Analysis Overview
SHA256
9d0e8397fb43fa3f9c5cf6cfff056b1f65f3f6634398d210c008698499967585
Threat Level: Known bad
The file 059559658c6c1cd49d30a8f43d1d45b2 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-29 22:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-29 22:27
Reported
2023-12-30 04:29
Platform
win7-20231215-en
Max time kernel
6s
Max time network
144s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\059559658c6c1cd49d30a8f43d1d45b2.dll,#1
C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
C:\Users\Admin\AppData\Local\CFC\msinfo32.exe
C:\Users\Admin\AppData\Local\CFC\msinfo32.exe
C:\Windows\system32\ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
C:\Users\Admin\AppData\Local\iVNfEiE\ComputerDefaults.exe
C:\Users\Admin\AppData\Local\iVNfEiE\ComputerDefaults.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Users\Admin\AppData\Local\eLVXeLo0\dialer.exe
C:\Users\Admin\AppData\Local\eLVXeLo0\dialer.exe
Network
Files
memory/2080-0-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/2080-1-0x0000000000190000-0x0000000000197000-memory.dmp
memory/1320-4-0x0000000077736000-0x0000000077737000-memory.dmp
memory/1320-7-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-9-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-13-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-23-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-29-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-36-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-40-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-43-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-48-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-49-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-53-0x0000000002710000-0x0000000002717000-memory.dmp
memory/1320-47-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-57-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-59-0x00000000779A0000-0x00000000779A2000-memory.dmp
memory/1320-58-0x0000000077841000-0x0000000077842000-memory.dmp
memory/1320-46-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-45-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-68-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-44-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-42-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-74-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-73-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-41-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-39-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-38-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-37-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-35-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-34-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-33-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-32-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-31-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-30-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-28-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-27-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-26-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-25-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-24-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-22-0x0000000140000000-0x00000001401BE000-memory.dmp
\Users\Admin\AppData\Local\CFC\msinfo32.exe
| MD5 | 2e23ff0050229465a8a0770c00c9c4d0 |
| SHA1 | 763f21ff18596ccb58b150bc313f0768a6add641 |
| SHA256 | e7e7196bc209b9573086b8c81af9e139f285c18d51e00754b44dac8c350f3bcf |
| SHA512 | c5431c764201c00055adf9fd4d828f28da470536d4c60ecefc2f29548d49e0c94e7e660879a5e72f6454640a25c21410a28f8d59e0ee95cc4da7d830f57cb2e0 |
\Users\Admin\AppData\Local\CFC\MFC42u.dll
