Analysis Overview
SHA256
297b30d04329d60ca335b82dd1d813b21d884fe642e602b61a9314501ad69782
Threat Level: Known bad
The file 82db4107f6e131cd91a70e918dc4bfb2 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-30 23:29
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-30 23:29
Reported
2024-01-30 23:32
Platform
win7-20231129-en
Max time kernel
149s
Max time network
117s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\CF0VXO~1\\DEVICE~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\82db4107f6e131cd91a70e918dc4bfb2.dll,#1 |
| C:\Windows\system32\ComputerDefaults.exe | C:\Windows\system32\ComputerDefaults.exe |
| C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe | C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe |
| C:\Windows\system32\DeviceDisplayObjectProvider.exe | C:\Windows\system32\DeviceDisplayObjectProvider.exe |
| C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe | C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe |
| C:\Windows\system32\BitLockerWizardElev.exe | C:\Windows\system32\BitLockerWizardElev.exe |
| C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe | C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe |
Network
Files
\Users\Admin\AppData\Local\m2cq\appwiz.cpl
| MD5 | bf730a89e3f78d94db9935ddfdf84bc1 |
| SHA1 | 3d24069067f920801ab4beb378f9369ff2d2d0ca |
| SHA256 | 36e98fd33a1412f8b9428805a672d45d6a6bcc90799d8d5f15f42f5076287f1d |
| SHA512 | 6e27a68c10093610cbb002386f80a139a1d81b753cf9b7711a21407f3ab50a1b0e1e22a3424e203e453fe2a3ca1d1a2c30e7946d218ab94295b88a3f7b11e0b1 |
C:\Users\Admin\AppData\Local\m2cq\appwiz.cpl
| MD5 | 4a460c513cb5b5d541745ebdb7c24a89 |
| SHA1 | b7229290b0330bda1d2d36bb38a53eea385dee08 |
| SHA256 | ef1048eef6d240573e6cfc0790e4b64b57f6d0c89417af361d705ae011ab7d9b |
| SHA512 | c2e46b421b0c71c95cba66043fc5fc92a058354ffc514b448b00b3374273c141dcaae6b0931b6cc103a1042d54ec8e61ca39bbcc8d9702c9a2bac39fcec11b2b |
C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe
| MD5 | 86bd981f55341273753ac42ea200a81e |
| SHA1 | 14fe410efc9aeb0a905b984ac27719ff0dd10ea7 |
| SHA256 | 40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3 |
| SHA512 | 49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143 |
C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe
| MD5 | 1fffd5db902c6bdaa7c56ee780fe9fd3 |
| SHA1 | 3ad853969142f78835904de5aba74fa0ce1411b1 |
| SHA256 | 2d5b4f609429806763f48b5fab64181f00e3fb60d30eeb3fd859c0598dbbee8c |
| SHA512 | c215ccdf98d9ac47986062528d159554e68265688534d8bccd4484e6e99d1e8ba5e471a9c68a1fd8cd1fcac19ff03cd3e04a2215a8cd8e62a4a8b2a2bc8146a2 |
\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe
| MD5 | c96c8854766f7b5d314e5e5cb9dd37cd |
| SHA1 | 6a280be3746f052e01797d4b7b1aa12237421b50 |
| SHA256 | 5b387569e33d1c5f6c100410bfa8346152fdc726fb894fb73315e5f17c6925d1 |
| SHA512 | aca48cd23524efde0c3975a394388fc12e578db974e1580737cda90d0c8d78edc1137d76fe82b2988f68bdc13a46f9c8c2c96bb3315a151ca63003e7175d70d6 |
\Users\Admin\AppData\Local\rMqp\XmlLite.dll
| MD5 | 9086b275455f1233c77e2cb7c4077a7b |
