesize
5.1MB

Download
memory/1636-490-0x0000021D29820000-0x0000021D29AD0000-memory.dmp

Filesize
2.7MB

Download
memory/1636-494-0x0000021D29820000-0x0000021D29AD0000-memory.dmp

Filesize
2.7MB

Download
memory/1924-510-0x000001DAB0760000-0x000001DAB0A10000-memory.dmp

Filesize
2.7MB

Download
memory/1924-515-0x000001DAB0760000-0x000001DAB0A10000-memory.dmp

Filesize
2.7MB

Download
memory/2672-531-0x0000020C61230000-0x0000020C614E0000-memory.dmp

Filesize
2.7MB

Download
memory/2672-535-0x0000020C61230000-0x0000020C614E0000-memory.dmp

Filesize
2.7MB

Download
memory/2704-267-0x0000025E9ACB0000-0x0000025E9AF60000-memory.dmp

Filesize
2.7MB

Download
memory/2704-263-0x0000025E9ACB0000-0x0000025E9AF60000-memory.dmp

Filesize
2.7MB

Download
memory/3472-288-0x0000016BFBAC0000-0x0000016BFBD70000-memory.dmp

Filesize
2.7MB

Download
memory/3472-284-0x0000016BFBAC0000-0x0000016BFBD70000-memory.dmp

Filesize
2.7MB

Download
memory/3532-404-0x0000021BCF080000-0x0000021BCF330000-memory.dmp

Filesize
2.7MB

Download
memory/3532-412-0x0000021BCF080000-0x0000021BCF330000-memory.dmp

Filesize
2.7MB

Download
memory/4220-366-0x000001D89B7B0000-0x000001D89BA60000-memory.dmp

Filesize
2.7MB

Download
memory/4220-370-0x000001D89B7B0000-0x000001D89BA60000-memory.dmp

Filesize
2.7MB

Download
memory/4368-247-0x0000018108E50000-0x0000018109100000-memory.dmp

Filesize
2.7MB

Download
memory/4368-242-0x0000018108E50000-0x0000018109100000-memory.dmp

Filesize
2.7MB

Download
memory/4616-391-0x000002778C020000-0x000002778C2D0000-memory.dmp

Filesize
2.7MB

Download
memory/4616-387-0x000002778C020000-0x000002778C2D0000-memory.dmp

Filesize
2.7MB

Download
memory/4632-201-0x000001E4203E0000-0x000001E420690000-memory.dmp

Filesize
2.7MB

Download
memory/4632-204-0x000001E4203E0000-0x000001E420690000-memory.dmp

Filesize
2.7MB

Download
memory/4632-198-0x00007FF95C1C0000-0x00007FF95C1C1000-memory.dmp

Filesize
4KB

Download
memory/4632-199-0x000001E420290000-0x000001E4203D0000-memory.dmp

Filesize
1.2MB

Download
memory/4632-202-0x000001E4203E0000-0x000001E420690000-memory.dmp

Filesize
2.7MB

Download
memory/4632-200-0x000001E420290000-0x000001E4203D0000-memory.dmp

Filesize
1.2MB

Download
memory/4836-473-0x000001FA2D8F0000-0x000001FA2DBA0000-memory.dmp

Filesize
2.7MB

Download
memory/4836-469-0x000001FA2D8F0000-0x000001FA2DBA0000-memory.dmp

Filesize
2.7MB

Download
memory/4964-304-0x000002BADF1B0000-0x000002BADF460000-memory.dmp

Filesize
2.7MB

Download
memory/4964-309-0x000002BADF1B0000-0x000002BADF460000-memory.dmp

Filesize
2.7MB

Download
memory/5000-217-0x00000000034F0000-0x0000000004040000-memory.dmp

Filesize
11.3MB

Download
memory/5000-206-0x0000000002500000-0x0000000002844000-memory.dmp

Filesize
3.3MB

Download
memory/5000-207-0x00000000034F0000-0x0000000004040000-memory.dmp

Filesize
11.3MB

Download
memory/5000-209-0x00000000034F0000-0x0000000004040000-memory.dmp

Filesize
11.3MB

Download
memory/5000-210-0x0000000004150000-0x0000000004290000-memory.dmp

Filesize
1.2MB

Download
memory/5000-211-0x00000000034F0000-0x0000000004040000-memory.dmp

Filesize
11.3MB

Download
memory/5000-213-0x0000000004150000-0x0000000004290000-memory.dmp

Filesize
1.2MB

Download
memory/5000-214-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/5000-215-0x0000000004150000-0x0000000004290000-memory.dmp

