Analysis Overview
SHA256
b9a2afe692a14758fe22e04ec1d379839fcee981e7c82d4c884af960394ccf9a
Threat Level: Known bad
The file deac37150b94c6871f020007e2d20de8 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-22 15:44
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-22 15:44
Reported
2023-12-24 04:27
Platform
win7-20231215-en
Max time kernel
45s
Max time network
137s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\FQ\\C2EZWT~1\\sigverif.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1264 wrote to memory of 2644 | N/A | N/A | C:\Windows\system32\winlogon.exe |
| PID 1264 wrote to memory of 2644 | N/A | N/A | C:\Windows\system32\winlogon.exe |
| PID 1264 wrote to memory of 2644 | N/A | N/A | C:\Windows\system32\winlogon.exe |
| PID 1264 wrote to memory of 2300 | N/A | N/A | C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe |
| PID 1264 wrote to memory of 2300 | N/A | N/A | C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe |
| PID 1264 wrote to memory of 2300 | N/A | N/A | C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe |
| PID 1264 wrote to memory of 1936 | N/A | N/A | C:\Windows\system32\sigverif.exe |
| PID 1264 wrote to memory of 1936 | N/A | N/A | C:\Windows\system32\sigverif.exe |
| PID 1264 wrote to memory of 1936 | N/A | N/A | C:\Windows\system32\sigverif.exe |
| PID 1264 wrote to memory of 1908 | N/A | N/A | C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe |
| PID 1264 wrote to memory of 1908 | N/A | N/A | C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe |
| PID 1264 wrote to memory of 1908 | N/A | N/A | C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe |
| PID 1264 wrote to memory of 1716 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe |
| PID 1264 wrote to memory of 1716 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe |
| PID 1264 wrote to memory of 1716 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe |
| PID 1264 wrote to memory of 1388 | N/A | N/A | C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe |
| PID 1264 wrote to memory of 1388 | N/A | N/A | C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe |
| PID 1264 wrote to memory of 1388 | N/A | N/A | C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\deac37150b94c6871f020007e2d20de8.dll,#1
C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe
C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe
C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe
C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe
C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe
C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe
Network
Files
C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe
| MD5 | b9717042f141308df5f7f3c7d4d4ed07 |
| SHA1 | 210ec93a0c81d09d8052e63ec66ae357d482a31b |
| SHA256 | 33be45b91bac6e9d43754ee7f5cb0f466ded5490578ea6f1e8c953850f4c70c0 |
| SHA512 | d7bb31274145906049e05bef1722c78a9a50e8150c6cc4eb844568db4267b864e6a120a03af663a20a9c46fb794eba0f27ea237bbb5d91ed14093598c5f863d0 |
C:\Users\Admin\AppData\Local\ueZuSbV\VERSION.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe
| MD5 | e8e95ae5534553fc055051cee99a7f55 |
| SHA1 | 4e0f668849fd546edd083d5981ed685d02a68df4 |
| SHA256 | 9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec |
| SHA512 | 5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6 |
\Users\Admin\AppData\Local\ueZuSbV\VERSION.dll
| MD5 | 175f946cbf9d5d83935954661602a1f8 |
| SHA1 | 8882840b914444fc072da44b8236a22699566f94 |
| SHA256 | 0ab87944f4a2ebb2381f71a06c9d60180c37d2c467620b6a967c3a9e0bcab8bb |
| SHA512 | 6537f656ca41ae9efcda89227f1d24d91f28491758db5947232cb9b3cbf21668d0408f8ccd5c293aa6c872e1a62467927ab88552788bb1301bdd4a63d0b5c281 |
\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe
| MD5 | 6efb6e82714e11b7e67865bf814ece93 |
| SHA1 | 31c2613b26793daee4d97f34aaebc58a31b9253d |
| SHA256 | c948313f4d6969b0a212577b4af8e4ebaeb0d3fea1fb1a9f1f2f45a8b4493f95 |
| SHA512 | acaad443df07b1d7be19b80b93a0cd14d2d9bc8246fe475d4aee040e11eea22e0bd42610eff58bc2d81d2d5ba55ee9b6c2973d4ecde9d4f313f1ca9816528531 |
C:\Users\Admin\AppData\Local\jeKL\UxTheme.dll
| MD5 | 2a946d11466ddc75e1c74a3d569505cf |
| SHA1 | 291def04fe1bb2340483592b4a0c6f0430c77498 |
| SHA256 | d7b372133c284a3ac1eb2db7b7ecc7ad4beefc06d046bba64f0f377951f86156 |
| SHA512 | ad0f8e4c49ab44a1b2db1a2b10df498feb353d7feb197ca91b845e2a3030c5acb7f261a5ed3b6302a930028d03aa1e4328b4616f4769ba8642c9803be6579c8d |
C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe
| MD5 | db7c1b84548aca9d303b28dd2c2e0d17 |
| SHA1 | 0a6559e35d73c1f47e5197ad640478a2ccc62ea3 |
