Overview
overview
10Static
static
10InstalIŠµr...18.exe
windows10-2004-x64
10TT18.exe
windows10-2004-x64
10TTDesktop18.exe
windows10-2004-x64
10TikTokDesktop18.exe
windows10-2004-x64
10adjthjawdth.exe
windows10-2004-x64
10bxftjhksaef.exe
windows10-2004-x64
10cli.exe
windows10-2004-x64
3dujkgsf.exe
windows10-2004-x64
5fdaerghawd.exe
windows10-2004-x64
7fkydjyhjadg.exe
windows10-2004-x64
10fsyjawdr.exe
windows10-2004-x64
10gjawedrtg.exe
windows10-2004-x64
10hfaewdth.exe
windows10-2004-x64
10jgesfyhjsefa.exe
windows10-2004-x64
10jhnykawfkth.exe
windows10-2004-x64
10kfhtksfesek.exe
windows10-2004-x64
10kohjaekdfth.exe
windows10-2004-x64
7krgawdtyjawd.exe
windows10-2004-x64
10kthkksefd.exe
windows10-2004-x64
10kyhjasehs.exe
windows10-2004-x64
10kyjjrfgjjsedf.exe
windows10-2004-x64
7lfcdgbuksf.exe
windows10-2004-x64
10lkyhjksefa.exe
windows10-2004-x64
10lyjdfjthawd.exe
windows10-2004-x64
10nbothjkd.exe
windows10-2004-x64
10nhbjsekfkjtyhja.exe
windows10-2004-x64
10nothjgdwa.exe
windows10-2004-x64
7nthnaedltg.exe
windows10-2004-x64
10pghsefyjhsef.exe
windows10-2004-x64
10pyjnkasedf.exe
windows10-2004-x64
8Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30-11-2024 21:16
Static task
static1
ratofficevoov1stealer0174ec9d0ab5d3dd4d0bbe7415cfa10ca6653741d35cbb974bc2d1287dcd4381b4a2a8e8c9cedcratquasarmeduzastealcvidaramadey
11 signatures
Behavioral task
behavioral1
Sample
InstalIŠµr-x86/TTDesktop18.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
18 signatures
150 seconds
Behavioral task
behavioral2
Sample
TT18.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
18 signatures
150 seconds
Behavioral task
behavioral3
Sample
TTDesktop18.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
18 signatures
150 seconds
Behavioral task
behavioral4
Sample
TikTokDesktop18.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
18 signatures
150 seconds
Behavioral task
behavioral5
Sample
adjthjawdth.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
5 signatures
150 seconds
Behavioral task
behavioral6
Sample
bxftjhksaef.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral7
Sample
cli.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral8
Sample
dujkgsf.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
Behavioral task
behavioral9
Sample
fdaerghawd.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
Behavioral task
behavioral10
Sample
fkydjyhjadg.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral11
Sample
fsyjawdr.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral12
Sample
gjawedrtg.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral13
Sample
hfaewdth.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
4 signatures
150 seconds
Behavioral task
behavioral14
Sample
jgesfyhjsefa.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
Behavioral task
behavioral15
Sample
jhnykawfkth.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
17 signatures
150 seconds
Behavioral task
behavioral16
Sample
kfhtksfesek.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral17
Sample
kohjaekdfth.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
15 signatures
150 seconds
Behavioral task
behavioral18
Sample
krgawdtyjawd.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
20 signatures
150 seconds
Behavioral task
behavioral19
Sample
kthkksefd.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
13 signatures
150 seconds
Behavioral task
behavioral20
Sample
kyhjasehs.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
17 signatures
150 seconds
Behavioral task
behavioral21
Sample
kyjjrfgjjsedf.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
10 signatures
150 seconds
Behavioral task
behavioral22
Sample
lfcdgbuksf.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
11 signatures
150 seconds
Behavioral task
behavioral23
Sample
lkyhjksefa.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral24
Sample
lyjdfjthawd.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
13 signatures
150 seconds
Behavioral task
behavioral25
Sample
nbothjkd.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
Behavioral task
behavioral26
Sample
nhbjsekfkjtyhja.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
4 signatures
150 seconds
Behavioral task
behavioral27
Sample
nothjgdwa.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral28
Sample
nthnaedltg.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
13 signatures
150 seconds
Behavioral task
behavioral29
Sample
pghsefyjhsef.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
150 seconds
Behavioral task
behavioral30
Sample
pyjnkasedf.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
19 signatures
150 seconds
General
-
Target
dujkgsf.exe
-
Size
135KB
-
MD5
bc48cb98d8f2dacca97a2eb72f4275cb
-
SHA1
cd3dd263fc37c8c7beb1393a654b400f2f531f1c
-
SHA256
c18fb46afa17ad8578d1edd4aa6a89b42f381ca7998a4e5a096643e0f2721c49
