Analysis Overview
SHA256
60df94d0fa102fe714906ec53efafa0308a79d6caf9e8688edc8525123a7b1e3
Threat Level: Known bad
The file 38f8f403c494cd304763615d922a67fb was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Dridex payload
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-25 19:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-25 19:44
Reported
2023-12-26 18:29
Platform
win7-20231129-en
Max time kernel
142s
Max time network
117s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dridex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\7oKdN\wusa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\w6tj4DYpk\irftp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\o003sK3rh\wisptis.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\7oKdN\wusa.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\w6tj4DYpk\irftp.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\o003sK3rh\wisptis.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\4TVQXFM5\\irftp.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\w6tj4DYpk\irftp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\o003sK3rh\wisptis.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\7oKdN\wusa.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\7oKdN\wusa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\7oKdN\wusa.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1380 wrote to memory of 2636 | N/A | N/A | C:\Windows\system32\wusa.exe |
| PID 1380 wrote to memory of 2636 | N/A | N/A | C:\Windows\system32\wusa.exe |
| PID 1380 wrote to memory of 2636 | N/A | N/A | C:\Windows\system32\wusa.exe |
| PID 1380 wrote to memory of 1780 | N/A | N/A | C:\Users\Admin\AppData\Local\7oKdN\wusa.exe |
| PID 1380 wrote to memory of 1780 | N/A | N/A | C:\Users\Admin\AppData\Local\7oKdN\wusa.exe |
| PID 1380 wrote to memory of 1780 | N/A | N/A | C:\Users\Admin\AppData\Local\7oKdN\wusa.exe |
| PID 1380 wrote to memory of 2284 | N/A | N/A | C:\Windows\system32\irftp.exe |
| PID 1380 wrote to memory of 2284 | N/A | N/A | C:\Windows\system32\irftp.exe |
| PID 1380 wrote to memory of 2284 | N/A | N/A | C:\Windows\system32\irftp.exe |
| PID 1380 wrote to memory of 1980 | N/A | N/A | C:\Users\Admin\AppData\Local\w6tj4DYpk\irftp.exe |
| PID 1380 wrote to memory of 1980 | N/A | N/A | C:\Users\Admin\AppData\Local\w6tj4DYpk\irftp.exe |
| PID 1380 wrote to memory of 1980 | N/A | N/A | C:\Users\Admin\AppData\Local\w6tj4DYpk\irftp.exe |
| PID 1380 wrote to memory of 2200 | N/A | N/A | C:\Windows\system32\wisptis.exe |
| PID 1380 wrote to memory of 2200 | N/A | N/A | C:\Windows\system32\wisptis.exe |
| PID 1380 wrote to memory of 2200 | N/A | N/A | C:\Windows\system32\wisptis.exe |
| PID 1380 wrote to memory of 960 | N/A | N/A | C:\Users\Admin\AppData\Local\o003sK3rh\wisptis.exe |
| PID 1380 wrote to memory of 960 | N/A | N/A | C:\Users\Admin\AppData\Local\o003sK3rh\wisptis.exe |
| PID 1380 wrote to memory of 960 | N/A | N/A | C:\Users\Admin\AppData\Local\o003sK3rh\wisptis.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\38f8f403c494cd304763615d922a67fb.dll
C:\Users\Admin\AppData\Local\7oKdN\wusa.exe
C:\Users\Admin\AppData\Local\7oKdN\wusa.exe
C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
C:\Users\Admin\AppData\Local\w6tj4DYpk\irftp.exe
C:\Users\Admin\AppData\Local\w6tj4DYpk\irftp.exe
C:\Users\Admin\AppData\Local\o003sK3rh\wisptis.exe
