Analysis Overview
SHA256
076083217aac190f6310dbf110f16fa2216583931f932b8d7b6cf604768c33cd
Threat Level: Known bad
The file 1c112351a2237b7e116ee59bd65db792 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 20:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 20:43
Reported
2024-01-01 04:35
Platform
win10v2004-20231215-en
Max time kernel
154s
Max time network
170s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\1jF\rstrui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Omq7ioChO\MusNotificationUx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\fSdzmb\dpapimig.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\1jF\rstrui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Omq7ioChO\MusNotificationUx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\fSdzmb\dpapimig.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\ABWHHq\\MusNotificationUx.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\1jF\rstrui.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Omq7ioChO\MusNotificationUx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\fSdzmb\dpapimig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3580 wrote to memory of 1300 | N/A | N/A | C:\Windows\system32\rstrui.exe |
| PID 3580 wrote to memory of 1300 | N/A | N/A | C:\Windows\system32\rstrui.exe |
| PID 3580 wrote to memory of 2296 | N/A | N/A | C:\Users\Admin\AppData\Local\1jF\rstrui.exe |
| PID 3580 wrote to memory of 2296 | N/A | N/A | C:\Users\Admin\AppData\Local\1jF\rstrui.exe |
| PID 3580 wrote to memory of 1160 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe |
| PID 3580 wrote to memory of 1160 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe |
| PID 3580 wrote to memory of 4644 | N/A | N/A | C:\Users\Admin\AppData\Local\Omq7ioChO\MusNotificationUx.exe |
| PID 3580 wrote to memory of 4644 | N/A | N/A | C:\Users\Admin\AppData\Local\Omq7ioChO\MusNotificationUx.exe |
| PID 3580 wrote to memory of 1896 | N/A | N/A | C:\Windows\system32\dpapimig.exe |
| PID 3580 wrote to memory of 1896 | N/A | N/A | C:\Windows\system32\dpapimig.exe |
| PID 3580 wrote to memory of 4476 | N/A | N/A | C:\Users\Admin\AppData\Local\fSdzmb\dpapimig.exe |
| PID 3580 wrote to memory of 4476 | N/A | N/A | C:\Users\Admin\AppData\Local\fSdzmb\dpapimig.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c112351a2237b7e116ee59bd65db792.dll,#1
C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
C:\Users\Admin\AppData\Local\1jF\rstrui.exe
C:\Users\Admin\AppData\Local\1jF\rstrui.exe
C:\Windows\system32\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\Omq7ioChO\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\Omq7ioChO\MusNotificationUx.exe
C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
C:\Users\Admin\AppData\Local\fSdzmb\dpapimig.exe
C:\Users\Admin\AppData\Local\fSdzmb\dpapimig.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\1jF\rstrui.exe
| MD5 | 4cad10846e93e85790865d5c0ab6ffd9 |
| SHA1 | 8a223f4bab28afa4c7ed630f29325563c5dcda1a |
| SHA256 | 9ddcfcaf2ebc810cc2e593446681bc4ccbad39756b1712cf045db8dee6310b4b |
| SHA512 | c0db44de0d35a70277f8621a318c5099378da675376e47545cfbfa7412e70a870fd05c92e0d6523ea2e0139d54d9eeaed14973762341fa3154406ae36f4ce7c6 |
C:\Users\Admin\AppData\Local\1jF\SPP.dll
| MD5 | 5ad0983ee269c8bec39ddce01407e7c1 |
| SHA1 | 3e25438466601928d9799bbbea9f31a4d75e3ca5 |
| SHA256 | e552ee2a58a333b4c420f29b642e14030ee1d20a0ebaf440e120c12dda329c64 |
| SHA512 | df2a43185e8569dc6f7f3fda91d11e9d864d5219e782cfd04dec3a028cb80ac98ee3990864af457433f8a43f3beadee078b890c8c37a4d97bb36a9695168ac67 |
memory/2296-78-0x0000000140000000-0x00000001401C3000-memory.dmp
memory/2296-77-0x000002A6480E0000-0x000002A6480E7000-memory.dmp
memory/2296-83-0x0000000140000000-0x00000001401C3000-memory.dmp
C:\Users\Admin\AppData\Local\Omq7ioChO\MusNotificationUx.exe
| MD5 | b6d1d01115b94935e9de31a7fb58d5fd |