| MD5 | 2e4e2ccd69ee04addf973c1e9141ca46 |
| SHA1 | e0fd23c8869d8e13915ba4df8b1f46b254d323f9 |
| SHA256 | 8c14518b89587350664e9b59569c0823fcb8ebd02c0c50c60170fb6e3c884c0a |
| SHA512 | dda782f58be9e38d55b2f10572df56edccd87e1934080f2b6fd228009d8dac6cb83a2e1cbf75aabd14bd98c416aebd0c90fe2cda8b602ad603d819fd62aad1cb |
C:\Users\Admin\AppData\Local\CFC\MFC42u.dll
| MD5 | b287e3b2ae308cdb16f1392bf62aa4f3 |
| SHA1 | ea8c91fd57fe523496475e967e5949dda6012798 |
| SHA256 | b2f8d0447d1a6563ba43306469d0cd5ef44ae401a7e2c5989951660626fb60cf |
| SHA512 | 0803ca62c04f88929247781dc06ebb00d2cbf14279af3f3fd939f174e8f5d9f8226edd62ebd5ded2569454ca0c046b679817325e8f57ffb8bd9231b2ed8ac43b |
memory/1648-88-0x00000000000F0000-0x00000000000F7000-memory.dmp
C:\Users\Admin\AppData\Local\CFC\msinfo32.exe
| MD5 | 51a680a738a1c92a223a5321198bc765 |
| SHA1 | d2a6197a644a8767f36282996302017f549c866b |
| SHA256 | e789061d60b0864b573306eb719f9b11025ab4332fed607ff068684c26fae8fc |
| SHA512 | 57666c1553869817950b00a24cac571e9e0801e87721094a9b9e5929d2d45bd179e1b87b01ce60790fe58c93c64efd003cf66378ab6d823598b07e1e66132e8b |
memory/1320-21-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-20-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-19-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-18-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-17-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-16-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-15-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-14-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-12-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-11-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-10-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/2080-8-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/1320-5-0x0000000002740000-0x0000000002741000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\Axy7N\msinfo32.exe
| MD5 | 43fb0b3fd2ca6c54b0180319d18969c0 |
| SHA1 | e898d7f4a602eb4ab2dc6b6bbfca709705fd6779 |
| SHA256 | 437905e8fcb6d42ae1edb311c87b3b353102bf6b8d6a60aa5bb244dc40bcffc4 |
| SHA512 | f2098639a4b6fd9d0c36cf8ecdc66b313f68ec1c91734f455734f8d7fc3a35114648dd464460dae92dd336308c1b31b88a4dfd5fdb5712fb395e8267d06927a0 |
memory/1320-96-0x0000000077736000-0x0000000077737000-memory.dmp
C:\Users\Admin\AppData\Local\iVNfEiE\appwiz.cpl
| MD5 | 70401156f286f63920f0b55a2d0fdb6d |
| SHA1 | a77bf0aff534d4f9f3dbb1404715c1795eca4b80 |
| SHA256 | 9a92559c1573dccb4d0da9cc3d25892f7af26339f5d91a7092644db33ca77d61 |
| SHA512 | e557a99151678cf1901f06e30aa4ed5fac6dfdac2bdf3ec1859e75832db9d0df7fdcff7e46aae345896a3e58a743a4a2f1f4bad494c1ef9a420528a688128af5 |
C:\Users\Admin\AppData\Local\iVNfEiE\ComputerDefaults.exe
| MD5 | 86bd981f55341273753ac42ea200a81e |
| SHA1 | 14fe410efc9aeb0a905b984ac27719ff0dd10ea7 |
| SHA256 | 40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3 |
| SHA512 | 49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143 |
\Users\Admin\AppData\Local\iVNfEiE\appwiz.cpl
| MD5 | 943947b449875436934b3c261fa798aa |
| SHA1 | 69b1339194854d5d9d54c9e5e36d06a3e522c64c |
| SHA256 | f69bc763cb6db7a7cd89450a989eb7154b1f48d9ef0018c9482cf3b974ba261d |
| SHA512 | b94395e2d281e5bb3705d733640b033cb1012f4ed1acd7b6ff57cdc9c0993f4996ac3017ce873cb8869e7926633275885cf8dee487fd876169820aee84289feb |
memory/1468-104-0x0000000000080000-0x0000000000087000-memory.dmp
C:\Users\Admin\AppData\Local\iVNfEiE\ComputerDefaults.exe
| MD5 | 4a7b5e7ca3f35ba6045370489ebad43c |
| SHA1 | 7fbb8044a20e2d3a11e1de46e425189ed060acbb |
| SHA256 | cf941568aeece135f4d459636e4e21ba662f7f82a76b63440fa7a1486c060270 |
| SHA512 | 6fd561e71cd2e2546bcd62af32547f87fd011ff48913abd01649692aa7b6d2d5741b1ac05220fef44d1261cabba73701e36524c9c6399242a973d308a838310c |
