165fb59360683122125271d668cfb28c3ad9502d559e491856005178fb22a254

Resubmissions

29-04-2024 17:56

240429-wjgllsgg29 10

17-04-2024 14:59

240417-sc15wsef8y 10

16-04-2024 14:20

240416-rnxq6sdg3t 10

Analysis

max time kernel
1799s
max time network
1175s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll
Size

628KB
MD5

97a26d9e3598fea2e1715c6c77b645c2
SHA1

c4bf3a00c9223201aa11178d0f0b53c761a551c4
SHA256

e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f
SHA512

acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c
SSDEEP

12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ihmks = "\"C:\\Users\\Admin\\AppData\\Roaming\\mZ1aE\\bdechangepin.exe\""

Drops file in System32 directory 2 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\system32\JTr8\wermgr.exe cmd.exe
File opened for modification C:\Windows\system32\JTr8\wermgr.exe cmd.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

628 schtasks.exe

description	ioc	process
File created	C:\Windows\system32\JTr8\wermgr.exe	cmd.exe
File opened for modification	C:\Windows\system32\JTr8\wermgr.exe	cmd.exe

pid	process
628	schtasks.exe

Modifies registry class 12 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings\shell\open
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings\shell\open\command\DelegateExecute
Key deleted	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings\shell
Key deleted	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings\shell\open\command
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings\shell
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\yc48Owo.cmd"
Key deleted	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings\shell\open\command
Key deleted	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings\shell\open
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3692	rundll32.exe
3692	rundll32.exe
3692	rundll32.exe
3692	rundll32.exe
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3380

pid	process
3380

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fodhelper.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3380 wrote to memory of 4080	3380		bdechangepin.exe
PID 3380 wrote to memory of 4080	3380		bdechangepin.exe
PID 3380 wrote to memory of 4976	3380		cmd.exe
PID 3380 wrote to memory of 4976	3380		cmd.exe
PID 3380 wrote to memory of 1988	3380		wermgr.exe
PID 3380 wrote to memory of 1988	3380		wermgr.exe
PID 3380 wrote to memory of 4480	3380		cmd.exe
PID 3380 wrote to memory of 4480	3380		cmd.exe
PID 3380 wrote to memory of 1116	3380		fodhelper.exe
PID 3380 wrote to memory of 1116	3380		fodhelper.exe
PID 1116 wrote to memory of 3292	1116	fodhelper.exe	cmd.exe
PID 1116 wrote to memory of 3292	1116	fodhelper.exe	cmd.exe
PID 3292 wrote to memory of 628	3292	cmd.exe	schtasks.exe
PID 3292 wrote to memory of 628	3292	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 3488	3380		cmd.exe
PID 3380 wrote to memory of 3488	3380		cmd.exe
PID 3488 wrote to memory of 3952	3488	cmd.exe	schtasks.exe
PID 3488 wrote to memory of 3952	3488	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 1552	3380		cmd.exe
PID 3380 wrote to memory of 1552	3380		cmd.exe
PID 1552 wrote to memory of 4084	1552	cmd.exe	schtasks.exe
PID 1552 wrote to memory of 4084	1552	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 3180	3380		cmd.exe
PID 3380 wrote to memory of 3180	3380		cmd.exe
PID 3180 wrote to memory of 4656	3180	cmd.exe	schtasks.exe
PID 3180 wrote to memory of 4656	3180	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 1156	3380		cmd.exe
PID 3380 wrote to memory of 1156	3380		cmd.exe
PID 1156 wrote to memory of 2100	1156	cmd.exe	schtasks.exe
PID 1156 wrote to memory of 2100	1156	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 1832	3380		cmd.exe
PID 3380 wrote to memory of 1832	3380		cmd.exe
PID 1832 wrote to memory of 4624	1832	cmd.exe	schtasks.exe
PID 1832 wrote to memory of 4624	1832	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 4484	3380		cmd.exe
PID 3380 wrote to memory of 4484	3380		cmd.exe
PID 4484 wrote to memory of 4556	4484	cmd.exe	schtasks.exe
PID 4484 wrote to memory of 4556	4484	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 4440	3380		cmd.exe
PID 3380 wrote to memory of 4440	3380		cmd.exe
PID 4440 wrote to memory of 1588	4440	cmd.exe	schtasks.exe
PID 4440 wrote to memory of 1588	4440	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 4036	3380		cmd.exe
PID 3380 wrote to memory of 4036	3380		cmd.exe
PID 4036 wrote to memory of 2096	4036	cmd.exe	schtasks.exe
PID 4036 wrote to memory of 2096	4036	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 3264	3380		cmd.exe
PID 3380 wrote to memory of 3264	3380		cmd.exe
PID 3264 wrote to memory of 3608	3264	cmd.exe	schtasks.exe
PID 3264 wrote to memory of 3608	3264	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 2044	3380		cmd.exe
PID 3380 wrote to memory of 2044	3380		cmd.exe
PID 2044 wrote to memory of 2896	2044	cmd.exe	schtasks.exe
PID 2044 wrote to memory of 2896	2044	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 3040	3380		cmd.exe
PID 3380 wrote to memory of 3040	3380		cmd.exe
PID 3040 wrote to memory of 4004	3040	cmd.exe	schtasks.exe
PID 3040 wrote to memory of 4004	3040	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 4892	3380		cmd.exe
PID 3380 wrote to memory of 4892	3380		cmd.exe
PID 4892 wrote to memory of 4340	4892	cmd.exe	schtasks.exe
PID 4892 wrote to memory of 4340	4892	cmd.exe	schtasks.exe
PID 3380 wrote to memory of 2756	3380		cmd.exe
PID 3380 wrote to memory of 2756	3380		cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3692

