Analysis Overview
SHA256: a3b5894e80c78867b94b3056d4313604775c02074c40a17f4a8fd99cc4006303
Threat Level: Known bad
The file 1818727531779e08447d319417050652 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2023-12-30 12:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2023-12-30 12:10
Reported: 2024-01-03 10:20
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 124s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\waWvGhh\rdrleakdiag.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\1bW\cmstp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Vx3i2Zwk9\tcmsetup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\waWvGhh\rdrleakdiag.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\1bW\cmstp.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Vx3i2Zwk9\tcmsetup.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\WEVAt\\cmstp.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\waWvGhh\rdrleakdiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\1bW\cmstp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Vx3i2Zwk9\tcmsetup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1264 wrote to memory of 2380 | N/A | N/A | C:\Windows\system32\rdrleakdiag.exe |
| PID 1264 wrote to memory of 2380 | N/A | N/A | C:\Windows\system32\rdrleakdiag.exe |
| PID 1264 wrote to memory of 2380 | N/A | N/A | C:\Windows\system32\rdrleakdiag.exe |
| PID 1264 wrote to memory of 3068 | N/A | N/A | C:\Users\Admin\AppData\Local\waWvGhh\rdrleakdiag.exe |
| PID 1264 wrote to memory of 3068 | N/A | N/A | C:\Users\Admin\AppData\Local\waWvGhh\rdrleakdiag.exe |
| PID 1264 wrote to memory of 3068 | N/A | N/A | C:\Users\Admin\AppData\Local\waWvGhh\rdrleakdiag.exe |
| PID 1264 wrote to memory of 1656 | N/A | N/A | C:\Windows\system32\cmstp.exe |
| PID 1264 wrote to memory of 1656 | N/A | N/A | C:\Windows\system32\cmstp.exe |
| PID 1264 wrote to memory of 1656 | N/A | N/A | C:\Windows\system32\cmstp.exe |
| PID 1264 wrote to memory of 476 | N/A | N/A | C:\Users\Admin\AppData\Local\1bW\cmstp.exe |
| PID 1264 wrote to memory of 476 | N/A | N/A | C:\Users\Admin\AppData\Local\1bW\cmstp.exe |
| PID 1264 wrote to memory of 476 | N/A | N/A | C:\Users\Admin\AppData\Local\1bW\cmstp.exe |
| PID 1264 wrote to memory of 1820 | N/A | N/A | C:\Windows\system32\tcmsetup.exe |
| PID 1264 wrote to memory of 1820 | N/A | N/A | C:\Windows\system32\tcmsetup.exe |
| PID 1264 wrote to memory of 1820 | N/A | N/A | C:\Windows\system32\tcmsetup.exe |
| PID 1264 wrote to memory of 1224 | N/A | N/A | C:\Users\Admin\AppData\Local\Vx3i2Zwk9\tcmsetup.exe |
| PID 1264 wrote to memory of 1224 | N/A | N/A | C:\Users\Admin\AppData\Local\Vx3i2Zwk9\tcmsetup.exe |
| PID 1264 wrote to memory of 1224 | N/A | N/A | C:\Users\Admin\AppData\Local\Vx3i2Zwk9\tcmsetup.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1818727531779e08447d319417050652.dll,#1
C:\Windows\system32\rdrleakdiag.exe
C:\Windows\system32\rdrleakdiag.exe
C:\Users\Admin\AppData\Local\waWvGhh\rdrleakdiag.exe
C:\Users\Admin\AppData\Local\waWvGhh\rdrleakdiag.exe
C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
C:\Users\Admin\AppData\Local\1bW\cmstp.exe
C:\Users\Admin\AppData\Local\1bW\cmstp.exe
C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
C:\Users\Admin\AppData\Local\Vx3i2Zwk9\tcmsetup.exe
C:\Users\Admin\AppData\Local\Vx3i2Zwk9\tcmsetup.exe
Network
Files
memory/1648-1-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1648-0-0x0000000000290000-0x0000000000297000-memory.dmp
memory/1264-4-0x0000000076FF6000-0x0000000076FF7000-memory.dmp
memory/1264-5-0x0000000002990000-0x0000000002991000-memory.dmp
memory/1648-8-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-9-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-11-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-16-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-19-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-21-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-25-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-29-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-30-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-31-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-34-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-36-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-37-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-39-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-40-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-42-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-48-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-49-0x0000000002970000-0x0000000002977000-memory.dmp
