Malware Analysis Report

2024-11-15 08:50

Sample ID 240121-tqc6naebck
Target 6d744bbf016772634f87aa5fdf2fc9c5
SHA256 d0c33dbcd2bc26465a2cdf232d5cfea8a77135f9572037c8a0fbe21ae5cd0c2c
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

d0c33dbcd2bc26465a2cdf232d5cfea8a77135f9572037c8a0fbe21ae5cd0c2c

Threat Level: Known bad

The file 6d744bbf016772634f87aa5fdf2fc9c5 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-21 16:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-21 16:15

Reported

2024-01-21 16:17

Platform

win7-20231215-en

Max time kernel

150s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d744bbf016772634f87aa5fdf2fc9c5.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\HPIxUr\calc.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\YAd\spinstall.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\xCWjnC\WFS.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\fQTVdY\\SPINST~1.EXE" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\HPIxUr\calc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\YAd\spinstall.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\xCWjnC\WFS.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1200 wrote to memory of 2588 | N/A | N/A | C:\Windows\system32\calc.exe
PID 1200 wrote to memory of 2588 | N/A | N/A | C:\Windows\system32\calc.exe
PID 1200 wrote to memory of 2588 | N/A | N/A | C:\Windows\system32\calc.exe
PID 1200 wrote to memory of 2640 | N/A | N/A | C:\Users\Admin\AppData\Local\HPIxUr\calc.exe
PID 1200 wrote to memory of 2640 | N/A | N/A | C:\Users\Admin\AppData\Local\HPIxUr\calc.exe
PID 1200 wrote to memory of 2640 | N/A | N/A | C:\Users\Admin\AppData\Local\HPIxUr\calc.exe
PID 1200 wrote to memory of 1668 | N/A | N/A | C:\Windows\system32\spinstall.exe
PID 1200 wrote to memory of 1668 | N/A | N/A | C:\Windows\system32\spinstall.exe
PID 1200 wrote to memory of 1668 | N/A | N/A | C:\Windows\system32\spinstall.exe
PID 1200 wrote to memory of 1900 | N/A | N/A | C:\Users\Admin\AppData\Local\YAd\spinstall.exe
PID 1200 wrote to memory of 1900 | N/A | N/A | C:\Users\Admin\AppData\Local\YAd\spinstall.exe
PID 1200 wrote to memory of 1900 | N/A | N/A | C:\Users\Admin\AppData\Local\YAd\spinstall.exe
PID 1200 wrote to memory of 2744 | N/A | N/A | C:\Windows\system32\WFS.exe
PID 1200 wrote to memory of 2744 | N/A | N/A | C:\Windows\system32\WFS.exe
PID 1200 wrote to memory of 2744 | N/A | N/A | C:\Windows\system32\WFS.exe
PID 1200 wrote to memory of 752 | N/A | N/A | C:\Users\Admin\AppData\Local\xCWjnC\WFS.exe
PID 1200 wrote to memory of 752 | N/A | N/A | C:\Users\Admin\AppData\Local\xCWjnC\WFS.exe
PID 1200 wrote to memory of 752 | N/A | N/A | C:\Users\Admin\AppData\Local\xCWjnC\WFS.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d744bbf016772634f87aa5fdf2fc9c5.dll,#1

C:\Windows\system32\calc.exe

C:\Windows\system32\calc.exe

C:\Users\Admin\AppData\Local\HPIxUr\calc.exe

C:\Users\Admin\AppData\Local\HPIxUr\calc.exe

C:\Windows\system32\spinstall.exe

C:\Windows\system32\spinstall.exe

C:\Users\Admin\AppData\Local\YAd\spinstall.exe

C:\Users\Admin\AppData\Local\YAd\spinstall.exe

C:\Windows\system32\WFS.exe

C:\Windows\system32\WFS.exe

C:\Users\Admin\AppData\Local\xCWjnC\WFS.exe

C:\Users\Admin\AppData\Local\xCWjnC\WFS.exe

Network

N/A

Files

memory/2060-1-0x0000000140000000-0x0000000140168000-memory.dmp

memory/2060-0-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1200-4-0x0000000076DF6000-0x0000000076DF7000-memory.dmp

