Analysis Overview
SHA256
00a23ef486863b29a272d8b4405e375fefa0a629927a9bccd0434886b02c5cdd
Threat Level: Known bad
The file 7968f591e01c7a4a04d2d9c53d667082 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-27 05:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-27 05:36
Reported
2024-01-27 05:39
Platform
win7-20231215-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\SYi\taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\pQ6\iexpress.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3KDM3e\msra.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SYi\taskmgr.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\pQ6\iexpress.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3KDM3e\msra.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\wDV7Jj\\iexpress.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\SYi\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\pQ6\iexpress.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3KDM3e\msra.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1260 wrote to memory of 3008 | N/A | N/A | C:\Windows\system32\taskmgr.exe |
| PID 1260 wrote to memory of 3008 | N/A | N/A | C:\Windows\system32\taskmgr.exe |
| PID 1260 wrote to memory of 3008 | N/A | N/A | C:\Windows\system32\taskmgr.exe |
| PID 1260 wrote to memory of 1312 | N/A | N/A | C:\Users\Admin\AppData\Local\SYi\taskmgr.exe |
| PID 1260 wrote to memory of 1312 | N/A | N/A | C:\Users\Admin\AppData\Local\SYi\taskmgr.exe |
| PID 1260 wrote to memory of 1312 | N/A | N/A | C:\Users\Admin\AppData\Local\SYi\taskmgr.exe |
| PID 1260 wrote to memory of 1912 | N/A | N/A | C:\Windows\system32\iexpress.exe |
| PID 1260 wrote to memory of 1912 | N/A | N/A | C:\Windows\system32\iexpress.exe |
| PID 1260 wrote to memory of 1912 | N/A | N/A | C:\Windows\system32\iexpress.exe |
| PID 1260 wrote to memory of 1016 | N/A | N/A | C:\Users\Admin\AppData\Local\pQ6\iexpress.exe |
| PID 1260 wrote to memory of 1016 | N/A | N/A | C:\Users\Admin\AppData\Local\pQ6\iexpress.exe |
| PID 1260 wrote to memory of 1016 | N/A | N/A | C:\Users\Admin\AppData\Local\pQ6\iexpress.exe |
| PID 1260 wrote to memory of 2824 | N/A | N/A | C:\Windows\system32\msra.exe |
| PID 1260 wrote to memory of 2824 | N/A | N/A | C:\Windows\system32\msra.exe |
| PID 1260 wrote to memory of 2824 | N/A | N/A | C:\Windows\system32\msra.exe |
| PID 1260 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\3KDM3e\msra.exe |
| PID 1260 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\3KDM3e\msra.exe |
| PID 1260 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\3KDM3e\msra.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7968f591e01c7a4a04d2d9c53d667082.dll,#1
C:\Users\Admin\AppData\Local\SYi\taskmgr.exe
C:\Users\Admin\AppData\Local\SYi\taskmgr.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
C:\Users\Admin\AppData\Local\pQ6\iexpress.exe
C:\Users\Admin\AppData\Local\pQ6\iexpress.exe
C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
C:\Users\Admin\AppData\Local\3KDM3e\msra.exe
C:\Users\Admin\AppData\Local\3KDM3e\msra.exe
Network
Files
\Users\Admin\AppData\Local\SYi\taskmgr.exe
| MD5 | 09f7401d56f2393c6ca534ff0241a590 |
| SHA1 | e8b4d84a28e5ea17272416ec45726964fdf25883 |
| SHA256 | 6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1 |
| SHA512 | 7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192 |
memory/1260-61-0x0000000140000000-0x00000001401F1000-memory.dmp
C:\Users\Admin\AppData\Local\SYi\Secur32.dll
