Analysis Overview
SHA256
45fc0a1d1213cb8479f0ec7f3e2aa552411c2c4da173ed0aaef5c56e207e515c
Threat Level: Known bad
The file 0f0d1dda6227706e8d61177dffa5cbdf was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 04:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 04:49
Reported
2023-12-31 22:14
Platform
win7-20231215-en
Max time kernel
151s
Max time network
135s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\g5N\cmstp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\0ZzP\sdclt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ley\Netplwiz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\g5N\cmstp.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\0ZzP\sdclt.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ley\Netplwiz.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ogMPsei\\sdclt.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\g5N\cmstp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\0ZzP\sdclt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ley\Netplwiz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1256 wrote to memory of 2648 | N/A | N/A | C:\Windows\system32\cmstp.exe |
| PID 1256 wrote to memory of 2648 | N/A | N/A | C:\Windows\system32\cmstp.exe |
| PID 1256 wrote to memory of 2648 | N/A | N/A | C:\Windows\system32\cmstp.exe |
| PID 1256 wrote to memory of 2040 | N/A | N/A | C:\Users\Admin\AppData\Local\g5N\cmstp.exe |
| PID 1256 wrote to memory of 2040 | N/A | N/A | C:\Users\Admin\AppData\Local\g5N\cmstp.exe |
| PID 1256 wrote to memory of 2040 | N/A | N/A | C:\Users\Admin\AppData\Local\g5N\cmstp.exe |
| PID 1256 wrote to memory of 792 | N/A | N/A | C:\Windows\system32\sdclt.exe |
| PID 1256 wrote to memory of 792 | N/A | N/A | C:\Windows\system32\sdclt.exe |
| PID 1256 wrote to memory of 792 | N/A | N/A | C:\Windows\system32\sdclt.exe |
| PID 1256 wrote to memory of 980 | N/A | N/A | C:\Users\Admin\AppData\Local\0ZzP\sdclt.exe |
| PID 1256 wrote to memory of 980 | N/A | N/A | C:\Users\Admin\AppData\Local\0ZzP\sdclt.exe |
| PID 1256 wrote to memory of 980 | N/A | N/A | C:\Users\Admin\AppData\Local\0ZzP\sdclt.exe |
| PID 1256 wrote to memory of 2808 | N/A | N/A | C:\Windows\system32\Netplwiz.exe |
| PID 1256 wrote to memory of 2808 | N/A | N/A | C:\Windows\system32\Netplwiz.exe |
| PID 1256 wrote to memory of 2808 | N/A | N/A | C:\Windows\system32\Netplwiz.exe |
| PID 1256 wrote to memory of 2820 | N/A | N/A | C:\Users\Admin\AppData\Local\ley\Netplwiz.exe |
| PID 1256 wrote to memory of 2820 | N/A | N/A | C:\Users\Admin\AppData\Local\ley\Netplwiz.exe |
| PID 1256 wrote to memory of 2820 | N/A | N/A | C:\Users\Admin\AppData\Local\ley\Netplwiz.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f0d1dda6227706e8d61177dffa5cbdf.dll,#1
C:\Users\Admin\AppData\Local\g5N\cmstp.exe
C:\Users\Admin\AppData\Local\g5N\cmstp.exe
C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
C:\Users\Admin\AppData\Local\0ZzP\sdclt.exe
C:\Users\Admin\AppData\Local\0ZzP\sdclt.exe
C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
C:\Users\Admin\AppData\Local\ley\Netplwiz.exe
C:\Users\Admin\AppData\Local\ley\Netplwiz.exe
Network
Files
memory/1068-0-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1068-1-0x0000000001AC0000-0x0000000001AC7000-memory.dmp
memory/1256-4-0x0000000077706000-0x0000000077707000-memory.dmp
memory/1256-5-0x0000000002AD0000-0x0000000002AD1000-memory.dmp
memory/1256-8-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-9-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-12-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-15-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-17-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-19-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-20-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-21-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-24-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-26-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-27-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-28-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-25-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-30-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-31-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-35-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-37-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-36-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-39-0x0000000002AA0000-0x0000000002AA7000-memory.dmp
memory/1256-34-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-33-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-32-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-29-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-45-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-46-0x0000000077911000-0x0000000077912000-memory.dmp
memory/1256-47-0x0000000077A70000-0x0000000077A72000-memory.dmp