C:\Users\Admin\AppData\Local\eLVXeLo0\TAPI32.dll
| MD5 | 5d1241b02473f088141207cf0bdb7294 |
| SHA1 | 54e40bff76768410cd154f0401d55a87b759eedb |
| SHA256 | 68ea0184ca49facc9eb9a601ae4a600604f4faed70f124d01ed61c1f26ed64a6 |
| SHA512 | 051e55f68459b93424c00ad33289ab4a325939c3326776cfb995118fb6c158df00f151698e7c6984f9cc41f1ec2067c85d01cd37fd9438c9584fdbef2fa92c47 |
memory/2512-122-0x0000000000170000-0x0000000000177000-memory.dmp
\Users\Admin\AppData\Local\eLVXeLo0\TAPI32.dll
| MD5 | 3d823de3065e2ec2a64d1e925c0817c8 |
| SHA1 | ad5032619123cbe5273b269b154fdd306c37d0cc |
| SHA256 | 7a4d15007142183beac31d4a68b306ec291026e07d547e4aae52fa20e7da814c |
| SHA512 | 747df9445b58bcde4ffb490c0e5c661b934ad25e592af38c15cc2b0cc10aaa5127c56379edb2acde06fda1874c2f7b6f3c0709a0b4c81627ea42a0755f26e918 |
C:\Users\Admin\AppData\Local\eLVXeLo0\dialer.exe
| MD5 | e43ac67f469306670df7d9a8edd098cd |
| SHA1 | a19b9a3f7927872e7cdee45be471fce95d7fca41 |
| SHA256 | 07fe5d249222f0b306bcbd2bc9586170426add97bb47797ac82647bc5341e0ff |
| SHA512 | f8e7044f3cdefce21177a155ef28783f729cd9cae4faa5bb5f8a0725ca424c673c400045f6e20e56b7d211239c03ff08a8db209a6c12cf48aaeb8caf50f047ac |
C:\Users\Admin\AppData\Local\eLVXeLo0\dialer.exe
| MD5 | 5befcad875be6ca438f9e90ffd0c5e5b |
| SHA1 | 29744924dd7efd50349df044d41ed7476c3983fb |
| SHA256 | 93379ea6e97bf491305f03d544f7e24e0e140db5806f1e0030e714e236db211c |
| SHA512 | bead71b2f320b1a1189d131d9de2f5f65e7105eeca6d7b4f405c482b279bc9f412b894e1342a013964aba87cc838d72f317165797214723ec7895804aed9eaa9 |
\Users\Admin\AppData\Local\eLVXeLo0\dialer.exe
| MD5 | 46523e17ee0f6837746924eda7e9bac9 |
| SHA1 | d6b2a9cc6bd3588fa9804ada5197afda6a9e034b |
| SHA256 | 23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382 |
| SHA512 | c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk
| MD5 | 69b754b6e32bf8840a5ce64a7a2d0c4b |
| SHA1 | dceea94c6566c99d6b553d9bddf48831060db031 |
| SHA256 | 195807b6cd6f0f574b2f9af79640103dc456fd4e76af77a6800a4d59214efd5d |
| SHA512 | a49908c48f1ba489e115267f990d1fd8ac205c0708b6a41ed386a9cf1c8007b1e96ba0efa70ae0256dd97dca750274a600a3b76670e773bec0da0dda08282748 |
C:\Users\Admin\AppData\Roaming\Adobe\Axy7N\MFC42u.dll
| MD5 | 81034b9eda4df9b3bebd4f90915c7948 |
| SHA1 | 21fc9dd6fffac544bb2a1d719f3d70c6df803e92 |
| SHA256 | 2ef8456a0c82b692525fb1db24888be3d978b77c17919bee0f1e33f7a557aa88 |
| SHA512 | 6485a514b24fb203d4b9524a42cbc061438049c0eff6dedd07825d908185362caddedd2ce99e2357deaded2ccaf87d75e69e82d5c0d3959d694d07967e41ce98 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\hb4\appwiz.cpl
| MD5 | bbdf4c42ddbfdc4df9efbcc6770363bd |
| SHA1 | 50668a03e70b6bc2245f8b7666715ede7f2b995f |
| SHA256 | 6080f62e5d6b3a079218e19dca75b59bbee764e9ff86e5cd603bdf68c3c094c3 |
| SHA512 | e473d945080c8bccc47cbfe88d537c95a811725db472ca32737d3231e709916e201a18c8a7addb4cf2854bf9f8eb851f4552829f365e1b13b02de072a8f86e70 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\siJY0q\TAPI32.dll
| MD5 | 14e290539bf51b19d7f64b8594a9f84e |
| SHA1 | 33773c34a2a6be28874f7067da8e40fedc2d1dc8 |
| SHA256 | d5ebfa578f8271fbcf5e1ef136c8107f34a825cf86e0847ecd25a0274ec8c4ad |
| SHA512 | 9292ebf9eea4d58f704118f26c8294ed66352a342324fd0a33983eecbd60745b00003361b10367246f8ce503e7be3e63700da5f683146f751f34b3e8902025c8 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-29 22:27
Reported
2023-12-30 04:30
Platform
win10v2004-20231215-en
Max time kernel
42s
Max time network
