Analysis Overview
SHA256
95ac611145f8bdc5b23e409ce8ca644477a513f6d31b87cd229e296b647d0df8
Threat Level: Known bad
The file 24dc00b648e1da094abe409fc55cfd8b was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 02:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 02:41
Reported
2024-01-01 23:59
Platform
win7-20231215-en
Max time kernel
170s
Max time network
141s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\zmHgoM\dwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\NoRKpuZ\mmc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\zmHgoM\dwm.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\NoRKpuZ\mmc.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Ixe\\dwm.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\zmHgoM\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\NoRKpuZ\mmc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1260 wrote to memory of 3032 | N/A | N/A | C:\Windows\system32\dwm.exe |
| PID 1260 wrote to memory of 3032 | N/A | N/A | C:\Windows\system32\dwm.exe |
| PID 1260 wrote to memory of 3032 | N/A | N/A | C:\Windows\system32\dwm.exe |
| PID 1260 wrote to memory of 3028 | N/A | N/A | C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe |
| PID 1260 wrote to memory of 3028 | N/A | N/A | C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe |
| PID 1260 wrote to memory of 3028 | N/A | N/A | C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe |
| PID 1260 wrote to memory of 868 | N/A | N/A | C:\Windows\system32\dwm.exe |
| PID 1260 wrote to memory of 868 | N/A | N/A | C:\Windows\system32\dwm.exe |
| PID 1260 wrote to memory of 868 | N/A | N/A | C:\Windows\system32\dwm.exe |
| PID 1260 wrote to memory of 848 | N/A | N/A | C:\Users\Admin\AppData\Local\zmHgoM\dwm.exe |
| PID 1260 wrote to memory of 848 | N/A | N/A | C:\Users\Admin\AppData\Local\zmHgoM\dwm.exe |
| PID 1260 wrote to memory of 848 | N/A | N/A | C:\Users\Admin\AppData\Local\zmHgoM\dwm.exe |
| PID 1260 wrote to memory of 2528 | N/A | N/A | C:\Windows\system32\mmc.exe |
| PID 1260 wrote to memory of 2528 | N/A | N/A | C:\Windows\system32\mmc.exe |
| PID 1260 wrote to memory of 2528 | N/A | N/A | C:\Windows\system32\mmc.exe |
| PID 1260 wrote to memory of 1628 | N/A | N/A | C:\Users\Admin\AppData\Local\NoRKpuZ\mmc.exe |
| PID 1260 wrote to memory of 1628 | N/A | N/A | C:\Users\Admin\AppData\Local\NoRKpuZ\mmc.exe |
| PID 1260 wrote to memory of 1628 | N/A | N/A | C:\Users\Admin\AppData\Local\NoRKpuZ\mmc.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\24dc00b648e1da094abe409fc55cfd8b.dll,#1
C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe
C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe
C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
C:\Users\Admin\AppData\Local\zmHgoM\dwm.exe
C:\Users\Admin\AppData\Local\zmHgoM\dwm.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
C:\Users\Admin\AppData\Local\NoRKpuZ\mmc.exe
C:\Users\Admin\AppData\Local\NoRKpuZ\mmc.exe
Network
Files
memory/2420-1-0x0000000140000000-0x000000014028C000-memory.dmp
memory/2420-0-0x0000000000240000-0x0000000000247000-memory.dmp
memory/1260-4-0x0000000077156000-0x0000000077157000-memory.dmp
memory/1260-5-0x0000000002B30000-0x0000000002B31000-memory.dmp
memory/1260-12-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-11-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-10-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-9-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-8-0x0000000140000000-0x000000014028C000-memory.dmp
memory/2420-7-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-13-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-17-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-16-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-21-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-20-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-25-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-27-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-35-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-37-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-38-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-36-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-34-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-33-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-32-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-31-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-30-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-29-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-28-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-26-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-39-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-24-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-40-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-42-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-43-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-41-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-23-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-22-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-44-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-47-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-48-0x0000000002B10000-0x0000000002B17000-memory.dmp