memory/1264-47-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-46-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-61-0x0000000077260000-0x0000000077262000-memory.dmp
memory/1264-60-0x0000000077101000-0x0000000077102000-memory.dmp
memory/1264-56-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-44-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-45-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-43-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-67-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-41-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-38-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-73-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3068-85-0x00000000000F0000-0x00000000000F7000-memory.dmp
memory/1264-35-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-33-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-32-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-28-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-27-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-26-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-24-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-23-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-22-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-20-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-18-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-17-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-15-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-14-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-13-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-12-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-10-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-7-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1264-96-0x0000000076FF6000-0x0000000076FF7000-memory.dmp
\Users\Admin\AppData\Local\1bW\cmstp.exe
| Hash | Value |
|---|---|
| MD5 | 74c6da5522f420c394ae34b2d3d677e3 |
| SHA1 | ba135738ef1fb2f4c2c6c610be2c4e855a526668 |
| SHA256 | 51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6 |
| SHA512 | bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a |
C:\Users\Admin\AppData\Local\1bW\VERSION.dll
| Hash | Value |
|---|---|
| MD5 | c46e0f697e2ef3582c7dc2f88f5dff9a |
| SHA1 | be5272d49c1b945d16c607778c499063193ae0b6 |
| SHA256 | ed56eed222371f38f377f54dc456bc007796d754cad219b0d4a401a2058fd853 |
| SHA512 | 8c02dac2052ac805e2c87d20859b9a0b9d991a88d6f38271866e7be99915c0d0c7cab0b627beb24d78da8ad3b09b0b200187accce3e03bf8ac3cf4a3c09b13f1 |
\Users\Admin\AppData\Local\1bW\VERSION.dll
| Hash | Value |
|---|---|
| MD5 | a3687f4433f20505c17be5bff855286f |
| SHA1 | f40c23fb0d01b2d49a5905ca69a605b6a94edaf5 |
| SHA256 | 425831ed48bb6c1079d898bccb4d018afbba3bd2aaa0a2eb531d32117bebc68a |
| SHA512 | 9e220112ebeeea76554ba9de7371c8b78ec80eb292863a9c4df99edb375364d7880d0a477ca291270e24a55f3605bb27e1acc3f096b597b802f670ddf016a6c9 |
memory/476-104-0x0000000000080000-0x0000000000087000-memory.dmp
\Users\Admin\AppData\Local\Vx3i2Zwk9\tcmsetup.exe
| Hash | Value |
|---|---|
| MD5 | 0b08315da0da7f9f472fbab510bfe7b8 |
| SHA1 | 33ba48fd980216becc532466a5ff8476bec0b31c |
| SHA256 | e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7 |
| SHA512 | c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58 |
C:\Users\Admin\AppData\Local\Vx3i2Zwk9\TAPI32.dll
| Hash | Value |
|---|---|
| MD5 | 18666d44fb1511bf3296e0979b778530 |
| SHA1 | 88e968bf444b59e024907f440ee488e28fc1dd9d |
| SHA256 | 7dfdcc6fbfefc87e1693139cebe54d63ed6d04b1d1e8fc0e46906f3e7a6867e5 |
| SHA512 | 35d0a29c2bc8cbbfe2b4cfa31eacf72155ba8c43141f008b32a6f77bd39acda56b025d2aab866ef74df42573be6ce767090650d2a3928e67b4f1cec0eebe7052 |
\Users\Admin\AppData\Local\Vx3i2Zwk9\TAPI32.dll