175s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\B5Beu\sppsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Kd5UzB4\rdpinput.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\iGN5IX1\Netplwiz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\B5Beu\sppsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Kd5UzB4\rdpinput.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\iGN5IX1\Netplwiz.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\srA\\rdpinput.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\iGN5IX1\Netplwiz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\B5Beu\sppsvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Kd5UzB4\rdpinput.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3572 wrote to memory of 2360 | N/A | N/A | C:\Users\Admin\AppData\Local\B5Beu\sppsvc.exe |
| PID 3572 wrote to memory of 2360 | N/A | N/A | C:\Users\Admin\AppData\Local\B5Beu\sppsvc.exe |
| PID 3572 wrote to memory of 1544 | N/A | N/A | C:\Windows\system32\rdpinput.exe |
| PID 3572 wrote to memory of 1544 | N/A | N/A | C:\Windows\system32\rdpinput.exe |
| PID 3572 wrote to memory of 3272 | N/A | N/A | C:\Users\Admin\AppData\Local\Kd5UzB4\rdpinput.exe |
| PID 3572 wrote to memory of 3272 | N/A | N/A | C:\Users\Admin\AppData\Local\Kd5UzB4\rdpinput.exe |
| PID 3572 wrote to memory of 688 | N/A | N/A | C:\Windows\system32\Netplwiz.exe |
| PID 3572 wrote to memory of 688 | N/A | N/A | C:\Windows\system32\Netplwiz.exe |
| PID 3572 wrote to memory of 1008 | N/A | N/A | C:\Users\Admin\AppData\Local\iGN5IX1\Netplwiz.exe |
| PID 3572 wrote to memory of 1008 | N/A | N/A | C:\Users\Admin\AppData\Local\iGN5IX1\Netplwiz.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\059559658c6c1cd49d30a8f43d1d45b2.dll,#1
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\B5Beu\sppsvc.exe
C:\Users\Admin\AppData\Local\B5Beu\sppsvc.exe
C:\Windows\system32\rdpinput.exe
C:\Windows\system32\rdpinput.exe
C:\Users\Admin\AppData\Local\Kd5UzB4\rdpinput.exe
C:\Users\Admin\AppData\Local\Kd5UzB4\rdpinput.exe
C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
C:\Users\Admin\AppData\Local\iGN5IX1\Netplwiz.exe
C:\Users\Admin\AppData\Local\iGN5IX1\Netplwiz.exe
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
| US | 92.123.241.104:80 | tcp | |
| US | 92.123.241.104:80 | tcp |
Files
memory/928-0-0x000002183ED00000-0x000002183ED07000-memory.dmp
memory/928-1-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-5-0x00007FF9B35BA000-0x00007FF9B35BB000-memory.dmp
memory/928-9-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-12-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-15-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-18-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-22-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-25-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-29-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-32-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-36-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-39-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-42-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-46-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-48-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-47-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-50-0x0000000000BD0000-0x0000000000BD7000-memory.dmp
memory/3572-49-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-45-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-57-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-67-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-58-0x00007FF9B5300000-0x00007FF9B5310000-memory.dmp
memory/3572-69-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-44-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-43-0x0000000140000000-0x00000001401BE000-memory.dmp
C:\Users\Admin\AppData\Local\B5Beu\sppsvc.exe
| MD5 | 254e7737e4902d9b9d93171c5aa317c7 |
| SHA1 | 493d0ff75f466fc53177b9d57490652fe83f6807 |
| SHA256 | c64019fb450e23ced6f45d15a4a3cfc400e56b9cf3f7ee4e8bc2b4d57da853de |
