Analysis Overview
SHA256
d47a15f7fcfebfac9cd8e6613d618624b4ab1de7e052026b9b7ff566827f26ac
Threat Level: Known bad
The file 23f9d2ae51af5c55ef51d26821cc73bb was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 02:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 02:09
Reported
2024-01-05 04:03
Platform
win7-20231215-en
Max time kernel
151s
Max time network
125s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\T0e0\p2phost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\zpRbP2AZ\DeviceDisplayObjectProvider.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\61euku5G\RDVGHelper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\T0e0\p2phost.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\zpRbP2AZ\DeviceDisplayObjectProvider.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\61euku5G\RDVGHelper.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\HC\\DeviceDisplayObjectProvider.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\T0e0\p2phost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\zpRbP2AZ\DeviceDisplayObjectProvider.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\61euku5G\RDVGHelper.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\23f9d2ae51af5c55ef51d26821cc73bb.dll,#1
C:\Users\Admin\AppData\Local\T0e0\p2phost.exe
C:\Users\Admin\AppData\Local\T0e0\p2phost.exe
C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\zpRbP2AZ\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\zpRbP2AZ\DeviceDisplayObjectProvider.exe
C:\Windows\system32\RDVGHelper.exe
C:\Windows\system32\RDVGHelper.exe
C:\Users\Admin\AppData\Local\61euku5G\RDVGHelper.exe
C:\Users\Admin\AppData\Local\61euku5G\RDVGHelper.exe
Network
Files
memory/2504-0-0x00000000006B0000-0x00000000006B7000-memory.dmp
memory/2504-1-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-4-0x0000000077256000-0x0000000077257000-memory.dmp
memory/1204-5-0x0000000002970000-0x0000000002971000-memory.dmp
memory/1204-7-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/2504-8-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-9-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-10-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-11-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-13-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-14-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-16-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-19-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-20-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-21-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-27-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-28-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-26-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-30-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-34-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-33-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-36-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-37-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-38-0x0000000002950000-0x0000000002957000-memory.dmp
memory/1204-35-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-32-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-31-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-29-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-46-0x0000000077461000-0x0000000077462000-memory.dmp
memory/1204-45-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-25-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-50-0x00000000775C0000-0x00000000775C2000-memory.dmp
