Analysis Overview
SHA256
6a19ea54058dfc1a9678abc823f1ed3697c8e77fba5279d998dadaef5e7ebf04
Threat Level: Known bad
The file 71c41494c927e33c33dadf1925c47cd5 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-24 08:37
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-24 08:37
Reported
2024-01-24 08:40
Platform
win7-20231215-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\dQYhzbi1rd\\WindowsAnytimeUpgradeResults.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\71c41494c927e33c33dadf1925c47cd5.dll,#1 |
| C:\Windows\system32\tcmsetup.exe | C:\Windows\system32\tcmsetup.exe |
| C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe | C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe |
| C:\Windows\system32\WindowsAnytimeUpgradeResults.exe | C:\Windows\system32\WindowsAnytimeUpgradeResults.exe |
| C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe | C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe |
| C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe | C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe |
| C:\Windows\system32\iexpress.exe | C:\Windows\system32\iexpress.exe |
Network
Files
memory/2524-1-0x0000000140000000-0x0000000140185000-memory.dmp
memory/2524-0-0x0000000000110000-0x0000000000117000-memory.dmp
memory/1212-4-0x0000000077996000-0x0000000077997000-memory.dmp
memory/1212-5-0x00000000029E0000-0x00000000029E1000-memory.dmp
memory/1212-19-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-20-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-18-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-17-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-16-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-15-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-14-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-13-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-12-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-11-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-10-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-9-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-8-0x0000000140000000-0x0000000140185000-memory.dmp
memory/2524-7-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-25-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-38-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-40-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-43-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-44-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-42-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-41-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-39-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-37-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-36-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-35-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-34-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-33-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-32-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-31-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-30-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-29-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-45-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-47-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-48-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-46-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-49-0x00000000029C0000-0x00000000029C7000-memory.dmp
memory/1212-28-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-27-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-26-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-24-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-23-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-22-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-21-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-57-0x0000000077AA1000-0x0000000077AA2000-memory.dmp
memory/1212-58-0x0000000077C00000-0x0000000077C02000-memory.dmp
memory/1212-56-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-67-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1212-73-0x0000000140000000-0x0000000140185000-memory.dmp
C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe
| MD5 | 0b08315da0da7f9f472fbab510bfe7b8 |
| SHA1 | 33ba48fd980216becc532466a5ff8476bec0b31c |
| SHA256 | e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7 |
| SHA512 | c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58 |
\Users\Admin\AppData\Local\8QBgwy\TAPI32.dll
| MD5 | 0e8580bb505f37f55a9ccc6410025006 |
| SHA1 | c63e91ab81aa134484710977167d7a3b5c243601 |
| SHA256 | d0524353ecaec64f35fe6d35a8c97fbc344ebece3c41245c4afb091229580cd5 |
| SHA512 | 8ee29562c447b9bb90ab992cdfce22c6a30591c9f0464a663861da45d05ad71a6e3f4d15d3141b5340123ec9db00902a2f7381e8384819422deaf26c073f278e |
memory/2272-85-0x00000000000F0000-0x00000000000F7000-memory.dmp
C:\Users\Admin\AppData\Local\LTcJmDDfC\WINBRAND.dll
| MD5 | 62e80ab94e81f2ba8314581ea90247af |
| SHA1 | 82ad70c55b862ce01224d523f692fed5c2b65f0d |
| SHA256 | a4d500538c235461fa99eb5ecb2b79ed2dff241bb0ef0a7457572d1fd892d0de |
| SHA512 | 5a59138394ab3f243991d963c912d5969f5d97e718c87d7d3b416b5338516ec79c78efe4f463cab3eb950fb259eef44c347739fcef8ba6e4eb44240d8816d141 |
\Users\Admin\AppData\Local\LTcJmDDfC\WINBRAND.dll
| MD5 | 150675ee71427332e1efa4ef3936b201 |
| SHA1 | 99b97e3ec7a07b783a67be2a330f67fb8c4d3538 |
| SHA256 | 9c0cbffcb730fcf4c5e22d6085eda94289735a31d3ec8711aaa8c3ab6731268c |
| SHA512 | d8494a7f9e507b061b1955e2c530dd17b3179e8cc769c95ac0dc4573428e524ce15a1d9dc330ee0d43b7faf9d8c344c3a2c090699880b0693a4816a6b50ae013 |
C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe
| MD5 | 4ce30803fe1b2f91a4c50a736dd8ea5e |
| SHA1 | f6cfd96b319162da2e3e0173e7ecb0d4cefd70ac |
| SHA256 | 04034e248d35c49ff3db4a8f1ea73a4c80ba295f91e4e5060fc97786a040740b |
| SHA512 | 00a1392b715ff0ff86c055e0fa010dea6829b92b6e5b163e8c5269277203ea2d2e16c02a461e07f34db8975aaf9694e69580423b4ecc823a7c4d074206c9d2be |
\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe
| MD5 | 6e3cd2b208d684c37038107cb1193320 |
| SHA1 | cd00bfab8a32c17ccf39b1e097369c894349e3ce |
| SHA256 | b9295b2141b35234a68e60b826af20677295435adc3eee5a36e3963e8a16693d |
| SHA512 | ba0429147fbf71c4a894c188ff097855790e7fc7d929c6b6e46b7a7d139cd060b9b699c8a3615e83266bca378905aa37516fca66b95bc88b67a22a49a249edc7 |
memory/2996-104-0x0000000000090000-0x0000000000097000-memory.dmp
C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe
| MD5 | f5b608370ff97e655c584bc84e92b08b |
| SHA1 | 214597b0a6c4eef50ef68b5fd7e247ae234b132c |
| SHA256 | 5fdd03790ea41a631a0b9cbb5893a8bd6c793aa5e885bdf1c79b2e6e5bbecfcb |
| SHA512 | 930d7dfcdbb772845b0d742f11cbe9be0b2ac6f9a1a4220ad99326a2ba12fed1972a446281041f3697c6b12cbcc3588416d659af856fa06648c4b037333579a7 |
C:\Users\Admin\AppData\Local\Sh4si\VERSION.dll
| MD5 | 70355dafda1ad274740c6f8aa1a9bdc8 |
| SHA1 | 4134311e39a83ab92cb7a41d10634c3d019f6766 |
| SHA256 | 7ad16e800ca65642cfa8f708304c9f4b6069e87818b038818263704ad26ae923 |
| SHA512 | 4d244aa7c8fc5146df63b1534013747be7a6f65aa93afd4302f27dd7b6842c0c43074e6c184e157dce9219abda34db9ec08918d1dace6021743b9ad6a6534244 |
C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe
| MD5 | b477b89e38889a8d36afa6552d7566cd |
| SHA1 | bef192a09e78ae0c5bcf9de3b55edbd7f7c46971 |
| SHA256 | 9a7dc98c3406fea6429b35f7d6edb8b06de74a7164498f7016756ef2d6672c11 |
| SHA512 | 87f527eddeae665e5e8532fec04de0e96fa36aecdb2ac668996d69aeff96dd9e968c6e0f31010773e4be56f7aae7b32866425541545838274ac934089579b549 |
\Users\Admin\AppData\Local\Sh4si\iexpress.exe
| MD5 | 7e4922fba02f84e550aaba4932097b59 |
| SHA1 | d84aed8d3faf480f7e41e7e5291854793311492c |
| SHA256 | ce49ac77a5536549ea398f53917457918b02857c207b424c23e4ff7e4035a238 |
| SHA512 | f2bbf5dae69ee9a85bdd2258f0b39906e091e0669db6160d8b746eb441237bf32a72c9ffec51b8ad1aa6f337518ff2a6a0dba8f91bf8ef6fb7e1baf33178b254 |
\Users\Admin\AppData\Local\Sh4si\VERSION.dll
| MD5 | e424e5b5f27e99dc7d70641d10633010 |
| SHA1 | 83fc389674aac7d797d1926dbd9510cc66a26413 |
| SHA256 | ecd8875e1034788c812e4747f9a64532aad5142e2173056fb69ba76b6f16cc70 |
| SHA512 | e031594389b6971fa05111c8369062b036a661cc4313040ef4dd6bf30ce97933e190560fb282e2b19ff64cbf8b47387bb0931a06c34aab78cbd4a4016189856f |
memory/1960-124-0x0000000000380000-0x0000000000387000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\IidO\iexpress.exe
| MD5 | f58a4a422453cbde4a28416a42b6f8a4 |
| SHA1 | a991911500174def40026385282f162c15879f80 |
| SHA256 | 7267b1f60c0b24d7554c6edb1a600f36afed921ff1d46654aa1bd2f229d1dd49 |
| SHA512 | 0c0cee49238c5cd47915e234140eef0d63b748ba76aa03692a2e1fc8ffd1607c35ed7f04c179f9cacedc60b4c06bde6167655dd9616f7e99b97421777189ffae |
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\IidO\iexpress.exe
| MD5 | c6ab788e4ffdbf72567f967a696d6de4 |
| SHA1 | 174075b0bf4d2cb25139ad413af9a0b01fae8f80 |
| SHA256 | 2abedddaf86b25562675c636c0abc5d6dd65ddde66b4533ba45927748c434947 |
| SHA512 | dc2bbadd503d2d174c042404d774f26544450aeda58a90b574c30eadb981fba5a2d0015aed90d9085994e7a20299e0a48f4b5abd3a6c9e8749d740aac9870e72 |
memory/1212-145-0x0000000077996000-0x0000000077997000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk
| MD5 | 04b2a26562a12c8d17a9e1ccb05a3979 |
| SHA1 | 03807408d3643b30cc27f0edf73504e4e1f6e3ce |
| SHA256 | 608cc1a569ab1174b426bcac88811c3103920b0dea546bde5369dcf942f74eb7 |
| SHA512 | 0ad9c8866bfbe60639df0c779bf3ba32284b982a887ffbc64b0a211306f56ae4cc9f5e44b9799ac32af59e9c3ccda0201900f2df65faa42c6bfe2b6deec42565 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\kAs\TAPI32.dll
| MD5 | 79b47f8b6428b181596c68b50d5d4190 |
| SHA1 | 1f63e25da12c47289cc91c0c1f673c55911f800f |
| SHA256 | e277c110a0254cf5a0c367a58c10f06a61bcdd51e0adfbe696d6c2aa25fab8ca |
| SHA512 | ade9146ca5b89def6d38964c29e04d96598cce53a462ad02b0662e072a9b308873cf7a7f11d40b35d5f22b30ef4cf8c0439af1e5ec5d4a2c8fe8ff08b3a1eb6f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\Low\dQYhzbi1rd\WINBRAND.dll
| MD5 | 2980575998a8a21f7a1f3fecb4accbdc |
| SHA1 | b9f9060689ad9dcf4a3969de23818a72ea26dc47 |
| SHA256 | 29d34e78b031d33b6fed294738a03fd74a15b0466c4c50a3a2b724267e9e94a4 |
| SHA512 | 7df68c27efb99e2f72eb0ec709f209af41203df55db09aac634944ebf6b16354a1be0f6323e7c1005a0e00fc09a9f0aec331604fc5753d07e22f8fbf5389cf8b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\IidO\VERSION.dll
| MD5 | 6fa2f6f34feeff9da50297744a175815 |
| SHA1 | e9f936f7abc7a05ff93c8809e8d4e9f356abcc76 |
| SHA256 | 3db7789c331823216fcc0b84dc839762877f5ef2f1e7d6302f156bc87655411d |
| SHA512 | 0124167f1411250a32aa71c09da05cfa2fcacb7307ccaf2d9b386f5cbbf8e9eab85581f4e544d243bbc432d50dae1bf302581b764106a22ae842a21014b78353 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-24 08:37
Reported
2024-01-24 08:40
Platform
win10v2004-20231222-en
Max time kernel
145s
Max time network
124s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ScD4cQi\CameraSettingsUIHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\BwtEj9usD\SystemPropertiesRemote.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3iD\msconfig.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ScD4cQi\CameraSettingsUIHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\BwtEj9usD\SystemPropertiesRemote.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3iD\msconfig.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\hI5\\SystemPropertiesRemote.exe" | N/A | N/A |
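The two Run-key indicators in this report (the behavioral1 value Srfjajs and the behavioral2 value Tgnmvdx above) share one shape: a per-user HKCU\...\Run value whose target is a copy of a Windows system binary dropped into a folder under AppData\Roaming that normally holds only data (IECompatCache, SystemCertificates). The Python below is an added triage helper, not part of this report or of the sandbox that produced it. It parses indicator lines in the native-registry format used on this page and scores them on that pattern. The benign OneDrive line, the marker sets and the alert threshold are assumptions constructed for the example; the system-binary names are the ones observed in this report.

```python
import re

# Indicator lines in this report's native-registry format: the two Run values
# recorded in the report (one per behavioral analysis) plus a constructed benign control.
SAMPLE_EVENTS = [
    r'\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\dQYhzbi1rd\\WindowsAnytimeUpgradeResults.exe"',
    r'\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\hI5\\SystemPropertiesRemote.exe"',
    # Constructed control: a vendor updater in its normal per-user install location.
    r'\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"',
]

RUN_VALUE_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\ ]+) = "(?P<data>.*)"$',
    re.IGNORECASE,
)
EXE_IN_COMMAND_RE = re.compile(r'^"?(?P<exe>.+?\.exe)', re.IGNORECASE)

# Heuristic markers: assumptions made for this example, not sandbox rules.
USER_WRITABLE_MARKERS = {"appdata", "programdata", "temp", "public"}
DATA_FOLDER_MARKERS = {"iecompatcache", "systemcertificates", "onenote", "start menu"}
# Executable names observed in this report; a real hunt would list C:\Windows\System32.
SYSTEM_BINARY_NAMES = {
    "tcmsetup.exe", "iexpress.exe", "windowsanytimeupgraderesults.exe",
    "camerasettingsuihost.exe", "systempropertiesremote.exe", "msconfig.exe",
}
SUSPICIOUS_THRESHOLD = 2  # require two independent reasons before alerting


def parse_run_value(line: str):
    """Split one 'Set value' indicator into SID, value name and target executable path."""
    m = RUN_VALUE_RE.match(line.strip())
    if not m:
        return None
    data = m.group("data").replace("\\\\", "\\")  # undo the report's escaped backslashes
    exe = EXE_IN_COMMAND_RE.match(data)
    return {
        "sid": m.group("sid"),
        "name": m.group("name"),
        "path": exe.group("exe") if exe else data,
    }


def score_run_value(entry: dict) -> dict:
    """Attach the reasons this Run value looks like malware persistence."""
    parts = [p.lower() for p in entry["path"].split("\\")]
    reasons = []
    if any(p in USER_WRITABLE_MARKERS for p in parts):
        reasons.append("target lives under a user-writable profile directory")
    if any(p in DATA_FOLDER_MARKERS for p in parts):
        reasons.append("executable placed inside a folder that normally holds only data")
    if parts[-1] in SYSTEM_BINARY_NAMES:
        reasons.append("file name collides with a Windows System32 binary outside System32")
    return {**entry, "reasons": reasons, "suspicious": len(reasons) >= SUSPICIOUS_THRESHOLD}


def triage_run_values(lines) -> list:
    """Parse and score every Run-value indicator line; unparsable lines are skipped."""
    return [score_run_value(e) for e in map(parse_run_value, lines) if e]


if __name__ == "__main__":
    for result in triage_run_values(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f'{flag:10} {result["name"]:10} {result["path"]}')
        for reason in result["reasons"]:
            print(f"{'':10}   - {reason}")
```

Run against the three sample lines, both values taken from this report score on all three reasons, while the OneDrive control scores only on the user-writable check and stays below the threshold; a single reason is deliberately not enough, because plenty of legitimate per-user software starts from AppData.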
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3iD\msconfig.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ScD4cQi\CameraSettingsUIHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\BwtEj9usD\SystemPropertiesRemote.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\71c41494c927e33c33dadf1925c47cd5.dll,#1 |
| C:\Windows\system32\CameraSettingsUIHost.exe | C:\Windows\system32\CameraSettingsUIHost.exe |
| C:\Windows\system32\SystemPropertiesRemote.exe | C:\Windows\system32\SystemPropertiesRemote.exe |
| C:\Windows\system32\msconfig.exe | C:\Windows\system32\msconfig.exe |
| C:\Users\Admin\AppData\Local\3iD\msconfig.exe | C:\Users\Admin\AppData\Local\3iD\msconfig.exe |
| C:\Users\Admin\AppData\Local\BwtEj9usD\SystemPropertiesRemote.exe | C:\Users\Admin\AppData\Local\BwtEj9usD\SystemPropertiesRemote.exe |
| C:\Users\Admin\AppData\Local\ScD4cQi\CameraSettingsUIHost.exe | C:\Users\Admin\AppData\Local\ScD4cQi\CameraSettingsUIHost.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
Files
memory/1568-1-0x0000000140000000-0x0000000140185000-memory.dmp
memory/1568-0-0x000001B9BFCB0000-0x000001B9BFCB7000-memory.dmp
memory/3528-5-0x00007FF95885A000-0x00007FF95885B000-memory.dmp
memory/3528-4-0x0000000003150000-0x0000000003151000-memory.dmp
memory/1568-8-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-9-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-7-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-11-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-12-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-14-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-13-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-10-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-15-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-16-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-17-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-18-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-19-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-21-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-22-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-20-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-23-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-24-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-30-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-31-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-29-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-28-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-32-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-33-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-34-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-36-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-35-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-40-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-41-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-39-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-38-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-42-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-47-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-48-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-49-0x0000000001200000-0x0000000001207000-memory.dmp
memory/3528-46-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-45-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-44-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-43-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-37-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-27-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-26-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-25-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-56-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-57-0x00007FF95A700000-0x00007FF95A710000-memory.dmp
memory/3528-68-0x0000000140000000-0x0000000140185000-memory.dmp
memory/3528-66-0x0000000140000000-0x0000000140185000-memory.dmp
C:\Users\Admin\AppData\Local\ScD4cQi\DUI70.dll
| MD5 | f92f1050d95019205d5f7f87c2d80d25 |
| SHA1 | b86df951973b15cf890a8ba4fbb03d095583529e |
| SHA256 | ba45548f7d48b0cba559cd7137751133dee9c2169a7e055d2861a4f59917e89a |
| SHA512 | 3d47ddb87660c4365eaa91b99082003236179ad948188f3adab2bf3b06ac3f5506cf2801ad8a2aa3d80b3407407236e05dcfca91780a967d9f39b847ee1608a1 |
memory/4588-77-0x0000000140000000-0x00000001401CB000-memory.dmp
memory/4588-83-0x0000000140000000-0x00000001401CB000-memory.dmp
C:\Users\Admin\AppData\Local\ScD4cQi\CameraSettingsUIHost.exe
| MD5 | 9e98636523a653c7a648f37be229cf69 |
| SHA1 | bd4da030e7cf4d55b7c644dfacd26b152e6a14c4 |
| SHA256 | 3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717 |
| SHA512 | 41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78 |
C:\Users\Admin\AppData\Local\BwtEj9usD\SYSDM.CPL
| MD5 | dfef82c0eace71cca863f867aacb9cda |
| SHA1 | 8baa0574d4de5faefd9698d59817e840cb506aca |
| SHA256 | 7ab5f1cf80a172b74faafb21723ba85db97ab1caad5dcd22afce4cac1bd3ad90 |
| SHA512 | a17a4af5ba253b7b7bcfce27260af245e43feffb1bcfc39126ce73702ddf1eceb034578494c662e5d6dcdf4aeadee2880be409ea22c34c819c94165239d0bfc9 |
memory/2404-94-0x0000000140000000-0x0000000140186000-memory.dmp
memory/2404-96-0x0000020513280000-0x0000020513287000-memory.dmp
C:\Users\Admin\AppData\Local\BwtEj9usD\SYSDM.CPL
| MD5 | 9722cb2b36f7d441efcf3b72196e210e |
| SHA1 | 1ae58447b27384adc631eaecda83900ca8eb60cd |
| SHA256 | 79bbe56abdf96a2c37f1253e03b91dafabd5672fdbc0482ddb61ba2035f3e5cc |
| SHA512 | e1c8a743e4668ab74187d22e911ee2ecae4692590df10826b8a94bb3db8821de816ff1155861e99eff37d5c3f61c5dec826b29b4f3f2fc5474ac657748323b08 |
C:\Users\Admin\AppData\Local\3iD\VERSION.dll
| MD5 | 280a008cc497b3756d267e129590f935 |
| SHA1 | f504575191a04be79f51b3bf94d7034559d579f3 |
| SHA256 | 1543de373d133b7711a1bb32e171edef9e0f1f3cb514171b1c708e188619a8af |
| SHA512 | 6efec5e86239e1d82e94f4aadacbd7ebdcdca41b96a0c4e6aaa1402925982103c3f7147c28480670c7db473c087b1259868d00649fc40a9847f446481e519b94 |
memory/5076-114-0x000001FBC4A50000-0x000001FBC4A57000-memory.dmp
C:\Users\Admin\AppData\Local\3iD\VERSION.dll
| MD5 | 1aee5b4955fd78d91f15bdff3a89cc88 |
| SHA1 | b831931db52930b8163bd68b00518a70c5621aa5 |
| SHA256 | 409eca704520ac2423fe0b0b8aa45de7ada4ee964e07e2013de1fdf4848ffca7 |
| SHA512 | f8633404f9b172f9fb0fb8984872998f445dc0b37cfbda0ceebb5185b2edadacb143eaa413f9e8901b993a6789797310f098ddecdc10008656af0d92385d337f |
C:\Users\Admin\AppData\Local\3iD\msconfig.exe
| MD5 | 1dc9e45df7a22351dbe5835170a6a03f |
| SHA1 | a4afb671dd9137e0ff7c7c4775dd9c5131fe4dfe |
| SHA256 | a5967098ed910c84a610fb6bc796fb192dfd116a59e1e9530b037cddbad661d6 |
| SHA512 | 3bbb431a8b671850ad36446e282c679ab0390adff1a7e3eafe6fef720f86531670d760cf5de631f3601d1df31f999c096f7298ec4530c779542751b50e9c627c |
C:\Users\Admin\AppData\Local\3iD\msconfig.exe
| MD5 | f576ed4f0a554be5e398a2d7b311b479 |
| SHA1 | 6220bc8c54a11245d8fd2ff6840ecbf1d1e39bd8 |
| SHA256 | 6e979a8f00f11e4d472af88282fce095998f541f00662085e0e417aca32379d7 |
| SHA512 | f91e1eedb94b99c185e35e8edb4c7040397b1f31a5bed155fe9018858f3d840da9bb83bcce222ff571a8b15d54b41afee6ce1910f6b6b34b23cb75db663cfb2b |
C:\Users\Admin\AppData\Local\BwtEj9usD\SystemPropertiesRemote.exe
| MD5 | cdce1ee7f316f249a3c20cc7a0197da9 |
| SHA1 | dadb23af07827758005ec0235ac1573ffcea0da6 |
| SHA256 | 7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932 |
| SHA512 | f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26 |
memory/4588-79-0x0000026622DF0000-0x0000026622DF7000-memory.dmp
C:\Users\Admin\AppData\Local\ScD4cQi\DUI70.dll
| MD5 | 8c092427a27850dc9a24e96f3e2e6194 |
| SHA1 | 753eaf9238dd26f7076197ffe0833153f5b7b8d6 |
| SHA256 | 38305049e4dc03c426eec8267e625b21f2df4920b0bb94855c07665449604ca3 |
| SHA512 | 4fd1801a3845008af8aed403df9c05e68d350fd48cb752f35b973456fca89d4623942aad84a5a0f2df4d4f5c09fa2398834fbb82dcb5a6eef8e6cf44946d901c |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk
| MD5 | cd0819c619a82d965f36ee93b53e2e5e |
| SHA1 | b91df3556970c43b15260a150cef7dd621c3c62a |
| SHA256 | 4f6cca3a1433386c9be275b6b6ec4b872d84e2ba728cb514dbcb5778cf5eaae9 |
| SHA512 | 9133b873a0226c939229885fc2919f969befecf99b0c6bf9dd73e6de5cdecaefe463046cd498dafd2b2241a3440f7c0027f4d73bfe9d33c791d55347dc8ffce5 |
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\7zAIyhcteJ\DUI70.dll
| MD5 | 43dee0324e066addfb97533de3b2c21b |
| SHA1 | 9e46139a484b0e93b4d062fa0efd82ccad426ca0 |
| SHA256 | f196e624cb7627d4fbda346f215b82c3e4adbbb9df9cc03d9c0a98a2f55ab8a2 |
| SHA512 | 1932487dc84f289948949fc98542235fb438f91c6c7903ac0d26c7bb6c0a7e6ca1ed777ba5796a8555e6ec883b8e51a7c9d73016bb44fab1afc1ff1c56ab2e29 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\hI5\SYSDM.CPL
| MD5 | ab75a06fa6df3c7d7592a7bd6fe1fe4a |
| SHA1 | cf766e66bb1d13a3ce4d0e576de41e7c1e817f75 |
| SHA256 | 4aa91b86986e2be027d32294d0dafab16f9ec1b787b73b0a5aab372cf39fabdd |
| SHA512 | 93708e84d562971f8b93b6c3a28e72f3d23b67f4cb42dbb388556934e11193ee518d1b5e9928ddc2a2d288271fe70184e8d4c077f5db9b133032e077a9684e02 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\QFFMG\VERSION.dll
| MD5 | 82dd187e5474fae89c3f5a71157b0075 |
| SHA1 | e0034fdd7141826f7bcc27cbd6d05d1e45ae2b6f |
| SHA256 | a267c62bddb6b58f7f363c527df7632f4b8ab83b36a9b9b55b196b20dcb6f26a |
| SHA512 | 01343992b1a84e7a0d4ea515d6b49da1195bd9cafa481798ce48181719b113f70615c06b7f8a37475ed8699b9c7d1b0aa758e11c9b9da40992b756199797d0c2 |
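The Files sections of both analyses show the same DLL side-loading layout: a copy of a System32 executable (tcmsetup.exe, iexpress.exe, WindowsAnytimeUpgradeResults.exe in behavioral1; CameraSettingsUIHost.exe, SystemPropertiesRemote.exe, msconfig.exe in behavioral2) written to a randomly named directory under AppData\Local, next to a file carrying the name of one of that executable's dependencies (TAPI32.dll, VERSION.dll, WINBRAND.dll, DUI70.dll, SYSDM.CPL). The Python below is an added hunting example, not code from this report or from the sandbox. It builds a constructed directory tree mirroring those drop locations (placeholder contents, so the hashes it prints will not match the ones listed in this report) and walks it for that executable-plus-dependency pairing in user-writable locations. The name sets come from this report; a real hunt would populate them by listing C:\Windows\System32 on the host and would walk every user profile rather than a temp directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Executable and library names observed in this report. On a real host, build both
# sets by listing C:\Windows\System32 instead of hard-coding them.
SYSTEM_BINARIES = {
    "tcmsetup.exe", "iexpress.exe", "windowsanytimeupgraderesults.exe",
    "camerasettingsuihost.exe", "systempropertiesremote.exe", "msconfig.exe",
}
SYSTEM_LIBRARIES = {"tapi32.dll", "version.dll", "winbrand.dll", "dui70.dll", "sysdm.cpl"}

# Path components that mark user-writable locations (assumption: a System32 binary
# running from any of these is out of place).
USER_WRITABLE_MARKERS = {"appdata", "programdata", "temp", "public"}


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_sideload_pairs(root: Path) -> list:
    """Walk `root` and report every user-writable directory holding a copy of a
    System32 executable next to a file named after one of its DLL dependencies."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_parts = {p.lower() for p in Path(dirpath).relative_to(root).parts}
        if not rel_parts & USER_WRITABLE_MARKERS:
            continue  # System32 itself and other protected locations are skipped
        by_lower = {name.lower(): name for name in filenames}
        exes = [by_lower[n] for n in by_lower if n in SYSTEM_BINARIES]
        libs = [by_lower[n] for n in by_lower if n in SYSTEM_LIBRARIES]
        if exes and libs:
            findings.append({
                "directory": dirpath,
                "executable": exes[0],
                "libraries": sorted(libs),
                # Hashes let the analyst compare a live host against the report's file list.
                "sha256": {n: sha256_of(Path(dirpath) / n) for n in exes + libs},
            })
    return sorted(findings, key=lambda f: f["directory"])


def build_sample_profile() -> Path:
    """Constructed layout mirroring the drop directories from both analyses.
    Contents are placeholder bytes, so the hashes will NOT match the report."""
    root = Path(tempfile.mkdtemp(prefix="dridex-hunt-"))
    layout = {
        "Users/Admin/AppData/Local/8QBgwy": ["tcmsetup.exe", "TAPI32.dll"],
        "Users/Admin/AppData/Local/Sh4si": ["iexpress.exe", "VERSION.dll"],
        "Users/Admin/AppData/Local/LTcJmDDfC": ["WindowsAnytimeUpgradeResults.exe", "WINBRAND.dll"],
        "Users/Admin/AppData/Local/ScD4cQi": ["CameraSettingsUIHost.exe", "DUI70.dll"],
        "Users/Admin/AppData/Local/BwtEj9usD": ["SystemPropertiesRemote.exe", "SYSDM.CPL"],
        "Users/Admin/AppData/Local/3iD": ["msconfig.exe", "VERSION.dll"],
        # Benign control: an installer alone in Temp, no hijackable DLL beside it.
        "Users/Admin/AppData/Local/Temp": ["setup.exe"],
        # The genuine binaries: same names, but not in a user-writable location.
        "Windows/System32": ["tcmsetup.exe", "TAPI32.dll", "msconfig.exe"],
    }
    for rel, names in layout.items():
        directory = root / rel
        directory.mkdir(parents=True, exist_ok=True)
        for name in names:
            (directory / name).write_bytes(b"placeholder:" + name.encode())
    return root


if __name__ == "__main__":
    for hit in find_sideload_pairs(build_sample_profile()):
        print(hit["directory"], hit["executable"], ", ".join(hit["libraries"]))
```

On the constructed tree this flags the six drop directories and nothing else: the lone installer in Temp has no dependency file beside it, and the System32 copies are outside every user-writable marker. When the same walk is pointed at a real profile, compare the SHA256 of each flagged library against the DLL hashes listed in this report to distinguish a Dridex drop from an unrelated application that happens to ship its own VERSION.dll.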