Analysis Overview
SHA256
9ffd0ac05d13744074cb2f6b94d51655e5d5a08e0043f27c7400fdd5fe887cce
Threat Level: Known bad
The file 0f2a6647e91d05a44aad4c4062a4d73c was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 04:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 04:53
Reported
2023-12-31 22:58
Platform
win7-20231215-en
Max time kernel
200s
Max time network
40s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\JgtNew1\p2phost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\sRUBS\SystemPropertiesProtection.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\O6w3\fvenotify.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\JgtNew1\p2phost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\sRUBS\SystemPropertiesProtection.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\O6w3\fvenotify.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\HvnvNNEl\\SystemPropertiesProtection.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\sRUBS\SystemPropertiesProtection.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\O6w3\fvenotify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\JgtNew1\p2phost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f2a6647e91d05a44aad4c4062a4d73c.dll,#1
C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
C:\Users\Admin\AppData\Local\JgtNew1\p2phost.exe
C:\Users\Admin\AppData\Local\JgtNew1\p2phost.exe
C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\sRUBS\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\sRUBS\SystemPropertiesProtection.exe
C:\Windows\system32\fvenotify.exe
C:\Windows\system32\fvenotify.exe
C:\Users\Admin\AppData\Local\O6w3\fvenotify.exe
C:\Users\Admin\AppData\Local\O6w3\fvenotify.exe
Network
Files
C:\Users\Admin\AppData\Local\JgtNew1\p2phost.exe
| MD5 | a6862c047107693aedfc41d41a58f0d2 |
| SHA1 | 9d2a83b7e1c2b3e82a3869da0735115771f830f7 |
| SHA256 | 4418457f41dac23099b00039a8f4318862b1f55953ab978656a8dae6d3b1daeb |
| SHA512 | 310489128111cc4eb81448a15f5bbd5f9caf68e598082f1343436d84e999f0757b54585b6876d32392aa2bc7091758e3e27dcf0dcec0aa691924174f94533208 |
C:\Users\Admin\AppData\Local\JgtNew1\P2PCOLLAB.dll
| MD5 | dee2a7275177bf5047d87335d1ec9c4d |
| SHA1 | 5e92745a17e18a96adca2b7f25eb69e2625bfa35 |
| SHA256 | 30d7e2d020dad5d79ee615059f245b98017217639650f06f41e03dc0c2865458 |
| SHA512 | 4859e02de5bf7bbd68fdecd3dd4669a382e382bfd6dd76d152de35af0c94672456f2c186c0fde6045d2d76b877a4729bd1f39d3a189b5d9a38dd1c217a38d65b |
\Users\Admin\AppData\Local\JgtNew1\p2phost.exe
| MD5 | 23dc3fbdc43b88775ce0bc1e1cb4f72a |
| SHA1 | eb0d1d23364c371dfd299460f5f0aa97bd983774 |
| SHA256 | d475a9019d7acbdd50bb1cace4d77e68b5be37115867ffdbf3d43fd0007256cd |
| SHA512 | 3375c36a85f64647552833004970ac1f69505384d94f6f444aa4be5310522f7eee881124fa94ba3ce724cafb4afc8f9105b1d50b88671d46836aa9c2c097ebfa |
\Users\Admin\AppData\Local\JgtNew1\P2PCOLLAB.dll
| MD5 | 0802826b4653e96e35bcbbc832e65c60 |
| SHA1 | a47d52c9d1456f55e6345232a2343b0107fa239e |
| SHA256 | e2fe6673a18f0c204f669b70337f610de3db1fcc1bfdbeebb214de57fb780e21 |
| SHA512 | 98cbc9cbb87700b4772df3ef9e685d14ca6f6cf8ddfe7604ea4808ca7cddcccbc7da87aa07782952d30a4791af6ed0ac077357f724b5b38340689eb472ab4f30 |
C:\Users\Admin\AppData\Local\JgtNew1\p2phost.exe
| MD5 | 04c478751e41006d9cedb9dec78187f8 |