| SHA1 | a14b8b318c205dd91017ebfaa1456a7274afffe7 |
| SHA256 | 03dc279432f1c50b8710bf9bec6e7a626729f26883c8f37478a0402d2552338f |
| SHA512 | d1c0284f1efd085ba49259689fd2eeb0a5d15224f435c1e5a494794f7de029279c6a5310fabfde2c479a13aa37d00e638fdf44930056aa34f2a7c4438d619583 |
C:\Users\Admin\AppData\Local\Omq7ioChO\XmlLite.dll
| MD5 | 55d4844a87a26e49d674228ba235ade4 |
| SHA1 | 1edbfce95b356d22f6fc67a51b9e773e61d1ce62 |
| SHA256 | 53976076f237cdffe91f0008b62c0a951ccf258cd65e950e1291b0e552ed3faf |
| SHA512 | 307979d015a46ccdaac4463960c672a76d1e816ad8732eb94bae87d87c3bebc8fe2165b89f66ab7c492d77a74976506abd6b34c3510526c33526ec0f688458da |
C:\Users\Admin\AppData\Local\Omq7ioChO\XmlLite.dll
| MD5 | 7f435cec2f9b1a47d39dcb3b95c01a83 |
| SHA1 | e94cdeabf73a5032d9a075316859a23d21b46281 |
| SHA256 | 00fb541585e33ddfe2be4f07520bcb97b336d5e7583da5062297f410e47b05f4 |
| SHA512 | 844f7fffa6d5f82726a501dc6301c96df3cd2dfeaa5101e5893ff5e7e9aa094f485161652e729787ec2c10c5fcd55779b94dfe4a1842d6ede88bf4b19bbfc6bf |
memory/4644-97-0x000001D576E70000-0x000001D576E77000-memory.dmp
C:\Users\Admin\AppData\Local\Omq7ioChO\MusNotificationUx.exe
| MD5 | 869a214114a81712199f3de5d69d9aad |
| SHA1 | be973e4188eff0d53fdf0e9360106e8ad946d89f |
| SHA256 | 405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361 |
| SHA512 | befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012 |
C:\Users\Admin\AppData\Local\fSdzmb\dpapimig.exe
| MD5 | b6d6477a0c90a81624c6a8548026b4d0 |
| SHA1 | e6eac6941d27f76bbd306c2938c0a962dbf1ced1 |
| SHA256 | a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb |
| SHA512 | 72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe |
C:\Users\Admin\AppData\Local\fSdzmb\DUI70.dll
| MD5 | b44fb86324ee0f54f00fc67f77769e75 |
| SHA1 | 2405d35a9a4f3425d99c9114a1aefb7b7fcf646b |
| SHA256 | fd89123eca1fe036e44ad5a85f56c1bd1b449be49ff37421311dcde1853ffc38 |
| SHA512 | c78f68d5d295b06045618dc11dd01376ab5a251655ecc22a72594eed9c7aadc59d4b1ac6a1000c67f0948469ec8eadcd8f412908bb89786123d845726d2d1447 |
memory/4476-114-0x000002383B430000-0x000002383B437000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| MD5 | 5608e32d237a04719f1965dee509ad34 |
| SHA1 | 432e57ebd6071db28a11cf91b1313ab3ff2d0d89 |
| SHA256 | ecc99c328eff62f92765353dd24b035fbea290d6110f60c40be3745a89d4958d |
| SHA512 | 158489f0482261af4f302c10a858495ee7f9c0147ae663e61eb582c55190f1f1652568010c4d33e1d8127eff3b24f3b18c158cfb9b666bb3a97d2ece9901bd3a |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 20:43
Reported
2024-01-01 04:35
Platform
win7-20231129-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\cl2P5c5yx\SystemPropertiesComputerName.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\e8p6\dvdupgrd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\H6KKFd\dvdupgrd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\cl2P5c5yx\SystemPropertiesComputerName.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\e8p6\dvdupgrd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\H6KKFd\dvdupgrd.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\CbM\\dvdupgrd.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\cl2P5c5yx\SystemPropertiesComputerName.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\e8p6\dvdupgrd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\H6KKFd\dvdupgrd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c112351a2237b7e116ee59bd65db792.dll,#1
C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\cl2P5c5yx\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\cl2P5c5yx\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\e8p6\dvdupgrd.exe
C:\Users\Admin\AppData\Local\e8p6\dvdupgrd.exe
C:\Windows\system32\dvdupgrd.exe
C:\Windows\system32\dvdupgrd.exe
C:\Users\Admin\AppData\Local\H6KKFd\dvdupgrd.exe
C:\Users\Admin\AppData\Local\H6KKFd\dvdupgrd.exe
C:\Windows\system32\dvdupgrd.exe
C:\Windows\system32\dvdupgrd.exe
Network
Files