memory/1200-5-0x0000000002B60000-0x0000000002B61000-memory.dmp

memory/1200-9-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-7-0x0000000140000000-0x0000000140168000-memory.dmp

memory/2060-8-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-11-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-12-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-10-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-13-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-14-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-15-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-16-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-19-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-20-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-18-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-17-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-24-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-23-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-22-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-26-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-27-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-25-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-21-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-32-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-31-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-30-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-29-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-28-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-41-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-40-0x0000000002B10000-0x0000000002B17000-memory.dmp

memory/1200-33-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-42-0x0000000077001000-0x0000000077002000-memory.dmp

memory/1200-43-0x0000000077160000-0x0000000077162000-memory.dmp

memory/1200-52-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-58-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1200-61-0x0000000140000000-0x0000000140168000-memory.dmp

C:\Users\Admin\AppData\Local\HPIxUr\VERSION.dll

MD5 87c67c13be591a25ed37c09ffe8a8078
SHA1 c5b0ce806e5cd8bc2b3d654d3d97676ac5acb7a5
SHA256 a27eb6541964f39331bcf2515a8caa8eb841c0c53b4fb42633556c8b85845adc
SHA512 848c4d7f8dca843fdeb1f3659996a4191773dc82543f05ecabbc101bfa5f16bca2f805714571a416a4c09ba6845d0514f3726d8780196f5a8a43d0edc50fb7b8

C:\Users\Admin\AppData\Local\HPIxUr\calc.exe

MD5 10e4a1d2132ccb5c6759f038cdb6f3c9
SHA1 42d36eeb2140441b48287b7cd30b38105986d68f
SHA256 c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b
SHA512 9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

memory/2640-71-0x0000000140000000-0x0000000140169000-memory.dmp

memory/2640-70-0x0000000000200000-0x0000000000207000-memory.dmp

\Users\Admin\AppData\Local\HPIxUr\VERSION.dll

MD5 351acddf71758690cc80ac73100f1b19
SHA1 2ef9f25046432aa3722f46443a77539732cb8595
SHA256 78520e1be605bd74981bab62c52decaf8d41c1ad1844346fa57bc816fb5e4a74
SHA512 75eaabfd3a474c6822d3757f7518c900edf64d49e10eabcb8afc5eae16bd09f7a98f6507ccf2eb45b8a7e6ac62cb9ecc40ccfea3782c4096b69afd0a03e4b9dd

memory/2640-75-0x0000000140000000-0x0000000140169000-memory.dmp

\Users\Admin\AppData\Local\YAd\spinstall.exe

MD5 29c1d5b330b802efa1a8357373bc97fe
SHA1 90797aaa2c56fc2a667c74475996ea1841bc368f
SHA256 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f
SHA512 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

C:\Users\Admin\AppData\Local\YAd\WTSAPI32.dll

MD5 ba7a86a07d4a79bfb7244a33e543f8fa
SHA1 c1aaf14e17539cee0ea6fd43ceff50f58cd0d931
SHA256 79a2a8e5f55add3bd88a04deb5ee3bf8d1cd64de27cfa30c1935ff0ae083e3a3
SHA512 f81920abce6b99d7c25a496c773f720c45c5f58f78f80a85a068f3565d30e0598a34c6e61efaec39ee99f7ebcdfb8be264afb3e92528468af43e71d6d19d1f1f

C:\Users\Admin\AppData\Local\YAd\spinstall.exe

MD5 7ecb8e9704df710d5bd546535162f1bc
SHA1 56e0ee9a9faf5702343efa5d03ea470ceaa8ae05
SHA256 49613fc250d16d4effec004f208f2bbe24f7220375bc5d3a6f64ed87e994795a
SHA512 400824f2739f730c938b8ac3231cfd13d640667a53ec1bb2ff9387865cfde1ce4808a036981c56ed683d7d213e10979a7e89378f5a82cf0ec62821c25e79c8ad