| SHA1 | eacf21af3e895ef671fc05b3bcd2224de0a64ea4 |
| SHA256 | 36c01c8e27cd92518e63720412458b1a453f79433beca2d591c6849b1658019f |
| SHA512 | 78e973189f923694254617f100d893bfff4e0f68644d6737dbdf7053f31b75e44c078238f78cd7d5c3b2d283ac5ae09c110c366c53af3ae418ed440215149221 |
C:\Users\Admin\AppData\Local\sRUBS\SystemPropertiesProtection.exe
| MD5 | 05138d8f952d3fff1362f7c50158bc38 |
| SHA1 | 780bc59fcddf06a7494d09771b8340acffdcc720 |
| SHA256 | 753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd |
| SHA512 | 27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255 |
C:\Users\Admin\AppData\Local\sRUBS\SYSDM.CPL
| MD5 | d5f2fc851fdaa9201aa8ad194643e268 |
| SHA1 | fd5a41d0144d93515e63400224013b180388e559 |
| SHA256 | c0f07c24b82bab53e0af94f54f167f5920cdf8842df3742fcd0a95a298b9493b |
| SHA512 | bd8ced7fd4c1cdae60214fe5d7b2d94a51f51f070b6130e7e5b46be9a1a0f31baefcde7a533e26690faa7aa71220ace351401c66f4973cb383994ecc118e6dc2 |
\Users\Admin\AppData\Local\O6w3\fvenotify.exe
| MD5 | e61d644998e07c02f0999388808ac109 |
| SHA1 | 183130ad81ff4c7997582a484e759bf7769592d6 |
| SHA256 | 15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa |
| SHA512 | 310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272 |
C:\Users\Admin\AppData\Local\O6w3\slc.dll
| MD5 | d364e4db7c5ec9195b5a1f631cd31a5c |
| SHA1 | 7a6b8678cb7a1c710ba15f1fa5ceb2077c8e9511 |
| SHA256 | cb020ba0ae18f80a718185503344c1507b475ce4778eb12be3fe8e16e3c7a33a |
| SHA512 | 4dd926a843f8a587bbce0794b549671424be91fa3db9e27b2d7c1c4ef9103cea5c5400b85a896792ea367906acdf60bc6a7616e59bc6b7a453f69e2e250b311a |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk
| MD5 | 1cdd4facb9d944b68633c2f194d576f5 |
| SHA1 | 1dad729e2318de7c3187c4923456b90291dbd218 |
| SHA256 | ed315c2f89a9b3589b31c084d18dbf3e620b43821096e5f92aefa05bd39bbcf5 |
| SHA512 | 652923795e5c13a07199eb258560499edad79feac4636f3b7bba4142bae5aa37afc9f491885c85a41c6c8db0c6f99e73e27db0ca82dea1f5da2bd094e70f4665 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\O7RKY4WqK\P2PCOLLAB.dll
| MD5 | 76d4919238affd444966cfb447d3de23 |
| SHA1 | a2096a95e79069de82aac2c82aacbdc7aba564f3 |
| SHA256 | a822ecf2a8966e5df9934f06bbb6fd7968669f856d9a9a0d353c84f4ffe26ac7 |
| SHA512 | 2edce51d24c91dec8f85a4bba5c665bf5603f0b28b9a49d3d4d57a038a6425b1c84ed28e6f4c5803080df57afd1abb887cb1a9049850ae96fbcf063717793b9c |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 04:53
Reported
2023-12-31 22:57
Platform
win10v2004-20231215-en
Max time kernel
88s
Max time network
152s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LX4DP5\PresentationSettings.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\KpIiS50\systemreset.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\onQTRAc4\FileHistory.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LX4DP5\PresentationSettings.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\KpIiS50\systemreset.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\onQTRAc4\FileHistory.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\WINDOW~1\\YELKF9~1\\SYSTEM~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\KpIiS50\systemreset.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\onQTRAc4\FileHistory.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\LX4DP5\PresentationSettings.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f2a6647e91d05a44aad4c4062a4d73c.dll,#1