| SHA256 | fa6ecd0fc3541bc48f12a59c5a42a6f4af69f29071c0b1a29a7f698654e0f219 |
| SHA512 | a48a8a929488ebb64781b478dec43028dd988b5713c9e805b6ff861195ed4f12ffb7b41a3c72e9fc1d5516dcbf57690ab8f099fb2a59bb0907cabef59dbd3e55 |
\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\E2\SoundRecorder.exe
| MD5 | 0c9601edb5c26d816a4ade92604aeb30 |
| SHA1 | 505ddffb06f07e8f7ce193e86204f4b6f15a1728 |
| SHA256 | e425496039ac6d193fd71b75f20a3f3475a0af1aeebf1205345b16a23f6f5def |
| SHA512 | baee81ebdd97fb10ea6072b735938550b8f16fbc36712e79e52e08055236798395a3ce7172e820ef83d164c414bc24752b74a9e99ef49512f028fef9260333d1 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-22 15:44
Reported
2023-12-24 04:27
Platform
win10v2004-20231215-en
Max time kernel
98s
Max time network
155s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\BDsfjXfc\wbengine.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\moZL7\sdclt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Ki96x\cmstp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\BDsfjXfc\wbengine.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\moZL7\sdclt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Ki96x\cmstp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Ki96x\cmstp.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\5E3UIA~1\\sdclt.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\BDsfjXfc\wbengine.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\moZL7\sdclt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Ki96x\cmstp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3552 wrote to memory of 3348 | N/A | N/A | C:\Windows\system32\wbengine.exe |
| PID 3552 wrote to memory of 3348 | N/A | N/A | C:\Windows\system32\wbengine.exe |
| PID 3552 wrote to memory of 4492 | N/A | N/A | C:\Users\Admin\AppData\Local\BDsfjXfc\wbengine.exe |
| PID 3552 wrote to memory of 4492 | N/A | N/A | C:\Users\Admin\AppData\Local\BDsfjXfc\wbengine.exe |
| PID 3552 wrote to memory of 3200 | N/A | N/A | C:\Windows\system32\sdclt.exe |
| PID 3552 wrote to memory of 3200 | N/A | N/A | C:\Windows\system32\sdclt.exe |
| PID 3552 wrote to memory of 648 | N/A | N/A | C:\Users\Admin\AppData\Local\moZL7\sdclt.exe |
| PID 3552 wrote to memory of 648 | N/A | N/A | C:\Users\Admin\AppData\Local\moZL7\sdclt.exe |
| PID 3552 wrote to memory of 4708 | N/A | N/A | C:\Windows\system32\cmstp.exe |
| PID 3552 wrote to memory of 4708 | N/A | N/A | C:\Windows\system32\cmstp.exe |
| PID 3552 wrote to memory of 1580 | N/A | N/A | C:\Users\Admin\AppData\Local\Ki96x\cmstp.exe |
| PID 3552 wrote to memory of 1580 | N/A | N/A | C:\Users\Admin\AppData\Local\Ki96x\cmstp.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\deac37150b94c6871f020007e2d20de8.dll,#1
C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
C:\Users\Admin\AppData\Local\BDsfjXfc\wbengine.exe
C:\Users\Admin\AppData\Local\BDsfjXfc\wbengine.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
C:\Users\Admin\AppData\Local\moZL7\sdclt.exe
C:\Users\Admin\AppData\Local\moZL7\sdclt.exe
C:\Users\Admin\AppData\Local\Ki96x\cmstp.exe
C:\Users\Admin\AppData\Local\Ki96x\cmstp.exe
C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk
| MD5 | 410e9dda3899daec560597e1a2089af7 |
| SHA1 | 9458a4e231b1cdcf4074d4657e02e883bf0e4868 |
| SHA256 | 8ef93b655645f595b8b8188d2531f7f4750e3d1912812f1ed6b5e691cc11fb62 |
| SHA512 | 34fce71c8dad4324793ab1fec5227e9a935baa3e332c7b2f688412b926b262fc7fab3f2f639853ae7a456cc8acc992be5783f6789e86829e223b30c7f9b87661 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\dK\SPP.dll
| MD5 | 8fae34af42f84b2579dfe7b8597bac5d |
| SHA1 | ac10b24681744e83f65356dc3c75ab9f4a67d556 |
| SHA256 | c05a1e78ea9ac5ebe178c19af69c6f6142a4b461db19a087febea2d5ca8b6483 |
| SHA512 | 366b84a762ea97788d3e32ae5eae3d04a0d9659e40497fb7fc2d5a6bf94bbd7e0822cc69e624ec42f9d0abfd6e5ba177cb9bea40db0fe5ac89f6495958de2210 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\5E3UiaFIPt\ReAgent.dll
| MD5 | 5f04e842eeb866dfc780944f9aefa0c4 |
| SHA1 | 69b79de26f4179d92e3b276711fa51b95120572f |
| SHA256 | d59f31c5d50df792fe322e23c59a2df5035b2da0a6bab2d74245116287bcf398 |
| SHA512 | a86d2709ff51cc9b074bcd476fa8d97f769e791b4f18d183b8af63272108269de633ef354278949fbcc351539ee491f75bb1133e010be3e17b5de5a4573a128f |
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\1BbZP\VERSION.dll
| MD5 | 72c68d2e4d307a9d661d573eb3602614 |
| SHA1 | 608ebe396145a6b33676266255dd28f3a2961df8 |
| SHA256 | 63d7daae2811fa2c777ec92b9fcaf6254697bbf3d6259bcf1e7fcdb57ca5a768 |
| SHA512 | 24201d951323ac4f75324cbc1b3e5803a0b845f4823b30021e0ea4ac41216a4544a4a90a19ccd46104c5a979a762026cbd56ac5bdd9ed7318a4cd3501c0d5033 |