bbd14e59c75071e5714bb0dbfb5a8a87cbb4ddabf99290f508d6b9e4f760a73a

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 18:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

009baefb032c5bd6a1b12ce847538a61.exe
Size

439KB
MD5

009baefb032c5bd6a1b12ce847538a61
SHA1

188b4afa1958a86d2c87436173cd7ea71eb9f883
SHA256

bbd14e59c75071e5714bb0dbfb5a8a87cbb4ddabf99290f508d6b9e4f760a73a
SHA512

5b61e8c128a32497ea53ab093838e5133d7631f3ab93c37e949b06cb0b9d00245d62ea4e03e9ef21ff684eaf99ca19977b3bd0403a02f54dc980045927eb2d2a
SSDEEP

6144:Ds9TSGacYJ+X2QnHVxGns7+Skgkgf7vaQHukoegDMM7b9vXsAan6JBduvZsKGjE:yTSGaRPYmnhSBLNoegDl9XD8oBd5KSE

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 12 IoCs

flow	pid	Process
6	2572	rundll32.exe
7	2572	rundll32.exe
9	2572	rundll32.exe
14	1940	rundll32.exe
15	1940	rundll32.exe
17	1940	rundll32.exe
18	1940	rundll32.exe
20	1940	rundll32.exe
21	1940	rundll32.exe
24	1940	rundll32.exe
26	1940	rundll32.exe
27	1940	rundll32.exe