memory/1204-56-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-60-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-24-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-23-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-22-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-18-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-17-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-15-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/1204-12-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/2760-74-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/2760-78-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/2760-79-0x0000000001B50000-0x0000000001B57000-memory.dmp
C:\Users\Admin\AppData\Local\T0e0\p2phost.exe
| MD5 | a2ac63c10ee6237bdb207919ebcf47bb |
| SHA1 | 7ee91492601fb06374982198c5d7324be91632b8 |
| SHA256 | 848807b52f832cdfd4e12cb8d688db7f6b95e2d56752bd59003534a9407aa28d |
| SHA512 | 934b07f37ee01a21541646cc3a6c7a911ee24ac05d992fc401e487e3d5544f21d89900e18d2ff07de883f43e9524cf55d5e28c981f07f9420c48bc779ea88b4c |
\Users\Admin\AppData\Local\T0e0\P2PCOLLAB.dll
| MD5 | a8c6159df88e83246cf94db8a761f5b4 |
| SHA1 | 78b15cc086d65b52bd8631314c465a9f57832733 |
| SHA256 | 37c707995f88407bc9b1ef3460334a1f7c8641ad2db727c22c5f44bc29663b41 |
| SHA512 | 6f657f6b4225d82fb4e6b4452c339245e2c3156bb9871ff785af1c834be68a404177dbd47eb9822865074b6cd5a7c8cedc229a6c260948582fddb2cc0bb4a229 |
C:\Users\Admin\AppData\Local\T0e0\P2PCOLLAB.dll
| MD5 | c75ac080f68396d8713eea8fc6cd8182 |
| SHA1 | 55c2adb3dc68b24129357d0d42c46127ea4b1917 |
| SHA256 | 4e1b05997438071e8751d7d2965630786ac2133964da490b029777231566fd9a |
| SHA512 | f07db3a4e78e90b6fbb2fac7ac9ebb3fecffc458ec33ecfe5d03de1ae8cf4edb5c4af68097507c08f977f004158e93e16d573c85f468bc10e3c741f9715ef434 |
C:\Users\Admin\AppData\Local\T0e0\p2phost.exe
| MD5 | 0dbd420477352b278dfdc24f4672b79c |
| SHA1 | df446f25be33ac60371557717073249a64e04bb2 |
| SHA256 | 1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345 |
| SHA512 | 84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1 |
memory/1204-91-0x0000000077256000-0x0000000077257000-memory.dmp
C:\Users\Admin\AppData\Local\zpRbP2AZ\DeviceDisplayObjectProvider.exe
| MD5 | fe18eda12ca06afa3f63c27932e81f56 |
| SHA1 | 16e586cd6db614e6f50dc52e21d65057286bc121 |
| SHA256 | d44f5eee1a1bc4045d097e091308a2871825aadd0f58c59bf3598bf74406da5a |
| SHA512 | c1ff44c7e9f8539e8fbf60b8fdbc1213466e4394d0ef85cf799a19be14610cc2d146d6ba3655d8fedcd39bfdfad0bdfdf1c61cd90b78c913c9bfd6c45214d594 |
\Users\Admin\AppData\Local\zpRbP2AZ\DeviceDisplayObjectProvider.exe
| MD5 | 582b27174be9a93efb664e6d5bb2b6c5 |
| SHA1 | 5922755657692be3e84d7db0c1987bda6114950f |
| SHA256 | 16c95aac6868330f6463e1b585fdbb6c17efdf27e34f31bfd390176da2a66938 |
| SHA512 | 7d4a277c00eb219a442b9b9112fdec5b8f1d9a5f31759b516b4efcf79ce0137f2f2000ee374c42a190d3a8e2376599d5fe051cafaf381050b1580a32e3c6417c |
C:\Users\Admin\AppData\Local\zpRbP2AZ\XmlLite.dll
| MD5 | 8f8c4f87def653d3efbc6a32dba0349e |
| SHA1 | abbb880748b9125a0a280d03cce947d278ef4db6 |
| SHA256 | c06f0a63ee7c526876ab3c3597d0f4ba589cb148c5e441b39c6119f83ad0b053 |
| SHA512 | f8e1aa10824fb9db31c9304940e920c4ae5509b17675764b90f4cf244a5df58162c3fc1787d4eba5544044719921e0a9f2ff409efecb4805aa93bdaae0618dae |
\Users\Admin\AppData\Local\zpRbP2AZ\XmlLite.dll
| MD5 | ed97e41045fa9412013ecdc3d97de69e |
| SHA1 | 0d3693813fd48367c10f7719b0204c6d5aee4a9b |
| SHA256 | cb9a2a8880b78e746226db99e5983dd4c439655aa8b8cb29e68a3e9705c43d53 |
| SHA512 | 55cc258477b95a16a1f50dba91e001a83e3b30c193aa121b4c349409a399c8bff2f6e994450371f766ae59c4324d15418231efafbaeec4cf7420f7124283e684 |
memory/2384-99-0x0000000000170000-0x0000000000177000-memory.dmp
