Analysis Overview
SHA256
60df94d0fa102fe714906ec53efafa0308a79d6caf9e8688edc8525123a7b1e3
Threat Level: Known bad
The file 38f8f403c494cd304763615d922a67fb was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Dridex payload
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 14:00
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 14:00
Reported
2024-01-05 14:25
Platform
win7-20231129-en
Max time kernel
144s
Max time network
124s
Signatures
Dridex
Dridex Shellcode
Dridex payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\CUST\isoburn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\AGLuh\DisplaySwitch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\y6G5\spinstall.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\CUST\isoburn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\AGLuh\DisplaySwitch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\y6G5\spinstall.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\QBMIs\\DisplaySwitch.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\CUST\isoburn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\AGLuh\DisplaySwitch.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\y6G5\spinstall.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\CUST\isoburn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\CUST\isoburn.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1376 wrote to memory of 2444 | N/A | N/A | C:\Windows\system32\isoburn.exe |
| PID 1376 wrote to memory of 2444 | N/A | N/A | C:\Windows\system32\isoburn.exe |
| PID 1376 wrote to memory of 2444 | N/A | N/A | C:\Windows\system32\isoburn.exe |
| PID 1376 wrote to memory of 2464 | N/A | N/A | C:\Users\Admin\AppData\Local\CUST\isoburn.exe |
| PID 1376 wrote to memory of 2464 | N/A | N/A | C:\Users\Admin\AppData\Local\CUST\isoburn.exe |
| PID 1376 wrote to memory of 2464 | N/A | N/A | C:\Users\Admin\AppData\Local\CUST\isoburn.exe |
| PID 1376 wrote to memory of 3048 | N/A | N/A | C:\Windows\system32\DisplaySwitch.exe |
| PID 1376 wrote to memory of 3048 | N/A | N/A | C:\Windows\system32\DisplaySwitch.exe |
| PID 1376 wrote to memory of 3048 | N/A | N/A | C:\Windows\system32\DisplaySwitch.exe |
| PID 1376 wrote to memory of 2692 | N/A | N/A | C:\Users\Admin\AppData\Local\AGLuh\DisplaySwitch.exe |
| PID 1376 wrote to memory of 2692 | N/A | N/A | C:\Users\Admin\AppData\Local\AGLuh\DisplaySwitch.exe |
| PID 1376 wrote to memory of 2692 | N/A | N/A | C:\Users\Admin\AppData\Local\AGLuh\DisplaySwitch.exe |
| PID 1376 wrote to memory of 2820 | N/A | N/A | C:\Windows\system32\spinstall.exe |
| PID 1376 wrote to memory of 2820 | N/A | N/A | C:\Windows\system32\spinstall.exe |
| PID 1376 wrote to memory of 2820 | N/A | N/A | C:\Windows\system32\spinstall.exe |
| PID 1376 wrote to memory of 2648 | N/A | N/A | C:\Users\Admin\AppData\Local\y6G5\spinstall.exe |
| PID 1376 wrote to memory of 2648 | N/A | N/A | C:\Users\Admin\AppData\Local\y6G5\spinstall.exe |
| PID 1376 wrote to memory of 2648 | N/A | N/A | C:\Users\Admin\AppData\Local\y6G5\spinstall.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\38f8f403c494cd304763615d922a67fb.dll
