Malware Analysis Report

2024-11-30 21:26

Sample ID 231222-vnrfyadha5
Target fb8ef1d9b849463e08f469bc0ab5ab58
SHA256 19988509d5eafd5dbd7ece29cfbe82adec569eea950c757aca5053e34c0ab652
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

19988509d5eafd5dbd7ece29cfbe82adec569eea950c757aca5053e34c0ab652

Threat Level: Known bad

The file fb8ef1d9b849463e08f469bc0ab5ab58 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 17:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 17:08

Reported

2023-12-24 08:38

Platform

win10v2004-20231215-en

Max time kernel

62s

Max time network

166s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb8ef1d9b849463e08f469bc0ab5ab58.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\IVdzMcn\\wscript.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\kLCxF\EaseOfAccessDialog.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\T5yJOKTt5\wscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ugamhhU\dwm.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3420 wrote to memory of 3444 N/A N/A C:\Windows\system32\EaseOfAccessDialog.exe
PID 3420 wrote to memory of 3444 N/A N/A C:\Windows\system32\EaseOfAccessDialog.exe
PID 3420 wrote to memory of 4336 N/A N/A C:\Users\Admin\AppData\Local\kLCxF\EaseOfAccessDialog.exe
PID 3420 wrote to memory of 4336 N/A N/A C:\Users\Admin\AppData\Local\kLCxF\EaseOfAccessDialog.exe
PID 3420 wrote to memory of 4140 N/A N/A C:\Windows\system32\wscript.exe
PID 3420 wrote to memory of 4140 N/A N/A C:\Windows\system32\wscript.exe
PID 3420 wrote to memory of 4592 N/A N/A C:\Users\Admin\AppData\Local\T5yJOKTt5\wscript.exe
PID 3420 wrote to memory of 4592 N/A N/A C:\Users\Admin\AppData\Local\T5yJOKTt5\wscript.exe
PID 3420 wrote to memory of 644 N/A N/A C:\Windows\system32\dwm.exe
PID 3420 wrote to memory of 644 N/A N/A C:\Windows\system32\dwm.exe
PID 3420 wrote to memory of 3328 N/A N/A C:\Users\Admin\AppData\Local\ugamhhU\dwm.exe
PID 3420 wrote to memory of 3328 N/A N/A C:\Users\Admin\AppData\Local\ugamhhU\dwm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb8ef1d9b849463e08f469bc0ab5ab58.dll,#1

C:\Windows\system32\EaseOfAccessDialog.exe

C:\Windows\system32\EaseOfAccessDialog.exe

C:\Users\Admin\AppData\Local\kLCxF\EaseOfAccessDialog.exe

C:\Users\Admin\AppData\Local\kLCxF\EaseOfAccessDialog.exe

C:\Windows\system32\wscript.exe

C:\Windows\system32\wscript.exe

C:\Users\Admin\AppData\Local\T5yJOKTt5\wscript.exe

C:\Users\Admin\AppData\Local\T5yJOKTt5\wscript.exe

C:\Windows\system32\dwm.exe

C:\Windows\system32\dwm.exe

C:\Users\Admin\AppData\Local\ugamhhU\dwm.exe

C:\Users\Admin\AppData\Local\ugamhhU\dwm.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
GB 88.221.135.211:80 tcp
GB 88.221.135.211:80 tcp
GB 88.221.135.211:80 tcp
GB 88.221.135.211:80 tcp
GB 88.221.135.211:80 tcp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk

MD5 491b00d841270ff775380a96094227f9
SHA1 740de435a8ccb85620e22065afec80889c4f108c
SHA256 06a396676bae7cb0c5b785b80cb2207f0fdc56796a04128110689bd2008a1cc9
SHA512 075bd44f44590e7da3357ac55f3829723164df8746cc57b94deae8515742f1f49198755369fac0ae64c7c33c0021c0df225f269684f45531d5c99d0692cd3bc4

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\3QrB4\OLEACC.dll

MD5 d212d026e6fb7643def7dcd1723b501c
SHA1 1ab54c8c1ad60e4350c6029ce4c738e90e0f67cc
SHA256 3424209deee7a833fc5e504d37ed282a5f287cd600dce1bffaa46b2ed78245b0
SHA512 be3eb83bc0f375c838c96e221a29a7a23dfa39c5b685dabb7cec9407171458c713d9adbce8feb2ff5a3ea99b7e011ec0de63e14031b36558bc3a49bfd94f148d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\IVdzMcn\VERSION.dll

MD5 331e98defeb6cc255eb8f24afe44957b
SHA1 2fc7da85b0bc6194f8eec81a1156be7582710a4c
SHA256 29e5d85b84dd1b7791d5f5892d786491b24a9e780924232e4c9a4e94c08973df
SHA512 6be0e98269fb019c86a9ee7016ad6b1c8a500279255c390188e4374ef81c63e2f083d682c09fe30cc3287478dc2fafd3b6bd0270eb440a0553b89cc3289fc9db