\Users\Admin\AppData\Local\YAd\WTSAPI32.dll

MD5 03966c64269893c80162606bd5c2c666
SHA1 d18176057e17622c04d4493b4ca6fa7b477f4dd6
SHA256 00d0635ca687ed2ce55b8f864f9b37240d25c28a83c6a8dcaf378154d2734cf7
SHA512 50ebbb7a1cd032e168df53c088e1c7bc2bdd26b37d066bd3b13b42867661fe372a94a98779936ece4d1a72350aa816d56e12a336cd71f041c214f712eabfbff0

memory/1900-90-0x00000000000F0000-0x00000000000F7000-memory.dmp

memory/1900-94-0x0000000140000000-0x0000000140169000-memory.dmp

\Users\Admin\AppData\Local\xCWjnC\WFS.exe

MD5 a943d670747778c7597987a4b5b9a679
SHA1 c48b760ff9762205386563b93e8884352645ef40
SHA256 1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610
SHA512 3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

C:\Users\Admin\AppData\Local\xCWjnC\credui.dll

MD5 e9180b8d59f92b38fb7399b648eda0ae
SHA1 88c7aedde9aab4abec1bbfa62425e8d29640f840
SHA256 223defcc75297e8265c802179456a01b5de55d2221a2358b5c69d029e6555db0
SHA512 1caf9e4d0995be361acef49837fb7b1e64498667f78481c0eb2e907e40a10d0b9be2fe9638c0f1283eeff0ca6e68cb11bf4dee30901e42949824d824cf8b5b84

memory/752-107-0x0000000000120000-0x0000000000127000-memory.dmp

memory/752-112-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1200-128-0x0000000076DF6000-0x0000000076DF7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

MD5 02c51fabfe44853f0cf5775099ebdd50
SHA1 d470cfcd7620c22550763a6ed619850b8bc170ac
SHA256 100e1df37f89b9c49f722ec3ae3bfbe41db6a6c745c81b327324802031786354
SHA512 fba1b6264aeddba2f5f6f3914f5bf2d6b70f5ecb500dba0c64b9a68000ef31861ceb8807b06614d891f7ce88cad1f28c1cd94be3e9e34d6c594b0913a2379a8f

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-21 16:15

Reported

2024-01-21 16:17

Platform

win10v2004-20231222-en

Max time kernel

148s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d744bbf016772634f87aa5fdf2fc9c5.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\pCYK9kIMWpy\\SystemSettingsAdminFlows.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\P3idB\CustomShellHost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\aN6s\SystemSettingsAdminFlows.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\8DdDb\mmc.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3512 wrote to memory of 2292 | N/A | N/A | C:\Windows\system32\CustomShellHost.exe
PID 3512 wrote to memory of 2292 | N/A | N/A | C:\Windows\system32\CustomShellHost.exe
PID 3512 wrote to memory of 4036 | N/A | N/A | C:\Users\Admin\AppData\Local\P3idB\CustomShellHost.exe
PID 3512 wrote to memory of 4036 | N/A | N/A | C:\Users\Admin\AppData\Local\P3idB\CustomShellHost.exe
PID 3512 wrote to memory of 732 | N/A | N/A | C:\Windows\system32\SystemSettingsAdminFlows.exe
PID 3512 wrote to memory of 732 | N/A | N/A | C:\Windows\system32\SystemSettingsAdminFlows.exe
PID 3512 wrote to memory of 1124 | N/A | N/A | C:\Users\Admin\AppData\Local\aN6s\SystemSettingsAdminFlows.exe
PID 3512 wrote to memory of 1124 | N/A | N/A | C:\Users\Admin\AppData\Local\aN6s\SystemSettingsAdminFlows.exe
PID 3512 wrote to memory of 4916 | N/A | N/A | C:\Windows\system32\mmc.exe
PID 3512 wrote to memory of 4916 | N/A | N/A | C:\Windows\system32\mmc.exe
PID 3512 wrote to memory of 3028 | N/A | N/A | C:\Users\Admin\AppData\Local\8DdDb\mmc.exe
PID 3512 wrote to memory of 3028 | N/A | N/A | C:\Users\Admin\AppData\Local\8DdDb\mmc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d744bbf016772634f87aa5fdf2fc9c5.dll,#1