memory/1260-46-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-55-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-59-0x00000000773C0000-0x00000000773C2000-memory.dmp
memory/1260-62-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-58-0x0000000077261000-0x0000000077262000-memory.dmp
memory/1260-65-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-45-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-19-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-18-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-15-0x0000000140000000-0x000000014028C000-memory.dmp
memory/1260-14-0x0000000140000000-0x000000014028C000-memory.dmp
\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe
| MD5 | f162d5f5e845b9dc352dd1bad8cef1bc |
| SHA1 | 35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2 |
| SHA256 | 8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7 |
| SHA512 | 7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851 |
C:\Users\Admin\AppData\Local\mfgIroFyI\UxTheme.dll
| MD5 | 440cc76f78a86ec4b17243041f8f5a20 |
| SHA1 | 9b6410ea7da8d6663ba8d87883dcff0b7093cb11 |
| SHA256 | 277ea122d4f47912bc861fb305c05989a8abebf5e047ada7863c01b8245d7f7b |
| SHA512 | 652173373b4ce9a4c7d5d37d64363cc9ea1c6e4ed3b725b429f0ee523c247114476ad6a6838e22f6f507454d4ba7e6e3227bbb9afdf4319f22880a1aa9f65f3d |
\Users\Admin\AppData\Local\mfgIroFyI\UxTheme.dll
| MD5 | a45fbecd291f8364fa5d74257227e4af |
| SHA1 | 22dfc69189a57dae3f3148c3cd525fa14208d65b |
| SHA256 | f4daccb7a912cc67558b4b190499b5586e269049aaa4774253cab9a751e60d09 |
| SHA512 | d2c7ed2bed92f374f6a24de3f50f5a95b9d16b196aaf1ed331df1e766035e23c03a51d0b76293bade816fd558af032a5292f20557ad30805010857196c5ea5c7 |
C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe
| MD5 | 45ceffa9c7ee106d6161b2dc7ce2a740 |
| SHA1 | ad3041f982d6d9e8d70b1d3370a3aa9593dc77c6 |
| SHA256 | c68e99abfd1380833772a97ab0d8ab5949f7c484886981916134b8324a1335fd |
| SHA512 | 1096423449b6320e9197ed968ecabca21b12c25344be7415457f0cca8d75d01b883d236a008e2b3cd2971083e5d20ced8cb7b7eccff9f3a90ee3d1b6a975d26e |
memory/3028-80-0x0000000001A90000-0x0000000001A97000-memory.dmp
C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe
| MD5 | 5eae15de1e8a068dec966c6304369f07 |
| SHA1 | 306d2092f34ea546964d855b5478afb493cdd962 |
| SHA256 | 9ac1a947036653e312c1ea739fd60a7236007d35d6b8957910388a43e748cbef |
| SHA512 | c2fdbdb152fdfaed246139be48cdcc0e84443dfb7dfe3e8e2a5784675788db8a211c214b4f6a71ca1bb132c07c1a6b52680d15670dbab59aaa8e6649fbc60def |
memory/1260-91-0x0000000077156000-0x0000000077157000-memory.dmp
C:\Users\Admin\AppData\Local\zmHgoM\UxTheme.dll
| MD5 | cd05667f81fd3c5749e869ed7072bde9 |
| SHA1 | 1c198e60b5d6a223462527a8007079f6dc3cc902 |
| SHA256 | 4c27198135a578a18c5bd208f2ecb918a7583c61666555aabd3eece489550be3 |
| SHA512 | 8c109d0cb42941df78e33d943e6956247148cefa3db6bcca6c270f5b111d2debcad5ee7106eb3724c9895c1db08ccd87ef79500ced1624622abad3dc3054a07e |
memory/848-99-0x00000000000F0000-0x00000000000F7000-memory.dmp
\Users\Admin\AppData\Local\NoRKpuZ\mmc.exe
| MD5 | 9fea051a9585f2a303d55745b4bf63aa |
| SHA1 | f5dc12d658402900a2b01af2f018d113619b96b8 |
| SHA256 | b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484 |
| SHA512 | beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76 |
\Users\Admin\AppData\Local\NoRKpuZ\MFC42u.dll
| MD5 | c1d3a53704c819d80fa906ae76301e2f |
| SHA1 | 4fd5256b9fa5965ac7318ea35882162914468212 |
| SHA256 | 1a4e3d2ac8a26b194807345f096df626ffab860dcf5c2ae72f47d39d9ae08923 |
| SHA512 | 38c2a93a471a732689c695488a3096f078fd6f8346030a083779b8f5a824f8b6c4b59101190ef4331506e9ffa5ee12f3711bf052e4a567454fb61be10834a0b6 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk
| MD5 | ee14fd84587a5bafc52492ca6e26c5f7 |
| SHA1 | ed4ab21f12721c8973ebe3050d12254f2d2cb8ef |
| SHA256 | f15b457cf52ad959c77d9bde6ccf8a25996d0d06de59db37c23d9165d85af68e |
| SHA512 | ac8a7bef2eff8f90fe9333e73626b99d64bb9b6dce265f5072fbf120c0ed30bd1c07aa448159e7f133dd272484fa9549e235699a0719ef64fc35e710a23fa5e2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\xoYGVp7\UxTheme.dll
| MD5 | 39c0247bb2d695c0e7c51726d2681fa9 |
| SHA1 | c4c1e6fc397b56e234f31a380c66acecab2826da |
| SHA256 | fe539570820905afd286fd6ba7f7ac29d16fe874070f33b58ac5add9c70f0934 |
| SHA512 | 94ed642532f0b7ddaa6d11e2b0d3a1c2eb343c79c4a5a02883b5a3ee1ea34797946676923b87dfc158604a995ef9f6ab5a85cd04cdd16c0cd20be9d6fc30f1f7 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 02:41
Reported
2024-01-01 23:57
Platform
win10v2004-20231215-en
Max time kernel
127s
Max time network
149s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\kmc1wPeP2\sdclt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\9e6fH1trv\osk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\E4xHpqLz\PasswordOnWakeSettingFlyout.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\kmc1wPeP2\sdclt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\9e6fH1trv\osk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\E4xHpqLz\PasswordOnWakeSettingFlyout.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\BXOA69~1\\osk.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\kmc1wPeP2\sdclt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\9e6fH1trv\osk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\E4xHpqLz\PasswordOnWakeSettingFlyout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3492 wrote to memory of 2416 | N/A | N/A | C:\Windows\system32\sdclt.exe |