| MD5 | dba2f56fdeaa3e8ce90ee1d3649276e9 |
| SHA1 | fdd7e1b898f24809bae38cac86cad107e3315cd2 |
| SHA256 | 45c35b6aab5ff252316fd9d80612b10b1dd78f53e21391425f4f5648ffc69b1e |
| SHA512 | b9274a460706582660b3eceaef75e8a0751709fceef16671bcdd4156566bba3fd8cd335ba1c83e40ee884baf1a92cca29acf48f74177bbcf58c57c5b866e1ca5 |
memory/1312-70-0x0000000000220000-0x0000000000227000-memory.dmp
memory/1312-69-0x0000000140000000-0x00000001401F2000-memory.dmp
memory/1312-75-0x0000000140000000-0x00000001401F2000-memory.dmp
\Users\Admin\AppData\Local\pQ6\iexpress.exe
| MD5 | 46fd16f9b1924a2ea8cd5c6716cc654f |
| SHA1 | 99284bc91cf829e9602b4b95811c1d72977700b6 |
| SHA256 | 9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3 |
| SHA512 | 52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629 |
C:\Users\Admin\AppData\Local\pQ6\VERSION.dll
| MD5 | fda59afd0c6e113db719a9c4bc13a6ec |
| SHA1 | b69a6f1dcf4782c6dda468fde6773732f77e8581 |
| SHA256 | ea26732655b9ed19b15a521cf7055d0d40a8d9035352a5a8976bcbee02d822bd |
| SHA512 | bc9e6d088e0f56ca5b901f30b6dba01baba675b4f9211c5a3bc4f9c58a9f2ea87acd6707b547e1cd150bbddf5a2a5052f93428b9692a57c3926ac612669b3d3f |
memory/1016-88-0x0000000000180000-0x0000000000187000-memory.dmp
memory/1016-93-0x0000000140000000-0x00000001401F2000-memory.dmp
\Users\Admin\AppData\Local\3KDM3e\UxTheme.dll
| MD5 | 2275127c227c413afe1b173506c828b9 |
| SHA1 | 978e60d9cd6c4a890f9a77f9227f25858698d439 |
| SHA256 | a59e45b77d467938dc20568fa55398c245322253d29e85b798fc572814a2ed7b |
| SHA512 | 01ba3a5bbdee791f496514fe23a294bcea3efc1b4e27dd7beba44568f199aec7f18b0e5a619d05a86305f5395b7b98d93e1778af1f43c562cafa13f288cb00cb |
C:\Users\Admin\AppData\Local\3KDM3e\msra.exe
| MD5 | e79df53bad587e24b3cf965a5746c7b6 |
| SHA1 | 87a97ec159a3fc1db211f3c2c62e4d60810e7a70 |
| SHA256 | 4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d |
| SHA512 | 9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb |
memory/2872-105-0x00000000000A0000-0x00000000000A7000-memory.dmp
memory/2872-111-0x0000000140000000-0x00000001401F2000-memory.dmp
memory/1260-127-0x00000000775A6000-0x00000000775A7000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk
| MD5 | 65f1b19c148965d66854fb7ec54500ed |
| SHA1 | 1a90aa720cb26b3eca6e19b91d695d8aec649bf0 |
| SHA256 | 5c2f71c06ed379a1260b5bb651b03f8273edde631bc7c8883843a00740016219 |
| SHA512 | 8e6208e7565fb824c43790d251f6d1755886ba052d30c53c24a0ca55fe694f20248d13e431210ec9c6d2dc40dc73fe2e03bd030607f4a4b617c56a194704e74b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-27 05:36
Reported
2024-01-27 05:39
Platform
win10v2004-20231222-en
Max time kernel
147s
Max time network
122s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\7GMpuEOP\RdpSa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\7GMpuEOP\RdpSa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\hT1PPa\\Taskmgr.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\7GMpuEOP\RdpSa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3472 wrote to memory of 4376 | N/A | N/A | C:\Windows\system32\RdpSa.exe |
| PID 3472 wrote to memory of 4376 | N/A | N/A | C:\Windows\system32\RdpSa.exe |
| PID 3472 wrote to memory of 3160 | N/A | N/A | C:\Users\Admin\AppData\Local\7GMpuEOP\RdpSa.exe |
| PID 3472 wrote to memory of 3160 | N/A | N/A | C:\Users\Admin\AppData\Local\7GMpuEOP\RdpSa.exe |
| PID 3472 wrote to memory of 4600 | N/A | N/A | C:\Windows\system32\Taskmgr.exe |
| PID 3472 wrote to memory of 4600 | N/A | N/A | C:\Windows\system32\Taskmgr.exe |