C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
C:\Users\Admin\AppData\Local\LX4DP5\PresentationSettings.exe
C:\Users\Admin\AppData\Local\LX4DP5\PresentationSettings.exe
C:\Windows\system32\systemreset.exe
C:\Windows\system32\systemreset.exe
C:\Users\Admin\AppData\Local\KpIiS50\systemreset.exe
C:\Users\Admin\AppData\Local\KpIiS50\systemreset.exe
C:\Windows\system32\FileHistory.exe
C:\Windows\system32\FileHistory.exe
C:\Users\Admin\AppData\Local\onQTRAc4\FileHistory.exe
C:\Users\Admin\AppData\Local\onQTRAc4\FileHistory.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\LX4DP5\PresentationSettings.exe
| MD5 | b066236196d54182b3c7eec85f3613ce |
| SHA1 | 7a5d9c1f4efd9d678fa3c405ffdd121979f56daa |
| SHA256 | fec73ca5cafdc07a1a251422717f398f8ae6c243c4b4ade8c9eed4de4f22a3e7 |
| SHA512 | de86d5b5f175f39fe0de4440595f6f5463f10df7e1e7c65b51d607dc3f0332bb9c56a3fed22c7462e320dcb755c9fc79e2fe984549a1e62a108ce67cb8546523 |
C:\Users\Admin\AppData\Local\LX4DP5\WINMM.dll
| MD5 | a3163da5627e5b28470e43ee48395348 |
| SHA1 | 833722176ae345480a799c9d38327719c2d346cc |
| SHA256 | 4692377b2dc7a2b9f5ba0a2455e962a34a9e05cad2435e80865bfa4d551736d7 |
| SHA512 | 0a0b4ade48b546c15c7a2cf7f74be35bcb70ee214df383b998bed3d53156fd850897080764837607c3977f682a08ec5de3e3af34dd38e52f664e3e0cdfb21dd9 |
C:\Users\Admin\AppData\Local\LX4DP5\WINMM.dll
| MD5 | b0f636dcf44d67fb27f9ff791b5189ab |
| SHA1 | e1135ce92280914fa1c4cdb24812eb8b8fd74f90 |
| SHA256 | 828a1a13b1ea52c4e7eb7c96a1932702a4a01b8c469df613fe305a55c84cf5fa |
| SHA512 | fd0374b2c23116a7f2518c687b04482aee0dc28be43f0e40d4bef3c0d273b61ccee4632643b1451205e956117ca43b200ed1fbf9aa7f77d010c2dfd3c72b47a3 |
C:\Users\Admin\AppData\Local\LX4DP5\PresentationSettings.exe
| MD5 | 1d5006a3b0934a808323bf1925992e00 |
| SHA1 | ea965ef787f93c47aba18cc3e1263e91c0fce813 |
| SHA256 | 28028ac82cd8517efcaf7700efd5c93652fdadbba241db3e5b1c8b759a17212d |
| SHA512 | cc25d01b55318393590948977a254a79ad0e214deea571b4cf6c5668ec3ff9693fad0fdab551ab8a99cd56f56d57d0fc91b2f26ecdeab091f4ae870a3d5b8a94 |
C:\Users\Admin\AppData\Local\KpIiS50\ReAgent.dll
| MD5 | 37b0e1cf9142423e9a8672e8e6a2f945 |
| SHA1 | db73bfefa3b8e16dfab5d8be2459bc4279b11605 |
| SHA256 | 415198ba960aa0ceb6a1ee2edd52e48d7f17ca6a4666826e4ef73cd7a790b544 |
| SHA512 | d72d26873b54b4cd90382092b0116b0bd9c55c0f223d4f6c8c7134029030e1e32627e6e05f82be4e28a2f0729b5312e6cedf90c971ab60d7dec91ab54466354b |
C:\Users\Admin\AppData\Local\KpIiS50\systemreset.exe
| MD5 | a9c462fa1e0fa77ed85d5d08d34a8e7b |
| SHA1 | c6cc0276edfc39729fd57058aa16ea017ce84cf9 |
| SHA256 | 2f48f46e049426886362b927cd81f59b8ebfedef7670fe8901f3e1b58f2339d2 |
| SHA512 | 6b3deb328cd1db6ab872188afaf46cd38e9adb47d6637272dd8749566e7e9d6887c1197b3f62aac7e5b9c45176bd46fc83f5f4e52951a019c637097bc152658b |
C:\Users\Admin\AppData\Local\KpIiS50\ReAgent.dll
| MD5 | e8ff9cb98b675aa73469d5c8d87806ee |
| SHA1 | bdcd1389028e4dce77937390551687e77b2a0692 |
| SHA256 | 39198f9c19fc6bb1883f20483bd5c0857ec46e9e4f97fec8d9b752a3a8b2bd1d |
| SHA512 | 662f784a8e915eba142250797daf69b1480d9812886a120293bc243c08da9354373661776059767b03ab063ce6a62e1f4a7db88f46cbd47e5ff7c424d1342cc2 |
C:\Users\Admin\AppData\Local\KpIiS50\systemreset.exe
| MD5 | 10c2dde33ee9206f99def1eef6a42e82 |