Loads dropped DLL 27 IoCs

pid	Process
2108	rundll32.exe
2788	rundll32.exe
2572	rundll32.exe
2716	rundll32.exe
2948	rundll32.exe
2940	rundll32.exe
2832	rundll32.exe
2788	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2716	rundll32.exe
2948	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
2572	rundll32.exe
2112	009baefb032c5bd6a1b12ce847538a61.exe
1608	rundll32.exe
1608	rundll32.exe
1608	rundll32.exe
1608	rundll32.exe
1608	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftData = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Microsoft Help\\MicrosoftData\\Microsoftdata.DLL\",DllRegisterServer"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeyboardBackupVerifier = "rundll32.exe \"C:\\ProgramData\\KeyboardBackupVerifier.dll\",DllRegisterServer"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Update = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Microsoft Help\\MicrosoftUpdate\\Microsoftupdt32.DLL\",DllRegisterServer"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	rundll32.exe
Key created	\Registry\User\S-1-5-21-928733405-3780110381-2966456290-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	rundll32.exe
Key created	\Registry\User\S-1-5-21-928733405-3780110381-2966456290-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	rundll32.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Kddxqaunke	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Kddxqaunke\CLSID	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-20	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Kddxqaunke\CLSID\ = "{3f951ea0-452d-4f77-bce1-1d5ad34b9ef9}"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftData = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Microsoft Help\\MicrosoftData\\Microsoftdata.DLL\",DllRegisterServer"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Kddxqaunke\CLSID	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Kddxqaunke	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Kddxqaunke\CLSID	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftData = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Microsoft Help\\MicrosoftData\\Microsoftdata.DLL\",DllRegisterServer"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Kddxqaunke\CLSID\ = "{3f951ea0-452d-4f77-bce1-1d5ad34b9ef9}"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Kddxqaunke\CLSID\ = "{3f951ea0-452d-4f77-bce1-1d5ad34b9ef9}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Kddxqaunke	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT	rundll32.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Kddxqaunke\CLSID\ = "{3f951ea0-452d-4f77-bce1-1d5ad34b9ef9}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\Software	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler\ = "{23183b90-abee-48ed-bc90-55591d84bb91}"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Kddxqaunke\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Kddxqaunke	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3f951ea0-452d-4f77-bce1-1d5ad34b9ef9}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_Classes\Software\Kddxqaunke\CLSID	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\Software\Kddxqaunke	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\Software\Kddxqaunke\CLSID	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\Software\Kddxqaunke\CLSID\ = "{3f951ea0-452d-4f77-bce1-1d5ad34b9ef9}"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2832	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2108	2112	009baefb032c5bd6a1b12ce847538a61.exe	28
PID 2112 wrote to memory of 2108	2112	009baefb032c5bd6a1b12ce847538a61.exe	28
PID 2112 wrote to memory of 2108	2112	009baefb032c5bd6a1b12ce847538a61.exe	28
PID 2112 wrote to memory of 2108	2112	009baefb032c5bd6a1b12ce847538a61.exe	28
PID 2112 wrote to memory of 2108	2112	009baefb032c5bd6a1b12ce847538a61.exe	28
PID 2112 wrote to memory of 2108	2112	009baefb032c5bd6a1b12ce847538a61.exe	28
PID 2112 wrote to memory of 2108	2112	009baefb032c5bd6a1b12ce847538a61.exe	28
PID 2108 wrote to memory of 2788	2108	rundll32.exe	29
PID 2108 wrote to memory of 2788	2108	rundll32.exe	29
PID 2108 wrote to memory of 2788	2108	rundll32.exe	29
PID 2108 wrote to memory of 2788	2108	rundll32.exe	29
PID 2108 wrote to memory of 2788	2108	rundll32.exe	29
PID 2108 wrote to memory of 2788	2108	rundll32.exe	29
PID 2108 wrote to memory of 2788	2108	rundll32.exe	29
PID 2108 wrote to memory of 2948	2108	rundll32.exe	30
PID 2108 wrote to memory of 2948	2108	rundll32.exe	30
PID 2108 wrote to memory of 2948	2108	rundll32.exe	30
PID 2108 wrote to memory of 2948	2108	rundll32.exe	30
PID 2108 wrote to memory of 2948	2108	rundll32.exe	30
PID 2108 wrote to memory of 2948	2108	rundll32.exe	30
PID 2108 wrote to memory of 2948	2108	rundll32.exe	30
PID 2108 wrote to memory of 2716	2108	rundll32.exe	34
PID 2108 wrote to memory of 2716	2108	rundll32.exe	34
PID 2108 wrote to memory of 2716	2108	rundll32.exe	34
PID 2108 wrote to memory of 2716	2108	rundll32.exe	34
PID 2108 wrote to memory of 2716	2108	rundll32.exe	34
PID 2108 wrote to memory of 2716	2108	rundll32.exe	34
PID 2108 wrote to memory of 2716	2108	rundll32.exe	34
PID 2108 wrote to memory of 2940	2108	rundll32.exe	32
PID 2108 wrote to memory of 2940	2108	rundll32.exe	32
PID 2108 wrote to memory of 2940	2108	rundll32.exe	32
PID 2108 wrote to memory of 2940	2108	rundll32.exe	32
PID 2108 wrote to memory of 2940	2108	rundll32.exe	32
PID 2108 wrote to memory of 2940	2108	rundll32.exe	32
PID 2108 wrote to memory of 2940	2108	rundll32.exe	32
PID 2108 wrote to memory of 2832	2108	rundll32.exe	31
PID 2108 wrote to memory of 2832	2108	rundll32.exe	31
PID 2108 wrote to memory of 2832	2108	rundll32.exe	31
PID 2108 wrote to memory of 2832	2108	rundll32.exe	31
PID 2108 wrote to memory of 2832	2108	rundll32.exe	31
PID 2108 wrote to memory of 2832	2108	rundll32.exe	31
PID 2108 wrote to memory of 2832	2108	rundll32.exe	31
PID 2112 wrote to memory of 2572	2112	009baefb032c5bd6a1b12ce847538a61.exe	33
PID 2112 wrote to memory of 2572	2112	009baefb032c5bd6a1b12ce847538a61.exe	33
PID 2112 wrote to memory of 2572	2112	009baefb032c5bd6a1b12ce847538a61.exe	33
PID 2112 wrote to memory of 2572	2112	009baefb032c5bd6a1b12ce847538a61.exe	33
PID 2112 wrote to memory of 2572	2112	009baefb032c5bd6a1b12ce847538a61.exe	33
PID 2112 wrote to memory of 2572	2112	009baefb032c5bd6a1b12ce847538a61.exe	33
PID 2112 wrote to memory of 2572	2112	009baefb032c5bd6a1b12ce847538a61.exe	33
PID 2788 wrote to memory of 2364	2788	rundll32.exe	35
PID 2788 wrote to memory of 2364	2788	rundll32.exe	35
PID 2788 wrote to memory of 2364	2788	rundll32.exe	35
PID 2788 wrote to memory of 2364	2788	rundll32.exe	35
PID 2788 wrote to memory of 2364	2788	rundll32.exe	35
PID 2788 wrote to memory of 2364	2788	rundll32.exe	35
PID 2788 wrote to memory of 2364	2788	rundll32.exe	35
PID 2716 wrote to memory of 1940	2716	rundll32.exe	36
PID 2716 wrote to memory of 1940	2716	rundll32.exe	36
PID 2716 wrote to memory of 1940	2716	rundll32.exe	36
PID 2716 wrote to memory of 1940	2716	rundll32.exe	36
PID 2716 wrote to memory of 1940	2716	rundll32.exe	36
PID 2716 wrote to memory of 1940	2716	rundll32.exe	36
PID 2716 wrote to memory of 1940	2716	rundll32.exe	36
PID 2716 wrote to memory of 1608	2716	rundll32.exe	38