C:\Users\Admin\AppData\Local\CUST\isoburn.exe
C:\Windows\system32\isoburn.exe
C:\Users\Admin\AppData\Local\AGLuh\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\y6G5\spinstall.exe
C:\Windows\system32\spinstall.exe
Network
Files
\Users\Admin\AppData\Local\CUST\UxTheme.dll
| MD5 | 50248e684c39232cd0591e1259effbe7 |
| SHA1 | 72ad275a31e69ec2b760b9ca657c50d4e7467190 |
| SHA256 | 144bafeefb96fcc5e9a5b91e1e5fbb06378c94383295dcb4d0fbd8dfc831f6dc |
| SHA512 | aeab1658acaa4b97524fc4d1437cd937f0159403227785d52c09f8ed5c204f24954dc5f90fd0fdc3e0df059abe97fd01c8e3e62510a8bb68bd6db038a9b5dd98 |
C:\Users\Admin\AppData\Local\CUST\isoburn.exe
| MD5 | f8051f06e1c4aa3f2efe4402af5919b1 |
| SHA1 | bbcf3711501dfb22b04b1a6f356d95a6d5998790 |
| SHA256 | 50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a |
| SHA512 | 5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa |
C:\Users\Admin\AppData\Local\CUST\UxTheme.dll
| MD5 | feb6b432629f2cfe22505ad3f7c62ef0 |
| SHA1 | 4ad8b7f2ff1475d1f70773619c0dd2536c30d147 |
| SHA256 | 6afe2a2a0ad0d80d3c15606af40010ccc58d00f8118d3a21288ffad7607fea47 |
| SHA512 | 8933ea54369146c18f435a719c8525334d5f0c061e649029f324fc190727bab945f60957fea0a2ba9a9d5b1854a06bd30ecd07624e3daefff94084956dbfd9a2 |
C:\Users\Admin\AppData\Local\AGLuh\DisplaySwitch.exe
| MD5 | 3022e575cb03c376d8c6db479c2a8e2b |
| SHA1 | 9e3473dd1a6aca74f676038871ee326c311647b8 |
| SHA256 | 4eaae0b8bf8400389de0f9f863c7d6174f7c6fb9b837b275b9f17e5ba4459285 |
| SHA512 | 707371ea1d532b26515747304af7496bb0ef4a98fbba44eafe387f991b5823221c51b0c3c09baea2d2d196c6e1333972116a868e5e6a72bb5d73d967a4e37326 |
\Users\Admin\AppData\Local\AGLuh\slc.dll
| MD5 | fbaed2cca816e25e61de1a9ddfd9c205 |
| SHA1 | ff1de9a3ffb3e796c79939b33502434f37d770bf |
| SHA256 | 9b4f1eadd9b1f525f486f587b72ed319f3146c653a2ff7d64cf92e015ad51d97 |
| SHA512 | 08f45acf4a2bf6c635f7f31c46ee168c15a65c830e969f5439b016f5c26eb21ea2856bd0ba4625157ebea2a88620682ed44d2deb6643a4231764bea3ccffe67f |
C:\Users\Admin\AppData\Local\AGLuh\slc.dll
| MD5 | b183ba330074484594294168dc3e3f7c |
| SHA1 | 92f992a31eb45f47a764b7cc04ba767a9eccf554 |
| SHA256 | 5853c01bcf74a5d079659acab8fad71509e8cc5349bdb368d8a707724e121a5e |
| SHA512 | 547c39c2a54aea6d6661413ab49d09f8b09a930bac872b65c408b22ad9a93cb0332282fbcfa627b45f32020585b37fc99b136b7394d25449a07135225d9f31ec |
\Users\Admin\AppData\Local\AGLuh\DisplaySwitch.exe
| MD5 | 00a8af9951e0475f880898587cb8dc9d |
| SHA1 | 86f7c2832adb08ac6f72659a262cb05339d73dd1 |
| SHA256 | 4dc90332391bec21c16a0584093783ab3efdb1e8f3c8ccdc2492e6f6e9954131 |
| SHA512 | c2700b0890bc1e7c015de5f23067cbb84025a28a509ae2b391814375d97a7490689f7d3ad5410c1999b79b888592dc2b3212db8f8b4524af13e870c595484e73 |
C:\Users\Admin\AppData\Local\AGLuh\DisplaySwitch.exe
| MD5 | 91dc004f6ac7ed5986f4068500f0cbbc |
| SHA1 | a93b8662ff69301319fd2e0b770f135e3dddcb16 |
| SHA256 | 140348291d2dff91be0ddb57b2efff572753ceb713c048753e67c3ec335d7883 |
| SHA512 | 1efc2dcd91dd89ab8a4b6e0c05c4bea1ab5a43863cad1bb4656be03201eac523566a04af38b49cb3c54f1d6642ac07aefbcbe38f4f0c6d8be04a4d245e9bf4b6 |
\Users\Admin\AppData\Local\y6G5\spinstall.exe