C:\Users\Admin\AppData\Local\o003sK3rh\wisptis.exe
C:\Windows\system32\wisptis.exe
C:\Windows\system32\wisptis.exe
Network
Files
memory/2992-1-0x00000000002A0000-0x00000000002A7000-memory.dmp
memory/2992-0-0x000007FEF73D0000-0x000007FEF74A4000-memory.dmp
memory/1380-3-0x0000000077AE6000-0x0000000077AE7000-memory.dmp
memory/1380-17-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1380-26-0x0000000002E80000-0x0000000002E87000-memory.dmp
memory/1380-29-0x0000000077E80000-0x0000000077E82000-memory.dmp
memory/1380-28-0x0000000077E50000-0x0000000077E52000-memory.dmp
memory/1380-27-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1380-19-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1380-18-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1380-16-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1380-15-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1380-14-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1380-13-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1380-12-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1380-11-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1380-10-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1380-9-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1380-8-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1380-7-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1380-6-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1380-4-0x0000000002EA0000-0x0000000002EA1000-memory.dmp
memory/1380-38-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1380-40-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/2992-41-0x000007FEF73D0000-0x000007FEF74A4000-memory.dmp
\Users\Admin\AppData\Local\7oKdN\WTSAPI32.dll
| MD5 | 6b8215702b2b611702961429f547f1b0 |
| SHA1 | ebac71e0f0a3f6eb64e96589a1637721b5281d73 |
| SHA256 | a5a38bfc8e0cd0c149b6085f58e31bf3ba370940312f32fef389ae4d397d0812 |
| SHA512 | efb28c94c36d42a792f962de89ab20d71dd81f5f2b6e930d1e38f73d019cc85eec37714da02d3b0e8e5f0739e9fd90707c9d3a01ddd9219832ff4785675162f3 |
memory/1780-59-0x000007FEF73D0000-0x000007FEF74A5000-memory.dmp
memory/1780-57-0x0000000000100000-0x0000000000107000-memory.dmp
memory/1780-55-0x000007FEF73D0000-0x000007FEF74A5000-memory.dmp
C:\Users\Admin\AppData\Local\7oKdN\wusa.exe
| MD5 | c15b3d813f4382ade98f1892350f21c7 |
| SHA1 | a45c5abc6751bc8b9041e5e07923fa4fc1b4542b |
| SHA256 | 8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3 |
| SHA512 | 6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c |
memory/1380-65-0x0000000077AE6000-0x0000000077AE7000-memory.dmp
memory/1980-73-0x000007FEF6DF0000-0x000007FEF6ECB000-memory.dmp
memory/1980-77-0x000007FEF6DF0000-0x000007FEF6ECB000-memory.dmp
memory/1980-75-0x0000000000180000-0x0000000000187000-memory.dmp
\Users\Admin\AppData\Local\w6tj4DYpk\MFC42u.dll
| MD5 | 21c04396d9700c641f6b4d10d437d0ac |
| SHA1 | aeb6bed31e5b9cefad233b9f866953cbb533566e |
| SHA256 | 0a30274f4042c5e5179f1bd4f6b34d6da3cc048101a3b21634a9d7184e846492 |
| SHA512 | 3d03767a555885b920887e267d2f8ee60bf8ab9da5d79b6bfae1798425af366dd78ee4ff83b8f9e3e1ec8a16f005a355c8ac0e81c8542ea85ed506da298e4acf |
C:\Users\Admin\AppData\Local\w6tj4DYpk\irftp.exe
| MD5 | 0cae1fb725c56d260bfd6feba7ae9a75 |
| SHA1 | 102ac676a1de3ec3d56401f8efd518c31c8b0b80 |
| SHA256 | 312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d |