C:\Users\Admin\AppData\Local\Temp\009baefb032c5bd6a1b12ce847538a61.exe
"C:\Users\Admin\AppData\Local\Temp\009baefb032c5bd6a1b12ce847538a61.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\nsd5939.tmp\xpauph1.tr8,DllUnregisterServer
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\nsd5939.tmp\srq3s03.cje",DllRegisterServer
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\ProgramData\KeyboardBackupVerifier.dll",DllRegisterServer
      4⤵
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      PID:2364
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Microsoft Help\MicrosoftUpdate\Microsoftupdt32",DllUnregisterServer
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    PID:2948
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Microsoft Help\MicrosoftData\Microsoftdata",DllRegisterServer
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2832
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Microsoft Help\MicrosoftData\Microsoftdata",DllUnregisterServer
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies data under HKEY_USERS
    - Modifies registry class
    PID:2940
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Microsoft Help\MicrosoftUpdate\Microsoftupdt32",DllRegisterServer
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 "C:\Users\Admin\AppData\Local\Microsoft Help\MicrosoftUpdate\Microsoftupdt32.DLL",DllRegisterServer 1
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1940
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 "C:\Users\Admin\AppData\Local\Microsoft Help\MicrosoftUpdate\Microsoftupdt32.DLL",DllRegisterServer 2
      4⤵
      Loads dropped DLL
      Modifies Internet Explorer settings
      PID:1608
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\nsd5939.tmp\xpauph1.tr8,DllRegisterServer
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Modifies system certificate store
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed6eec36faeb744547a488abbf83868e

SHA1
88ba1c7b6789c34b89be59e31ef9b96fd5e43626

SHA256
b1cf8725a8075e1ef94986d8645dc9ec6cc9b0f411fdb188e21465d1ffc87aac

SHA512
91ac5873241b2f2f1fd5a1b5e71bf2306b3bb7e5ceda81c58ab6d09959419fe75560d4f6ebb9d77619783e25e4c9c963003614eeb922d0a90fcbcdd7a232339b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7446.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpddudkf.png

Filesize
146B

MD5
3173f4cf3ba50ec037968e12a05b9347

SHA1
9dd1ef2918729f2863710d867fc04f5da0244d8a

SHA256
e60d68fcc225ee272aa8f3838b1b954506729cae9a03e6f387330ad9464d1c56

SHA512
bab788d929ea5f23ff2b940a6a6f70494f3fbebe6fe2e8a6e2ef6b8aea4e439691257efedf9df990278ea0ec03e709e5856972cc8827ebd671a51c77ea10ea1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd5939.tmp\bkx1gtt.03v

Filesize
120KB

MD5
36dc6a55b2d49f87e451e43f5648613c

SHA1
47f3a28a0dc2c8dca0f5dfd173d6c1c530d4ca6c

SHA256
0e28f3e17700fd567c71029aa31fc685a3c1e980ef76bf3201fe339b36401c99

SHA512
8bf46d5e2d73d2880bf41fe82dd78f8e1f3599635205bddc9582b5bfa2fb28f3082526b9cc806f17f0242ff5dd2287bbe11c18416fdb7358fc3752c488e8f05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd5939.tmp\oeqteax.0xj