| Hash | Value |
|---|---|
| MD5 | cc06d8e4b3516772c101fa63a40a2000 |
| SHA1 | 47f709062b46855e4da28e0d2aa6762e4964afbb |
| SHA256 | 010a59461bb434c23d8bb62b300a1abc2df0eab6808412ce343682fe83e5723e |
| SHA512 | 2fc456c33f91b05be303f48d1ac01d01cae1a9b837454573ed0355f67a01a90b3f345a1a44156078d8eff4ca27ee3123338a08751fc30ad4b9fcaf9b01786960 |
memory/1224-122-0x00000000001F0000-0x00000000001F7000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk
| Hash | Value |
|---|---|
| MD5 | ced52f1a1e699e42c72180a67b46b021 |
| SHA1 | 2d7bed3aad3acad5051371260b6699cf1e6eab9b |
| SHA256 | f99900b614d6de0fa0261ecc278f1d479cb69c17351801f312b1f1fe1130442a |
| SHA512 | 2981e7e475603f6027881a36a0814add3b7b577188405d270482320eb8fe47d5bde9b7c0b2801082f6ffcdbbd5303352b976e8067006925f34fa2d3757ca77ef |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\cLYa9hq\VERSION.dll
| Hash | Value |
|---|---|
| MD5 | 11c89f8bbd11b343b466c40c15044ac0 |
| SHA1 | e0faea1f1f088d8770db6df4ff2c1fa48f316b61 |
| SHA256 | ac78f4eb6179067d69ffd586c7cf7c52a085d2af25225ae2e1c4d00d87ad0627 |
| SHA512 | 31afb6ee9350c0441baf06524c35deb66d947246c41513e18c070081916328f7cbafa74abf326058b505b21b98cfe40cb9dbce19f8d0d2a7226e03df92a7fa37 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\WEVAt\VERSION.dll
| Hash | Value |
|---|---|
| MD5 | 3ff5c4bb300fd97b2c791fef7ff5d313 |
| SHA1 | 0ef067f60f3357e6b9777adad9c543f362c4db79 |
| SHA256 | 1eae34fee64b3d362ffe3b04837ce45fe860be5e7b4d6e56951650e411e0fca7 |
| SHA512 | 75022dfb69dbfd61717d89190b41bf12f081bab4a60be3a19512e806cac9dafbc349040aac89de8dee84588a4afaa2910500f4fe7d2545e0692c00582a8149ff |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\DJjWOqASW\TAPI32.dll
| Hash | Value |
|---|---|
| MD5 | ae12f6e27c229ba77c5ff79c40c36ae5 |
| SHA1 | c0d5c364cec013408286d8cc0e237aec5028d6b5 |
| SHA256 | 4a7ec3534d533668d86286279832a09f8c4bd1f7191f4cd22ddd8d660ed1c36b |
| SHA512 | 487191fbabdc38a77ddd5c5af1cf0e9d74abcbe359c0a328feb3fa9d80db99cadd53780f818e50530e6d9ac572f9f67beb863a89cb1dae744f645b28157ac147 |
Analysis: behavioral2
Detonation Overview
Submitted: 2023-12-30 12:10
Reported: 2024-01-03 10:19
Platform: win10v2004-20231222-en
Max time kernel: 128s
Max time network: 152s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\sihclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3e0bk\CustomShellHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\jAvuvNv\MoUsoCoreWorker.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\sihclient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\c3e0bk\CustomShellHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\jAvuvNv\MoUsoCoreWorker.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\eMo\\CUSTOM~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\c3e0bk\CustomShellHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\jAvuvNv\MoUsoCoreWorker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3488 wrote to memory of 4364 | N/A | N/A | C:\Windows\system32\EaseOfAccessDialog.exe |
| PID 3488 wrote to memory of 4364 | N/A | N/A | C:\Windows\system32\EaseOfAccessDialog.exe |
| PID 3488 wrote to memory of 372 | N/A | N/A | C:\Windows\System32\sihclient.exe |
| PID 3488 wrote to memory of 372 | N/A | N/A | C:\Windows\System32\sihclient.exe |
| PID 3488 wrote to memory of 3796 | N/A | N/A | C:\Windows\system32\CustomShellHost.exe |
| PID 3488 wrote to memory of 3796 | N/A | N/A | C:\Windows\system32\CustomShellHost.exe |
| PID 3488 wrote to memory of 1196 | N/A | N/A | C:\Users\Admin\AppData\Local\c3e0bk\CustomShellHost.exe |
| PID 3488 wrote to memory of 1196 | N/A | N/A | C:\Users\Admin\AppData\Local\c3e0bk\CustomShellHost.exe |
| PID 3488 wrote to memory of 1500 | N/A | N/A | C:\Windows\system32\MoUsoCoreWorker.exe |
| PID 3488 wrote to memory of 1500 | N/A | N/A | C:\Windows\system32\MoUsoCoreWorker.exe |
| PID 3488 wrote to memory of 1952 | N/A | N/A | C:\Users\Admin\AppData\Local\jAvuvNv\MoUsoCoreWorker.exe |
| PID 3488 wrote to memory of 1952 | N/A | N/A | C:\Users\Admin\AppData\Local\jAvuvNv\MoUsoCoreWorker.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1818727531779e08447d319417050652.dll,#1
