Analysis Overview
SHA256
7687e9f3abc61ee051493a66f54044eea80c149788100ff4295211af104676cb
Threat Level: Known bad
The file 6b0a5e806359b4b92fc00861e1bf8bff was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-20 17:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-20 17:41
Reported
2024-01-20 17:43
Platform
win10v2004-20231215-en
Max time kernel
151s
Max time network
150s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\CAS2M1KTt\\EaseOfAccessDialog.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
(60 further hits for this signature carry no description, indicator, process or target.)
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b0a5e806359b4b92fc00861e1bf8bff.dll,#1
C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe
C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe
C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe
C:\Windows\system32\SystemSettingsAdminFlows.exe
C:\Windows\system32\SystemSettingsAdminFlows.exe
C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe
C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
memory/4040-1-0x0000000140000000-0x0000000140339000-memory.dmp
memory/4040-0-0x0000018721750000-0x0000018721757000-memory.dmp
memory/3516-5-0x00007FFFDB45A000-0x00007FFFDB45B000-memory.dmp
memory/3516-4-0x0000000002E70000-0x0000000002E71000-memory.dmp
memory/4040-8-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-9-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-7-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-10-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-11-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-12-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-13-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-14-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-15-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-16-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-17-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-18-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-19-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-20-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-21-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-22-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-23-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-24-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-25-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-26-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-27-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-30-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-32-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-34-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-36-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-37-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-38-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-40-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-39-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-42-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-43-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-44-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-45-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-46-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-41-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-35-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-33-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-31-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-29-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-28-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-47-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-50-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-53-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-54-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-56-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-57-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-60-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-62-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-64-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-65-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-63-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-61-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-59-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-58-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-55-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-52-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-51-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-49-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-48-0x0000000140000000-0x0000000140339000-memory.dmp
memory/3516-67-0x0000000000E80000-0x0000000000E87000-memory.dmp
memory/3516-76-0x00007FFFDBDA0000-0x00007FFFDBDB0000-memory.dmp
C:\Users\Admin\AppData\Local\2iF5zG\XmlLite.dll
| MD5 | 15167b9af8291e0d6af123ffd20d44d1 |
| SHA1 | 6ee6cec69aabc5c95b2c63ea6b3941e664aaa3d1 |
| SHA256 | 2beaeb66bcd73a79fe997cd971bdd67a9cb3ce0c13cb595db27417a83578ed91 |
| SHA512 | c3022bcaefd79e3b2aae01f576b5f77c2a436aa8d2171339bc03facde98d1fdab3e81046f4c3e8b933cf423013c5ad5930748002a820237f9906f83be348a5c0 |
memory/4996-96-0x0000020200390000-0x0000020200397000-memory.dmp
C:\Users\Admin\AppData\Local\2iF5zG\XmlLite.dll
| MD5 | deee50d10ae72bb742b42cd7c86edaed |
| SHA1 | 81d5b748bd2b429245e62b34b3c7939e68c115d8 |
| SHA256 | 407f88db24b1106e95975f81ad1bf515d3d6dd06f8e8bacbd3c2562301ada020 |
| SHA512 | 7288ae0da2a7ba51ddbcf288aca80d0ac96b8546013d27bdc7ad9ccd8f21b4841db962290012f7c4e472321c3d0bf3aa04772270fe757e2a5482259f1ad88d6a |
C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe
| MD5 | 85feee634a6aee90f0108e26d3d9bc1f |
| SHA1 | a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2 |
| SHA256 | 99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6 |
| SHA512 | b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff |
C:\Users\Admin\AppData\Local\ygDgV5C1\DUser.dll
| MD5 | ad67707c1856cf3a6bb04027e6489c96 |
| SHA1 | fce271e41241ff67cbb2de8a09b3d618bff1e093 |
| SHA256 | 755e3a45ee17b6e45f9e0ac221bbd4e05dca3f373725b55d87355a16063d76a4 |
| SHA512 | 68b027d7f6f847b30ee654a2bada172e587fb6237532c2380d388215b3276ce53a6a0f68cad39f8aa47d7dd0f82f284ffc36b183bf64e35872cca488de1abbac |
C:\Users\Admin\AppData\Local\ygDgV5C1\DUser.dll
| MD5 | ea2f7ed0798f4795e8dfdfa1b3af4caa |
| SHA1 | b14e38afa9ad8c4d369eea9bee26d1b4cc245c5e |
| SHA256 | d26f41e8d6afda3eade338bf4416c05ecbe13f82446288f56f5230791619f15b |
| SHA512 | 02b010bce82fc2cfb1f68e8449c2fe828a361d43153b1d41213594ada22836c3669f6aca27d93b7da781dc2c3b0865630b80fd9c67404a7f6771d54c858deceb |
memory/1832-113-0x000001D5EF980000-0x000001D5EF987000-memory.dmp
C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe
| MD5 | e75ee992c1041341f709a517c8723c87 |
| SHA1 | 471021260055eac0021f0abffa2d0ba77a2f380e |
| SHA256 | 0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc |
| SHA512 | 48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a |
C:\Users\Admin\AppData\Local\duSHcq\DUI70.dll
| MD5 | cbec2db00a4bb653a1c5b8c69edea31d |
| SHA1 | 92c2d6dc9351da341a80003da9de54a28aab1ab4 |
| SHA256 | acee873d72b1f06f59a1a6f0959af82a025464148bb740cf0a6a9bb5e76945cd |
| SHA512 | 558aae5f1f75367702474ae3d33c68a01de85828c9c01b38e16ae23accd22e9c69b5c929abd66de523cfab18191532485a67afe73a80bc9a669308cdeb470aa8 |
C:\Users\Admin\AppData\Local\duSHcq\DUI70.dll
| MD5 | fb0849152995b0a98c3868357292c623 |
| SHA1 | 7e315b0d28e5803bf3fe3a4bc6081658371f0648 |
| SHA256 | 23d44719b42de6bd2c4da2d10a2a8ac8d32f9ef44a4434cc852f69d062ba6dae |
| SHA512 | e7703d2c64f492ebe8446d905fd4cb259b616a8c6917860937aeff6a3f558b31aa0911d8add2b74e1746705756f45c79bec8da0491cedcddd575709cad33cdad |
memory/1436-130-0x00000180269D0000-0x00000180269D7000-memory.dmp
C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe
| MD5 | 325562720d6aa6eb20cc2b8ecef49884 |
| SHA1 | c8424c2c4c14870c75d380cbf80f4ade68ccc38e |
| SHA256 | 620bef9fdd5b589960ba4d75a6feb214eb75bdfba21b25869ddbe3e38777d082 |
| SHA512 | c0b8e7a77ae2dcec09d1268c7d9ea7fec4d804bf1afab781aa6910116b1cbe6e9f7b92ee153d96f5458f1d9d88d3831687763ee862deb0f92a3361d7fd3d24aa |
C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe
| MD5 | 094e356c4b9a9e7bf90cb827f93ead3a |
| SHA1 | 41f1f988ad7a36c232b45dc6fddd1f5e892b008c |
| SHA256 | e3d0982cbf71c6f758f8327fe6a2e5d2dcb382436497151ce6ae48e384cfc22d |
| SHA512 | 20104e2c187213bf6be4edca24efaf25caee3977db7810ec29c15a564e76d951a6f63f9a1afa1f68d1af1a65a170bd857a55d26472a836182da489c164d7ecfb |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk
| MD5 | 5adbbd74eee1417a342568bdd1650b3a |
| SHA1 | a55df6a2b7a57fc52e35396ebc6740a5b03da675 |
| SHA256 | be5cd6627b0b1c9762b5144179cdc458835fcf5f0232a00baf65d3321fc935d1 |
| SHA512 | 26fcbd3edc0652c849c551213820c58dff7134ef230e49de9e1f1943ebac041ed4d5e45f09cea687b02671d2d0141b3cc2ed0f363c7062220242233d3b1ef4ac |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\8148Is\XmlLite.dll
| MD5 | fd9ef5b903a08c01a5f580e32d522fa8 |
| SHA1 | dc5b9bf88ee193391e12e3e155f3a740f5521654 |
| SHA256 | ad21945b2d63a28f639c6db66262b3ea8f21fe9c49c76ae7f30963e3ce238fc3 |
| SHA512 | cb6ee74565f019177048c5c61c9af1f03753a7e4ed69f244cb74f9a3de8d673aeb20ffe8393bd5258bd8b387cc70879afe2291f6626c073713e6304c2828fe9a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\CAS2M1KTt\DUser.dll
| MD5 | 6c7e663925c2f6c65bb904a9b3721f9b |
| SHA1 | d225029169cb8e05fb64cdd1bdcb1802b1694c3a |
| SHA256 | 1a1b07837db7cc5adb87ca41e27e268b0812db8d165dc32bd5892f7e38e6e966 |
| SHA512 | 5defad9db3376f70bd0637c696a9d062d6efcfbb7e26d6e77b446db69ccffa6cbd64df1e0cac3b5928ce40c01a785c7bf3366664d39fc4c61ac2d0742d622cb5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\8148Is\9fEWSgBS\DUI70.dll
| MD5 | 0cf106ac4ef4e179eb1f6046ed11cca3 |
| SHA1 | b47bc9af1d4851a639317fd73f8adb0284663b9b |
| SHA256 | e43254c2bd6f9fc83024e530948fb4ec32614fd2b2f7f1073580c966ff42f130 |
| SHA512 | 036169370627843be89d6a59c3351f0f5f937247fd7cbca1d96deb1cc1b56665ce09e396923f9890056505075a0f72aaae8ea321eef37aac7e7084daaaf56323 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-20 17:41
Reported
2024-01-20 17:43
Platform
win7-20231215-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\stU\dpnsvr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\stU\dpnsvr.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\DGtvy\\AdapterTroubleshooter.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\stU\dpnsvr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
(61 further hits for this signature carry no description, indicator, process or target.)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b0a5e806359b4b92fc00861e1bf8bff.dll,#1
C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\AdapterTroubleshooter.exe
C:\Windows\system32\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe
C:\Windows\system32\dpnsvr.exe
C:\Windows\system32\dpnsvr.exe
C:\Users\Admin\AppData\Local\stU\dpnsvr.exe
C:\Users\Admin\AppData\Local\stU\dpnsvr.exe
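The process lists of both runs show the same pattern: a Windows binary that normally lives in System32 (ddodiag.exe, EaseOfAccessDialog.exe, SystemSettingsAdminFlows.exe on win10; SystemPropertiesComputerName.exe, AdapterTroubleshooter.exe, dpnsvr.exe on win7) is copied into a random directory under AppData\Local and executed from there, and the Files section shows a library with a Windows DLL name (XmlLite.dll, DUser.dll, DUI70.dll, SYSDM.CPL, d3d9.dll, WINMM.dll) dropped beside each copy. Because the loader searches the application directory before System32 for libraries that are not KnownDLLs, the copied binary picks up the dropped DLL instead of the real one. The Run values and the Startup .lnk files then point persistence at a further copy under AppData\Roaming. The following Python is an added example, not code from the report or from the sample: it re-derives those three findings offline from the report's own path lists. The path and indicator lists are constructed from the report; the function names and the AppData pattern used to decide what counts as user-writable are assumptions for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Assumption: any per-user AppData tree is attacker-writable.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
# Matches the sandbox's rendering of a Run value: ...\Run\<name> = "<path with \\ doubled>"
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\([^\\=]+?)\s*=\s*\"(.*)\"\s*$", re.I)

# Constructed from the Processes lists of both runs (duplicates removed).
PROCESS_IMAGES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\ddodiag.exe",
    r"C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe",
    r"C:\Windows\system32\EaseOfAccessDialog.exe",
    r"C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe",
    r"C:\Windows\system32\SystemSettingsAdminFlows.exe",
    r"C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe",
    r"C:\Windows\system32\SystemPropertiesComputerName.exe",
    r"C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe",
    r"C:\Windows\system32\AdapterTroubleshooter.exe",
    r"C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe",
    r"C:\Windows\system32\dpnsvr.exe",
    r"C:\Users\Admin\AppData\Local\stU\dpnsvr.exe",
]
# Constructed from the Files sections of both runs.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\2iF5zG\XmlLite.dll",
    r"C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe",
    r"C:\Users\Admin\AppData\Local\ygDgV5C1\DUser.dll",
    r"C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe",
    r"C:\Users\Admin\AppData\Local\duSHcq\DUI70.dll",
    r"C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe",
    r"C:\Users\Admin\AppData\Local\eVcdx6Q\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe",
    r"C:\Users\Admin\AppData\Local\N0t\d3d9.dll",
    r"C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe",
    r"C:\Users\Admin\AppData\Local\stU\WINMM.dll",
    r"C:\Users\Admin\AppData\Local\stU\dpnsvr.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk",
]
# Constructed from the two "Adds Run key" indicators, verbatim as the report renders them.
RUN_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\CAS2M1KTt\\EaseOfAccessDialog.exe"',
    r'\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\DGtvy\\AdapterTroubleshooter.exe"',
]

def parent_dir(path):
    return str(PureWindowsPath(path).parent).lower()

def is_user_writable(path):
    return bool(USER_WRITABLE.match(path))

def system_binary_names(process_images):
    """Basenames that ran from a system directory, e.g. 'ddodiag.exe'."""
    return {PureWindowsPath(p).name.lower() for p in process_images
            if parent_dir(p) in SYSTEM_DIRS}

def sideload_candidates(process_images, dropped_files):
    """Return [(copied_exe, [libraries dropped beside it])] for every process whose
    basename also ran from System32 but whose own path is user-writable."""
    names = system_binary_names(process_images)
    by_dir = defaultdict(list)
    for f in dropped_files:
        by_dir[parent_dir(f)].append(f)
    hits, seen = [], set()
    for img in process_images:
        if img.lower() in seen or not is_user_writable(img):
            continue
        if PureWindowsPath(img).name.lower() not in names:
            continue
        seen.add(img.lower())
        libs = [f for f in by_dir[parent_dir(img)]
                if PureWindowsPath(f).suffix.lower() in (".dll", ".cpl")]
        hits.append((img, libs))
    return hits

def parse_run_value(indicator):
    """(value name, target path) from a rendered Run-key indicator, else None."""
    m = RUN_VALUE.search(indicator)
    if not m:
        return None
    return m.group(1), m.group(2).replace("\\\\", "\\")

def suspicious_run_values(indicators, names):
    """Run values whose target is a user-writable copy of a system binary."""
    out = []
    for parsed in map(parse_run_value, indicators):
        if parsed and is_user_writable(parsed[1]) and \
                PureWindowsPath(parsed[1]).name.lower() in names:
            out.append(parsed)
    return out

def startup_lnks(dropped_files):
    """Shortcut files written into a Start Menu Startup folder (short names included)."""
    return [f for f in dropped_files
            if "\\programs\\startup\\" in f.lower() and f.lower().endswith(".lnk")]

if __name__ == "__main__":
    for exe, libs in sideload_candidates(PROCESS_IMAGES, DROPPED_FILES):
        print("side-load:", exe, "<-", ", ".join(PureWindowsPath(l).name for l in libs))
    for name, target in suspicious_run_values(RUN_INDICATORS, system_binary_names(PROCESS_IMAGES)):
        print("run value:", name, "->", target)
    for lnk in startup_lnks(DROPPED_FILES):
        print("startup lnk:", lnk)
```

Run against the report's paths this yields six side-load pairs, the two Run values and the one Startup shortcut. On a live host the same logic applies to process-creation and registry-set telemetry: the strong signal is not the binary name (every one of them is legitimate and, on the host, signed) but a System32 basename executing from AppData with a same-named Windows library beside it.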
Network
Files
memory/2284-0-0x0000000140000000-0x0000000140339000-memory.dmp
memory/2284-1-0x0000000000190000-0x0000000000197000-memory.dmp
memory/1196-4-0x0000000076FE6000-0x0000000076FE7000-memory.dmp
memory/1196-5-0x00000000024E0000-0x00000000024E1000-memory.dmp
memory/1196-7-0x0000000140000000-0x0000000140339000-memory.dmp
memory/2284-8-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-9-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-10-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-11-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-15-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-14-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-13-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-12-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-18-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-17-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-21-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-20-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-28-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-27-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-29-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-26-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-25-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-24-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-23-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-22-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-19-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-16-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-32-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-39-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-38-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-37-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-36-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-35-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-40-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-34-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-33-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-45-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-44-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-43-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-42-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-41-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-31-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-30-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-46-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-48-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-49-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-47-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-50-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-51-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-52-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-54-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-55-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-53-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-58-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-57-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-56-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-59-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-64-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-65-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-68-0x00000000024C0000-0x00000000024C7000-memory.dmp
memory/1196-63-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-62-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-61-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-60-0x0000000140000000-0x0000000140339000-memory.dmp
memory/1196-77-0x0000000077250000-0x0000000077252000-memory.dmp
memory/1196-76-0x00000000770F1000-0x00000000770F2000-memory.dmp
C:\Users\Admin\AppData\Local\eVcdx6Q\SYSDM.CPL
| MD5 | db6e76817f6b921100213fcc6171ced1 |
| SHA1 | c3954c7c73ba7cd6307ecfd87722da007ae2643c |
| SHA256 | 76fee30ee84579b11b51ea9e9a145955eb1ae55528eb36a5da2893fdc25a3c87 |
| SHA512 | 673cefc9147f34f32484696e7f2ec11385c235138d9bdf8fbb3386d1a940bed644638bd9f00e36c0a77d4bda22afa41ff929d1d52993b8dc9622246f4615c0d2 |
memory/2868-108-0x0000000000280000-0x0000000000287000-memory.dmp
\Users\Admin\AppData\Local\eVcdx6Q\SYSDM.CPL
| MD5 | 15135e1f03dab43c3f9a0321548de50f |
| SHA1 | 3b6f4854ef23d845801330a557edec239d22d42a |
| SHA256 | 0bff4aef44e56fd5f6b3a25720e4090e389f3e76f83bd5175a019f41dfc3b99a |
| SHA512 | 0bf537006ba79c68d4b429d01b8dcdf448ba463fee93529c22d885b2e9592940401fc6b4457baa2fbb3b3112a2535f56cf281e3e8015114c5db8e222dc727314 |
C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe
| MD5 | bd889683916aa93e84e1a75802918acf |
| SHA1 | 5ee66571359178613a4256a7470c2c3e6dd93cfa |
| SHA256 | 0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf |
| SHA512 | 9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026 |
C:\Users\Admin\AppData\Local\N0t\d3d9.dll
| MD5 | 58e9a380a2f917a71cd6718882149d2d |
| SHA1 | dca0dd8e13c1673cfb38f306e5325bd9f5b028c8 |
| SHA256 | fb32fa5dea1a60a2220d5ecda1852d17f0a5f3f1c1a77f61afbd9188f1b0c017 |
| SHA512 | 7256608ab354917f477506ef30c0b165994fddfb4bb22fb8085086a4422eff37868d38c85586894b0c7af85987b5fae316e34b535baafd5fe83c05fcc79c7e33 |
\Users\Admin\AppData\Local\N0t\d3d9.dll
| MD5 | a1591bc662091ead517847a064f14cf6 |
| SHA1 | a5d10698602c9767b3176492a272d43f3de6baa1 |
| SHA256 | e1981dae2bd02e643cff6d1f6a5d7ee3198e75a5fc1b4c48921854c7aaf1a19f |
| SHA512 | 9ab1c02e141819c81379958cd0a7a21d368682bde24612bae103feb1695762a2c43b8b2d6ba4f8dec2669e806603f4c01c2e2599677f99c4a2404a539822572a |
C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe
| MD5 | d4170c9ff5b2f85b0ce0246033d26919 |
| SHA1 | a76118e8775e16237cf00f2fb79718be0dc84db1 |
| SHA256 | d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da |
| SHA512 | 9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608 |
C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe
| MD5 | 3b48c060089db96efa0fad2c5308a248 |
| SHA1 | b97b715cb72a6525143e0ffb2f8a13abb5ee3fdd |
| SHA256 | 3c9070561d2510f624f812c93959f8794f4f52c12b74358749833eeb051c544a |
| SHA512 | b638d1148f151f7416da2e898ec5a602bd13b4e35d87b5fc80776e290e925460fcb13364cc77ef0f840095d71772b29fec1439bd34771417c1a05f07fa4a22bf |
C:\Users\Admin\AppData\Local\stU\WINMM.dll
| MD5 | e8068ffce7078cacf0dc983764c9d662 |
| SHA1 | ec7c9ae56f903f272678545270007d3d67d41917 |
| SHA256 | a03b44754e3d439af4036fa5ccfa145f5621c07e4457e9a4690ab142a61318d2 |
| SHA512 | 995b9ea2289d7549c4f592f6b09fff8357bc281208708114642a82b19ffda22dea6816831fc665062af9bae6e4cc3cd9b658774532fc346c1eec9cd5ef25e16e |
\Users\Admin\AppData\Local\stU\WINMM.dll
| MD5 | 4703e6f90b33c7508108d97a7692a978 |
| SHA1 | b331de0af673898bdb661c73a19b7399e7d5a583 |
| SHA256 | 044aa37ae09ed70843d7d1093cb07ac8a62cde0ad9c8fc3a091d867486d84d6e |
| SHA512 | 7577d6c1a20a127abd300e3207b8e1f1dde6d6b206f8b7d1cc44876785837eb7eb60a2a08da8b526e0478206af9d0c1334857b02c13f676c19dacee3726c5b14 |
memory/2508-140-0x0000000000100000-0x0000000000107000-memory.dmp
C:\Users\Admin\AppData\Local\stU\dpnsvr.exe
| MD5 | 02f20a0d2ffd3d30776460e3d8114d36 |
| SHA1 | 9e0bcdc06cabe007c1b3a1196081be84c06b36f2 |
| SHA256 | df99daf6b19e24272171186bf9c7ec9e3dbbbd2653bf78d68564d274e364bd4d |
| SHA512 | 71d9e2367de0794294d2937ea1802d74b307b32cb990290daea0a113326dedc0888c65c3bf222aa6822f7dc98fe1e80fc3da058d1593231f178b63b54b227f9a |
C:\Users\Admin\AppData\Local\stU\dpnsvr.exe
| MD5 | 6806b72978f6bd27aef57899be68b93b |
| SHA1 | 713c246d0b0b8dcc298afaed4f62aed82789951c |
| SHA256 | 3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c |
| SHA512 | 43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b |
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\YL32BKDN\h7ZDza\dpnsvr.exe
| MD5 | 863c35161b01888e38e8a356f3010119 |
| SHA1 | 59559dee41fd93429304de9ea883c5b237a31190 |
| SHA256 | cd039241e8e09ce9f4b440ccef19124bf34e22f165b76c786378a8d939aa17cf |
| SHA512 | b410e2e1af216c85b49ddff713b5bde0bab1805bf361c5d9233687761c12bc10a716cd3f45a402c45edb4066631673489cf51b74c4d2784ed64c958a2e40eec1 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk
| MD5 | cb7dbbb252bed6fd3dc2c97d85b3a758 |
| SHA1 | 06d0604ab488fdc29c0988451881c010e3fd9092 |
| SHA256 | c8bfae9d1a56ad145a0622a361eb97ac03459ae92a07f86dd98d77ad8cbb5681 |
| SHA512 | c6d0786492145c266ddf2a100a071238f88e1ff7f846ad3972a51ff7d328040d6efc7777dd54dd3a15b43057f0f830bf5ebb471dbfed5e37092a939774b2f02e |
memory/1196-163-0x0000000076FE6000-0x0000000076FE7000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\gMBz\SYSDM.CPL
| MD5 | 57598b8effd9ee00bb9de1de4d698579 |
| SHA1 | 4682b4932c529c6b78e539658f28c2149b70069f |
| SHA256 | 74a48260144c9372547f173309c8cdda7c8df0316f8948697bc76fe4b3b2f839 |
| SHA512 | a06bba19bc24855c7992155a1a5cbcd6cca4ddc3d3d87768b4440256fe2cfa21e22f2aa71924be0a2aa32e52cbc7b08178ee33155dfe433c666cfae21fcc43ff |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\DGtvy\d3d9.dll
| MD5 | c19d5ba1d09b3f6416974e9705ddba57 |
| SHA1 | e5104acab769c1f5f64a83d564f713a430cbf7fb |
| SHA256 | e076b25bc81949aa563be6a0a6052c6945b448f23041fa2de68dc16da5c148f2 |
| SHA512 | e4489dff5cb4502169e7c3b6272675ba696d08628f9df534cc9dc6228b3158b5edf0867faf6b629eebf1206b55ed749b7a9a786cca5a3afaa3a723fee8135e57 |
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\YL32BKDN\h7ZDza\WINMM.dll
| MD5 | f6867104198a685b2c187b047871b7a1 |
| SHA1 | 5c50224f9fa1b3408095a046454985256e321935 |
| SHA256 | e6d525f7b9f95731299af758c4d3e97b9eafcc7bec8f2f3b2241e30b23d32da2 |
| SHA512 | 8581781f015a9dc393a41f8bdde2bf4d0daa2aeacc96de5a11ee3769703be87231b6d97d4ea57b0d00ff22eb86f88c3d35bfa51bd0ae59c7c60d750e8e3d87d1 |