C:\Windows\system32\CustomShellHost.exe

C:\Windows\system32\CustomShellHost.exe

C:\Users\Admin\AppData\Local\P3idB\CustomShellHost.exe

C:\Users\Admin\AppData\Local\P3idB\CustomShellHost.exe

C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\8DdDb\mmc.exe

C:\Users\Admin\AppData\Local\8DdDb\mmc.exe

C:\Windows\system32\mmc.exe

C:\Windows\system32\mmc.exe

C:\Users\Admin\AppData\Local\aN6s\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\aN6s\SystemSettingsAdminFlows.exe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.52.96.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 202.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp

Files

memory/2664-0-0x00000182509E0000-0x00000182509E7000-memory.dmp

memory/2664-1-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-6-0x0000000140000000-0x0000000140168000-memory.dmp

memory/2664-7-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-8-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-10-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-11-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-12-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-9-0x00007FFFFBC9A000-0x00007FFFFBC9B000-memory.dmp

memory/3512-4-0x0000000003390000-0x0000000003391000-memory.dmp

memory/3512-13-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-16-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-14-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-17-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-15-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-18-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-19-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-23-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-26-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-28-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-27-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-25-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-24-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-22-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-21-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-20-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-32-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-31-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-33-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-34-0x0000000002B50000-0x0000000002B57000-memory.dmp

memory/3512-30-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-41-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-42-0x00007FFFFD200000-0x00007FFFFD210000-memory.dmp

memory/3512-29-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-53-0x0000000140000000-0x0000000140168000-memory.dmp

memory/3512-51-0x0000000140000000-0x0000000140168000-memory.dmp

C:\Users\Admin\AppData\Local\P3idB\WTSAPI32.dll

MD5 01e94816a651a7fade4cc4d6bad61e9c
SHA1 18daee1c251f6475a63a62b31083b912fe12503c
SHA256 b87646b99ca3441265ffdedb70cfcd40a7683fe2dd08a675585b1bebef0a26db
SHA512 b6267b13fc054444b31ffefb432ed0e369fb14110970c8342029cde0aaaa3e53891632b4a24a2b274244bfdac8f0233f5df901d6cfced753bcdc9f361c2d8827

memory/4036-63-0x0000000140000000-0x0000000140169000-memory.dmp

memory/4036-68-0x0000000140000000-0x0000000140169000-memory.dmp

C:\Users\Admin\AppData\Local\P3idB\CustomShellHost.exe

MD5 fc6f6f006f0baf6dee8ab1d07695684b
SHA1 7d079fc485b394f12ae8a12e1975e1c50e00eb3d
SHA256 5c7bfba9ab039bff5da77c99df2e9c3e6a8841eb5d18c09656bd786a64fea66b
SHA512 3c53c5742bfe1348d7d7fae2b339fbc8f1fe485430cb5f9979bcc19edd590ed7232c0d4ebc3f121918984249552ffe5016a43c877eead7eb885dbfee7c29dc19

memory/4036-62-0x000001CDA6FF0000-0x000001CDA6FF7000-memory.dmp

C:\Users\Admin\AppData\Local\P3idB\WTSAPI32.dll

MD5 1d4a429d23a09561e355dfd4fcba6f95
SHA1 95aae76d594c648aa3294c6076d39511831aa8ce
SHA256 af71a4ed80432703f2c242c95b846863c2673013fb4dd4dc206e0480bc5b6d5c
SHA512 bbe1e326613560cb86eecc9440547872b2b246428a01c796be63e69e55bc1c109f1801ea94a0393181a364a9ce3a69e2d618378bd56f45407a12d1f7b20ee5ac

C:\Users\Admin\AppData\Local\P3idB\CustomShellHost.exe

MD5 4f823b02373183704aafba71fd7f2f8b
SHA1 061232659e8367069deb4dd9659117a542bf8659
SHA256 bb8ba795b4afefd5398c06c75de12756fb439bfe30ab71ea9adadd46a4519d57
SHA512 1eae94e6cc8fe8462ee5feb6af791446cd37aafb9ecdcaefdc863e624bdf53be7c2c68ba0472942cd184daa4f1f7b6ad7def74b8fe2613a14c72d9edb3b0f06b