| SHA1 | 321887de6ab040a93bbc481633e9c150fd4a3e3e |
| SHA256 | adb1d0320d66d7b213bf18d4438eeb5e55518cc5116d158633b68406876167d6 |
| SHA512 | b07a9783b288ff996ddca65a289ecf2dd372907e189823b261203550c52f9f18d6e3c36aff5a0be7b22c3cb2e4b1ed99d2e9c5589adccaad2bd041beb21fcb96 |
C:\Users\Admin\AppData\Local\onQTRAc4\FileHistory.exe
| MD5 | 53f8ce170f30e18ba604ef15f3a16420 |
| SHA1 | a0ac3c5129a1a3fc26016da14d3af085e02127a2 |
| SHA256 | 7bccaa7f87c643c4f6a9877dc326bc9f41cbaa801e7318ba309ac912dbfc0c62 |
| SHA512 | 40d064f88587564593c94995a3447119788f4d9692c6bc428b7cdf99f4196d9c83973db65e36c8659ea1f645b3450785a3498de39dbf157b5f582b95538cfae7 |
C:\Users\Admin\AppData\Local\onQTRAc4\UxTheme.dll
| MD5 | b583faa0d469e26f7c6d878021b5be56 |
| SHA1 | 49baaeb43d24c3bb54437127a7e0abd1caa15993 |
| SHA256 | e42d1cdf4063a87b668c54648d5cb50734039f21f1b1c10d43e37cce9da1570e |
| SHA512 | 01ae84f3bbc6257aa49dcac463ff73988671934913f88d41a461e8816f7526774b73961e9770d44943efbd660cc87ef447e4b0894513fd939ba6e95af1bb9b93 |
C:\Users\Admin\AppData\Local\onQTRAc4\UxTheme.dll
| MD5 | 26871b457d1290e5c5c2130679bfac49 |
| SHA1 | c8943d2a5fb4f007e404702b3cd89ce7645cb2e4 |
| SHA256 | 49b83d98694609b587d43aa34f032df8d94ddb1104f1bf4d0131e7272538e61e |
| SHA512 | b542f93b167770767cdc69f6fa1543fc98b9d443f1a2b34828f02b3d20e99ecf6b3f5d73f67fc8e0e6baaa5e307a441747a62e74f09fb0ba493819b7da519834 |
C:\Users\Admin\AppData\Local\onQTRAc4\FileHistory.exe
| MD5 | 64c94bb19eac8f660a54955de4d5bedb |
| SHA1 | 078315d690daf2b0905409fd7e3ca330f853ee75 |
| SHA256 | 6202f6ec67234622217fb4c3c6e54bf03638c9f4747806063e2f044821e2c803 |
| SHA512 | 553ee7493c8350e1df2efbeceab5ca6253331b5b353678cfe4aedab69f74b251905d80331619b66919156de6168caa718fbaa2dcb9018a5e15348ff6f320f8bb |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk
| MD5 | d6b10746024c6551d7ed9cb8a6da26ba |
| SHA1 | e0d5fc78bd26a292d54d3f409af4e42117ed3d27 |
| SHA256 | 576675245248aac994f19f203b41633c12680d50e617f7c94500f694525a3583 |
| SHA512 | f8b8b3e5fc4c7754591f2a65cdc596b2b51b19582c46064107f1135ab37666b9f1bf4327d1734ecb00e9610f0f94a43e712eca288713b2fc9a4c9f9f2199da15 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\FU3enpE2\WINMM.dll
| MD5 | 7f902e047a6e7caa5f19e3384fe006a9 |
| SHA1 | 6e1934904ece222f9914261b6959c158b91301d6 |
| SHA256 | 43985b0617a5b47a9d7d70008c262b336ec3a106290265adb63280b2d715d206 |
| SHA512 | 3f4423f7e7a3bbad0afc3209a3d6fdb94a8a49cdb54bb6db600cddf550cce99a0fb6d401cfedf77af50bbea6d3140867ba8ce7655abd6bb2a9af77c0ad6b4706 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\YelKF9RFef\ReAgent.dll
| MD5 | 4d3463cedc1f6295a8b5ac4c141a5360 |
| SHA1 | ba906cf8c09dd3a552d77a2c2da7c3a05188a3a6 |
| SHA256 | e531b49bd5e1626abdadd23d9544dbf50a54d2eda19497632666857f3cc77f4e |
| SHA512 | 739ac71401566bb49acedd171e543564a1f96c941cdc2c1580120366b27d40c8cd26f22980fa1fda23d881f3bc6fc0b460a4f46ab1d530504656895f22eb0c09 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\HFNKA\UxTheme.dll
| MD5 | 730af7c9946dd4338bc04066c810de47 |
| SHA1 | 11683e614b271a1f48363afa5db3c379d54c2419 |
| SHA256 | 76bafc5a7d3638badba324f57857df10d7bb39f04620cc4b65f6af1e8c2e61e6 |
| SHA512 | 7be694c34eb51dba27e79d05532e58a24694d867001ad14ce9ea4a92ad8de3dcace9c4b0e709d12194d07af13cf4f2b0962b705497da20a526d1c51dd2bde055 |