| SHA512 | db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec |
C:\Users\Admin\AppData\Local\w6tj4DYpk\irftp.exe
| MD5 | 9e533dfa44971dd83d8b41872ce85aa7 |
| SHA1 | a9a2e75303b64639ea29ed479cd4c9ab08a74614 |
| SHA256 | 1549c27b806996a0bb0ee2dc2ea793d9b080f47c47d5f1e8a6b66548b214a46f |
| SHA512 | 1e19ff23efb06d02bcaf97a5999942365d1399f8d433c9743a4658af51157fae4c4d0abcfd4625c34df4f8c98a46e2b1d4f9ab73de8a19e6520a1ffd263b6fd1 |
memory/960-91-0x000007FEF6DF0000-0x000007FEF6EC5000-memory.dmp
memory/960-93-0x0000000000110000-0x0000000000117000-memory.dmp
memory/960-94-0x000007FEF6DF0000-0x000007FEF6EC5000-memory.dmp
\Users\Admin\AppData\Local\o003sK3rh\OLEACC.dll
| MD5 | 4081bb4b625db5ef7d7b382cf3382dc1 |
| SHA1 | 56c5d23dedd55e02e0f40165f01d41e3bf252703 |
| SHA256 | 5eb7adaca9d4c400ecd61afdf1315b4389a788b73b992b6b9b5b191729d2c6a4 |
| SHA512 | a6d32ebaeee27fe5b21f85d89b386392ac91a8cf723b6822a444446cb4028a8be6a2604416648f498c0d166a60918f1c2953b743928fbe66433d596cd9ee372d |
C:\Users\Admin\AppData\Local\o003sK3rh\wisptis.exe
| MD5 | d3bfe2cdc51a5dcb521f13789a5afab6 |
| SHA1 | 658979a43cd87918e7b44b264d559e35638cd38a |
| SHA256 | f42b797ddf5cf69b85a5fc11c7d3a054c39378bfe41f8398370def0ee91907bb |
| SHA512 | 3b4526a60fe24043ccd6645587ed2e80adf85e8585c8ab5112a18a1914fce5e0cdf2cf30ea0b87f24eae08802278b0371eb54d39bda101d93c299d0f94eb6ac9 |
\Users\Admin\AppData\Local\o003sK3rh\wisptis.exe
| MD5 | 7b21b17231a5b82ddfdef670ae0bfdac |
| SHA1 | ca3a23edddb340adba0b0c86108a9a5eb11c5aeb |
| SHA256 | f8c886145f5f254286eae9e829efbe0ce1bfcf27fcc0fcf802d19001a128c13e |
| SHA512 | 0ad7c7ce50cce630ffbeeff44fef4f53d25ba4df0cd8a073b7d68c8f1203617c37a4b4f3307b5bdf16104fb02cb90121af68713ea92f9696732def06ddc3bfce |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HBEqyAV58vO\wisptis.exe
| MD5 | e105c5ff1c41341c6cfc983dfa2d3b85 |
| SHA1 | 395c5490edd03084518326c48d693467384365a2 |
| SHA256 | ddff5dc9314ef3520a7b6249265d3aa38dc7450a19715ab416d6a93d853a6e1f |
| SHA512 | cc6dd71fcc60edc5573e82dc088a96e6442cf742766005e2677dbf9e144bb5ced15920bbd29acb9ad7d74ffa377ed954ce2736a516c0ca0a83b9dee5295f5d87 |
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HBEqyAV58vO\wisptis.exe
| MD5 | 0034faf01b54f76acc34ccb8c467ca45 |
| SHA1 | 09d48ea6405d3da85cda38090d7e73a1d6efab9e |
| SHA256 | 811da14b086003b32b1e58407b6c03d9e527837ee87e45c93b11d30f51ac19d3 |
| SHA512 | 090a432374bc0d765da6aed8c1e5dad42e6875f7d0e577a2e3059bb07550ed3be4d6b0cab304771895e2f346d2f1351d9f647f9e63222b8946c8eb87cbba3282 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk
| MD5 | 18d942ddafc8649cc693b08f60cd624f |
| SHA1 | 57c8c65c1c29af9cb4decc7e49748d07afe5cfe0 |
| SHA256 | 5bc2ab6b99d23447c1c627424f5fd62fb3eac661d08db99cce59860721d232bd |
| SHA512 | 9dedad08c2235bc2aba6e33c687baa0764587377729cb3a34b9f2d136362d4c7b7e57fde8659f054d1479e4730ed420c18bddf2fcc7a9edefc6a5be83a70fd71 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HBEqyAV58vO\OLEACC.dll
| MD5 | e3068892fb3a7dbca335b9d80fef74bc |
| SHA1 | 79c16222b4ee3f3293c2f8458858953008cff8d3 |
| SHA256 | e387fcb89cf3ea1aa3480f6c9c7fd7fd8b5b21b3b92a2c33fad8b69f6fbd7399 |
| SHA512 | 4ff3d136ea31550a93efc379942dd163210c4dab4ddea0eebc9b7d6b4c3a198a505d019525a57dab21ae257e7a68e3954307937bd6646f30cd911e0d9ecfd578 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-25 19:44
Reported
2023-12-26 18:28
Platform