| MD5 | 337ad813cbf12ae44d92b3942a0b0f26 |
| SHA1 | 6286367360e2dede3cceff1ca8332ffe47c2cdfd |
| SHA256 | e3586c60c509eb97a522c611837ca908f3f6075d17e47b67af5b72a98df60515 |
| SHA512 | eb7d77f7ca8e78daa326c33cf702327aafa4d39e41e91ac57026331bdbee07f64cafa16f109e8bd2358c2228f57ccd2071c824b449e7a9d36e0a6b91078f681f |
\Users\Admin\AppData\Local\y6G5\VERSION.dll
| MD5 | 178e42ce54404a2e334b04ad3eb7e495 |
| SHA1 | bb8ec96650ce5d40d9b8e315b759854308de34d8 |
| SHA256 | fd98fb27176cfc7ff946cb14d19abdd84f6f6d99141f871052b40993ec5e64c3 |
| SHA512 | 41ddae55dad0493fa210347b71fd09199cd636b6603c1bc316db5871d5c2dffb4794d7e1f78a2d919fb10ff8af084dd8a841a67fe5ccbd7ee823e8129ae598b0 |
C:\Users\Admin\AppData\Local\y6G5\VERSION.dll
| MD5 | 0a680b8854d1444fc6b84adc92796ea3 |
| SHA1 | 44796311dfef6b1299cf20c826039ef96d1f96a1 |
| SHA256 | dd2bf1f6bcb5339fddbbf25a7b560a1ab7422f2e01a523d6ef94cd253867f683 |
| SHA512 | 0ca41a613ca56fc62e6e222053790d2137c1d09ab57aa4b5c74cc3bda8c5db7be48f51ffd2ef71297b39ad8607a8ae1920f2b51a9b9710641289d878e306327b |
C:\Users\Admin\AppData\Local\y6G5\spinstall.exe
| MD5 | d75d8b18ab57ebf060dc40ddeda83196 |
| SHA1 | 626c510561ae8662c14a5b0ec0c51c29c0b5b769 |
| SHA256 | 266f9a0cc86fef8a52a2443096a60976a3d05f958f89405de64196c4156f1aeb |
| SHA512 | df4c4708e7de657a6d1773008a1778fbf7405a16bd8622549874a0647f7f36d1bbe375882ab716ca31e8481b414bc3b0f3cf90502db50c1854f0576bc43a2acc |
C:\Users\Admin\AppData\Local\y6G5\spinstall.exe
| MD5 | 53d2c0776e6a005fb5e82791850181fb |
| SHA1 | 14898bf52d4e5b789be4af96995b144bfb4039e4 |
| SHA256 | 508cecd471b6ed3bea318744b2e7952ed2a68de303c2a4350e2ebc91fa52c49e |
| SHA512 | 27c6bb7e0e6cc867fb7424d64c0d977b9388ca73da6b3d197ce633ee65a3b7aaede3400c641d60b8a8c89281170ae3dd3c1436443a01db0a60e23043e1da09f6 |
\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\ZIwBy1N6wuL\spinstall.exe
| MD5 | b99369e32a53bba7194eb3127639022e |
| SHA1 | 91b871c330fbac870a7a55a9907f750f4cd6de18 |
| SHA256 | 78ede9d0e06d43711f75e71ecc43415745edfc35d43e43e51626350497726eb9 |
| SHA512 | 33e349278de65eecc6e7a25204fb050c893138c896e056379c1a875741a4889c2953ddca0fe01fc1f1a7bb53ca179664d68f9ec94bd016dc5b3f36d3e172b507 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk
| MD5 | e90b35555813cf089261a04fa50ac51f |
| SHA1 | d54af25407400f98f90d99268f898ec1ca2a29bd |
| SHA256 | ada27f28f9c5b603e3e6aa2d8307cefe0cc03fb17d4e2f0c5e8517bf8447b122 |
| SHA512 | 7297ed7bc676a65b336523389818390aa320dcdf3fa0766476863c14b12779e8bcdc5e2222f1cf0629a09fb92a5f83bce4b77501f3dc35f23685b868a9b98f51 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\OmTB9\UxTheme.dll
| MD5 | f8202aa272de4ac3f58679c78f445892 |
| SHA1 | 00a36c2e9e26356fc7cc7e6a69e3980bfe806f3d |
| SHA256 | 53cf7ac7ef5442d265e35849487e89964cd33492133d07d5340238f2a153c077 |
| SHA512 | 6804d4542d64e662357b593f961fda2e689d0925c963b999ac3793d8c41c089a120573e178da96d8391ef60b578d6b77ca94610108ab012d96214d0c842ca315 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\QBMIs\slc.dll
| MD5 | 5e861e2d087dac8f23b2c8eac1bc26c9 |
| SHA1 | 011b32062245e098274622f0bba785384dfad47c |
| SHA256 | f71cf158ea837e07202f91d37f4e732980db743cc77bca70a626b3d9a0a77c32 |