| SHA512 | d748da01e76061a617263de1cf0c3afc4e59c4f2b0f9b1a91a0ca8a4f7b5efcc71705405a15e2db78b4070408a48a0f3491e985e40ca5e827ac4b600312ea43e |
memory/3572-40-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-41-0x0000000140000000-0x00000001401BE000-memory.dmp
C:\Users\Admin\AppData\Local\B5Beu\XmlLite.dll
| MD5 | f903724267294c29208c1f69a7511d99 |
| SHA1 | e320893ca3dc92cb8c6f5f74df3e1b5e912f1eb7 |
| SHA256 | a3a40141f2d3a1e23084875b0de8404969a8194194f9d3595dae90b9a4d4b520 |
| SHA512 | 2cdcfe8d9acd773b1a481459094b7f480ea21c82a7ce3dc774150d5a17a9a877a16699ac1f2cdaffb3a3efe59dfbf436011b03f0f557fc14f422e6a9edcec882 |
C:\Users\Admin\AppData\Local\B5Beu\XmlLite.dll
| MD5 | a544261814e633b30180d75cd1a42f05 |
| SHA1 | 8ccd8e04944bd3a8cb8e975ee0ae4fc228b5f574 |
| SHA256 | 425864e57ea092dab46e93f2dd5c6b6f7fac7b1ef67a2a0023fa6dd722e923a9 |
| SHA512 | 7a1975cac4788188fda9ca0f37b47801651fe5f9239afc2081b0fd3613b148687101157f3ca2d35b5269f40e608d4bfaee7b7383d428b589eb3785e8153a7617 |
memory/2360-78-0x0000027C34DF0000-0x0000027C34DF7000-memory.dmp
memory/2360-84-0x0000000140000000-0x00000001401BF000-memory.dmp
C:\Users\Admin\AppData\Local\B5Beu\sppsvc.exe
| MD5 | 82b797c8a2a9378e9672b9bc02f7a967 |
| SHA1 | 2d0f190ef047c73d1eae28184380ac7d060d6310 |
| SHA256 | 2b5a135f1c1562c0767c4c0b9cc70b6212bbc2c100e6f8eb1d52ffbe3d3ffc2c |
| SHA512 | 60d49ee552cdcf8e7aad66de97505beb9c8a7d16d52e116f4490d0beb0f6d804caacc0f6e408c6c3cf44e2207814b50d713e445e17b1469d0551d0a166e92974 |
memory/2360-79-0x0000000140000000-0x00000001401BF000-memory.dmp
memory/3572-38-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-37-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-35-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-34-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-33-0x0000000140000000-0x00000001401BE000-memory.dmp
C:\Users\Admin\AppData\Local\Kd5UzB4\rdpinput.exe
| MD5 | fe0f4766373bd27d04cdb78726476d8a |
| SHA1 | e58c6eb469d837401a82167170a3a539157bd46c |
| SHA256 | b914d7eff271fc0492c5ebc80b3955783f295855f2a679d55bb7160e3e66f349 |
| SHA512 | c027f80bb350e180323af4ae2fa895510f398d76146f710c94f8a7161c313691e1ae4afae28bac31997b55ff2cf7271f7d0cc7934a44d9b53c74f275bd4e5784 |
C:\Users\Admin\AppData\Local\Kd5UzB4\WTSAPI32.dll
| MD5 | 2f8a00456c416525d80c72bfbad08b34 |
| SHA1 | f557ddbe612f4b17494dce8de4180770c340a83b |
| SHA256 | 170dc36981091eac6d54c57207986c7bb8053193a7facae41b557240506ee3b7 |
| SHA512 | 3b243ca667154ce341190f5c769870cbc18c9062424ea1a463fa8bd5efa48a693a9da73396101b534828a823ba3a27a424d2a9767fcba84e4ef37c3fefaa1eaa |
C:\Users\Admin\AppData\Local\Kd5UzB4\WTSAPI32.dll
| MD5 | 2c19fb06ca62fd4099678c02c9fba201 |
| SHA1 | 60af72931ba0d20d9247dc12c04d2a5869e89f84 |
| SHA256 | 1730a94ea0243d03ed46b879e1e7e09e0aa7dcbb39b1a64e4ddba7e0c609263b |
| SHA512 | 6f307eed70b303734794c2e917aa3a501aacd5c3d8aea2ffd26d30c1475ff9f5a5b8930a50d05b1e31ca761b7ac2330589f13fe27cd3d963d6fbe94c168f1abc |
memory/3272-96-0x0000025352F30000-0x0000025352F37000-memory.dmp
C:\Users\Admin\AppData\Local\Kd5UzB4\rdpinput.exe
| MD5 | c374d5f290695b8919b97931b27d96dc |
| SHA1 | d698d1377c00733b6c0850ccd3367ae35b126715 |
| SHA256 | 339a0c5209d75b92551994c83eb7ce8d40275cf7040c296f2eb1f779291bab20 |
| SHA512 | eab018f8de8333193f709bb996c6a09ba447b2c40a3e52fa86a8cd97cdda0ec1d0b597931ca6eeb7f86f382347a5df04a592eaaf08c25cd7b425c6143affab22 |
memory/3572-31-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-30-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-28-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-27-0x0000000140000000-0x00000001401BE000-memory.dmp
C:\Users\Admin\AppData\Local\iGN5IX1\NETPLWIZ.dll
| MD5 | 5fe3a5ce7cbcc5fcdd58122676849cf1 |
| SHA1 | e8c3eb85012b37155be0e4d7e4a9ee531bc4158f |
| SHA256 | 627ab1219913c52521441a16d89547789f1093c226589d170b14b8f1515a5319 |