memory/2384-105-0x0000000140000000-0x00000001402C6000-memory.dmp
C:\Users\Admin\AppData\Local\zpRbP2AZ\DeviceDisplayObjectProvider.exe
| MD5 | 05e500f49720a60d05e0aafe42779471 |
| SHA1 | 91a91f88a68b441f9e78690db09b122a2049a571 |
| SHA256 | 569028adcefe0c1d797e347bc99fe439ab100a80c298b0f1ea55eff31b97b8f0 |
| SHA512 | 894d434cef367268a2cfea479fb40305dd0e9aae2cbe4c460fb27204cbc27d12db7e0f3cab671ac01343082bada7cf6b3cf10a16bba36944153aa116f811701a |
C:\Users\Admin\AppData\Local\61euku5G\WTSAPI32.dll
| MD5 | a20e64cd5fc7a119c2b77f7604d27714 |
| SHA1 | 5b540ef59ca3ac0127601db5b9920e7f986fe1dd |
| SHA256 | 7778957af3656f169147a4d290cf92a4c448068711b52d88e61034a9c81f8f7f |
| SHA512 | e2ef072a6a7315cd412f6615599986483926629e59ca90eb940bcaae1e659f1199393e1dcbe8e0fb4a3b66bd77e15b59abff1e03170c0309a8489d7ea992c2a3 |
\Users\Admin\AppData\Local\61euku5G\WTSAPI32.dll
| MD5 | 04b1f4ccff7478839765d5bf8f3a7259 |
| SHA1 | 535662bea1f622fbba85f716a15c20028dab8790 |
| SHA256 | f8c538d1044e8bcbf40cbec1af892c80e1a2cd5d316df7b8dfdbe9cc869067e3 |
| SHA512 | 7a3793d496715ae7fe2914f20fd4d458b42cbb75b2c1aeb20d161852a31b00fae4b9dcd35bf1a8b22d87b18866355c05a202ca8e156329cfd56e9473f6ac04ed |
C:\Users\Admin\AppData\Local\61euku5G\RDVGHelper.exe
| MD5 | 4aa3edfad3005708d50d1d2e9ff1dadd |
| SHA1 | b1125c66514706fcf058785bcdd272856f99b77c |
| SHA256 | d862732b85c9072a553b74c90c3d76bfa8b6b84f7be8d7ba25ba27b0af2cfc32 |
| SHA512 | 5ea8941d16bd5f15e81d46e3754b08481092d35cf7f7ca11bfa09b50989dfb31eda04dfa63c195011f5dba11400387cb6a86967e0ae422c3b315a4e269b1e3eb |
memory/1572-117-0x0000000000190000-0x0000000000197000-memory.dmp
\Users\Admin\AppData\Local\61euku5G\RDVGHelper.exe
| MD5 | 54d141930907c219f6512659763c4d90 |
| SHA1 | 6b35b7cc91c82b191682cde9e9ff0cb6a45124d1 |
| SHA256 | 74635ab24d4afd39dc38da01a5721c9e7609a9d4f6c75d741924b7f919a51b46 |
| SHA512 | 418adf1a6547dc0c31b2345237eb48292a9039a5366cabda765ddd9842845dd3f3f30e5f11ede35115c89b0575ca7181cd5567103e84e231b13dd9008ea7444e |
C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\caL\RDVGHelper.exe
| MD5 | 285322cccefbe3533207aaab74ff057a |
| SHA1 | 1d331d6b2016e513d036035e47ca4a50deefd1cd |
| SHA256 | 75d749600ff402c205518c143273c7223134ce6cf5b3a92d743078fcdd9c5e3a |
| SHA512 | 18b6c1547bf618529cd3dbfd5b806d0a1d7a0e49bbbf7fc5c19e8e858d95b0ff65e503734730491431394b84e9890a28922daba4373474fcbe6f002fddca1366 |
\Users\Admin\AppData\Roaming\Mozilla\Extensions\caL\RDVGHelper.exe
| MD5 | f1756a4c448df3b2f7670db22be3fc1d |
| SHA1 | 6e588d434c690340b65d669e209d97912dcaae5d |
| SHA256 | 2fe200a8e63dbf49ebd50309373cd2b00927ce12a4dc9ef0b8f1b7fd2aff472e |
| SHA512 | 58022cc824984bde050c750fa98137f492e668d49492565531857472d493bc663197550e7f4e7a9a4a5a4788b4c80fe8b52431ef3ea5ceabe5af3fcdac1b2a9e |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk
| MD5 | 4be8fab5f2a669181366e9bcd7cb8100 |
| SHA1 | fa977d4abd2fa711a375d72c97adb7bb4c2a8044 |
| SHA256 | 04b34f71b74eac6bf3a38bf715abb98334976667ae46283fc361ee562ddaebed |
| SHA512 | 4d14b7a40d37a811961512760f9e24f19e6deff55055df426837053bd9014e811103f119dc03fb0e575adaf2946028df5676ea7363642aa5a4803bb8b804630d |
C:\Users\Admin\AppData\Roaming\Adobe\VGjeDOg\P2PCOLLAB.dll
| MD5 | ed334326bcdcb7e1771d114b968d3992 |
| SHA1 | 4310e49807a8ed608e6f57a7629e24ebe1c92301 |
| SHA256 | bd8763d28db6f8e01bda0cdf56f1e7a3383538e309e122746533676c67be8ac0 |
| SHA512 | 52d35910090e542541d2c41fb066b86c8f1b65d8b0ac59152d257753e81549cc76ff8a32be7b3d1bb1d160208e8a06eaf573c87b929a01988c0ec049c63bf206 |
C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\HC\XmlLite.dll
| MD5 | 0a836ac423a75bf03108432ddcda9efa |
| SHA1 | 2265983ced9785dffd28778c0f88b80c80759560 |