| SHA512 | 4915add0ee87b62839543ddb4c882d79fa7b18b27fd809e8dcf104e44dd7b1b093abec989601f291c3163bcd69debd4f8fe856b7a596bf3c86d19a6dffa9d0c1 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\ZIwBy1N6wuL\VERSION.dll
| MD5 | 15ad0c727ad8fb6c7b02325c330639fd |
| SHA1 | da616d22d06bed95a8325db7699427dac88b4515 |
| SHA256 | d4e13a528b52517485d900910ac07e7f8acafafc2b29f0504fb4686b571c5aea |
| SHA512 | 3316730e4d1fa33b580ca11bfa97aea694c36366b3d8a9e6f231a8c79b06ccb2209ff46fbcddd7f8ec2143e00165999d4fc0442c040054a8f5436fec3a091829 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 14:00
Reported
2024-01-05 14:37
Platform
win10v2004-20231215-en
Max time kernel
2s
Max time network
124s
Signatures
Dridex
Dridex Shellcode
Dridex payload
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\38f8f403c494cd304763615d922a67fb.dll
C:\Windows\system32\msinfo32.exe
C:\Users\Admin\AppData\Local\eN0\msinfo32.exe
C:\Windows\system32\osk.exe
C:\Users\Admin\AppData\Local\erGfzyXY\osk.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\CDUkQ2\SystemPropertiesPerformance.exe
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| GB | 96.17.178.205:80 | | tcp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\eN0\SLC.dll
| MD5 | 50360e27993b94ffe446f98a877d5812 |
| SHA1 | d97d6182d2342048ccbb9d3ad28b10f251897908 |
| SHA256 | a3fbecae74012a87c8d9a5af7fde055f1eaed3c63dc066893a5a9dd36c267299 |
| SHA512 | 5b4ac7ab75ca5d0cb288709d3a0736d0ca0a6d7af10df9ffa5a499f8c2abef57213f242ccc06edd86599fe7c620f8762be33f027d0a2ec90048b5b1a92572296 |
C:\Users\Admin\AppData\Local\eN0\msinfo32.exe
| MD5 | 315fbb621e18406c97f9b42d19101ad9 |
| SHA1 | cc7babb43fd756b213ad3f3cfeb764ea566c76c3 |
| SHA256 | 8ba26dfd1e6dc83c214f338e79a545ff8f4c2961ea21008105bb987c01d3524f |
| SHA512 | 7917f61ffcae7139f4b18aeb36f5705ad6668e1c8a70f805b02b989b767b44af2407e0dc6a15cb44220b80c8f1dc3ee5ea288fdf0d320d5ca91beb3c81d88ce7 |
C:\Users\Admin\AppData\Local\eN0\SLC.dll
| MD5 | 8b9820436497c55d4245b347ce3ce5b0 |
| SHA1 | cb75c6c194f4903ae4b52acc33534a02998945d0 |
| SHA256 | d2fb79f2fffdb958b2f3e8237ca1b3521e96bbd7a774a7510a59bdc1978cfa85 |
| SHA512 | 2e1ddf2f6f663ec8b1aedf7072984fd1cc0b80a261f41d8034c1f51dc8ad70af00d21dea32d6915b2698a737de972aa6a132d9528282dcc5a32147da3327822c |
C:\Users\Admin\AppData\Local\eN0\msinfo32.exe
| MD5 | ca23da6c81165df8e94309b517db7c8c |
| SHA1 | fba57a166fc006779376d6ebd30925f2107a22ad |
| SHA256 | a1be267e050d6ffc61e7f3616774066c45b92c6c7ff0b1c3a490e29825c7bb28 |
| SHA512 | 019a589287e3d931fd9773954405ebc471e7207fe16aee4c837e92946ef450a7b6f8faf000f05785feddcca5c87f8ed2fdd8884668d89b142026bcc54d9e8b69 |
C:\Users\Admin\AppData\Local\erGfzyXY\osk.exe
| MD5 | 522b865175d8df291df23707912d143d |
| SHA1 | 637bd73deea0aa18e9ef9386c3b90a00730bc5f6 |
| SHA256 | ac435a6e18551b969395c8d933f5f44855e096d2914aa9a2626204f0fc0dc818 |
| SHA512 | 882c35b5e4aa8c35be0b95fabc5e7b1683e62f9589b7570dff5185be2d2f85a670e85f022289696cb76bb7a0c910fb42fbbf04ccc908929318553cdadc7ae17a |
C:\Users\Admin\AppData\Local\erGfzyXY\osk.exe
| MD5 | 91f496111a7e36d085589dda454aaac7 |
| SHA1 | d7993e1b4f6259c6d7b6274b31eb3012d1b99610 |