| SHA512 | a03358bb30f7569a2fe51a5d09344e338e186f26117907185540933567353eb34632689e91f08ded9d62b1ddc44ce922ce31f5b162a4b9c5f0706ee4c5fe8969 |
memory/1008-112-0x000001A6C8D20000-0x000001A6C8D27000-memory.dmp
C:\Users\Admin\AppData\Local\iGN5IX1\NETPLWIZ.dll
| MD5 | 6ede39840bbe9203d6d5d6dce4583943 |
| SHA1 | 8c4cceeaa05be0498fa14e1dfc00801c2085a88f |
| SHA256 | b1e933d61d9498be7375ea6126d5bfd1ea802e42f2f27f0bc526170c62b3bd8d |
| SHA512 | d11633ded412decdf8b27366c01f77980b1242b003876a756ed2d540d7d1ab117baf42b7b043d31c4fb89881915c076a0d86b4bb2b9dc6589547e7956ce6f0c1 |
C:\Users\Admin\AppData\Local\iGN5IX1\Netplwiz.exe
| MD5 | fc15b372d668a4fee150206054e24a66 |
| SHA1 | ef3254aba0705724b0bd972cb90fde5d92389ef0 |
| SHA256 | dda4eec7fc685a73fe97b1aa43912577c3d2708556564ce03070130c1fcac6bf |
| SHA512 | 57d090713435a56c1c85971638d65929c71428be99e7ba12364194c8424c3a1dffbd2d2b31f94f7cf41f148ef4f16425bdc2469d775ae114c174e508aeeedf3d |
C:\Users\Admin\AppData\Local\iGN5IX1\Netplwiz.exe
| MD5 | 977ea11b8f0596f02281d94135e123cb |
| SHA1 | ba6a741f80fd805a3b251b176a7f20f74580c2f8 |
| SHA256 | a268f70301ea1ec2593b160031b06420236d2e889cb33d91ff44087ae2c8668d |
| SHA512 | b8e264ce39e0bcc51bf55b5d57a1d15b1d4ae764d45b1737de15f35af18dcfb39f60197044f24c159d36120120960af2ba73cf9af19168d49f53f85d82d137ef |
memory/3572-26-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-24-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-23-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-21-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-20-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-19-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-17-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-16-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-13-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-14-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-11-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-10-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-8-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-7-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/3572-4-0x00000000027A0000-0x00000000027A1000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk
| MD5 | ab695c69ed6e44f9846aef603479874e |
| SHA1 | beae09d9355f4ab3f334ca7547d29ca2084bbfd5 |
| SHA256 | 476d9dae2e1c5229ef834d4ad1408fca121523ee96f139712bc9d161f7219d16 |
| SHA512 | 964f2abb90f0a21fb3dd5b92b7d6634687c4193faabe3baca083e93d4ac15534c4d5897acc3adec0242b7d1140b73cf59bca6d01800f330d5367be534fc55134 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\TX4\XmlLite.dll
| MD5 | 89b53d7c96eda3586eced5f89c3498d2 |
| SHA1 | 86c03b853d09b1bc0cd7b4c1e5939b39fa3e2104 |
| SHA256 | 47fd1e2e3c3772779a2adbe84a4848244cb07cfbaed8ef61d4550ad2bd90f1a8 |
| SHA512 | ed7b3571cb2138663528d948a17b53c082c483625aae3cbf4fbd3983be338f971f2aab98330259e55cf7d9f1c7144384b328210ee8ef6d87fbb6c70f9798ba6f |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\srA\WTSAPI32.dll
| MD5 | 44a775d3f7d1ac832fd79638db6c6d3e |
| SHA1 | 00ec879ff9b8ab7131211c04f68115f8d43d8f58 |
| SHA256 | 41c4b8a19dea1b1e980b02eff6f4cd844c64ea1e8a504eef2ff93f0c343a0172 |
| SHA512 | 6d5780c5c78e6c597327b319acc3dc9866e2cb0419f629da567efe9ef7c0682899ca70081903911e839b32bef3c76991e938f82371e00724ce41831fce059159 |
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3336304223-2978740688-3645194410-1000\Go\NETPLWIZ.dll
| MD5 | b6509f8611bb561cbf17996d4c65af07 |
| SHA1 | 49ddc37cf5d9f2c5a6b28ca037ff05f8a103929e |
| SHA256 | 4299ac69c5e7e0401a416eb4062d9debaa59c37bbf13caa437db5b411e7ebace |
| SHA512 | 3842af66373246532c10fe8b08f95c5ad69bf8a1881a034c11ca962123e34219aca016948325edc5ecfead05a51a6b1616db9e5df4f60e74fa8a769ed808a245 |