Filesize
1.2MB

Download
memory/5000-216-0x0000000004150000-0x0000000004290000-memory.dmp

Filesize
1.2MB

Download
memory/5000-197-0x00000000034F0000-0x0000000004040000-memory.dmp

Filesize
11.3MB

Download
memory/5000-195-0x0000000004150000-0x0000000004290000-memory.dmp

Filesize
1.2MB

Download
memory/5000-194-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/5000-193-0x0000000004150000-0x0000000004290000-memory.dmp

Filesize
1.2MB

Download
memory/5000-191-0x00000000034F0000-0x0000000004040000-memory.dmp

Filesize
11.3MB

Download
memory/5000-190-0x0000000004150000-0x0000000004290000-memory.dmp

Filesize
1.2MB

Download
memory/5000-189-0x00000000034F0000-0x0000000004040000-memory.dmp

Filesize
11.3MB

Download
memory/5000-187-0x00000000034F0000-0x0000000004040000-memory.dmp

Filesize
11.3MB

Download
memory/5000-186-0x0000000002500000-0x0000000002844000-memory.dmp

Filesize
3.3MB

Download
memory/5000-176-0x00000000034F0000-0x0000000004040000-memory.dmp

Filesize
11.3MB

Download
memory/5000-173-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/5000-175-0x0000000004150000-0x0000000004290000-memory.dmp

Filesize
1.2MB

Download
memory/5000-196-0x0000000004150000-0x0000000004290000-memory.dmp

Filesize
1.2MB

Download
memory/5000-174-0x0000000004150000-0x0000000004290000-memory.dmp

Filesize
1.2MB

Download
memory/5000-170-0x00000000034F0000-0x0000000004040000-memory.dmp

Filesize
11.3MB

Download
memory/5000-172-0x0000000004150000-0x0000000004290000-memory.dmp

Filesize
1.2MB

Download
memory/5000-169-0x0000000004150000-0x0000000004290000-memory.dmp

Filesize
1.2MB

Download
memory/5000-168-0x00000000034F0000-0x0000000004040000-memory.dmp

Filesize
11.3MB

Download
memory/5000-166-0x00000000034F0000-0x0000000004040000-memory.dmp

Filesize
11.3MB

Download
memory/5000-165-0x0000000002500000-0x0000000002844000-memory.dmp

Filesize
3.3MB

Download
memory/5000-164-0x0000000004150000-0x0000000004290000-memory.dmp

Filesize
1.2MB

Download
memory/5000-161-0x00000000034F0000-0x0000000004040000-memory.dmp

Filesize
11.3MB

Download
memory/5000-139-0x0000000002500000-0x0000000002844000-memory.dmp

Filesize
3.3MB

Download
memory/5000-140-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/5000-163-0x0000000004150000-0x0000000004290000-memory.dmp

Filesize
1.2MB

Download
memory/5000-162-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/5000-160-0x00000000034F0000-0x0000000004040000-memory.dmp

Filesize
11.3MB

Download
memory/5000-155-0x00000000034F0000-0x0000000004040000-memory.dmp

Filesize
11.3MB

Download
memory/5000-154-0x00000000034F0000-0x0000000004040000-memory.dmp

Filesize
11.3MB

Download
memory/5000-153-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/5000-152-0x00000000034F0000-0x0000000004040000-memory.dmp

Filesize
11.3MB

Download
memory/5000-151-0x0000000002500000-0x0000000002844000-memory.dmp

Filesize
3.3MB

Download
memory/5040-432-0x000002511D520000-0x000002511D7D0000-memory.dmp

Filesize
2.7MB

Download
memory/5040-428-0x000002511D520000-0x000002511D7D0000-memory.dmp

Filesize
2.7MB

Download