-
SHA512
7db6992278ca008e7aafa07eb198b046a125d23ca524f15d5302b137385dd4e40a4a54ce4dabb28710b71fbcfdd2d3315fb36e591edc2b3e1737b11b9ee45a5c
-
SSDEEP
3072:1TGtOioVUSuLwYMdbQro39gSms+rkNgrQ8WZW:peoVU9JMdbQrbvtG
Score
5/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
dujkgsf.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation dujkgsf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 26 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exedujkgsf.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exedujkgsf.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dujkgsf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dujkgsf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Modifies Internet Explorer Phishing Filter 1 TTPs 24 IoCs
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter rundll32.exe -
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exedescription ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Revision = "0" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\DXFeatureLevel = "0" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\VersionLow = "0" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\DeviceId = "0" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\IEDevTools\Options rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\IEDevTools\Options rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Revision = "0" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\AutoComplete rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\AutoComplete rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\VendorId = "0" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\VendorId = "0" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\VersionHigh = "0" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Control Panel rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-DeviceId = "0" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\DXFeatureLevel = "0" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-DeviceId = "0" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\AutoComplete rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\PrefetchPrerender rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Download rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-VersionLow = "0" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\PrefetchPrerender rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-DXFeatureLevel = "0" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-VendorId = "0" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Zoom rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\SubSysId = "0" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\AutoComplete rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-SubSysId = "0" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\PrefetchPrerender rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\DXFeatureLevel = "0" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-VendorId = "0" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\PrefetchPrerender rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\CaretBrowsing rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Download rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Download rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\DeviceId = "0" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\VersionLow = "0" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-VersionHigh = "0" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Download rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\GPU rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\SubSysId = "0" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-VendorId = "0" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\GPU rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Recovery rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-SubSysId = "0" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-DXFeatureLevel = "0" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Zoom rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Download rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\FlipAhead rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Download rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
dujkgsf.exepid Process 1248 dujkgsf.exe 1248 dujkgsf.exe 1248 dujkgsf.exe 1248 dujkgsf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