| SHA1 | 016732a992c478559c7a92ae94b4f3cf7dee3bdd |
| SHA256 | 394cfeb66285fc5e967dc3d05b60040c779bcc0d9f6e0556e18d1db4b1a4f637 |
| SHA512 | d8d4fe290bd1eed81b04176bb2ced296880f85e9de7a2411773f27902f80a5b94c49d86193531b52fcd5ef6a725995181f217c1a4d7eca2f9c1be2b44652aaa2 |
C:\Users\Admin\AppData\Local\rMqp\XmlLite.dll
| MD5 | f9a79479fd303e74edca6b9079e9c839 |
| SHA1 | 858b42b3f50fd24c7ce0754938e9d11dd53cbb20 |
| SHA256 | 6ce3304366db0370ef22360320caa549360b429fb765088be6e6b7327df6f037 |
| SHA512 | a1e5229bdb3f08206c0c040d8f23b9ea87924d6eeff36fdc2f2ef86453f68e2fa3445ba043046ce6a46342aa3d30a82e44cffb230e621f1c8648ab48b28a5b9b |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\cf0VXOVMXTd\DeviceDisplayObjectProvider.exe
| MD5 | 7e2eb3a4ae11190ef4c8a9b9a9123234 |
| SHA1 | 72e98687a8d28614e2131c300403c2822856e865 |
| SHA256 | 8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0 |
| SHA512 | 18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf |
\Users\Admin\AppData\Local\AMsGPi\FVEWIZ.dll
| MD5 | 3367dd81b65c54db5d91bd476cb519bd |
| SHA1 | e23863b6e28a3f0969ba7f04ab0e871bac73b9fa |
| SHA256 | bc5036db87108d2e6259b3fe00e034b3d64ae837e8849a05aa64cc7babda1349 |
| SHA512 | 6e77ea682275b87c6b59678aa1997df6ffa935cd0a21fb30af9ccc7bad4043500333515c0df10cec8db17b7320ac74a81a70c769ca2d406763c0d50ba60e864d |
C:\Users\Admin\AppData\Local\AMsGPi\FVEWIZ.dll
| MD5 | 2be30f81b80bb026c2ad98a21fcfc7e8 |
| SHA1 | b9f42f38573d1b1da8b6a3ef954010b87daab7d8 |
| SHA256 | 75e841b8d111057de153bdffff1cc0f3770c33aec4aa8b4f1de59ab5dab0cb00 |
| SHA512 | 7de186b7f58cb2ce92db4a2838d32d16d1a4bf4ded4fdd5fbea085a7bf43214cebbbac954c3d3a93758b9ddcd1a6881667424b529d1b8daa023352094405d7a3 |
C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe
| MD5 | 73f13d791e36d3486743244f16875239 |
| SHA1 | ed5ec55dbc6b3bda505f0a4c699c257c90c02020 |
| SHA256 | 2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8 |
| SHA512 | 911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af |
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EYSJKQKJ\IkhM45LsJ8\BitLockerWizardElev.exe
| MD5 | 0bf47230134131e29b6882da88f46ba8 |
| SHA1 | 7f8e57a2e713016a133fe5d753af670042677515 |
| SHA256 | f39bb73e7eb0c9152883471835f4c8053b85ade257b7e05b6d79ec55cf0b021f |
| SHA512 | a285de5b15adcf66b522dc31c98d09de8f2ea9097c4f0e82bb2df42f17b17186d7bd13c5c524428ec50ccd3b720956edb71dc06ba04bdbcbc2cedde9a82ed980 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk
| MD5 | a1c097ca2d2e8f14e3856435a0d23a89 |
| SHA1 | 6fb9a5afba99bb0590ccdc841a07d624c2112362 |
| SHA256 | 93bcd20ad967694bdbc0bc1eb89f232fc251a51b8ec30abc2b24c458df2f8ed9 |
| SHA512 | 31a20150a14a28ae4560a1e7fa2affc9bb71338023878034c52a7a85ff7dc2d2cb93ea387770c0ea6073870e7d4f600dbc2f0c65f94d7b26cd06daa0f15daa44 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\iLNrb5lZyS\appwiz.cpl
| MD5 | 015c38842e81e36f68ccea31cc835480 |
| SHA1 | c29a109d93b15cb1361af74fa32b54825ade7c54 |
| SHA256 | 160e230daf82dc4f482307c504d47e5aaa3a1d1083e033dfbf241bf9fd584d4a |