Filesize
215KB

MD5
75008f70db0f1c6295aa2addaa4bdbbe

SHA1
7392aa572bb1435675c7bbfaf378cd116cbbb5d0

SHA256
e2bb86324453f888ec693edc970ec0d1ddb8dc07aaf38efff2d911ba08ce6a66

SHA512
c6e70fc66a4613372447854a188704df89c1a4cffc902d434adee0c836d73e571b638fba94c2bcd07312278ea4611403ab729e033ea8ef18f95e12177fdcf905

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd5939.tmp\srq3s03.cje

Filesize
97KB

MD5
b5cb822f9ba1fbd9522ec111eec4fb1f

SHA1
11b98be4d128e540c5a8a5316f6bb2ddbcb823db

SHA256
233cc751ec0e62ac516b0152fe089e0cfdcb52bbffaca6c72af000a9d86990f3

SHA512
78604c970ea5b312f16d151e89e477b729336cca6d3077284b9129451042bc63ee125f4745ef5e5858a83419a910164c96c01e8a1cf5004bd34aaffc06815b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd5939.tmp\xpauph1.tr8

Filesize
97KB

MD5
fdc70217a84ba665b8e62c713282d58b

SHA1
7b410b1ef5e15714256b860e89f918e193a846ca

SHA256
bdaa1bc99d1ffd3a990d1cace9286f03fe24c081b8129adaf0f2ce155d03acf0

SHA512
0ba4d770baa66cff13ab6a40c1294233c8fb18198bb1754442686f5e78bfb73926c6fa2cd61eea366cdb724cead910864a0cd94c10542a150ce0e2ca3f01ecf7

Download Submit
\ProgramData\KeyboardBackupVerifier.dll

Filesize
35KB

MD5
e7b1617a0edb2630e792120c3b9ba95b

SHA1
85674b8aa9cbb114f62bfa31afff11dc2ac3fd60

SHA256
3956ff1d8ca674885fad7f69fe998fd12d7972ca2419a1632f161b74e0e02c0f

SHA512
06513e4573e4aca39c3895411b42f60284fe1596c1bbe5c1db3b6f8fe9b91d7543e739f4fa2ea765885cfd8bb80be148c2073d764fde3171653833c5ef329a03

Download Submit
\ProgramData\KeyboardBackupVerifier.dll

Filesize
45KB

MD5
a051afab509792cab78036f3efbb0527

SHA1
fc8a96ad1313788a7fac592c115f58db10c09814

SHA256
b5a2f00f09e6171b6b644af0a48d69d3783845f760fb239c78468534ae9b98a1

SHA512
8cd43827804445d02c7f991b4439742f5d52d78076d8028c3de533c23b07e52db6b23f4d293ce7ca56e92076bad8afbcb1b7c32d246b12cef014bff892306d83

Download Submit
\ProgramData\KeyboardBackupVerifier.dll

Filesize
51KB

MD5
4502d32fe02c891e9d9b6de9bf873361

SHA1
51892602124b25e93b62e48fd77a80e853838ff6

SHA256
6289100117b4b3d369ac1ccb290bbb20b84d3e45bd1216dc2d6dbd39f0fb7303

SHA512
57172ee2e0d20f7a72053e2aa1016456b9afc73990f93a8c1ce1b3b17a99ec89e8fae56aba2efc6a42d5c365ad9ea0ae5f9bd2c2d2e4bdb05d9180fc5454eb77

Download Submit
\ProgramData\KeyboardBackupVerifier.dll

Filesize
35KB

MD5
46c57b126c666877c59c53c7f7bae6a6

SHA1
6ee8dd0fb09edfaf5c735beb09374ede35bf2d3b

SHA256
a647e0d72b72479196122f8857e13855062b2bdbc541e70b335cf1110e4c90f2

SHA512
d73ab50c5667db4386658d7789addcf1c42779377c968070a10663debb5e9414d853965d66308cfe7f8e2722c6f98d77d28b8d749c32902db73a7e0e5cef58fc

Download Submit
\Users\Admin\AppData\Local\Microsoft Help\MicrosoftData\Microsoftdata.dll

Filesize
45KB

MD5
f5bf88ab60585efd01a1b42d05a82e6f

SHA1
f6cd415d88cdaaa3f4de024a88e49bdd245f0a84

SHA256
f37e85e6073c69eedb1834ba533607d6eadc205774b4262f8c9f8104714b64db

SHA512
eb7f757791c711f9553dbce22a6f03ae7401f7bbbd6c32f0a7a7bbf863b171d045ddd771f6156af71ba3baf064ef8098875f9765b5ae45dc96ce01c8a13921af