dujkgsf.exedescription pid Process procid_target PID 2960 wrote to memory of 1156 2960 dujkgsf.exe 83 PID 2960 wrote to memory of 1156 2960 dujkgsf.exe 83 PID 2960 wrote to memory of 1156 2960 dujkgsf.exe 83 PID 2960 wrote to memory of 3712 2960 dujkgsf.exe 89 PID 2960 wrote to memory of 3712 2960 dujkgsf.exe 89 PID 2960 wrote to memory of 3712 2960 dujkgsf.exe 89 PID 2960 wrote to memory of 2948 2960 dujkgsf.exe 92 PID 2960 wrote to memory of 2948 2960 dujkgsf.exe 92 PID 2960 wrote to memory of 2948 2960 dujkgsf.exe 92 PID 2960 wrote to memory of 440 2960 dujkgsf.exe 93 PID 2960 wrote to memory of 440 2960 dujkgsf.exe 93 PID 2960 wrote to memory of 440 2960 dujkgsf.exe 93 PID 2960 wrote to memory of 2200 2960 dujkgsf.exe 95 PID 2960 wrote to memory of 2200 2960 dujkgsf.exe 95 PID 2960 wrote to memory of 2200 2960 dujkgsf.exe 95 PID 2960 wrote to memory of 1240 2960 dujkgsf.exe 97 PID 2960 wrote to memory of 1240 2960 dujkgsf.exe 97 PID 2960 wrote to memory of 1240 2960 dujkgsf.exe 97 PID 2960 wrote to memory of 4112 2960 dujkgsf.exe 98 PID 2960 wrote to memory of 4112 2960 dujkgsf.exe 98 PID 2960 wrote to memory of 4112 2960 dujkgsf.exe 98 PID 2960 wrote to memory of 2396 2960 dujkgsf.exe 99 PID 2960 wrote to memory of 2396 2960 dujkgsf.exe 99 PID 2960 wrote to memory of 2396 2960 dujkgsf.exe 99 PID 2960 wrote to memory of 3728 2960 dujkgsf.exe 100 PID 2960 wrote to memory of 3728 2960 dujkgsf.exe 100 PID 2960 wrote to memory of 3728 2960 dujkgsf.exe 100 PID 2960 wrote to memory of 1592 2960 dujkgsf.exe 101 PID 2960 wrote to memory of 1592 2960 dujkgsf.exe 101 PID 2960 wrote to memory of 1592 2960 dujkgsf.exe 101 PID 2960 wrote to memory of 432 2960 dujkgsf.exe 102 PID 2960 wrote to memory of 432 2960 dujkgsf.exe 102 PID 2960 wrote to memory of 432 2960 dujkgsf.exe 102 PID 2960 wrote to memory of 3604 2960 dujkgsf.exe 103 PID 2960 wrote to memory of 3604 2960 dujkgsf.exe 103 PID 2960 wrote to memory of 3604 2960 dujkgsf.exe 103 PID 2960 wrote to memory of 2300 2960 dujkgsf.exe 104 PID 2960 wrote to memory of 2300 2960 dujkgsf.exe 104 PID 2960 wrote to memory of 2300 2960 dujkgsf.exe 104 PID 2960 wrote to memory of 1920 2960 dujkgsf.exe 105 PID 2960 wrote to memory of 1920 2960 dujkgsf.exe 105 PID 2960 wrote to memory of 1920 2960 dujkgsf.exe 105 PID 2960 wrote to memory of 1912 2960 dujkgsf.exe 106 PID 2960 wrote to memory of 1912 2960 dujkgsf.exe 106 PID 2960 wrote to memory of 1912 2960 dujkgsf.exe 106 PID 2960 wrote to memory of 376 2960 dujkgsf.exe 107 PID 2960 wrote to memory of 376 2960 dujkgsf.exe 107 PID 2960 wrote to memory of 376 2960 dujkgsf.exe 107 PID 2960 wrote to memory of 1628 2960 dujkgsf.exe 108 PID 2960 wrote to memory of 1628 2960 dujkgsf.exe 108 PID 2960 wrote to memory of 1628 2960 dujkgsf.exe 108 PID 2960 wrote to memory of 2444 2960 dujkgsf.exe 109 PID 2960 wrote to memory of 2444 2960 dujkgsf.exe 109 PID 2960 wrote to memory of 2444 2960 dujkgsf.exe 109 PID 2960 wrote to memory of 3192 2960 dujkgsf.exe 110 PID 2960 wrote to memory of 3192 2960 dujkgsf.exe 110 PID 2960 wrote to memory of 3192 2960 dujkgsf.exe 110 PID 2960 wrote to memory of 2088 2960 dujkgsf.exe 111 PID 2960 wrote to memory of 2088 2960 dujkgsf.exe 111 PID 2960 wrote to memory of 2088 2960 dujkgsf.exe 111 PID 2960 wrote to memory of 4244 2960 dujkgsf.exe 112 PID 2960 wrote to memory of 4244 2960 dujkgsf.exe 112 PID 2960 wrote to memory of 4244 2960 dujkgsf.exe 112 PID 2960 wrote to memory of 4556 2960 dujkgsf.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\dujkgsf.exe"C:\Users\Admin\AppData\Local\Temp\dujkgsf.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1248 -
C:\Users\Admin\AppData\Local\Temp\dujkgsf.exe"C:\Users\Admin\AppData\Local\Temp\dujkgsf.exe" /normal.priviledge2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:1156
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:3712
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
PID:2948
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:440
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:2200
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:1240
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:4112
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:2396
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:3728
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:1592
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:432
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:3604
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:2300
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:1920
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:1912
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:376
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:1628
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:2444
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:3192
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:2088
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:4244
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:4556
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:3944
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl,,63⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
PID:2224
-
-