| PID 3492 wrote to memory of 2416 | N/A | N/A | C:\Windows\system32\sdclt.exe |
| PID 3492 wrote to memory of 4792 | N/A | N/A | C:\Users\Admin\AppData\Local\kmc1wPeP2\sdclt.exe |
| PID 3492 wrote to memory of 4792 | N/A | N/A | C:\Users\Admin\AppData\Local\kmc1wPeP2\sdclt.exe |
| PID 3492 wrote to memory of 4992 | N/A | N/A | C:\Windows\system32\osk.exe |
| PID 3492 wrote to memory of 4992 | N/A | N/A | C:\Windows\system32\osk.exe |
| PID 3492 wrote to memory of 4048 | N/A | N/A | C:\Users\Admin\AppData\Local\9e6fH1trv\osk.exe |
| PID 3492 wrote to memory of 4048 | N/A | N/A | C:\Users\Admin\AppData\Local\9e6fH1trv\osk.exe |
| PID 3492 wrote to memory of 4860 | N/A | N/A | C:\Windows\system32\PasswordOnWakeSettingFlyout.exe |
| PID 3492 wrote to memory of 4860 | N/A | N/A | C:\Windows\system32\PasswordOnWakeSettingFlyout.exe |
| PID 3492 wrote to memory of 3764 | N/A | N/A | C:\Users\Admin\AppData\Local\E4xHpqLz\PasswordOnWakeSettingFlyout.exe |
| PID 3492 wrote to memory of 3764 | N/A | N/A | C:\Users\Admin\AppData\Local\E4xHpqLz\PasswordOnWakeSettingFlyout.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\24dc00b648e1da094abe409fc55cfd8b.dll,#1
C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
C:\Users\Admin\AppData\Local\kmc1wPeP2\sdclt.exe
C:\Users\Admin\AppData\Local\kmc1wPeP2\sdclt.exe
C:\Users\Admin\AppData\Local\E4xHpqLz\PasswordOnWakeSettingFlyout.exe
C:\Users\Admin\AppData\Local\E4xHpqLz\PasswordOnWakeSettingFlyout.exe
C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
C:\Users\Admin\AppData\Local\9e6fH1trv\osk.exe
C:\Users\Admin\AppData\Local\9e6fH1trv\osk.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| GB | 96.16.110.114:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
memory/4032-1-0x0000000140000000-0x000000014028C000-memory.dmp
memory/4032-3-0x00000209E5EF0000-0x00000209E5EF7000-memory.dmp
memory/3492-6-0x00007FF9CACAA000-0x00007FF9CACAB000-memory.dmp
memory/3492-5-0x0000000002BF0000-0x0000000002BF1000-memory.dmp
memory/3492-10-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-9-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-11-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-12-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-13-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-14-0x0000000140000000-0x000000014028C000-memory.dmp
memory/4032-8-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-17-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-20-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-23-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-29-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-34-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-35-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-36-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-41-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-45-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-47-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-49-0x0000000001290000-0x0000000001297000-memory.dmp
memory/3492-56-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-57-0x00007FF9CAD40000-0x00007FF9CAD50000-memory.dmp
memory/3492-48-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-68-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-66-0x0000000140000000-0x000000014028C000-memory.dmp
memory/4792-78-0x0000000140000000-0x000000014028D000-memory.dmp
memory/4792-84-0x0000000140000000-0x000000014028D000-memory.dmp
memory/4792-79-0x0000026F45C80000-0x0000026F45C87000-memory.dmp
memory/4792-77-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3492-46-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-44-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-43-0x0000000140000000-0x000000014028C000-memory.dmp
memory/4048-103-0x0000000140000000-0x00000001402D2000-memory.dmp
memory/4048-98-0x00000209719A0000-0x00000209719A7000-memory.dmp
memory/4048-96-0x0000000140000000-0x00000001402D2000-memory.dmp
memory/3764-122-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3764-117-0x000002887B890000-0x000002887B897000-memory.dmp
memory/3764-115-0x0000000140000000-0x000000014028D000-memory.dmp
memory/4048-95-0x0000000140000000-0x00000001402D2000-memory.dmp
memory/3492-42-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-40-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-39-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-38-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-37-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-33-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-32-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-31-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-30-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-28-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-27-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-26-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-25-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-24-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-22-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-21-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-19-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-18-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-16-0x0000000140000000-0x000000014028C000-memory.dmp
memory/3492-15-0x0000000140000000-0x000000014028C000-memory.dmp