| PID 3472 wrote to memory of 4976 | N/A | N/A | C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe |
| PID 3472 wrote to memory of 4976 | N/A | N/A | C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe |
| PID 3472 wrote to memory of 3020 | N/A | N/A | C:\Windows\system32\mstsc.exe |
| PID 3472 wrote to memory of 3020 | N/A | N/A | C:\Windows\system32\mstsc.exe |
| PID 3472 wrote to memory of 1756 | N/A | N/A | C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe |
| PID 3472 wrote to memory of 1756 | N/A | N/A | C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7968f591e01c7a4a04d2d9c53d667082.dll,#1
C:\Windows\system32\RdpSa.exe
C:\Windows\system32\RdpSa.exe
C:\Users\Admin\AppData\Local\7GMpuEOP\RdpSa.exe
C:\Users\Admin\AppData\Local\7GMpuEOP\RdpSa.exe
C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe
C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe
C:\Windows\system32\mstsc.exe
C:\Windows\system32\mstsc.exe
C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe
C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\Taskmgr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\7GMpuEOP\RdpSa.exe
| MD5 | 5992f5b5d0b296b83877da15b54dd1b4 |
| SHA1 | 0d87be8d4b7aeada4b55d1d05c0539df892f8f82 |
| SHA256 | 32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c |
| SHA512 | 4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6 |
memory/3160-62-0x000001FA3B700000-0x000001FA3B707000-memory.dmp
memory/4976-78-0x0000000140000000-0x00000001401F2000-memory.dmp
memory/4976-79-0x000002655F600000-0x000002655F607000-memory.dmp
memory/4976-84-0x0000000140000000-0x00000001401F2000-memory.dmp
C:\Users\Admin\AppData\Local\6EJeq90wu\credui.dll
| MD5 | 3bcdc623cdce76e61ee2ebb00172632f |
| SHA1 | 6c71e446b281d936950f709eb55f9d41d26e95a8 |
| SHA256 | 5ed787a8fc60e02a4e39af5af7af2b3106cc8259c88a561c94473b4a6f7a732b |
| SHA512 | a8c387b294d0da8efb50a802a15b7500389e76b438e347f325ab8dc6c9753f35e5e04aa7dc16f1f3c6ef8fc18eea5dfa675d5cd4d89d63f29ef89ce330455f8e |
C:\Users\Admin\AppData\Local\glOyVHOM\VERSION.dll
| MD5 | 66aa0c66cdf33b01b2d24144003b4512 |
| SHA1 | 2fc004d13c12225680ce402e7131950f57c46f97 |
| SHA256 | 6c5b2cb6ba9f81798cf519ae2a48803aeb06bc5d2daad3bd03b4593df127b2f3 |
| SHA512 | 22fe22cc7ee620eb5ce0aaba0f51ef3c317f3660ed2c69d8e6ee9124aa82674440b88a61aa5aeb3a68c5d167944df0f643e44b6819054559daec6b3323e1db78 |
memory/1756-95-0x000001CA3EC70000-0x000001CA3EC77000-memory.dmp
C:\Users\Admin\AppData\Local\glOyVHOM\VERSION.dll
| MD5 | af845f23646a5b7cf1442a5bd007b86c |
| SHA1 | 3c1656b6a5d5f7405af85b3ae2f8dcdbb0fd20cf |
| SHA256 | 1aaec93d0522117af33476ac582daed081f5f6d0d8bc6664f3704887d17978b5 |
| SHA512 | 71fde2009ae3f68d4c704a7162dd7b9642314bae35d9bcb8e6829df81f8cbbf5ac9cfa7a59adf585d305ae6ae8e21c1e61fbe2ed5d0538ccbf3093c2f22b65c2 |
memory/1756-101-0x0000000140000000-0x00000001401F2000-memory.dmp
C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe
| MD5 | a789b5b578ed10d31fa4b9ff98adf2b6 |
| SHA1 | 010a7cd4b12bcab656c0f8c3b0cf4e77b5ea1a46 |
| SHA256 | 9099f5dcf5f53572fdabbf6d12ce9515ba1f2fa89369be12900a1a0dd244b494 |
| SHA512 | b978f736b2cdbad381b179d4c24c28d5d841ab7d04926d3863cf764f5360c27f1bfcbf9ed113fe9557b00ede9c7d12aac8cc41ad607ddf8cd41c61cdfafff9a3 |
C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe
| MD5 | bfa99bd8a693a6e090dec1f56a78a2bc |
| SHA1 | 791c1bab4bf016368d38def7fb788d75f1cd4d52 |
| SHA256 | 133893f9757f740ff7eeefbeba5db6a22ca4dc48da6c264acbb175e8f1294509 |