memory/1256-23-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-22-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-18-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-16-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-14-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-13-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-11-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-10-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1068-7-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-56-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-62-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/1256-66-0x0000000140000000-0x00000001401F5000-memory.dmp
C:\Users\Admin\AppData\Local\g5N\cmstp.exe
| MD5 | 74c6da5522f420c394ae34b2d3d677e3 |
| SHA1 | ba135738ef1fb2f4c2c6c610be2c4e855a526668 |
| SHA256 | 51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6 |
| SHA512 | bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a |
\Users\Admin\AppData\Local\g5N\cmstp.exe
| MD5 | f3fa89d3e65cf09838afc7f0acace8be |
| SHA1 | a6ecc88348c2fce6efe4905fdda2581accd129be |
| SHA256 | af52bcb97910c553d71c0063d25bd6916d840ce5930a430be582b15734033b3d |
| SHA512 | aa290ed03685d62e1397b4747a265bb4bb62f6671dc80156ff00b0647d7d0e34003bf36d9da452c1dca655af4067c14a7e5edb6b73be8f06eeb5fe7c937c75a3 |
\Users\Admin\AppData\Local\g5N\VERSION.dll
| MD5 | c2b80ad57b6e05cb2004a238c815b88c |
| SHA1 | 79ed45379325cbd3e5ac608b38a0fb123362c424 |
| SHA256 | 101a36b8edca6e4839befb4cae816f155d1addf78cadb87643d35e0767973b16 |
| SHA512 | b5d156dff9348d8a198a5ceb7f6fcbad91fa73c5b437f3757d0ea440bc6e8dc3203adfa596acb00d21a783baed54c00c03f5b8cb2aa5350fa290c29899cb3b6a |
C:\Users\Admin\AppData\Local\g5N\VERSION.dll
| MD5 | aaee53093494f1bbb8233fe99ebdb417 |
| SHA1 | ce44088be02bc476cd1242df6744038b2bcdf943 |
| SHA256 | a60429397d79acb802a98f9168d799ae43743accacb8582b08b92fa6b568efd1 |
| SHA512 | d80159375cc96fb82f0e1c8f727891b4ddfa61d5fc7a2c6fc391dfdc6f5350c40c9a0eb56b076d329e7d0f173072c6e9c372b354bbc99d5c231e5670dbb46e4c |
memory/2040-74-0x0000000000410000-0x0000000000417000-memory.dmp
memory/2040-75-0x0000000140000000-0x00000001401F6000-memory.dmp
memory/2040-100-0x0000000140000000-0x00000001401F6000-memory.dmp
memory/1256-101-0x0000000077706000-0x0000000077707000-memory.dmp
\Users\Admin\AppData\Local\0ZzP\sdclt.exe
| MD5 | cdebd55ffbda3889aa2a8ce52b9dc097 |
| SHA1 | 4b3cbfff5e57fa0cb058e93e445e3851063646cf |
| SHA256 | 61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd |
| SHA512 | 2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13 |
C:\Users\Admin\AppData\Local\0ZzP\ReAgent.dll
| MD5 | c375dc2a3768cb99421ab8009e5a6699 |
| SHA1 | df853ecbe4e5812db67fec750b1f7f432e1dcc6c |
| SHA256 | c4cb7130a748e1b108bb0c807314d8c1a457a32cf0687f2bceef9c9463862e98 |
| SHA512 | 0629ca8832d5281eb4b2abf50343337e6cec246a9bfb467504b47b82bace75df4c708ef19e6c25170e1702372a7a3d45fd5d494dea6912e2542271b6802e4479 |
memory/980-109-0x0000000000090000-0x0000000000097000-memory.dmp
memory/980-115-0x0000000140000000-0x00000001401F6000-memory.dmp
\Users\Admin\AppData\Local\ley\Netplwiz.exe
| MD5 | e43ec3c800d4c0716613392e81fba1d9 |
| SHA1 | 37de6a235e978ecf3bb0fc2c864016c5b0134348 |
| SHA256 | 636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c |
| SHA512 | 176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08 |
C:\Users\Admin\AppData\Local\ley\NETPLWIZ.dll
| MD5 | ef4ffd6950c4fff0a7f71f564a096857 |
| SHA1 | a0bd5e65f03b1dc48f704a06227bbf41f65184ab |
| SHA256 | c80523149e07e04e5052c5ddac46d8730a9ce2a057586774d18283b30fcb41e2 |
| SHA512 | bb114ae80403735a04f51066fb4e54f64700ef1533c8dfae3bd60567e0f3b0c6f7d402b57eac424b216fee7a80e7c1a143194a27be1e3ed80595ce4476d0da3f |
memory/2820-127-0x0000000000270000-0x0000000000277000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk
| MD5 | a70226623783e80cc4074895ffaf4ab9 |
| SHA1 | 54039c6b4c4cf692bb42fda2a3600eebf3c26ba8 |
| SHA256 | f11454346f890f2d5c3d5723976936eb37c11cb2a169785e2bfbe8abde335589 |
| SHA512 | 629d27c9919586766c688b36331c3b3f9948203596adfa76dbd18e2e5f8a89e5c4704f47f787b7628ac42238c8c559f89f361ba84a47523a5f281bd8c49ba335 |
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\nKfLfH631FK\VERSION.dll
| MD5 | a21b763c5826a6a37e6e680ba9970054 |
| SHA1 | 97d4f1965ccae05d145ac26e91b663bdf70141bb |
| SHA256 | a468cff080e1b61c14f6aa7d7e555ee69b3faf20ffc324d00edbb7d5d422ab2a |
| SHA512 | 8c24edd2deca2dd7a9ffc90e472b55e72127725546ba6a7baaaf0a0d254f20334ce1cbb62db09e2a3eed70073c9b8a0307a42c419647cf53183b7d6a66cbec3c |
C:\Users\Admin\AppData\Roaming\Identities\ogMPsei\ReAgent.dll
| MD5 | cc4ccc6390c80bc943b79c0bbc049193 |
| SHA1 | 8a374a5337ac3561c30161901420a76c6f05aa93 |
| SHA256 | 2ca87e4dacb260aed051758463f6ef8b1738f0e07b897db8b9e919009f50f140 |
| SHA512 | 77b7f2beb215ade147899ec7bfc8bb3cb7f959d7d35725fa2d11ad86ac668f11726565d76869b4eec84641afbb59bad33fd45a0b05c53cebea21f1f50f292210 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 04:49
Reported
2023-12-31 22:14