| SHA256 | da184beced8ad67bba521aaaa637bd12bb04de5ad9817f8c7acb83c16720d5a8 |
| SHA512 | 6d92927f7a17507402961e4978b5c497bff5259e3f914eef501a1ee545f0be9988d253afa439f5f4aafb8cee72c4ca3312ca304204023fa7e042a57780d88030 |
C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\caL\WTSAPI32.dll
| MD5 | bb18f0d9c00afd8f822e27179f75df9e |
| SHA1 | fa0ab3b4ab8ec4b1900c0f9600b277f57ef078c8 |
| SHA256 | 3dab90c8f8cbbd492f5d92a85413f67871ede63c540fd0d1559f525d41717de5 |
| SHA512 | 94e57bacab44dd0ca2a5e842f39fbf2859f88b882d3d65d4d5f91b2ca3cd6fb981f247cfa82239ee34eec3ef70c32f0745178f70135750476655063e1cb3a3d8 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 02:09
Reported
2024-01-05 04:03
Platform
win10v2004-20231222-en
Max time kernel
64s
Max time network
153s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\uot\dialer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\NgpjE4onL\dwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LIcTdiir6\Dxpserver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\uot\dialer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\NgpjE4onL\dwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\NgpjE4onL\dwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\NgpjE4onL\dwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\NgpjE4onL\dwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LIcTdiir6\Dxpserver.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\OUDQJR~1\\dwm.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\uot\dialer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\NgpjE4onL\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\LIcTdiir6\Dxpserver.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3512 wrote to memory of 1280 | N/A | N/A | C:\Windows\system32\dialer.exe |
| PID 3512 wrote to memory of 1280 | N/A | N/A | C:\Windows\system32\dialer.exe |
| PID 3512 wrote to memory of 3312 | N/A | N/A | C:\Users\Admin\AppData\Local\uot\dialer.exe |
| PID 3512 wrote to memory of 3312 | N/A | N/A | C:\Users\Admin\AppData\Local\uot\dialer.exe |
| PID 3512 wrote to memory of 4264 | N/A | N/A | C:\Windows\system32\dwm.exe |
| PID 3512 wrote to memory of 4264 | N/A | N/A | C:\Windows\system32\dwm.exe |
| PID 3512 wrote to memory of 4580 | N/A | N/A | C:\Users\Admin\AppData\Local\NgpjE4onL\dwm.exe |
| PID 3512 wrote to memory of 4580 | N/A | N/A | C:\Users\Admin\AppData\Local\NgpjE4onL\dwm.exe |
| PID 3512 wrote to memory of 3700 | N/A | N/A | C:\Windows\system32\Dxpserver.exe |
| PID 3512 wrote to memory of 3700 | N/A | N/A | C:\Windows\system32\Dxpserver.exe |
| PID 3512 wrote to memory of 4056 | N/A | N/A | C:\Users\Admin\AppData\Local\LIcTdiir6\Dxpserver.exe |
| PID 3512 wrote to memory of 4056 | N/A | N/A | C:\Users\Admin\AppData\Local\LIcTdiir6\Dxpserver.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\23f9d2ae51af5c55ef51d26821cc73bb.dll,#1
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Users\Admin\AppData\Local\LIcTdiir6\Dxpserver.exe
C:\Users\Admin\AppData\Local\LIcTdiir6\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
C:\Users\Admin\AppData\Local\NgpjE4onL\dwm.exe
C:\Users\Admin\AppData\Local\NgpjE4onL\dwm.exe
C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
C:\Users\Admin\AppData\Local\uot\dialer.exe
C:\Users\Admin\AppData\Local\uot\dialer.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
Files
memory/5084-0-0x000001D7EB7B0000-0x000001D7EB7B7000-memory.dmp
memory/5084-1-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-5-0x00007FFFFBC9A000-0x00007FFFFBC9B000-memory.dmp