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\7xBJqBz\dxgi.dll

(the four digests below are those of a zero-byte file: the dropped dxgi.dll is empty)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 17:08

Reported

2023-12-24 08:38

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb8ef1d9b849463e08f469bc0ab5ab58.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\RI9p\xpsrchvw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\uOd4YjcIc\dpnsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\PdD\taskmgr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\YaiU07E\\dpnsvr.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\uOd4YjcIc\dpnsvr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\PdD\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\RI9p\xpsrchvw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1236 wrote to memory of 2120 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1236 wrote to memory of 2120 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1236 wrote to memory of 2120 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1236 wrote to memory of 2364 N/A N/A C:\Users\Admin\AppData\Local\RI9p\xpsrchvw.exe
PID 1236 wrote to memory of 2364 N/A N/A C:\Users\Admin\AppData\Local\RI9p\xpsrchvw.exe
PID 1236 wrote to memory of 2364 N/A N/A C:\Users\Admin\AppData\Local\RI9p\xpsrchvw.exe
PID 1236 wrote to memory of 2836 N/A N/A C:\Windows\system32\dpnsvr.exe
PID 1236 wrote to memory of 2836 N/A N/A C:\Windows\system32\dpnsvr.exe
PID 1236 wrote to memory of 2836 N/A N/A C:\Windows\system32\dpnsvr.exe
PID 1236 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\uOd4YjcIc\dpnsvr.exe
PID 1236 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\uOd4YjcIc\dpnsvr.exe
PID 1236 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\uOd4YjcIc\dpnsvr.exe
PID 1236 wrote to memory of 756 N/A N/A C:\Windows\system32\taskmgr.exe
PID 1236 wrote to memory of 756 N/A N/A C:\Windows\system32\taskmgr.exe
PID 1236 wrote to memory of 756 N/A N/A C:\Windows\system32\taskmgr.exe
PID 1236 wrote to memory of 1464 N/A N/A C:\Users\Admin\AppData\Local\PdD\taskmgr.exe
PID 1236 wrote to memory of 1464 N/A N/A C:\Users\Admin\AppData\Local\PdD\taskmgr.exe
PID 1236 wrote to memory of 1464 N/A N/A C:\Users\Admin\AppData\Local\PdD\taskmgr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb8ef1d9b849463e08f469bc0ab5ab58.dll,#1

C:\Windows\system32\xpsrchvw.exe

C:\Windows\system32\xpsrchvw.exe

C:\Users\Admin\AppData\Local\RI9p\xpsrchvw.exe

C:\Users\Admin\AppData\Local\RI9p\xpsrchvw.exe

C:\Windows\system32\dpnsvr.exe

C:\Windows\system32\dpnsvr.exe

C:\Users\Admin\AppData\Local\uOd4YjcIc\dpnsvr.exe

C:\Users\Admin\AppData\Local\uOd4YjcIc\dpnsvr.exe

C:\Windows\system32\taskmgr.exe

C:\Windows\system32\taskmgr.exe

C:\Users\Admin\AppData\Local\PdD\taskmgr.exe

C:\Users\Admin\AppData\Local\PdD\taskmgr.exe

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\EZ8\WINMM.dll

MD5 af9f44e6186cdddae594dd4896277b87
SHA1 32c128d361fe19d5ffee9a6990c2ecc063954566
SHA256 74fd2750982827b5c971d5df206d6dc42def68aa73ee2e6df214315c9ae6cdf8
SHA512 31aca13d469a8d11a00c9050ad00c1f52589c6b333a1142cc96eafe7f3e75b0a3482a029eb190779c3d73fcb50a3ae657e5dd38b32bcdc23f045248c3615e29a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\YaiU07E\WINMM.dll

MD5 88ff0f95811f34dee4dda0c7315fdfa0
SHA1 1b86cb4ec5b49248ad09a939a886c7163466ba49
SHA256 081ebd5fc026239914280e33ee880f6a5b122cf32711af185002b3434b30a9d6
SHA512 a11e6fe2948192407b9888aed87b5797524f52dfdcec56c481aac253125ab45cac9e09182997d2670380aeeab2382bf55b82a531526c7602f0ee63d3121575be

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\HxFEs8xz\Secur32.dll

MD5 6d7802aa9a18e218f23ed1554933d1bc
SHA1 d4f102bf8da38f9952c2a3a1d9247f0e1ac3562f
SHA256 14be8cd5f285affbdc573f7d4cd0e6fcd24f7f08521b3d8e65369cb0182ce004
SHA512 eb175959e24945f221550841cea92509cd4776bd219b4771e8bf66ede06631a6560ff4bdd3bfb54989bb1c9d41c569969bb8cb3d1e478116930acc1d9dddedd7