| SHA512 | 0feb506770be4bce18e967800cb6d531a37aeb6600310fcd187533c425db0af8d1cf0775641b96bf084c29d6b5887fcb1f87fe4bb14343bf084608196889d301 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\cf0VXOVMXTd\XmlLite.dll
| MD5 | 7e0da16b846a6f71d494e4548f610a6a |
| SHA1 | 0987f9ae66ea08d766933d82e7c1371b8336d0d9 |
| SHA256 | 6f00969e209f70c997c1440b13be99dd2a17cda19c0d9a36a437d3edba061cbb |
| SHA512 | 36771851af2245c96b304139f3235e4df453c75a5031dbe2a7ac054a8207b46fd03cac8ddef1799418864bd04ca254f5ad6e2814b8b9ac5876b004d374cf7542 |
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EYSJKQKJ\IkhM45LsJ8\FVEWIZ.dll
| MD5 | 1387b1b0e64d26e71f7feae51b049b0d |
| SHA1 | da653da74e8a9da940864017659bd92c3c540532 |
| SHA256 | 962396dddb441d5b43a19e038722091806f945a8cce79a082971f24656a829ff |
| SHA512 | 31f116a9d034651f5b1d89aa7dd7fae44184f0c63ac9e433316b07ca873fdb726ebab96939fbd2f57c34d70a7e5e48a1c5124d85ad2372fdb974b9c8ce0e595f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-30 23:29
Reported
2024-01-30 23:32
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3n0LOro\slui.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3n0LOro\slui.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\VO9Pe2\\MusNotificationUx.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3n0LOro\slui.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3392 wrote to memory of 4312 | N/A | N/A | C:\Windows\system32\msinfo32.exe |
| PID 3392 wrote to memory of 4312 | N/A | N/A | C:\Windows\system32\msinfo32.exe |
| PID 3392 wrote to memory of 1008 | N/A | N/A | C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe |
| PID 3392 wrote to memory of 1008 | N/A | N/A | C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe |
| PID 3392 wrote to memory of 4764 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe |
| PID 3392 wrote to memory of 4764 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe |
| PID 3392 wrote to memory of 1484 | N/A | N/A | C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe |
| PID 3392 wrote to memory of 1484 | N/A | N/A | C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe |
| PID 3392 wrote to memory of 4376 | N/A | N/A | C:\Windows\system32\slui.exe |
| PID 3392 wrote to memory of 4376 | N/A | N/A | C:\Windows\system32\slui.exe |
| PID 3392 wrote to memory of 3068 | N/A | N/A | C:\Users\Admin\AppData\Local\3n0LOro\slui.exe |
| PID 3392 wrote to memory of 3068 | N/A | N/A | C:\Users\Admin\AppData\Local\3n0LOro\slui.exe |
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\82db4107f6e131cd91a70e918dc4bfb2.dll,#1 |
| C:\Windows\system32\msinfo32.exe | C:\Windows\system32\msinfo32.exe |
| C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe | C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe |
| C:\Windows\system32\MusNotificationUx.exe | C:\Windows\system32\MusNotificationUx.exe |
| C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe | C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe |
| C:\Windows\system32\slui.exe | C:\Windows\system32\slui.exe |
