Analysis Overview
SHA256
442c78bea97cb5946f1754ba2e848784a617e377208e3c7f06f3e33b1a5192a1
Threat Level: Known bad
The file 017476e0432360ddcea82be7784d62c3 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-29 19:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-29 19:17
Reported
2023-12-29 19:23
Platform
win7-20231129-en
Max time kernel
3s
Max time network
123s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\017476e0432360ddcea82be7784d62c3.dll,#1
C:\Windows\system32\fvenotify.exe
C:\Windows\system32\fvenotify.exe
C:\Users\Admin\AppData\Local\A6gXC0\fvenotify.exe
C:\Users\Admin\AppData\Local\A6gXC0\fvenotify.exe
C:\Users\Admin\AppData\Local\qStPivP\raserver.exe
C:\Users\Admin\AppData\Local\qStPivP\raserver.exe
C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
C:\Users\Admin\AppData\Local\vt1FDm\SndVol.exe
C:\Users\Admin\AppData\Local\vt1FDm\SndVol.exe
C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
Network
Files
\Users\Admin\AppData\Local\A6gXC0\slc.dll
C:\Users\Admin\AppData\Local\A6gXC0\slc.dll
C:\Users\Admin\AppData\Local\A6gXC0\fvenotify.exe
\Users\Admin\AppData\Local\A6gXC0\fvenotify.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\xyH0FpNM\fvenotify.exe
\Users\Admin\AppData\Local\qStPivP\WTSAPI32.dll
C:\Users\Admin\AppData\Local\qStPivP\WTSAPI32.dll
C:\Users\Admin\AppData\Local\qStPivP\raserver.exe
\Users\Admin\AppData\Local\qStPivP\raserver.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\BjkfbdMMZ\raserver.exe
\Users\Admin\AppData\Local\vt1FDm\UxTheme.dll
C:\Users\Admin\AppData\Local\vt1FDm\UxTheme.dll
C:\Users\Admin\AppData\Local\vt1FDm\SndVol.exe
C:\Users\Admin\AppData\Local\vt1FDm\SndVol.exe
\Users\Admin\AppData\Local\vt1FDm\SndVol.exe
\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\QOvPRyNi\SndVol.exe
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\xyH0FpNM\slc.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\BjkfbdMMZ\WTSAPI32.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\QOvPRyNi\UxTheme.dll
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-29 19:17
Reported
2023-12-29 19:23
Platform
win10v2004-20231215-en
Max time kernel
153s
Max time network
162s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\mU20k\\IE4USH~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3436 wrote to memory of 3092 | N/A | N/A | C:\Windows\system32\MoUsoCoreWorker.exe |
| PID 3436 wrote to memory of 3092 | N/A | N/A | C:\Windows\system32\MoUsoCoreWorker.exe |
| PID 3436 wrote to memory of 4228 | N/A | N/A | C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe |
| PID 3436 wrote to memory of 4228 | N/A | N/A | C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe |
| PID 3436 wrote to memory of 3040 | N/A | N/A | C:\Windows\system32\ie4ushowIE.exe |
| PID 3436 wrote to memory of 3040 | N/A | N/A | C:\Windows\system32\ie4ushowIE.exe |
| PID 3436 wrote to memory of 3016 | N/A | N/A | C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe |
| PID 3436 wrote to memory of 3016 | N/A | N/A | C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe |
| PID 3436 wrote to memory of 384 | N/A | N/A | C:\Windows\system32\dwm.exe |
| PID 3436 wrote to memory of 384 | N/A | N/A | C:\Windows\system32\dwm.exe |
| PID 3436 wrote to memory of 4468 | N/A | N/A | C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe |
| PID 3436 wrote to memory of 4468 | N/A | N/A | C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\017476e0432360ddcea82be7784d62c3.dll,#1
C:\Windows\system32\MoUsoCoreWorker.exe
C:\Windows\system32\MoUsoCoreWorker.exe
C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe
C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe
C:\Windows\system32\ie4ushowIE.exe
C:\Windows\system32\ie4ushowIE.exe
C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe
C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe
C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe
C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 193.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\M0UOXkdys\XmlLite.dll
C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe
C:\Users\Admin\AppData\Local\M0UOXkdys\XmlLite.dll
C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe
C:\Users\Admin\AppData\Local\Xmke\VERSION.dll
C:\Users\Admin\AppData\Local\Xmke\VERSION.dll
C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe
C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe
C:\Users\Admin\AppData\Local\urv5ZMZ0\dxgi.dll
C:\Users\Admin\AppData\Local\urv5ZMZ0\dxgi.dll
C:\Users\Admin\AppData\Local\urv5ZMZ0\dxgi.dll
C:\Users\Admin\AppData\Local\urv5ZMZ0\dxgi.dll
C:\Users\Admin\AppData\Local\urv5ZMZ0\dxgi.dll
C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\wfZbTn\dwm.exe
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\fOqG4CXzx\XmlLite.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\mU20k\VERSION.dll
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\wfZbTn\dxgi.dll