memory/5084-8-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-11-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-14-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-19-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-23-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-24-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-27-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-29-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-33-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-35-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-37-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-38-0x00000000012B0000-0x00000000012B7000-memory.dmp
memory/3512-45-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-46-0x00007FFFFD200000-0x00007FFFFD210000-memory.dmp
memory/3512-57-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-55-0x0000000140000000-0x00000001402C5000-memory.dmp
C:\Users\Admin\AppData\Local\uot\TAPI32.dll
| MD5 | e345bc21f9129ef14a4d695e783c5b20 |
| SHA1 | 22abfcd1776fcd2460bbf3bf47bb0311d5a8342a |
| SHA256 | 47fc6ce8460a0338a8d8293e007082c391001d85c38d8d81e18ca358d0cfb77a |
| SHA512 | 6bcf1dcd5b5132863fe5b4af88be09757451be50984dcf4910b160f6c4d89273673b0bb616963c61dc2b1ee7653a70d184e14f25bf2af668ecb5014a07ea5cb9 |
memory/3312-67-0x0000000140000000-0x00000001402C7000-memory.dmp
memory/3312-72-0x0000000140000000-0x00000001402C7000-memory.dmp
C:\Users\Admin\AppData\Local\uot\dialer.exe
| MD5 | 7b1f4d56d93d145a3da0df79c572f77e |
| SHA1 | 82f45f5fc01219b68c00297172160866cde248c5 |
| SHA256 | 6b1a2fc33ce5e96d7a39a4abf86c8a3042088abe59aedcb4d55aea788ac6c8d2 |
| SHA512 | f57833b7bc9ea0285ddef6daae1d7abddd919d4e4f1c3211f7a39c72f79e702669219f1aa1a1a74a58c89bfd9359ba0b95c78344b64a619b03aa5ab9fb2ea7d6 |
C:\Users\Admin\AppData\Local\NgpjE4onL\dxgi.dll
| MD5 | c0cbfedde819e35a9db2d9dddbc4e9a3 |
| SHA1 | 7166ba4867d19d37c682477181ae10fc8a174214 |
| SHA256 | d7b03ef35709fe694712195118fdfbb6b99ab909039dd8f2003f0af2b6bcb17b |
| SHA512 | ca2dc6b9aec13b76fff6192b6c35b57868913b45b6d3f18a804dac6fd79e576cb13f248ceeba246af151981dcc41c8ae04e08724b6524a5339096977ad1cb7d9 |
C:\Users\Admin\AppData\Local\NgpjE4onL\dxgi.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4580-87-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/4580-91-0x0000000140000000-0x00000001402C6000-memory.dmp
C:\Users\Admin\AppData\Local\LIcTdiir6\XmlLite.dll
| MD5 | e757f85ee54232bf40d4c6583b971473 |
| SHA1 | dc5288a4871aac84c2fd959084e67566cebd83b4 |
| SHA256 | 5b1100f52af3a8802445793051326648a9c028cd3dfebcfd5be84d62f77c83cf |
| SHA512 | 160ccb6f9fe63826f224fb058b1478fa1bdfd1c58e13f092d71be6076debc922033ad36fcfdc6077bcecd2fc58c637069cbe65a7e59514ad1426933bdcabab3d |
memory/4056-100-0x000002A0AD2A0000-0x000002A0AD2A7000-memory.dmp
memory/4056-106-0x0000000140000000-0x00000001402C6000-memory.dmp
C:\Users\Admin\AppData\Local\LIcTdiir6\XmlLite.dll
| MD5 | 3b591a3d495ed6f3d50f06b427c4eb4a |
| SHA1 | 1f15df46a93b871da7ca24794361dc2331fb729f |
| SHA256 | 8cc49798d16204431a89be934845eed7f8dce712e372cec1082c657db687ffbb |
| SHA512 | 070cf7250536dc8a8ee5bf09d618d505a5db7c29a50dc26d7caecf785f40612c6357d0f7382996040cce63b1027e46d902269b27e0e50c6dd28074d29ff0a3e1 |
C:\Users\Admin\AppData\Local\LIcTdiir6\Dxpserver.exe
| MD5 | 62d7168eac7aa772cc3df4aa8fc89a32 |
| SHA1 | cacb82b6db6c5c24a3489ff81747cc336217602b |
| SHA256 | 3b666e5aadb9511fb55126bdcecc09249dfac202359bdd75e7eddb33f04622d5 |
| SHA512 | cf59695aa34d31113dd02356752ed30c73f9e8805af0be293a11a0e68eb8a60ceee23fad817893871fc1e6f38b5e83801b520624aac609fd1f87c4e5f38ffbc7 |
memory/4580-88-0x0000019A1A470000-0x0000019A1A477000-memory.dmp
C:\Users\Admin\AppData\Local\NgpjE4onL\dxgi.dll
| MD5 | 5101c5553042cab33e7788092574ec15 |