| C:\Users\Admin\AppData\Local\3n0LOro\slui.exe | C:\Users\Admin\AppData\Local\3n0LOro\slui.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.162.46.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\ETb9oF\MFC42u.dll
| MD5 | aed8988e35f05063b928a88f8fcd708c |
| SHA1 | b26042d06d73bc0430ce041ea3f913e1f396df3f |
| SHA256 | 047911a6ade8398496049caab8a5c2b1742d55f48968c11ddc545777af11f249 |
| SHA512 | 2efbc38985950099a8b02e0a730937e12464d4c36fa3bea04916ffb909935d08215b2e3cd72b017b697ed9c6630b042fab3bfd2d40581d60479e7400901bf521 |
C:\Users\Admin\AppData\Local\ETb9oF\MFC42u.dll
| MD5 | 0328f872e56e03d431511b816bafdaa5 |
| SHA1 | 7c909e864144d88156fc17c9b8786a2f16168bb7 |
| SHA256 | e2a0a81c3951f9453c4cecb6087a51926b07a2d6d41379934af124b1bcb3256e |
| SHA512 | 47394a42af1555a8edf82c18fc68a840e958bcb4b191ff5f57152044a0a065d68d3540df897a39b19b5b94429161e31b904281796c1a6e4e24b703a18a2044e7 |
C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe
| MD5 | a31dd2bf8868f96e8e4da799b3c5efed |
| SHA1 | 669ebd8fce571337106619a95455b20fceaeba04 |
| SHA256 | 9a1241c18510db5a3378143ca2381e61344de975784e348b166180ef8daa5e80 |
| SHA512 | f8df5d64d4459bbb1ee62bad65fc8f5b6de280edb3e4c8251604b93b330572146148b1a8da02b3409ae61f9c2d7a5dfc4b4cfb9e0e718db5a0ca1c3be18243c3 |
C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe
| MD5 | 85ac749bb1b114cce683f3ec15f4e548 |
| SHA1 | d6157ec509d2d3fb138f5a4b4c39b4df5ae00c97 |
| SHA256 | f014450fa8d4ccbd171997988a40848f081292e1971f8a6bacf229dc59744c16 |
| SHA512 | 50ae04abccc807a6f4d2bdf4014ac9631cba47d4d9ebbd61aba327e74d2827bf7c9fe096dfe32b910893bc256eb523e6daa22f47637cfa0bd663076d0cad5434 |
C:\Users\Admin\AppData\Local\LSxc\XmlLite.dll
| MD5 | 51efdb3baf5676cc76272bfa7c27827f |
| SHA1 | e8d6da2c8f0df8c03ef37812b5c0e8afcd10f900 |
| SHA256 | ab2dd218c7a94e951c87b066741171b21871882e8bc05f9b5f93fc0b151ab82c |
| SHA512 | 75d88cbe1c33346a3ba0a9119fe4468cb13a59d20db81022455fc54b038542a59df216c61f7872e767104aeb2081bc867c5873d1739cc94e613c29841840cf46 |
C:\Users\Admin\AppData\Local\LSxc\XmlLite.dll
| MD5 | d1dcac7fbc53da70821f2e6cddd3aab7 |
| SHA1 | 8618b0294bf6902075f91096ad9c3dc39ef9d1a7 |
| SHA256 | 67a0688cf98d2691014fd1b807bc832deab5bd32e83429f02138f654e5fc7311 |
| SHA512 | 843de3e08f004a3dfac90931400585f500cb3522fb6f8c39a17f384d6af4c2f8283084fa787c900ae58a536d1bf7c8b581ca4279123722649bd27a4e10191dd8 |
C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe
| MD5 | 270a4f431525a7368784707bbe0b438a |
| SHA1 | 993c33261fb6f4957418cb058b11c204e5f7f83c |
| SHA256 | 4ae2a9c5280b042c2dd6cf75f58b389838600cffa4362e55f224e9ca35f413a3 |
| SHA512 | e3f35c1c40fc96e296ac0fe80abd7c260642727a05be921c1c7884ca6dbdf2f05008bfbe9ba71c31e1c63b64ef55ae43dd2d4b0b52fa051f5661fc253beaa485 |
C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe
| MD5 | a3f58d7cff2631a3bd997e11c93ff494 |
| SHA1 | 1d574e7628728c95c2771a95f83cad8e33f08477 |
| SHA256 | 7a5ea80a67ddc4c68cf99e206452fb6b894f7f11479cc56b24d4f912010d2b60 |
| SHA512 | 8f574e2ade7a6178b2889b78f147a64722c7249de85e4ef1d8feb89a3b13d5ddbb6a9307edc8c293e519b6bb3e41be27bae784a26d336ee4fdfdd8d668a964d1 |