Download Submit
\Users\Admin\AppData\Local\Microsoft Help\MicrosoftData\Microsoftdata.dll

Filesize
90KB

MD5
89473966c1d0c2d53ecc590eae9a2eb4

SHA1
7223d0ebbe1597ef329bde0fed87759c6783e917

SHA256
996bcb893a5767a87da9996bd625e50451fa0f7c10a0167d94b1f3c1a53b83be

SHA512
8503d82717b12183f1b34955bb0c2488360a3e42a590c3493ffc16c0a2ae4d73b5b5e75d48fc826a3c91b4cf1a73f372f6bd53956a21edff111fad0424c4b59c

Download Submit
\Users\Admin\AppData\Local\Microsoft Help\MicrosoftData\Microsoftdata.dll

Filesize
115KB

MD5
bd5a87ebc0e69bb6a06f89e3ad949f6c

SHA1
29bf5110ad7c531b12129e416b0ab1d69e84f6cd

SHA256
00c29b7891bd6dec28b403aed4295129a015c73bf7c831ce5e267748595efa23

SHA512
687884e596d1c3e4dd584641af70886af88dd2fc099482bb6035d6cd568bef9500b843c22e907ed2993674b643dca930b7b2d0adc55f381654eb295b06f037bc

Download Submit
\Users\Admin\AppData\Local\Microsoft Help\MicrosoftData\Microsoftdata.dll

Filesize
122KB

MD5
0c0848d74e0ec82d6e54619a52272701

SHA1
b8fce2fd08612c611e1afbadf524e6069820d7ff

SHA256
167378eb37011e50511e6bc64c0ff201e7347a785cc79334cdb28ed3adbacbc0

SHA512
19d438135994cbef66da62867bfe2d2311b2dead8bd2b008bdd74440d04d6edeb6e3dfcf5b94d0563ef33d4fb0e0ceb6bb3b7b88f7caa2b06f2f6a1a01631bd5

Download Submit
\Users\Admin\AppData\Local\Microsoft Help\MicrosoftData\Microsoftdata.dll

Filesize
106KB

MD5
f114d7a5e0fa78941b341687abef2c68

SHA1
3e9408055fbf7bb9af49c92229787e043893454d

SHA256
9147ef284babbb9e802fcffa83d3e1bd4f2b5c1781067185a84e6e3bd3f3c886

SHA512
a4892d45fc8564312c9367e819c4c237b100e496c5b5ca5b8d094b5114b9ca1907353a271a57f3746c8ee0b40dac93ea4847e146b2dbfa358ce5c704faeb75a8

Download Submit
\Users\Admin\AppData\Local\Microsoft Help\MicrosoftData\Microsoftdata.dll

Filesize
108KB

MD5
c867e99fe98d289f9de904638cc5709d

SHA1
0ddb18a8b3584960c30260d79a821afd0bab7d9d

SHA256
ed52f98ed63f38ee68c6594ad59b9b48c7b3bfefc1bf24e78315f92464a33b64

SHA512
df1d75991a9742758eee120849d5685697dfadaf87944d180c833c1671c901c6964d98b307bb48e10ac89a838ecfe8d7a38ccc990b508410beead9e43e7afcd8

Download Submit
\Users\Admin\AppData\Local\Microsoft Help\MicrosoftData\Microsoftdata.dll

Filesize
123KB

MD5
21d6faf12e08e5b435b24f8c7c8aeb10

SHA1
93f1aa0486a5a4dbb06653405d2a3bc00b64e046

SHA256
c38c3b4116b5d2886aa4ccb8f0e339bb47b82143d6de9824c28072bdf35fcef1

SHA512
488233d6cd0cd9a6e79906fd06cdb0cd3215e209e132afb7a914e037ccc6d036639b341c231cfc564011dae34927feacb370321b4c489eca6b1787e00458a1e9

Download Submit
\Users\Admin\AppData\Local\Microsoft Help\MicrosoftUpdate\Microsoftupdt32.dll