C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\CustomShellHost.exe
C:\Windows\system32\CustomShellHost.exe
C:\Users\Admin\AppData\Local\jAvuvNv\MoUsoCoreWorker.exe
C:\Users\Admin\AppData\Local\jAvuvNv\MoUsoCoreWorker.exe
C:\Windows\system32\MoUsoCoreWorker.exe
C:\Windows\system32\MoUsoCoreWorker.exe
C:\Users\Admin\AppData\Local\c3e0bk\CustomShellHost.exe
C:\Users\Admin\AppData\Local\c3e0bk\CustomShellHost.exe
C:\Users\Admin\AppData\Local\cFvneX\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\cFvneX\EaseOfAccessDialog.exe
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv KmQemMGHV0+o4yX4S2LeLA.0.2
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
Files
memory/1280-0-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/1280-2-0x0000014730AB0000-0x0000014730AB7000-memory.dmp
memory/3488-6-0x00007FFBB098A000-0x00007FFBB098B000-memory.dmp
memory/1280-8-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-11-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-15-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-19-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-23-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-28-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-32-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-36-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-39-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-44-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-47-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-49-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-48-0x0000000002F50000-0x0000000002F57000-memory.dmp
memory/3488-56-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-66-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-68-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/372-80-0x0000020FECBB0000-0x0000020FECBB7000-memory.dmp
memory/372-84-0x0000000140000000-0x00000001402D2000-memory.dmp
memory/1196-102-0x0000000140000000-0x00000001402D2000-memory.dmp
memory/1952-121-0x0000000140000000-0x00000001402D2000-memory.dmp
memory/1952-116-0x000002162DCD0000-0x000002162DCD7000-memory.dmp
memory/1952-114-0x0000000140000000-0x00000001402D2000-memory.dmp
memory/1196-98-0x000001E8F3510000-0x000001E8F3517000-memory.dmp
memory/372-77-0x0000000140000000-0x00000001402D2000-memory.dmp
memory/372-78-0x0000000140000000-0x00000001402D2000-memory.dmp
memory/3488-59-0x00007FFBB0A20000-0x00007FFBB0A30000-memory.dmp
memory/3488-46-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-45-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-43-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-42-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-41-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-40-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-38-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-37-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-35-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-34-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-33-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-31-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-30-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-29-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-27-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-26-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-25-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-24-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-22-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-21-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-20-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-18-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-17-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-16-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-14-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-13-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-12-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-10-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-9-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-7-0x0000000140000000-0x00000001402D1000-memory.dmp
memory/3488-4-0x00000000032E0000-0x00000000032E1000-memory.dmp