C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\bdechangepin.exe
1⤵
PID:4080

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\20e.cmd
1⤵
PID:4976

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
1⤵
PID:1988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\ISd.cmd
1⤵
- Drops file in System32 directory
PID:4480

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\yc48Owo.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /Create /F /TN "Arqdxytqgr" /TR C:\Windows\system32\JTr8\wermgr.exe /SC minute /MO 60 /RL highest
3⤵
- Creates scheduled task(s)
PID:628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:1588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:1612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:1696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:1676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:1728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:1712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:1572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:1164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:1180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:1792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:5100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:1120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:1044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:1336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:1664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:5008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:1552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:1664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:5048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:4656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:1768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:2172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Arqdxytqgr"
1⤵
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Arqdxytqgr"
2⤵
PID:3172

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20e.cmd
Filesize
231B

MD5
d8f44381d539c26fd9d2d3d43e28ffd4

SHA1
6f3898a189463718f44f2743f8532b7d3222dbd9

SHA256
78af3322ef0612bc6c17e652ef4b21d4122ffc05cfa89c67eb8c989b43cd3531

SHA512
8024603212dd2049a6dc7e671c5fa457c1e157fd4e6d3670a313e0c5d638adbc606d37291dd184ea2fe50d521661e31cf33af4bfefd1574378fcdd36ab4bbc7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISd.cmd
Filesize
187B

MD5
9f6d45f5a02e911706d9fe6ad287d40d

SHA1
64f2432aed0d2f61a71a6c52df1791ff1f534cf9

SHA256
e52204118e00da5136f01de9e425a622126610e3cbdb458ef7ef232632b14a23

SHA512
3db2a588738762db3470bcef213882684dceb8461040fac6465d64145a23d0e2b5dbb6ebf127dd4a5fe91b363ace42271566831cfcda52495c9e82ae67fe6dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YB9CB.tmp
Filesize
636KB

MD5
f3d675272b532fd31b7be4cda8835cdc

SHA1
053e2101ac7691f75f7855ab2b8819053f0a0702

SHA256
b01576a9dab4c7b80cbc6039d7a6d069a55d9692c1e178cb9528d2fd2cf5bfa5

SHA512
6b1f34635656feccb076604396d45f74777c67a210fee553c99801b89ee27d9399ecab46758a58d98b856d47c4aa2facb4cb496c0914cab6e98326b44df7287b

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9182.tmp
Filesize
908KB

MD5
dd3f6dadae1631d053e5d349ff6b3d30

SHA1
0300be83916725077fde0e36a5ef4e6bfd870f14

SHA256
eb016394a03e7dfd9f247cc6419d0251f27f2a2b41d2e0ad5f009feae942ddc6

SHA512
f9e00ff20f76b361e1fee3715ae4cb42210178178d67682bf87e0d5955f08873882d968131cfd96045c2e18f41176f162ffb82c19d26f767537bbbfc7819c2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yc48Owo.cmd
Filesize
125B

MD5
3ee27bfce7cc7db37c9e10298656bd26

SHA1
9aaa0cb104fc03b450ebd7a7eb133d32d81e05ea

SHA256
c809ffb2c43b9ac07070381297fedfa50068c7449ff0759b7477455b78ea3add

SHA512
35af6c86f8e326606505e82d4490b9ef607cdd1329fd864835afb878b548798b8e1da6c1a439fa4aefab4d0e1e8df05d4ccac5d170ac3690bbb5f2a6c5626c22

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ihmks.lnk
Filesize
924B

MD5
8580b779d7ca8feec811e8796dc51893

SHA1
f50bd54d6e17931ed960a4202806722db24dc7ca

SHA256
5592bad24e30431d3975852f54adae6855b4383f919f83c363a75af2337ee2fc

SHA512
692c2332658c302d39d43e295c89c1fc42fb14c68b5306584312c080fea89294a7840e0312273f5a487ad14e78b827786fd37abd7f418bb12fb7cc9f75d509b9

Download Submit
C:\Users\Admin\AppData\Roaming\mZ1aE\bdechangepin.exe
Filesize
373KB

MD5
601a28eb2d845d729ddd7330cbae6fd6

SHA1
5cf9f6f9135c903d42a7756c638333db8621e642

SHA256
4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

SHA512
1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

Download Submit
memory/3380-11-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3380-31-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3380-15-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3380-8-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3380-7-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3380-13-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3380-20-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3380-25-0x00007FF880F40000-0x00007FF880F50000-memory.dmp

Filesize
64KB

Download
memory/3380-23-0x0000000002470000-0x0000000002477000-memory.dmp

Filesize
28KB

Download
memory/3380-9-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3380-33-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3380-10-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3380-3-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/3380-12-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3380-5-0x00007FF8800DA000-0x00007FF8800DB000-memory.dmp

Filesize
4KB

Download
memory/3692-6-0x00007FF872140000-0x00007FF8721DD000-memory.dmp

Filesize
628KB

Download
memory/3692-0-0x00007FF872140000-0x00007FF8721DD000-memory.dmp

Filesize
628KB

Download
memory/3692-2-0x000001E4A36B0000-0x000001E4A36B7000-memory.dmp

Filesize
28KB

Download