C:\Users\Admin\AppData\Local\aN6s\DUI70.dll

MD5 e145906ef931cec3d9dee3dab719a424
SHA1 3fc735c0d0a0dcf6799e71b0746df2f9ae99219a
SHA256 0d42385abf0891086720003cf511e96682f1b8f37a8707b3b1fdb51f4f396113
SHA512 1ca08daa1e71c18c4da5463c04bc1a93f5e662d9699f255a5c2b3f2fce93a7e0703d45e7a419ce87638a98213af699bb05c1af9e1ef7c9b0a3ba7e5aa05a2550

C:\Users\Admin\AppData\Local\aN6s\DUI70.dll

MD5 5c633b86bf6bd0bea888d2c23656728b
SHA1 0271bce2016448adaf53e7c08844674918f2108a
SHA256 e1d9928f9586a92216909b2bc70308730d00783bb4891d986aa9947cad3bac92
SHA512 5334fc109c35379f1ed79b818fb0ff2f0d53031e3e079ba42c31fb5cd502f4963fcad6af929d1d7261bf97a75ee5a87d8d228d713bcd1093c2d2f7dc2a556481

memory/1124-85-0x0000000140000000-0x00000001401AE000-memory.dmp

C:\Users\Admin\AppData\Local\aN6s\SystemSettingsAdminFlows.exe

MD5 f776d493cf1209729850adaab83970a0
SHA1 beb5f0d58447c5d579d751a212a6d52b6ef3f9ec
SHA256 7f121b1315bee099ea92093fb3403b5bf6171970e0ee2760beb40eda78eeae53
SHA512 9b76fdebc9b7b7f1af0b263daf73d4e81e2387a865e21aef3cb12c0728d9836bb3b9cbd3a6f837cdf2f526c6579017bed8e536645f05183cdef7e8a69ef92e17

memory/1124-80-0x0000028C48990000-0x0000028C48997000-memory.dmp

C:\Users\Admin\AppData\Local\8DdDb\DUser.dll

MD5 a87d1d6dfe2c58a21e385a08c93f59ab
SHA1 f99c29d76d72df4905ad6f0aec8d7a156db679a9
SHA256 f18b073b85e18b852c9f9309e26e0ab1ec819cf5c44e6f88ebfac4847f35ec4d
SHA512 3e0ae91de351014195f523fa9bd1d8e4b5eb9ef69cd79546f6aa01375545207344710086044baf11fd36112afd8d615c8a211b3bdacc6e89c8063d0fcf59c70d

memory/3028-100-0x00000000032F0000-0x00000000032F7000-memory.dmp

memory/3028-101-0x0000000140000000-0x000000014016A000-memory.dmp

memory/3028-97-0x0000000140000000-0x000000014016A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\YJeW3hlPGTz\mmc.exe

MD5 4f934448978b57ead4c1490821d19a88
SHA1 0a7a426897d0d33893ca201de045174cc51da636
SHA256 c60004f0b6a6f046d6a5526d65ab74dd90d6eff96caf691f394d9984941b5253
SHA512 73ad605305a7a9e99e6ccd0bd5f2b41c5c83bc342b7948ecc875e8e5db5c31cd400449de6e720dfbc7c14ee9675c50ac8c37b8cf6e888913e506bb4c2c652192

C:\Users\Admin\AppData\Local\8DdDb\DUser.dll

MD5 66d8bc9a5115e649edd1255682546285
SHA1 6cc32f03971c35b761c1beb37582f83641aa2bba
SHA256 140366a66d6fd7a27b79d1535c6c9fb45bb0d79942f99c4eac15ef29638ceb39
SHA512 a242b45946378bae379f78b71a36a5abd2e85d7ebc7f7044e0868898582dd402ce51bdca6bab2dcece934200309151a110641df31b90ba8ef759347d63e60725