Filesize
67KB

MD5
218277a477c8c31055b7471be2401e74

SHA1
8015a193ed47ee1e95b0d714db7c60d66129cea3

SHA256
aa38d3c3b89e23bbf30e56b536d4b6144add0270ca521fcd698fb427a477a3e1

SHA512
69c41a9f1a7a420f5d4ab958d755cd5e686cdbf915d68bcf3683e23bd3b97c04fca4b89810817f001474459bffb8cb47a89181fc255cf7e5733efbe1a1a6af72

Download Submit
\Users\Admin\AppData\Local\Microsoft Help\MicrosoftUpdate\Microsoftupdt32.dll

Filesize
82KB

MD5
ad8b1136f7a69a7f2bde2c9908fe8295

SHA1
c2bc98640830c99ae8905205359b83e89a5f0a3f

SHA256
4619c1b1145758b88314bf89cdfa4156cfe543db6befb54dcaeec10a37c8cd4d

SHA512
c33c990de3f3c4f75fe6cafda49c83cec8c733b847e78048e2b8bc9158e1c5a0ac6f41625bc7823941dc4eda06b495ee358de8c6079608b0f0c00d774d7a2694

Download Submit
\Users\Admin\AppData\Local\Microsoft Help\MicrosoftUpdate\Microsoftupdt32.dll

Filesize
92KB

MD5
4b966da0bd22d7fb50d8c796294973de

SHA1
22e0e35811bd58b57ad462d932b36ce98e010c7e

SHA256
63d1e2f944db0fcdb8d0dc8920ae021770821e77a26351170cee9ddbb426a2a8

SHA512
968104acf6492739f5bb1b59f3b36a7cd1f50f6ec68c0ad8d61ae4ce5068aec0ac3e888ca8837fe66434089b4a6e457ed87b3323506f7483f0fbd31f035bd044

Download Submit
memory/1608-131-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/1608-119-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/1608-117-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/1608-120-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/1608-123-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/1608-125-0x0000000002210000-0x00000000022FE000-memory.dmp

Filesize
952KB

Download
memory/1940-64-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/1940-74-0x0000000073CD0000-0x0000000073D00000-memory.dmp

Filesize
192KB

Download
memory/1940-108-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/1940-129-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/1940-66-0x00000000021B0000-0x000000000229E000-memory.dmp

Filesize
952KB

Download
memory/1940-65-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/1940-62-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/1940-70-0x0000000073CD0000-0x0000000073D00000-memory.dmp

Filesize
192KB

Download
memory/1940-68-0x0000000000A50000-0x0000000000A80000-memory.dmp

Filesize
192KB

Download
memory/2108-6-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/2112-96-0x0000000010000000-0x00000000100EE000-memory.dmp

Filesize
952KB

Download
memory/2112-95-0x0000000010000000-0x00000000100EE000-memory.dmp

Filesize
952KB

Download
memory/2364-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2364-42-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2364-106-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2364-107-0x0000000001FA0000-0x000000000208E000-memory.dmp

Filesize
952KB

Download
memory/2572-92-0x0000000002E60000-0x0000000002F4E000-memory.dmp

Filesize
952KB

Download
memory/2572-24-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/2716-111-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2716-26-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2716-103-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2716-55-0x0000000001F10000-0x0000000001FFE000-memory.dmp

Filesize
952KB

Download
memory/2716-112-0x0000000001F10000-0x0000000001FFE000-memory.dmp

Filesize
952KB

Download
memory/2788-34-0x0000000002350000-0x000000000243E000-memory.dmp

Filesize
952KB

Download
memory/2788-35-0x0000000002350000-0x000000000243E000-memory.dmp

Filesize
952KB

Download
memory/2788-21-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2832-31-0x0000000010000000-0x00000000100EE000-memory.dmp

Filesize
952KB

Download
memory/2832-105-0x0000000010000000-0x00000000100EE000-memory.dmp

Filesize
952KB

Download
memory/2940-30-0x0000000010000000-0x00000000100EE000-memory.dmp

Filesize
952KB

Download
memory/2940-52-0x0000000010000000-0x00000000100EE000-memory.dmp

Filesize
952KB

Download
memory/2948-28-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/2948-56-0x0000000002160000-0x000000000224E000-memory.dmp

Filesize
952KB

Download