Analysis Overview
SHA256
d86ef2b5b3a29c907febf6d15d8f3fa781e1d5314549fed66df51d00db694818
Threat Level: Known bad
The file 6714db2df8a6f6b5c50d59629ec34c6c was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-19 07:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-19 07:50
Reported
2024-01-19 07:53
Platform
win7-20231215-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\1LYvp\slui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\1LYvp\slui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\4HBT6\\SoundRecorder.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\1LYvp\slui.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Every write below comes from PID 1360, and the process list carries no PIDs to name it. The Files section dumps the same 0x0000000140000000-0x0000000140331000 image from both PID 2168 and PID 1360, which is the footprint of a loader injected from one process into another; treat PID 1360, not the rundll32.exe host, as the parent that writes into the slui.exe, SoundRecorder.exe and rdrleakdiag.exe pairs.
| Description | Indicator | Process | Target |
| PID 1360 wrote to memory of 2888 | N/A | N/A | C:\Windows\system32\slui.exe |
| PID 1360 wrote to memory of 2888 | N/A | N/A | C:\Windows\system32\slui.exe |
| PID 1360 wrote to memory of 2888 | N/A | N/A | C:\Windows\system32\slui.exe |
| PID 1360 wrote to memory of 3000 | N/A | N/A | C:\Users\Admin\AppData\Local\1LYvp\slui.exe |
| PID 1360 wrote to memory of 3000 | N/A | N/A | C:\Users\Admin\AppData\Local\1LYvp\slui.exe |
| PID 1360 wrote to memory of 3000 | N/A | N/A | C:\Users\Admin\AppData\Local\1LYvp\slui.exe |
| PID 1360 wrote to memory of 784 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe |
| PID 1360 wrote to memory of 784 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe |
| PID 1360 wrote to memory of 784 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe |
| PID 1360 wrote to memory of 1864 | N/A | N/A | C:\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe |
| PID 1360 wrote to memory of 1864 | N/A | N/A | C:\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe |
| PID 1360 wrote to memory of 1864 | N/A | N/A | C:\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe |
| PID 1360 wrote to memory of 2832 | N/A | N/A | C:\Windows\system32\rdrleakdiag.exe |
| PID 1360 wrote to memory of 2832 | N/A | N/A | C:\Windows\system32\rdrleakdiag.exe |
| PID 1360 wrote to memory of 2832 | N/A | N/A | C:\Windows\system32\rdrleakdiag.exe |
| PID 1360 wrote to memory of 2828 | N/A | N/A | C:\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe |
| PID 1360 wrote to memory of 2828 | N/A | N/A | C:\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe |
| PID 1360 wrote to memory of 2828 | N/A | N/A | C:\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6714db2df8a6f6b5c50d59629ec34c6c.dll,#1
C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
C:\Users\Admin\AppData\Local\1LYvp\slui.exe
C:\Users\Admin\AppData\Local\1LYvp\slui.exe
C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
C:\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe
C:\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe
C:\Windows\system32\rdrleakdiag.exe
C:\Windows\system32\rdrleakdiag.exe
C:\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe
C:\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe
Network
Files
memory/2168-0-0x0000000000110000-0x0000000000117000-memory.dmp
memory/2168-1-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-4-0x00000000779A6000-0x00000000779A7000-memory.dmp
memory/1360-5-0x00000000025C0000-0x00000000025C1000-memory.dmp
memory/1360-7-0x0000000140000000-0x0000000140331000-memory.dmp
memory/2168-8-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-9-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-10-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-11-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-12-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-13-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-15-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-14-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-16-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-19-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-20-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-18-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-24-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-23-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-22-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-21-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-17-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-25-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-26-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-27-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-29-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-30-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-31-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-32-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-28-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-34-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-35-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-38-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-39-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-40-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-41-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-36-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-42-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-37-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-43-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-45-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-44-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-46-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-47-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-48-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-49-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-52-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-53-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-51-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-50-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-54-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-55-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-33-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-56-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-57-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-59-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-61-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-62-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-60-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-64-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-63-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-65-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-66-0x0000000002590000-0x0000000002597000-memory.dmp
memory/1360-58-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1360-74-0x0000000077AB1000-0x0000000077AB2000-memory.dmp
memory/1360-77-0x0000000077C10000-0x0000000077C12000-memory.dmp
C:\Users\Admin\AppData\Local\1LYvp\slui.exe
| MD5 | 4c69d77cedf7f93c32016dfcdd2e2d48 |
| SHA1 | 42a775e41b551df80e6d0c10fe504ff229575cc6 |
| SHA256 | 88a6c503b97735038aeecdbeacf977777507c6af2eca6cce77fddb1d581247af |
| SHA512 | 98d82edca5e42a2d05f2318f2612bcc2b47bf0f7f1a9b39dd722e8e798af27aee4eb8bfb1a798db4ed710191148758b2f645415c73e3979608c679cc56bc2d04 |
C:\Users\Admin\AppData\Local\1LYvp\WINBRAND.dll
| MD5 | e5c9c7d7e52fd682e921e3e9460ac004 |
| SHA1 | 17337c9052eb419454d6ae66c756ce22e76b3da0 |
| SHA256 | 83d33081af1ef341e4047cce0ffab5a25f015d2e2b7dbf9914f90ee1dd89cf9e |
| SHA512 | cd7cf70010aafb0472a879da5527144966c2317c511c3e2df31951be277bd038bbc89dd694dc7f6d75caf9e7efc5ff16b3996bd5e9a8b8fbcfc78f12e9ef2a83 |
\Users\Admin\AppData\Local\1LYvp\WINBRAND.dll
| MD5 | f9d45b1dc0431c1e093e212c00b819ed |
| SHA1 | 2de9cb5e9acf358fcb627acdbfba13404a6ce04c |
| SHA256 | a93123a4e1325c0025e8e91971536434dd4a6d54ce02af9ee659530b8be80237 |
| SHA512 | f918ce1a255da0523505aa9d0ceb4ed89bfdec5f3435df8c81aa3d7df9bc8c8d7e37e1b430601746415f4ee92af17d85920463ba0d95a73749bc99131c90bb91 |
memory/3000-98-0x0000000000190000-0x0000000000197000-memory.dmp
\Users\Admin\AppData\Local\1LYvp\slui.exe
| MD5 | 5c70675645de3a5d03c151f37a2b8242 |
| SHA1 | 2259f35ac4c77f3f2fc5bbe9811b3c24de1e2bf1 |
| SHA256 | 9e26996c442389e61c4eef9048735b89adc8fa0d1a72b2b5e35a5efd78f64650 |
| SHA512 | df520d2857cfad413542f2ad846bff8664ac5ee9c532dcb6ee52a771387b8a0e1b5b3b59b2ab5af6f1642758daf0317b72b161399d35457d1163bf3b0d2ac118 |
C:\Users\Admin\AppData\Local\1LYvp\slui.exe
| MD5 | 4036533e7ad0a6f1fcf6bddd8915a3e7 |
| SHA1 | 6a0607493719824ca744ee98288c6c3b93c27779 |
| SHA256 | a6fb08368d86b0d9923da90e0a9337fa73b7d28238fcb40c67697bbfafbc4be0 |
| SHA512 | 5a65ddd9eb69f84ce7d668a6da990d47f5af8c91c045729a3db9c5329ca78ee55f6358773c23a77826704d9c6567592c781b26bc924e5c664a369968ee80f56c |
\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe
| MD5 | 47f0f526ad4982806c54b845b3289de1 |
| SHA1 | 8420ea488a2e187fe1b7fcfb53040d10d5497236 |
| SHA256 | e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b |
| SHA512 | 4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d |
C:\Users\Admin\AppData\Local\xTgeUD\WINMM.dll
| MD5 | 5231bdcb06e75797eae0f5a2f04d5b62 |
| SHA1 | 3823dce4039a449214f83fce7229039d3f66ab97 |
| SHA256 | f9c92587c6c8c6a035bbbb2ba3ad09843392df098f8d1b0b81f4dd66bbf692e0 |
| SHA512 | 94c58fa06e6e467586cf9cd2d73056c8bdce88aeb77210540d8da157e9fc5998686913948f6ec77b207094cca46aebcacd2abfb542b23d5c888d33d65f75a448 |
\Users\Admin\AppData\Local\xTgeUD\WINMM.dll
| MD5 | be6a135b25e5ddcb17a2e609fdc276f1 |
| SHA1 | ae8876baa92ece9ccf2b7c6c2bbab0bd529659bb |
| SHA256 | e39a8c71a30523802383240a4cbb01369655afbf185a26efe97acf2ee93c9d6d |
| SHA512 | 350bbec3cc4468d598d2aaf1be61aab25c17eef9483a6dc9de814259299efc087fda0a4287ba7e3462cdf0fabc54abb4c73785dbdefa6d8e1ff089f205f0dfa0 |
memory/1864-118-0x0000000000100000-0x0000000000107000-memory.dmp
\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe
| MD5 | 5e058566af53848541fa23fba4bb5b81 |
| SHA1 | 769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6 |
| SHA256 | ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409 |
| SHA512 | 352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0 |
C:\Users\Admin\AppData\Local\0ShrJ\wer.dll
| MD5 | 49b55439a96b7003436742ad9e335996 |
| SHA1 | eadb0c32c6836ffddeb9bae3f628da1dc46eb354 |
| SHA256 | 93db37691d69b750e9d8d4c76f7af600bb70ddd93f0570eefef06bf1475ae4ae |
| SHA512 | abc9b4cb1eac592bab581dcd8aa872cd00a4ace2e6f567d2a59582403a1ea95515fbaf2ff8b7179ea27acd83ad60edd6681a75480330b25c6636c68a7988ae24 |
memory/2828-135-0x00000000000F0000-0x00000000000F7000-memory.dmp
\Users\Admin\AppData\Local\0ShrJ\wer.dll
| MD5 | b5e9c51fa887699fe07dfb07cac15ed1 |
| SHA1 | bec490f6765cf1f0f75d8f0d2004ccc87d984453 |
| SHA256 | ab72a3bb8f0fbf1e5a10ccebde5daa66156743e5e7eacebab537460d2f0e8387 |
| SHA512 | 42e06786b64afa93d1ae3847f1660f06030e2fac6c703deb8c73b5d4754311e6e92032ddd4727d05b0af76d6de2b59466fe8556cda9494d7bc38878cd44faa38 |
memory/1360-157-0x00000000779A6000-0x00000000779A7000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk
| MD5 | b211d9f88c0b1e77ca0b761adbf41af1 |
| SHA1 | d9deccd2217e6e372bebeae751275b1734bc146a |
| SHA256 | 24ba390e6461f4f0acf1292ba1dc6d3be1d5894768c1f4a18df92c485cf5c1ba |
| SHA512 | 8398a3b228588ea211c2918389ceae1b9bb13883a95345772583261e1b2ffed6eaf1fd060f93d862168c62502c5abbe5bbbff5914308e8290a6ec8182ee3987c |
C:\Users\Admin\AppData\Roaming\Identities\{EF0662BB-4AFF-4F56-815E-2ED0C139F855}\8F1\WINBRAND.dll
| MD5 | 798b239a9c885dd28e896ad5dd58cf29 |
| SHA1 | cd8a6df7f2291db2b5d33a7b40e8b7bf5d52e249 |
| SHA256 | 25c36ce747691e368aa3ed7ebaf9e8290324e454299edeeda3e8a3ac69561f69 |
| SHA512 | 66f7b5a56da76c46ac2ca290d38ae49b3a94482606580122763ab2c923d471bee8a090ad07eeeb61907b6e2a8f80e9c13708f370e61dd960cb3e6cd983a9f9f7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\4HBT6\WINMM.dll
| MD5 | d7b4fb439c322922134c6d7ff180e548 |
| SHA1 | a225f6fa1effb287d372be66e143853c245b922d |
| SHA256 | 678b553820afccc2eee907367d2a1d38e2531ba2d3162e461705c5de4f687984 |
| SHA512 | 1ad7fb22fabac3fa9d66c667055ff559b4fb3ff25903cc3b888a374d0fb1f24ad985e8b0983dfafd6dbb386b7a120227675c0cfa5bd359325fa84121d4937e31 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\62\wer.dll
| MD5 | 153901ab12c8a12a81b63dd43607377f |
| SHA1 | 01877819eab589c806804c8905ba17305240f364 |
| SHA256 | a4210f6342865988fd4c7bf8566649ccd2e48a5aa6574fbe5908533bb965ebc2 |
| SHA512 | 0b119887d580fdefa41a9660e3f5acd50712682f011c7c2ae7652ce0715beedafe823dc62d33a8a9394a83bb07dfba91095184e36040802598978c06f9c8a4e6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-19 07:50
Reported
2024-01-19 07:53
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Gkdmb\sppsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\vOm174L7s\SnippingTool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\q25ZD\RdpSaUacHelper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Gkdmb\sppsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\vOm174L7s\SnippingTool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\q25ZD\RdpSaUacHelper.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\4J4NzkY\\sppsvc.exe" | N/A | N/A |
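Both detonations persist the same way: a per-user Run value with a random name (Lgpbj in the Windows 7 run above, Ddiqrdu here) whose data points at a copy of a Windows binary parked inside a Windows data folder under Roaming, and in the Windows 7 run additionally a Yiudzqwx.lnk shortcut in the Startup folder. The triage helper below is an added example and not part of the sandbox report; it parses the indicator strings exactly as the tables render them and flags the three properties an analyst keys on. The SYSTEM_BINARIES set is taken from the Processes lists on this page, and reading MICROS~1 and STARTM~1 as the 8.3 forms of Microsoft and Start Menu is an assumption (they are the only such directories on a default profile).

```python
import re
from dataclasses import dataclass, field

# Persistence indicators copied from the two detonations: the Run-key
# "Set value (str)" lines exactly as the sandbox renders them (backslashes in
# the value data are doubled) and the shortcut dropped into the Startup folder.
RUN_VALUE_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\4HBT6\\SoundRecorder.exe"',
    r'\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\4J4NzkY\\sppsvc.exe"',
]
STARTUP_FILES = [
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk",
]

# Windows binaries this sample copies out of system32 (from the Processes lists).
SYSTEM_BINARIES = {
    "slui.exe", "soundrecorder.exe", "rdrleakdiag.exe", "cmstp.exe",
    "sppsvc.exe", "snippingtool.exe", "rdpsauachelper.exe",
}
# Per-user data folders that never legitimately hold an auto-started program.
DATA_FOLDERS = ("\\recent\\", "\\automaticdestinations\\", "\\ietldcache\\", "\\identities\\")

RUN_VALUE_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER|MACHINE)\\(?P<key>.+?\\CurrentVersion\\Run)'
    r'\\(?P<name>[^\\ ]+) = "(?P<data>.*)"$',
    re.IGNORECASE,
)


@dataclass
class Finding:
    kind: str                 # "run_value" or "startup_file"
    location: str             # value name (with hive) or shortcut path
    target: str               # program the entry launches; "" when the report does not show it
    flags: list = field(default_factory=list)


def triage_run_value(indicator: str) -> Finding:
    """Parse one 'Set value' indicator and flag what makes it an odd auto-start."""
    m = RUN_VALUE_RE.match(indicator)
    if not m:
        raise ValueError(f"not a Run value indicator: {indicator}")
    target = m.group("data").replace("\\\\", "\\")   # undo the sandbox's escaping
    low = target.lower()
    f = Finding("run_value", f"{m.group('hive')}\\...\\Run\\{m.group('name')}", target)
    if "\\appdata\\" in low:
        f.flags.append("target lives under the user profile (writable without admin rights)")
    if any(d in low for d in DATA_FOLDERS):
        f.flags.append("target parked in a Windows data folder, not a program directory")
    if low.rsplit("\\", 1)[-1] in SYSTEM_BINARIES:
        f.flags.append("target has the name of a Windows binary but sits outside C:\\Windows")
    return f


def triage_startup_file(path: str) -> Finding:
    """Flag a file dropped into the per-user Startup folder."""
    low = path.lower()
    f = Finding("startup_file", path, "")
    if "\\programs\\startup\\" in low and low.endswith(".lnk"):
        f.flags.append("shortcut in the per-user Startup folder")
    if "~" in low:
        # MICROS~1 / STARTM~1 (assumed: Microsoft / Start Menu): a rule matching the
        # long name 'Microsoft\Windows\Start Menu' would never hit this path
        f.flags.append("8.3 short-name path; long-name string matches will not hit it")
    return f


def triage_all():
    return ([triage_run_value(i) for i in RUN_VALUE_INDICATORS]
            + [triage_startup_file(p) for p in STARTUP_FILES])


if __name__ == "__main__":
    for finding in triage_all():
        print(finding.kind, finding.location, finding.target or "(target not in report)")
        for flag in finding.flags:
            print("   -", flag)
```

The 8.3 flag is the one most often missed in practice: a detection that matches the literal Start Menu path sees nothing when the sample writes through the short name.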
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Gkdmb\sppsvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\q25ZD\RdpSaUacHelper.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Every write below comes from PID 3412, and the process list carries no PIDs to name it. The Files section dumps the same 0x0000000140000000-0x0000000140331000 image from both PID 800 and PID 3412, which is the footprint of a loader injected from one process into another; treat PID 3412, not the rundll32.exe host, as the parent that writes into the cmstp.exe, sppsvc.exe, SnippingTool.exe and RdpSaUacHelper.exe pairs.
| Description | Indicator | Process | Target |
| PID 3412 wrote to memory of 4436 | N/A | N/A | C:\Windows\system32\cmstp.exe |
| PID 3412 wrote to memory of 4436 | N/A | N/A | C:\Windows\system32\cmstp.exe |
| PID 3412 wrote to memory of 4864 | N/A | N/A | C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe |
| PID 3412 wrote to memory of 4864 | N/A | N/A | C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe |
| PID 3412 wrote to memory of 560 | N/A | N/A | C:\Users\Admin\AppData\Local\Gkdmb\sppsvc.exe |
| PID 3412 wrote to memory of 560 | N/A | N/A | C:\Users\Admin\AppData\Local\Gkdmb\sppsvc.exe |
| PID 3412 wrote to memory of 2848 | N/A | N/A | C:\Windows\system32\SnippingTool.exe |
| PID 3412 wrote to memory of 2848 | N/A | N/A | C:\Windows\system32\SnippingTool.exe |
| PID 3412 wrote to memory of 2228 | N/A | N/A | C:\Users\Admin\AppData\Local\vOm174L7s\SnippingTool.exe |
| PID 3412 wrote to memory of 2228 | N/A | N/A | C:\Users\Admin\AppData\Local\vOm174L7s\SnippingTool.exe |
| PID 3412 wrote to memory of 2776 | N/A | N/A | C:\Windows\system32\RdpSaUacHelper.exe |
| PID 3412 wrote to memory of 2776 | N/A | N/A | C:\Windows\system32\RdpSaUacHelper.exe |
| PID 3412 wrote to memory of 4848 | N/A | N/A | C:\Users\Admin\AppData\Local\q25ZD\RdpSaUacHelper.exe |
| PID 3412 wrote to memory of 4848 | N/A | N/A | C:\Users\Admin\AppData\Local\q25ZD\RdpSaUacHelper.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6714db2df8a6f6b5c50d59629ec34c6c.dll,#1
C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe
C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\Gkdmb\sppsvc.exe
C:\Users\Admin\AppData\Local\Gkdmb\sppsvc.exe
C:\Windows\system32\SnippingTool.exe
C:\Windows\system32\SnippingTool.exe
C:\Users\Admin\AppData\Local\vOm174L7s\SnippingTool.exe
C:\Users\Admin\AppData\Local\vOm174L7s\SnippingTool.exe
C:\Windows\system32\RdpSaUacHelper.exe
C:\Windows\system32\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\q25ZD\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\q25ZD\RdpSaUacHelper.exe
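The process lists of both detonations show the same pairing: each Windows binary (slui.exe, SoundRecorder.exe, rdrleakdiag.exe on Windows 7; cmstp.exe, sppsvc.exe, SnippingTool.exe, RdpSaUacHelper.exe on Windows 10) runs once from C:\Windows\system32 and once from a random-named directory under AppData\Local, where the Files section shows a DLL carrying a Windows DLL name (WINBRAND.dll, WINMM.dll, wer.dll, VERSION.dll, XmlLite.dll, UxTheme.dll, WINSTA.dll) written beside it and the Loads dropped DLL signature confirms the copy loads it. That is DLL search-order hijacking: the copy resolves the import from its own directory before system32, and none of those names are KnownDLLs, which the loader always maps from the system copy. The script below is an added example, not part of the report; it rebuilds the pairing from the Processes, Run-key and Files entries on this page, embedded as constructed lists. Assumptions: drive-less Files entries refer to C:, and KNOWN_DLLS is a hand-picked subset of the Windows 10 KnownDLLs key, not the full list.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass

# Constructed from the Processes, Run-key and Files sections of both detonations.
EXECUTED = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\slui.exe", r"C:\Users\Admin\AppData\Local\1LYvp\slui.exe",
    r"C:\Windows\system32\SoundRecorder.exe", r"C:\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe",
    r"C:\Windows\system32\rdrleakdiag.exe", r"C:\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe",
    r"C:\Windows\system32\cmstp.exe", r"C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe",
    r"C:\Windows\system32\sppsvc.exe", r"C:\Users\Admin\AppData\Local\Gkdmb\sppsvc.exe",
    r"C:\Windows\system32\SnippingTool.exe", r"C:\Users\Admin\AppData\Local\vOm174L7s\SnippingTool.exe",
    r"C:\Windows\system32\RdpSaUacHelper.exe", r"C:\Users\Admin\AppData\Local\q25ZD\RdpSaUacHelper.exe",
]
# Executables the Run values point at; they run at next logon.
AUTOSTART = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\4HBT6\SoundRecorder.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\4J4NzkY\sppsvc.exe",
]
# Dropped files; the drive-less form is how the sandbox lists some of them.
DROPPED = [
    r"C:\Users\Admin\AppData\Local\1LYvp\WINBRAND.dll",
    r"\Users\Admin\AppData\Local\1LYvp\WINBRAND.dll",
    r"C:\Users\Admin\AppData\Local\xTgeUD\WINMM.dll",
    r"C:\Users\Admin\AppData\Local\0ShrJ\wer.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\4HBT6\WINMM.dll",
    r"C:\Users\Admin\AppData\Roaming\Identities\{EF0662BB-4AFF-4F56-815E-2ED0C139F855}\8F1\WINBRAND.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\62\wer.dll",
    r"C:\Users\Admin\AppData\Local\DbMLLK\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\Gkdmb\XmlLite.dll",
    r"C:\Users\Admin\AppData\Local\vOm174L7s\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\q25ZD\WINSTA.dll",
]

# KnownDLLs are mapped from the \KnownDlls section regardless of the application
# directory, so an import with one of these names cannot be hijacked this way.
# Assumed subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
# on Windows 10; read the real key on the build you defend.
KNOWN_DLLS = {
    "advapi32.dll", "combase.dll", "comdlg32.dll", "gdi32.dll", "imm32.dll",
    "kernel32.dll", "msvcrt.dll", "ole32.dll", "oleaut32.dll", "rpcrt4.dll",
    "sechost.dll", "shell32.dll", "shlwapi.dll", "user32.dll", "ws2_32.dll",
}
WINDOWS_DIR = "c:\\windows\\"


def _norm(path: str) -> str:
    # Assumption: drive-less entries in the Files list are on the system drive.
    if path.startswith("\\"):
        path = "C:" + path
    return path.lower()


@dataclass
class Candidate:
    exe: str          # copy of a Windows binary running (or set to run) outside C:\Windows
    dlls: list        # DLLs dropped beside it, i.e. what the copy resolves first
    hijackable: list  # the subset whose names are not KnownDLLs


def sideload_candidates(executed, autostart, dropped):
    """Pair every out-of-place copy of a Windows binary with the DLLs dropped beside it."""
    dlls_by_dir = defaultdict(set)
    for p in dropped:
        d, base = ntpath.split(_norm(p))
        if base.endswith(".dll"):
            dlls_by_dir[d].add(base)
    # Names that also ran from C:\Windows are the ones worth matching; no static list needed.
    system_names = {ntpath.basename(_norm(p)) for p in executed if _norm(p).startswith(WINDOWS_DIR)}
    candidates, seen_dirs = [], set()
    for p in executed + autostart:
        n = _norm(p)
        if n.startswith(WINDOWS_DIR):
            continue
        d, base = ntpath.split(n)
        if base in system_names:
            seen_dirs.add(d)
            dlls = sorted(dlls_by_dir.get(d, ()))
            candidates.append(Candidate(p, dlls, [x for x in dlls if x not in KNOWN_DLLS]))
    # DLLs in directories nothing has run from: staged for a copy that is not in the trace.
    staged = {d: sorted(v) for d, v in dlls_by_dir.items() if d not in seen_dirs}
    return candidates, staged


if __name__ == "__main__":
    cands, staged = sideload_candidates(EXECUTED, AUTOSTART, DROPPED)
    for c in cands:
        print(c.exe, "->", ", ".join(c.hijackable) or "(no DLL beside it in the report)")
    for d, v in staged.items():
        print("staged:", d, ", ".join(v))
```

Deriving the binary names from what also ran under C:\Windows keeps the check free of a hand-maintained list; the staged dictionary is what ties the two halves of the report together, since the WINBRAND.dll under Identities and the wer.dll under IETldCache sit in directories nothing executed from during the detonation window, and the Run value is the only place the report says where such a pair will run next.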
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
memory/800-0-0x0000023F663B0000-0x0000023F663B7000-memory.dmp
memory/800-1-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-5-0x00007FFA9554A000-0x00007FFA9554B000-memory.dmp
memory/3412-4-0x00000000078D0000-0x00000000078D1000-memory.dmp
memory/800-8-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-9-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-10-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-7-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-11-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-12-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-13-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-14-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-15-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-16-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-17-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-18-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-19-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-20-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-21-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-22-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-23-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-24-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-25-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-26-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-27-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-29-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-31-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-34-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-35-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-37-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-36-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-33-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-32-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-30-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-38-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-39-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-40-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-28-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-41-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-42-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-43-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-45-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-44-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-47-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-50-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-52-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-53-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-51-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-49-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-48-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-46-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-54-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-55-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-57-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-56-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-58-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-61-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-63-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-64-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-65-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-66-0x0000000002FD0000-0x0000000002FD7000-memory.dmp
memory/3412-62-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-60-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-59-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3412-74-0x00007FFA972E0000-0x00007FFA972F0000-memory.dmp
C:\Users\Admin\AppData\Local\DbMLLK\VERSION.dll
| MD5 | b485bc2c938b7ef3b7d634563eb26eba |
| SHA1 | 44d826673d5736b0c92ef9d6eca9d12d4a6b3aa1 |
| SHA256 | d1ea149e973d18c97de7ce48b4775f09ada300235189150c0af99ad71aa32bbc |
| SHA512 | f47c8039023206cc43ba105cc83eafb30435ed5823165be2040eb39666627289bc21fde9423bf188b61fb473fcd0feb112fa56f41ffa15e20c5f70acfbd2fc73 |
C:\Users\Admin\AppData\Local\DbMLLK\VERSION.dll
| MD5 | 8d12cc5ebd1dc117c2350334c64e51a6 |
| SHA1 | 3eff9980a31999a3a34185a93f142226f3086b27 |
| SHA256 | fe9523e6386913d82d6c2803ce6539ea50bb6bee898ac595e9a0a7e4395e7ff6 |
| SHA512 | 2806dfb03c560edb48a11e5b7896088542215efdc5b5496f9188ccd5f95f357bf66cf85b876d0e453d47a7a13cc59297b8ad08ffb7ae33cb31bbb9acec049a2a |
memory/4864-95-0x00000134D43F0000-0x00000134D43F7000-memory.dmp
C:\Users\Admin\AppData\Local\DbMLLK\VERSION.dll
| MD5 | aac63ed7382e87e3796b8b38cd27658d |
| SHA1 | a779b1c352d959c1fbac59a5bcce47df68619b61 |
| SHA256 | d79ba099bcef2fa569d032f00e84739400ef66e9bdb96a08eab4dcb61f5405c5 |
| SHA512 | 6e54bbce3f136e673687d1ecc20c22b0a3e559155f80c719a28cc59c0015960b317f911819a582087ccb5d4729cf543c82b54b6ed42d2456d42559e2597e1379 |
C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe
| MD5 | 4cc43fe4d397ff79fa69f397e016df52 |
| SHA1 | 8fd6cf81ad40c9b123cd75611860a8b95c72869c |
| SHA256 | f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c |
| SHA512 | 851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157 |
C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe
| MD5 | 121dfc2fe6f6a84b06eb0d6f0dbc2c8e |
| SHA1 | 7e322b5a7003dd7370c330a4179f91bd50d4b07a |
| SHA256 | 2651ec3fa204d1ff89595fba5dbd8b1565cb32bf0b4e91623202f2d8097bbe09 |
| SHA512 | c5b9c4b641d8486c8e6e65c047d8292f5a44bc9341bae65b2588f4b5694ce5495feb54ff11ec5b58ebb4d9cf2aaecab586ebf0bc58bf6b9161d17b1b9db58f59 |
C:\Users\Admin\AppData\Local\Gkdmb\XmlLite.dll
| MD5 | 75fef8ec2da7e712ea0b8c3d60af413f |
| SHA1 | a52255558de36a60d022ea5af621320bfee36d83 |
| SHA256 | 1444f5be0608bab20c0302d860f81aad105ef22fd4afdf722577cef9c1aa0221 |
| SHA512 | c5f207f9dba1c010f00652bf0c10d2942aaadea10ccdb114d6ac4c612cdc13e098d13c0b189a23f24a7a3d4e8a3f02ba3cd3fa73c499dd95de1caa79c19c8af0 |
C:\Users\Admin\AppData\Local\Gkdmb\XmlLite.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
The digests in this entry are those of empty input: the file was zero bytes when the sandbox hashed it, so this row records XmlLite.dll before its body was written; the other XmlLite.dll entry is the one with content, and these hashes must not be used as indicators.
memory/560-112-0x000001F7D1DD0000-0x000001F7D1DD7000-memory.dmp
C:\Users\Admin\AppData\Local\Gkdmb\sppsvc.exe
| MD5 | 76522df15475f02bf7dc0aa202f4c9de |
| SHA1 | 3ec68f95f83365e73f4a85f1cf97787ce6e75eef |
| SHA256 | 5125f542dd7dbda0c2ea920d9e4090ded59cdcfd29e87e28a9dae7554089bcf9 |
| SHA512 | 0aad23389328c3cb5f77e93834f0cfcb0666282fafe56db935146a606da63b27d748757ac34be865c328fa2103dc60389017c4f3a88bb61e791e8014e33604b1 |
C:\Users\Admin\AppData\Local\vOm174L7s\UxTheme.dll
| MD5 | a9cd11bed2c07f798caedf4cc013acb4 |
| SHA1 | c115955839c6b4f52deedeecd5ce45b1d640de12 |
| SHA256 | eaa2de2fc193015e81ac575cd06fb082b1db4331456b26ae5fcbe66147c290bd |
| SHA512 | bade396ddbbc49f363761d4adb96c474290963721ff113a6d25e980602425557345a3fa10e2229fa6f3de5e5e81d0fd9f856a36868db1ecd9b0716fdcca655b1 |
C:\Users\Admin\AppData\Local\vOm174L7s\SnippingTool.exe
| MD5 | 6ececee18c82ad304b1d06b10208d2ff |
| SHA1 | 56988e12e06fab7cc3a1baab7d78979c2dc8d290 |
| SHA256 | fb2200e5ed55b7f2f2324ce5656dd73f589c4dfd5ff568776825e7bc81a6595e |
| SHA512 | 1a951a7971619537dbf26dc35cb6524986fce572850fa0ef117e0ac4f91e6b642a0027adf29979e98ef2380e6d201a06cc410565a8db34c482e0f3e11311a90f |
C:\Users\Admin\AppData\Local\vOm174L7s\UxTheme.dll
| MD5 | 047fb5fba00720f7c8d0e86f3f48a04d |
| SHA1 | da35002a111a7f4a6492ca3635187b9f1de80bdc |
| SHA256 | 359d6a91ed1ec5722202458f04c50592a64ad2ff10378c961a46e53d34f6072a |
| SHA512 | 394c0bf917725063ff1c160f4335b1d9ee8b18838b14a0fe1a43f05b016930e6cb04fe26120fb605ab9ca0242a5345acf429a7ba8712c06f6d0dbfc9e58cbb1b |
C:\Users\Admin\AppData\Local\q25ZD\WINSTA.dll
| MD5 | 87f3487d9b3609ee8d85309b202eba23 |
| SHA1 | fad9cb70114f31a30b82a3941b9aeebf8b9e0ab5 |
| SHA256 | aaa3ec4df10df7c46ede712624eb3ba8289e4548226a59bb28f9608a409b87ac |
| SHA512 | 9586b528dcc2c91dd2149dbb426280f825b50c6ecd21c9f578aafb9097f94ab23e7b09d32276ecf0bf5c75e8726d88b74e9e72b6aaeccbc2391379eb13b8edd0 |
C:\Users\Admin\AppData\Local\q25ZD\WINSTA.dll
| MD5 | 276eb57200c0063186402a4304451536 |
| SHA1 | f78ec17fcb7a398ab1bd31a86af18a416665e4e6 |
| SHA256 | 17ffe57e068eacabc091356a90c75dbf10a60fffaa8e37177adcd425be6257b5 |
| SHA512 | 7e71b25f20fad100206a2132dbd0e03accaaabd40b53878fc7b32a862dbbc62c692234be78f2ffa93fd591a471d1a479bf23170ad5ffa80ba61e6c65cab3dd9b |
memory/4848-139-0x000001E42E9A0000-0x000001E42E9A7000-memory.dmp
C:\Users\Admin\AppData\Local\q25ZD\RdpSaUacHelper.exe
| MD5 | 0d5b016ac7e7b6257c069e8bb40845de |
| SHA1 | 5282f30e90cbd1be8da95b73bc1b6a7d041e43c2 |
| SHA256 | 6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067 |
| SHA512 | cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk
| MD5 | 9b4f8d1a23abf25112971055d616d32a |
| SHA1 | 34b759178210de08deed06055eb0989224997872 |
| SHA256 | 33021467e2df029a97a6f2db4f45ef9f0fcb146052cfd4b0fde1a09f63a79289 |
| SHA512 | 31677224c0b088f91c03daedb2303644e425c0c0c0528521510e2fd08ce01876c9568cbf5d62f6fe19443222e57d75e927024c9f35b3a1bbb27126619c0475f5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\ymOch4b3\VERSION.dll
| MD5 | 6428df938670ba9ba8e8f3b7e5e4afbd |
| SHA1 | 3a9c3cfdf58aac25e9ab7edcc5a8d9120ccdf6c6 |
| SHA256 | 3b24bc5c24dcb54d77de8156f5ba38ca71c50b5fcd72d39c76064d536fe06521 |
| SHA512 | 191d1bd87d81039e031b9ea7c2f5a1ec492b3a2b384ff2509fcdaaf51f86f3e821bd51d947974c924b339910df73b6d3d35c6a645c2b5d2bd724ed1c9321ea87 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\4J4NzkY\XmlLite.dll
| MD5 | b4561c365bf82b197da05111c811ff56 |
| SHA1 | 057ba2ca7045af2e900fb32fa43876855dad7515 |
| SHA256 | dab1ebd0f5ff1202c3c2a4a755f6b04f0cce18340a618435f15ffee8fdf4ac22 |
| SHA512 | 9aba6501d0023f100a3cf38a44cf468bc139a57b19593b61788e03d191f4f14db35efe73a2214797b272e2a4ea4c05d249bf0784dce24204bb91d389c7e9eb80 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\fO\WINSTA.dll
| MD5 | 85a51b315a1959ac8a2bb1814a53bbe5 |
| SHA1 | 9da4c3ec46b1fb5858113650564e826038bf0500 |
| SHA256 | 135c94d666f3cd4b401cf35d43680713f689c4eef286bee3cbd81478cac4e39d |
| SHA512 | 3a44cd1736d26e0bf3707be3ec3a123bbc849f6576c8e70a50949c8c892896fcef38937de3e2c9d0083f03e18e2bbadfa3559336a64f399486e7d3b541cca5ee |
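A triage pass over the dropped-file entries above, written as an added example (it is not part of the sandbox report and not code from the Dridex sample). The paths and MD5s in `DROPPED` are copied from the entries on this page into a constructed list; the function names and the inference drawn from them are the editor's own. The checks do three things a practitioner would want from this list: group drops by directory to surface the executable-plus-DLL pairs (cmstp.exe beside VERSION.dll, sppsvc.exe beside XmlLite.dll, SnippingTool.exe beside UxTheme.dll, RdpSaUacHelper.exe beside WINSTA.dll), which is the layout of DLL search-order hijacking (ATT&CK T1574.001: a copied Windows binary resolves the DLL from its own directory before the system copy); flag the XmlLite.dll entry whose MD5/SHA1/SHA256 are the digests of zero bytes, most likely captured before the file was written and therefore useless as an indicator; and count how many distinct versions of each path were written during the run.

```python
"""Triage helpers for the dropped-file list in the sandbox report above.

Added example, not part of the report: the entries in DROPPED are copied
from the page; the checks and their names are the editor's own.
"""
import hashlib
import ntpath
from collections import defaultdict

# Constructed from the report's dropped-file entries: (path, MD5).
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\DbMLLK\VERSION.dll", "aac63ed7382e87e3796b8b38cd27658d"),
    (r"C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe", "4cc43fe4d397ff79fa69f397e016df52"),
    (r"C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe", "121dfc2fe6f6a84b06eb0d6f0dbc2c8e"),
    (r"C:\Users\Admin\AppData\Local\Gkdmb\XmlLite.dll", "75fef8ec2da7e712ea0b8c3d60af413f"),
    (r"C:\Users\Admin\AppData\Local\Gkdmb\XmlLite.dll", "d41d8cd98f00b204e9800998ecf8427e"),
    (r"C:\Users\Admin\AppData\Local\Gkdmb\sppsvc.exe", "76522df15475f02bf7dc0aa202f4c9de"),
    (r"C:\Users\Admin\AppData\Local\vOm174L7s\UxTheme.dll", "a9cd11bed2c07f798caedf4cc013acb4"),
    (r"C:\Users\Admin\AppData\Local\vOm174L7s\SnippingTool.exe", "6ececee18c82ad304b1d06b10208d2ff"),
    (r"C:\Users\Admin\AppData\Local\vOm174L7s\UxTheme.dll", "047fb5fba00720f7c8d0e86f3f48a04d"),
    (r"C:\Users\Admin\AppData\Local\q25ZD\WINSTA.dll", "87f3487d9b3609ee8d85309b202eba23"),
    (r"C:\Users\Admin\AppData\Local\q25ZD\WINSTA.dll", "276eb57200c0063186402a4304451536"),
    (r"C:\Users\Admin\AppData\Local\q25ZD\RdpSaUacHelper.exe", "0d5b016ac7e7b6257c069e8bb40845de"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk", "9b4f8d1a23abf25112971055d616d32a"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\fO\WINSTA.dll", "85a51b315a1959ac8a2bb1814a53bbe5"),
]

# MD5 of zero bytes (d41d8cd9...); the report's SHA1 da39a3ee... and
# SHA256 e3b0c442... for the same entry are the matching empty-input digests.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()


def empty_file_entries(entries):
    """Paths whose recorded hash is the empty-file digest (unusable as an IOC)."""
    return sorted({path for path, md5 in entries if md5.lower() == EMPTY_MD5})


def sideload_pairs(entries):
    """Directories holding both an .exe and a .dll: the DLL search-order
    hijacking layout, where a copied Windows binary loads the attacker's DLL
    from its own directory before the system copy. Returns
    [(directory, [exe names], [dll names]), ...] sorted by directory."""
    by_dir = defaultdict(lambda: {"exe": set(), "dll": set()})
    for path, _ in entries:
        name = ntpath.basename(path)
        ext = ntpath.splitext(name)[1].lower()
        if ext in (".exe", ".dll"):
            by_dir[ntpath.dirname(path)][ext[1:]].add(name)
    return sorted(
        (d, sorted(k["exe"]), sorted(k["dll"]))
        for d, k in by_dir.items()
        if k["exe"] and k["dll"]
    )


def hash_versions(entries):
    """Distinct hashes recorded per path; more than one means the file was
    written more than once during the run (e.g. created empty, then filled)."""
    seen = defaultdict(set)
    for path, md5 in entries:
        seen[path].add(md5.lower())
    return {path: len(hashes) for path, hashes in seen.items()}


if __name__ == "__main__":
    for directory, exes, dlls in sideload_pairs(DROPPED):
        print(f"sideload layout in {directory}: {', '.join(exes)} + {', '.join(dlls)}")
    for path in empty_file_entries(DROPPED):
        print("empty-file hash, do not use as an indicator:", path)
    for path, n in hash_versions(DROPPED).items():
        if n > 1:
            print(f"{n} versions written: {path}")
```

Lone DLLs such as the WINSTA.dll under `Roaming\Microsoft\Crypto\RSA\fO` and the `.lnk` in the Startup folder are left out of the pairing on purpose; only the directories where the report lists both halves of the pair are reported, so the function states nothing the entries do not support.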