C:\Users\Admin\AppData\Local\8DdDb\mmc.exe

MD5 87fe2610a68552750f9046712660d8b7
SHA1 e807cbd8f418a9d1f3ff5ed732892a6831ff0a7d
SHA256 f439441b81a728d6b23ecd1322a4299a81a1c08cc8c95063bf56c8840eb894c7
SHA512 2f87552cccd34b0eb84e450b61d619ba63c55dd1c9440d7c5ade0ee7efabc5e79a3ce50bd4e39e00f8e322cbfa6cc486a5099916e4f9a3fca7a55ccd4eb79d4a

C:\Users\Admin\AppData\Local\8DdDb\mmc.exe

MD5 3e3a22ceb99c26c4c69fa685002510e3
SHA1 d130ba8fdc12dd888a7ac4552e5b77f7240e476a
SHA256 8547aff38416da1be2359bc2bb7c49df90e070821748215334f750b985b0f3db
SHA512 df1cc8ca9ed2e930f33859ca4e4099cc93233cb0d33b2160c0294ed618fb2aed6eadfc6727103719beb71c09b24996546d758b36bc953acc18d3c499ff5c1e6b

memory/1124-79-0x0000000140000000-0x00000001401AE000-memory.dmp

C:\Users\Admin\AppData\Local\aN6s\SystemSettingsAdminFlows.exe

MD5 8a7cbf4160d0c27242d1688324926255
SHA1 fbfb7c54131d58d0e03cbbc91753e0a5f7b2d9c3
SHA256 8dcf399ecdd5a47fc36004fa20547b3f5e6c8be6172e932c1e9bf30755cbbea6
SHA512 e58687e917f98c07f1bfca55ccecb516c1a61547958e66f36f8f33fd0e82d7237d99da208cd4742662b183b75890d2ff85060dfcb0edc3cd2085a36d6fbe0c7a

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

MD5 8f5c75ecdc71ee2dde698a5bf4bd3be5
SHA1 80f320f8a24a1b4a81424d4c68cb58c2c489998c
SHA256 d9ccb600a92ae4ca0c2277dcc01e6f5312d48dd16235c7f232ce829f8bbc6df7
SHA512 04e7fcac25be3f954a521dde6da931be9fc62bf1ef89190a4759e2733b49922adba406279bf02550fa3e44981b31ef6a62d9831215ae33c73b948c6031095f12

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\7FNr\WTSAPI32.dll

MD5 74d4e14b1e1ed6486b8e2db9f13ba2e4
SHA1 4f24278e6f378f29858468ff870d53c51e4baefe
SHA256 3cda882d10fd0d4201412339f09a2069b4bf11ed9b4fd9ae7820a4208d10160c
SHA512 4f16b33a5ab4cedff64e51554d1622077a031c59cc4c65f54533b4f279f177b1823351432bd943dacfd7df06958d2fe23ee445e219754124d3decf304648dbb3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\pCYK9kIMWpy\DUI70.dll

MD5 16adbdebeba837320007478e082c2565
SHA1 244ea71b4c11f982e4d1f0744355cd8217451e89
SHA256 8f3d913afd92151d511b1285168db26c98751a140b38c7d8b3d9161145be11f1
SHA512 f4a140fd8f33dae3f6903dc2d2a30dac2ca47e15169d6f53afbe791c339a6c6e78040a3946c552e09423d659d68d452bb2b1645773f869684424193c658c19c5

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\YJeW3hlPGTz\DUser.dll

MD5 d0391dc12fdef7ccc1f2e18d246c4320
SHA1 47c13787044c5bdb1f36f69a9f9eecca8a70430c
SHA256 bf8f16a4884ba0fb4898a7bb6602aca615148e58df207a3030f014eed4bb2387
SHA512 cb254a4561fd1bfe2024458ca91fa23b9405e5529120a43d1f61a5c18694f840aa8047cef127ea3bc394a88049f320263593212a54e12488c4ec8f687cc5cd40

memory/3536-211-0x00000261DAB90000-0x00000261DABA0000-memory.dmp