win10v2004-20231215-en
Max time kernel
123s
Max time network
151s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dridex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ym9AL\BitLockerWizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\jPkY0esy4\EaseOfAccessDialog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\s1cW\SysResetErr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ym9AL\BitLockerWizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\jPkY0esy4\EaseOfAccessDialog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\s1cW\SysResetErr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\bKvR\\EASEOF~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\s1cW\SysResetErr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ym9AL\BitLockerWizard.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\jPkY0esy4\EaseOfAccessDialog.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\38f8f403c494cd304763615d922a67fb.dll
C:\Users\Admin\AppData\Local\ym9AL\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\ym9AL\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\jPkY0esy4\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\jPkY0esy4\EaseOfAccessDialog.exe
C:\Windows\system32\SysResetErr.exe
C:\Windows\system32\SysResetErr.exe
C:\Users\Admin\AppData\Local\s1cW\SysResetErr.exe
C:\Users\Admin\AppData\Local\s1cW\SysResetErr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.179.17.96.in-addr.arpa | udp |
| GB | 96.17.179.56:80 | tcp | |
| US | 8.8.8.8:53 | 56.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
memory/5000-2-0x0000000002C40000-0x0000000002C47000-memory.dmp
memory/5000-0-0x00007FFFA6030000-0x00007FFFA6104000-memory.dmp
memory/3528-3-0x0000000002210000-0x0000000002211000-memory.dmp
memory/3528-6-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3528-5-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3528-9-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3528-15-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3528-18-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3528-20-0x00000000021C0000-0x00000000021C7000-memory.dmp
memory/3528-19-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3528-17-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3528-16-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3528-29-0x00007FFFB4AF0000-0x00007FFFB4B00000-memory.dmp
memory/3528-28-0x00007FFFB4B00000-0x00007FFFB4B10000-memory.dmp
memory/3528-27-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3528-38-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3528-14-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3528-13-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3528-12-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3528-11-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3528-10-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3528-8-0x00007FFFB2DDA000-0x00007FFFB2DDB000-memory.dmp
memory/3528-7-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/5000-41-0x00007FFFA6030000-0x00007FFFA6104000-memory.dmp
memory/3324-49-0x0000019417F10000-0x0000019417F17000-memory.dmp
memory/3324-53-0x00007FFF96B90000-0x00007FFF96C65000-memory.dmp
memory/3324-48-0x00007FFF96B90000-0x00007FFF96C65000-memory.dmp
C:\Users\Admin\AppData\Local\ym9AL\BitLockerWizard.exe
| MD5 | 6d30c96f29f64b34bc98e4c81d9b0ee8 |