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\7WUxNu\LockScreenContentServer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\vZB5tLRp\phoneactivate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\MiK5ZBTE\mmc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\7WUxNu\LockScreenContentServer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\vZB5tLRp\phoneactivate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\MiK5ZBTE\mmc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\x9UJwYU9F62\\phoneactivate.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\7WUxNu\LockScreenContentServer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\vZB5tLRp\phoneactivate.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\MiK5ZBTE\mmc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f0d1dda6227706e8d61177dffa5cbdf.dll,#1
C:\Windows\system32\LockScreenContentServer.exe
C:\Windows\system32\LockScreenContentServer.exe
C:\Windows\system32\phoneactivate.exe
C:\Windows\system32\phoneactivate.exe
C:\Users\Admin\AppData\Local\7WUxNu\LockScreenContentServer.exe
C:\Users\Admin\AppData\Local\7WUxNu\LockScreenContentServer.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
C:\Users\Admin\AppData\Local\MiK5ZBTE\mmc.exe
C:\Users\Admin\AppData\Local\MiK5ZBTE\mmc.exe
C:\Users\Admin\AppData\Local\vZB5tLRp\phoneactivate.exe
C:\Users\Admin\AppData\Local\vZB5tLRp\phoneactivate.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| GB | 96.17.178.174:80 | N/A | tcp |
| GB | 96.17.178.174:80 | N/A | tcp |
| GB | 96.17.178.174:80 | N/A | tcp |
| GB | 96.17.178.174:80 | N/A | tcp |
| US | 204.79.197.200:443 | N/A | tcp |
| US | 204.79.197.200:443 | N/A | tcp |
| GB | 96.17.178.174:80 | N/A | tcp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| GB | 88.221.135.217:80 | N/A | tcp |
Files
memory/3952-0-0x00000184CC9E0000-0x00000184CC9E7000-memory.dmp
memory/3952-1-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-4-0x0000000006BD0000-0x0000000006BD1000-memory.dmp
memory/3496-6-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3952-7-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-9-0x00007FFB6724A000-0x00007FFB6724B000-memory.dmp
memory/3496-10-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-11-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-8-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-14-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-18-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-21-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-26-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-27-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-28-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-30-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-36-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-38-0x0000000006BB0000-0x0000000006BB7000-memory.dmp
memory/3496-37-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-35-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-45-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-55-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-57-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-46-0x00007FFB68DE0000-0x00007FFB68DF0000-memory.dmp
memory/3496-34-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-33-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/588-68-0x0000028232E30000-0x0000028232E37000-memory.dmp
memory/588-72-0x0000000140000000-0x000000014023B000-memory.dmp
memory/588-66-0x0000000140000000-0x000000014023B000-memory.dmp
memory/3496-32-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-31-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/2320-83-0x000001D24F430000-0x000001D24F437000-memory.dmp
memory/2320-89-0x0000000140000000-0x000000014023B000-memory.dmp
memory/5040-101-0x0000000140000000-0x00000001401F6000-memory.dmp
memory/5040-105-0x0000000140000000-0x00000001401F6000-memory.dmp
memory/5040-103-0x00000000029D0000-0x00000000029D7000-memory.dmp
memory/3496-29-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-24-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-25-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-23-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-22-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-20-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-19-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-17-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-16-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-15-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-13-0x0000000140000000-0x00000001401F5000-memory.dmp
memory/3496-12-0x0000000140000000-0x00000001401F5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\39\UxTheme.dll
| MD5 | 3fb37605b0247604d9ddf3e83db67f34 |
| SHA1 | 78d5e7a46ef0f01de9a0c360de8cc120a8ab8eff |
| SHA256 | 7d54c6ca2cb78a0adb0f76fdf863064e0b0c4f3ab3135d6f119977f873dd0663 |
| SHA512 | fb104657844778c97b4d908e821163bf34fd0ee5e604ff2ae46ab06e03a1d6f0c14e1fc0fe364003c2dba78fdc0671f88dc22767ecb720e9c531bcdb9d81e4c9 |