| SHA1 | 246aa1d2c3826d91d107f0bb5f54c33a93c122bb |
| SHA256 | b30e67d9f853ae46c5df0a663d81103b553f4b244c3221846fe9dad30547e7ea |
| SHA512 | 60cb7cd44578793d7f25199d8869933724f2ea117e8c8f773a8cba6861b540a7b0a1093b01aaa68521e0ea76fe614bc2fc4e6e9194f77c11814eafd34262ae7a |
C:\Users\Admin\AppData\Local\NgpjE4onL\dxgi.dll
| MD5 | b3ff0e34a5c6be0907c9b79ec9d6bef0 |
| SHA1 | cf95eb3a5a220ffda8657c8c7da520f24c9fc9d7 |
| SHA256 | e3798b63e42ae8289df6f02f773e0e01fc5d3332f3594a3c7299d11e9c7b39dc |
| SHA512 | fefd8d2d19f40a8efca18e242dfa92834e2ccd0231fbd349bcf15bbe3401940098054a96f8316ee14916fee3b51f6161c4431e6d661f67bd8c2156740c9b4526 |
C:\Users\Admin\AppData\Local\NgpjE4onL\dwm.exe
| MD5 | c252d1c81482a6a42089e38491c7a6e9 |
| SHA1 | 52b3c6760114a8039839da8d356d58b3b3d4bd32 |
| SHA256 | 8e96e06a058f8bb30b24fce55bd6946216b7f0f4f1c69d846a3a87cd5ab00594 |
| SHA512 | f95f1835d7ce5138c451a6de4443e94726b0daa95d1486f29cf8ab1ab3e2f86a8f9a6b1347197dd598a409d319d55dcf09a85a4856ea075a8912e77d8c4a8a6e |
C:\Users\Admin\AppData\Local\NgpjE4onL\dwm.exe
| MD5 | 2c3cc5ac4c335f857374108d0346a144 |
| SHA1 | ac42a5edbb68ba396e0361cf0528cef426980011 |
| SHA256 | 8adab6d1a5d62bbc2436fae920eaa930508c3bdde589102cefe99840944023b8 |
| SHA512 | 28cb4d351f0f8ac1f35883b7996222b0e83e6d8adba179d8a6d7790bcfe3981abb5c5287850bdb6568e8cdc74060544fce37b9fc6a33870f2c2bdd44b537c1d6 |
memory/3312-66-0x000001B0ACEB0000-0x000001B0ACEB7000-memory.dmp
C:\Users\Admin\AppData\Local\uot\TAPI32.dll
| MD5 | eb573d8eb4a5b9eabd3fcd501e992049 |
| SHA1 | dbabd81eaf048acdbdff4798fc361aff833d4e98 |
| SHA256 | db9edad2062b466a6f6dd4e8a2120aec2dcd960499451762e33df744d97c7c4e |
| SHA512 | 62b9bf51051786d6c8a7b93661eefd2e99f4227fd39fab5e021d9e3ad16097996eb0990ef766dd9a1d19cea12ae366ce9762c2a6d862aae6634d7c6e9e9e3dd5 |
C:\Users\Admin\AppData\Local\uot\dialer.exe
| MD5 | b2626bdcf079c6516fc016ac5646df93 |
| SHA1 | 838268205bd97d62a31094d53643c356ea7848a6 |
| SHA256 | e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb |
| SHA512 | 615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971 |
memory/3512-36-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-34-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-32-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-31-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-30-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-28-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-25-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-26-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-22-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-20-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-21-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-18-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-16-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-17-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-15-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-13-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-12-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-10-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-9-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-7-0x0000000140000000-0x00000001402C5000-memory.dmp
memory/3512-4-0x0000000002C70000-0x0000000002C71000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk
| MD5 | c62f465cba51840f84e84f4881f89e04 |
| SHA1 | f17db4daed7a2285693fb264789d68a4b6d96b73 |
| SHA256 | bdc4d8a95eda3ffbfa39bc8abfdfc60f35a6367b8e2ac47dcd4f9bb5ee77ae00 |
| SHA512 | 308fac3a80b952cefdcaea4226e7ba0c5533fb3850516c1ac654d15c8f54b450f2dd9794a605a18e5cb412e02ef8c7a5432d785caf28f00e9104ab3f67358fd5 |