C:\Users\Admin\AppData\Local\3n0LOro\WTSAPI32.dll
| MD5 | aab395b3713100e89968143e6660d35d |
| SHA1 | 3401423701e8f003683cfda11376e224f17219e7 |
| SHA256 | 2861ea6962e3d0e73a4aa6376d29a487aebeeb419e3bf9ddf6d7a9b6503ed4d6 |
| SHA512 | 31fe9bf069e7192e62dcd1ee71c273c041b242f7735f45f3666fec88dd9b8adc850b750ba6f2614be7a93c4fff6d4a99c4363a5f96605221add0b1bf7ae0db5f |
C:\Users\Admin\AppData\Local\3n0LOro\slui.exe
| MD5 | 985e280b5f1a4e8c3d9a2488141f33da |
| SHA1 | e487e8db6d6b4cdb265ee645cc3c115297d4a8bf |
| SHA256 | bdb1ad1ce7a7b4d755c05bd9e8406a4b86bd7909e17e469f4dd05a2bb459654a |
| SHA512 | 1152466037a41791ed3555566fa1a0a95b8ac07df090bd47356bac8d9372e4ee689c129c436c7a3e0a2afb9924c261aae652e11f5bf86bc418f90173a8668b5c |
C:\Users\Admin\AppData\Local\3n0LOro\WTSAPI32.dll
| MD5 | e66e436895e57e36c87716f377be5c73 |
| SHA1 | 80545353a7dcb288ccbbab4ae39b80206dcffe76 |
| SHA256 | 62e3232323b8e0ce851e7c931c45eabdcc88b4b935ce8a05771bc817566cefa9 |
| SHA512 | 6de6d76d9a9ed8125564c16e63470d6394250c047d3cdd99c97abe579eec53921ea74a470b2768233695aff7462fd6a85983358e25cf97ea76035b39465554e7 |
C:\Users\Admin\AppData\Local\3n0LOro\slui.exe
| MD5 | de50f3cd9d2e00d1f010963cf90471dc |
| SHA1 | 410e4f258916a40c146f7a341ae53cc624ae3b56 |
| SHA256 | ef072f41d0973cbeb251e721bb35fc6ffde04824f3e9bdbdda6901c057dfc294 |
| SHA512 | fd7d2ffd6c2a87b02e38ca1ce735f42cbecbbe9e6397a4a83ecf0626b145bcfdd3fb36823082ca259692db5c218f7d7f3bd3c8c9d2bd3f138c37cc152e3f33a2 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk
| MD5 | 0862b73d5c2ac2616453a66be3f9ce93 |
| SHA1 | c2c69b4107d61641c253027548a0b26fd1c39aa2 |
| SHA256 | d7b31e9d67250c2145e103acd9fac29faf3b2d5104395a60765faa31aedb1f07 |
| SHA512 | bb042ec82c4d63c067f5e113381d417249a7fd057e7e556f02237e85ec4a28703b96da4d807594a0584331e4fb634180e91378bdad4994cc5728c141847201eb |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\Jy5vuk5G\MFC42u.dll
| MD5 | 43bf94dd5a162e83cf4acd8db1c915fd |
| SHA1 | e9afd1847746851722ae05b030b96b8edebb10b3 |
| SHA256 | 6550eca6923c644d6accfb896bb085522a7d9dbbf468695182b95beba3aa3d3f |
| SHA512 | 418370019f8f44dc475bbaebf33263bd5f73de417e656854e2a64e44c1738ab2e1b41f9966dca0f242bc47e7edeff02a5b6c96bac1eedf0abc205d7a24314088 |
C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\VO9Pe2\XmlLite.dll
| MD5 | 045b2896f94f4f10a4863f7e09aa9c09 |
| SHA1 | 0cf695742d107d544c3c41e5c8debe11e9c96f47 |
| SHA256 | c71d16a5b71de29c5d2dff9df340044bc038329c44949e7aaa3ffd78ad4e4d77 |
| SHA512 | b0fb4850b59d2c35cc5785465673cae149cfb43de393e1d8f899fc5a3492fbd8cd4619bd6e244dd3839b36c4fe22ef47eadb76862a15ec690913fc0c9c9c6f7b |
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\nb2H8mUe\WTSAPI32.dll
| MD5 | b845a2df799155ba80eafae496796b04 |
| SHA1 | 62805690f4cd9a13711529d72cacd5d359db3cbc |
| SHA256 | 961497d529a1d85b61e0d0eb35a37c587d40e30875f8632f16fb921a58565e56 |
| SHA512 | 4e139803559bdfa8f8fbf606b9dc43969580a09bd22777f759362bb540f7f68138b54395182f0d80932fa02b72fe049920847f4a09667861452b65ab20749c92 |