| SHA1 | 4a3adc355f02b9c69bdbe391bfb01469dee15cf0 |
| SHA256 | 7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74 |
| SHA512 | 25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8 |
memory/4500-65-0x00007FFF96A00000-0x00007FFF96AD5000-memory.dmp
memory/4500-69-0x00007FFF96A00000-0x00007FFF96AD5000-memory.dmp
memory/4500-64-0x000001974B890000-0x000001974B897000-memory.dmp
C:\Users\Admin\AppData\Local\jPkY0esy4\EaseOfAccessDialog.exe
| MD5 | e75ee992c1041341f709a517c8723c87 |
| SHA1 | 471021260055eac0021f0abffa2d0ba77a2f380e |
| SHA256 | 0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc |
| SHA512 | 48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a |
C:\Users\Admin\AppData\Local\s1cW\DUI70.dll
| MD5 | 95879dc04c070ffd34dd6f919dcca9e5 |
| SHA1 | 7c219b2ec7e5b36718b74482a7fb595efd352e8d |
| SHA256 | 8f0f9db9cacf53a7431e15b6cec4a7e1b04768e3c63d51f695d435fec162c91c |
| SHA512 | 6b8535299944f4a58ba3d1dcfb0cb9576190f61a1de82c8ba404dff02c56da86f5d6ad5ce39b6c61af06cb3a65fd2fc41001404bdde30a15d74795cc25bcec1b |
memory/2388-81-0x000002CF065F0000-0x000002CF065F7000-memory.dmp
memory/2388-85-0x00007FFF96C10000-0x00007FFF96D2A000-memory.dmp
memory/2388-80-0x00007FFF96C10000-0x00007FFF96D2A000-memory.dmp
C:\Users\Admin\AppData\Local\s1cW\DUI70.dll
| MD5 | 0e4d6d7d7476c37ce10a2114ac131b7b |
| SHA1 | 7bedd9d9242eca144b2229f108e2b01b40aaceee |
| SHA256 | 974a1c627fbf4444f77d4428d0670c08f0d8941e1267cf096a9d44e5455bc4d9 |
| SHA512 | 9aae1cf586a0dfd135e71b3a23ee8053903b5e78fe0a3875f05c501bf8ed5aaf46c45e99e85cce6a04d15af482ff36ec7f2dee928e6d2b1b72b59b9ee786ecc0 |
C:\Users\Admin\AppData\Local\s1cW\SysResetErr.exe
| MD5 | 090c6f458d61b7ddbdcfa54e761b8b57 |
| SHA1 | c5a93e9d6eca4c3842156cc0262933b334113864 |
| SHA256 | a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd |
| SHA512 | c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iydemppuyghrhln.lnk
| MD5 | 8c53567d7d2badc28cea4c5b7db4a216 |
| SHA1 | 5e6e1eb1eaaee2ede7f7d453a08232e4464fd019 |
| SHA256 | 50f64b8a9035fe61351ced2cf15dd71c78d54a5c0c7a735f846a14cb75f32503 |
| SHA512 | 44e611b77a1501c050abd68f732f2b03565cc2cfbd69746d57e273454c26e371e7bdcb9bb16b1f3e8fed198ddb87c397c32874c49a7f076c5e92d16d6df01afc |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\k4PQ3h5QDMw\FVEWIZ.dll
| MD5 | f3cf3095deda254d0e720a0611b7ccc2 |
| SHA1 | ed7d209366fa5b995431c3805fd9c7968270f297 |
| SHA256 | bfd3c2bbaa7937eebdce8a2f38226c83a4eb3cf6141b166fa03d86df7167b5b5 |
| SHA512 | 2db7d73a151a5d66f0ed835d6290f6a9c8e38f0721172d45b249f55719a59dc1f4ada655c5d5e395edcda09eaf6d296dfab2c0d5c164ea46f89cfc4a3c5f7f88 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\bKvR\OLEACC.dll
| MD5 | d9748e3d357c10790848b4c72a399ee3 |
| SHA1 | dc5102abaaa0ed30a203081b8379d9eaacf43d6c |
| SHA256 | 90ea8ebc4731dce515c81086d129cef665de7677cf2d26722e60afd11f291e2f |
| SHA512 | cd8db322c28746c4310ebe692b11e91842c358e489e0763c5ef6924957bf809dec5322b1fead19aa684c5485803cf5ee8b40f310b85f7f90fc74a066a6b333f5 |
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\oXWulZtz\DUI70.dll
| MD5 | 320b2d02496d8c66fd1e47c6c63adaae |
| SHA1 | 3cf934c9a4087eeb50501a004822b53c74c7b6db |
| SHA256 | dd725ec6e8b7110735ffadbbc8cd499e211c8283c471ca48c615ce02588c77fd |
| SHA512 | 8ffa8072736126c8fbb0ccb340dd193f391ce16c618ccbd1fd6535b6b2a5432245fb81c828da90dfa08db903bb5dd4d6ae26490609a75e774ffeef29f68f3ae5 |