| SHA256 | 3d4c46036e276b70f05cdf2d7b928043d015859dde576dfc47b2950d33df9508 |
| SHA512 | ce52bc461b361671c1b92f4bea24b4fc4cd3afe6458be026fbebdde4c6e5a7c3d09bf497bdbd9c77946ea4f30d426b1d8f3d64cf611bef8eb90d676a92ca436a |
C:\Users\Admin\AppData\Local\erGfzyXY\WINMM.dll
| MD5 | fb209fdab3dbc1d839cb812a5ee16342 |
| SHA1 | ea951984c6e52d71f5db34dc75921b26ad09ad87 |
| SHA256 | 60a29b63f81576b97eb3afc720e3fd9056e8c76c8dd3bd85c03b556a17579d95 |
| SHA512 | 9fe393e4691da91a10e7634cfe5ce6f27828c06e9f3bb042191c8d78c99598f023f168ce6baaff54cd023dd17ac4517f093fbb499a33cabfc960db1ed6fa0c3f |
C:\Users\Admin\AppData\Local\erGfzyXY\WINMM.dll
| MD5 | cc23382e06151fb9ed7158d7c16830e6 |
| SHA1 | 39b3a006765140dc301466b58933d0d5cd744b06 |
| SHA256 | 56558ae29d54344c2003520fca21fa0ebc057b06f5dc1a660a4159d5c821c53f |
| SHA512 | 9576235eeaa495e310d1dd7052b72287fd62fc4b15a5efe34d6b439f30614ca54b7d5b3a96ca29b3fccc8425a791b926a103fdf825c90b13dfb1a6f211def9ed |
C:\Users\Admin\AppData\Local\CDUkQ2\SYSDM.CPL
| MD5 | e6614ed210a60d417bbc43ddd716125b |
| SHA1 | 109831a2e2446a06e95442586ffa06ba3e33e6ce |
| SHA256 | 70855b6493e056aae4a7a4ae1d637fc9ab7df1637f5d7d44784a5c9131f483db |
| SHA512 | e07e78dcdd93f959b5694a95e0364d918a0308f9ffa3e273d667b4c6829eff5f20a7e13fdd3444807d7a3dbd7198f54563cae6dc4e4dfa2a6d3417e8accdaf42 |
C:\Users\Admin\AppData\Local\CDUkQ2\SYSDM.CPL
| MD5 | ef33d8fa014b05f779d1db544b5fdee9 |
| SHA1 | 7983267441c35de2bf139a804bd9fc8934534f2b |
| SHA256 | e9bb22a44f0b696497707c5a2cc4e67634634d5620308bb9ab47d3776a5621dd |
| SHA512 | 6fc68de5b391954d840156cebe962e79cb1c0d84b3d748ef4841010bd7d059e4211513f055ce3c709c5983d61d674b2557f8541db7f79a5d82a68b5862ecb681 |
C:\Users\Admin\AppData\Local\CDUkQ2\SystemPropertiesPerformance.exe
| MD5 | 2f365f49fbd94a283f0f442a3641287e |
| SHA1 | eadf0dd6234f7853c8d4881b1de6106b8a016bd0 |
| SHA256 | c99136569f6b830b6fe2ea3f1c97f30a9af2f9f79238a0d3465508061aa791ef |
| SHA512 | 0431257dc2e7b7d277dec55ea4340effbea142c2270aef2e1f4f7bd3392a61fa11eea9d0db469c4df8904336f7a3e999e480b81c5986849a807595da9f558034 |
C:\Users\Admin\AppData\Local\CDUkQ2\SystemPropertiesPerformance.exe
| MD5 | e4fbf7cab8669c7c9cef92205d2f2ffc |
| SHA1 | adbfa782b7998720fa85678cc85863b961975e28 |
| SHA256 | b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30 |
| SHA512 | c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk
| MD5 | d62bc849c329198569c2baff623f7898 |
| SHA1 | c2f9c62a414578cad331b7a9db1fc478802b945c |
| SHA256 | 1764364ad38734487c2a711c67b7e7df33335ba2320a157da37606f4c05856df |
| SHA512 | bffc7f4b82db09fde2b8229b5ddabc5170983a0addfd1058aff15c7c2ff2bfa2dc35386ec6ff6b91c15f6a8b7884dad6b412217bd1168f68b1e672801f2a97c3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\5w\SLC.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Sun\MktQtVq\WINMM.dll
| MD5 | 116d2f11aff132bef13d2505a872e8b8 |
| SHA1 | 592e8ae23c3ed0e98819912f5756f21ab327d8d0 |
| SHA256 | 9ae14fefbf5fb880ecb343e1e8bb9abd6a455fe8f654585a29870e793ce51373 |
| SHA512 | ae0afbb6c838ecbcea95cd05ac3c06134ebe3436dcc9fc4e84531fd5d3ceb96c1ed671fcfc50835541b6bef8969253183ff85ce0a9b1279176979231e19724c7 |