| SHA512 | 2963615a252d4d405c4bbc6cc7914be34839a4b2f092e5c29c5e1069cddad94b01a478353af61c678e1c19a31f5ecba9fa92b86ef4fcb654c2ad083cf57aaf12 |
C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe
| MD5 | d151dec7a4474bac9c74d995bb23aab5 |
| SHA1 | fb21b02a2cb62f7c1e75d5cb4892794c393d024e |
| SHA256 | b3853b47475ee8e54f750d8fe30c6e6d62e83db46012f2e7a393e51fe9fa811d |
| SHA512 | e75b6cb49353357ddd7530fd285e9d197926bfe29254c1a4323110ad608684f2333107393f37504978f2a07a608f7ce1e6af17e93507fedf358934ad559ec21d |
C:\Users\Admin\AppData\Local\6EJeq90wu\credui.dll
| MD5 | da5b1956e5ed121e0b85bdb441bc0375 |
| SHA1 | edba9f515fdc85bec1801cfc540a8f03cce0c3b5 |
| SHA256 | 9077cb97a0600dfc69cf803c56587d2b71e043804942a73546a74022a13a0fe6 |
| SHA512 | 493393ee3e4df034d651a1f9f7dff73a8e6e75bcc432dddb731e5b1114bc0c5b55e8694779cbcfde2eb39552e549c6cac2328416b04c535d58715cb78ca405f5 |
C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe
| MD5 | ba4df2e7cda214b318acd0a2f619bc68 |
| SHA1 | 9ea8b8aec96e725e1411c37c325cf4dbc874802e |
| SHA256 | d9a76aa0ed696031ef8d1aa45e7721b1a4901a345e0128090f5c5243f725af36 |
| SHA512 | 965ed7ed9aab11d63764d15fcf055a17d662116082437fc58c0cd992f327d102cf6d60caf6f19e40bdf85564c20b7c34d6df860a6c4cf2361062a393023722d3 |
C:\Users\Admin\AppData\Local\7GMpuEOP\WINSTA.dll
| MD5 | 8eadc5168ad087530c70f483363d60d4 |
| SHA1 | 0bcb3acf63a92ee1ed469a489631ebd61054f8c5 |
| SHA256 | 7e02b02c71039b7714064bceabd416758ad1ca3f211be928d4c0a7fdee1561f4 |
| SHA512 | 37724bd31d488121d51f0c851a43c001088d93b9c24087c66fe6d610855df975ba7926d97fd269cbbe0c5ba626816d4f59af1a7cbc21239e79f80c6cc2ea9810 |
C:\Users\Admin\AppData\Local\7GMpuEOP\WINSTA.dll
| MD5 | 9b8d5f33c847938b3bba5437374d1ac2 |
| SHA1 | 2a1c9cff9dc47e0e3f96e5f256a2b3e5e2a5e4be |
| SHA256 | c84214609f66f9c09d359a05fed610db4af4a564af2249fa562a6b645e47769d |
| SHA512 | e7190abd3f9ffdf070e0b73d36d3f892b08621a3bebf675e58a4124bfc7c5318d1967c4d61636bf9591ec9346afcd2abaeb8db28c0026b3d630235ece722a12d |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk
| MD5 | 1c9d31f7b53a9a57bfd66ac004a055d4 |
| SHA1 | a2490bdd9933a2abbbddbac10a27ae99a8c2c456 |
| SHA256 | 0c0f980af1d8ec21185e3be35c1db8f62c47c24b690d74c95d99261ef3f9c0c1 |
| SHA512 | cf1f373aba37024b51688ae568624b2b7cb3cf37edad4c4af27bedb441ff94a7e8830b388ed32f6bfd730861b8e47ff25616105fb9a7a00ab4a3c22e38a43a21 |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\78Lv\WINSTA.dll
| MD5 | 0c075860d8a3a1db2b481c8d52a0dbfa |
| SHA1 | 88ea911bef105668ff00ead3d2bdba5f9b9eb532 |
| SHA256 | c83a3973295b475a94e358536cefa9455eedf05e46a6a3754ce01dbbc78ce869 |
| SHA512 | 5715761af43d3930f28de9a1034f7c6c743b97d046fe5fc6916e65b2846fbd7e1f51c1876c9a48086d72858edb49d361a4aa20f2c27d4961173e9d3e3074a4f7 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\hT1PPa\credui.dll
| MD5 | cf334860cff3fcb18b627eebfd497f0b |
| SHA1 | 8bcdb7cf473d4e684dd539ad668547cb8b7390ce |
| SHA256 | aea7a8c764b3194fa69c3f5ced7e701c3ac8e1bc03f8731048a1ac97cf054c55 |
| SHA512 | fb1639573076e9689f5ef8317d8858641d97cbc23d9762d2483c984c7d3b670cb3dac304958c287a7000e79e7d4272203f5a52619a2cc8d2f0fee897cd553b25 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SesmRCj\VERSION.dll
| MD5 | 07f7b67cebd6ade6b49ba150217c1d08 |
| SHA1 | 8548b8a60091b1dfecb761101cf8c8ab5e4cfddb |
| SHA256 | 243c1cf15886c8c1e92b1d9a423d8c7414112ce30aca16565c9db02fb0c8b79f |
| SHA512 | e479ae2f33ee3c6b738e2acdcc438ee04fe02b01cccfe726f946243eb5a525000e4134da84a1607e30ca2d9286e409018549a5e1a9ce3847fc6683af49f01ae6 |