Malware Analysis Report

2024-11-30 21:26

Sample ID 231228-fr9pcsebdk
Target c60920a9c292aa669035396b03965a08
SHA256 4e37a17479c456a66c1b5bbc8204e65e2a7049852836df593d3cffad7ea546c9
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 4e37a17479c456a66c1b5bbc8204e65e2a7049852836df593d3cffad7ea546c9

Threat Level: Known bad

The file c60920a9c292aa669035396b03965a08 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex payload

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-28 05:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-28 05:07

Reported

2023-12-29 17:15

Platform

win10v2004-20231215-en

Max time kernel

154s

Max time network

163s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c60920a9c292aa669035396b03965a08.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A (8 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3073191680-435865314-2862784915-1000\\YbbL5OVY\\msra.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\a1Ac\dxgiadaptercache.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\EP6w\msra.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\XuPoT1\msconfig.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A (60 identical rows)

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3520 wrote to memory of 3500 N/A N/A C:\Windows\system32\dxgiadaptercache.exe
PID 3520 wrote to memory of 3500 N/A N/A C:\Windows\system32\dxgiadaptercache.exe
PID 3520 wrote to memory of 3800 N/A N/A C:\Users\Admin\AppData\Local\a1Ac\dxgiadaptercache.exe
PID 3520 wrote to memory of 3800 N/A N/A C:\Users\Admin\AppData\Local\a1Ac\dxgiadaptercache.exe
PID 3520 wrote to memory of 1068 N/A N/A C:\Windows\system32\msra.exe
PID 3520 wrote to memory of 1068 N/A N/A C:\Windows\system32\msra.exe
PID 3520 wrote to memory of 4700 N/A N/A C:\Users\Admin\AppData\Local\EP6w\msra.exe
PID 3520 wrote to memory of 4700 N/A N/A C:\Users\Admin\AppData\Local\EP6w\msra.exe
PID 3520 wrote to memory of 4384 N/A N/A C:\Windows\system32\msconfig.exe
PID 3520 wrote to memory of 4384 N/A N/A C:\Windows\system32\msconfig.exe
PID 3520 wrote to memory of 836 N/A N/A C:\Users\Admin\AppData\Local\XuPoT1\msconfig.exe
PID 3520 wrote to memory of 836 N/A N/A C:\Users\Admin\AppData\Local\XuPoT1\msconfig.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c60920a9c292aa669035396b03965a08.dll,#1

C:\Windows\system32\dxgiadaptercache.exe

C:\Windows\system32\dxgiadaptercache.exe

C:\Users\Admin\AppData\Local\a1Ac\dxgiadaptercache.exe

C:\Users\Admin\AppData\Local\a1Ac\dxgiadaptercache.exe

C:\Windows\system32\msra.exe

C:\Windows\system32\msra.exe

C:\Users\Admin\AppData\Local\EP6w\msra.exe

C:\Users\Admin\AppData\Local\EP6w\msra.exe

C:\Windows\system32\msconfig.exe

C:\Windows\system32\msconfig.exe

C:\Users\Admin\AppData\Local\XuPoT1\msconfig.exe

C:\Users\Admin\AppData\Local\XuPoT1\msconfig.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 65.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 183.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 199.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 56.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 64.134.221.88.in-addr.arpa udp

Files

memory/4888-1-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/4888-0-0x00000263F7EA0000-0x00000263F7EA7000-memory.dmp

memory/3520-3-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

memory/3520-5-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/3520-6-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/3520-7-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/3520-9-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/3520-10-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/3520-11-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/3520-8-0x00007FFE77E5A000-0x00007FFE77E5B000-memory.dmp

memory/3520-12-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/3520-14-0x0000000001350000-0x0000000001357000-memory.dmp

memory/3520-13-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/3520-22-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/3520-23-0x00007FFE789A0000-0x00007FFE789B0000-memory.dmp

memory/3520-24-0x00007FFE78990000-0x00007FFE789A0000-memory.dmp

memory/3520-33-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/4888-36-0x0000000140000000-0x00000001400E9000-memory.dmp

C:\Users\Admin\AppData\Local\a1Ac\dxgiadaptercache.exe

MD5 e62f89130b7253f7780a862ed9aff294
SHA1 b031e64a36e93f95f2061be5b0383069efac2070
SHA256 4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5
SHA512 05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

C:\Users\Admin\AppData\Local\a1Ac\dxgi.dll

MD5 492ecb555b3aa4793f92bafb27777acf
SHA1 9cd923cac995853122f5d6eeec53664bae1c6792
SHA256 f5bf9f7c186ff381cd0c79591596fe4f1be00cf825750896137594505d5804cb
SHA512 57e31e9430c375896ad720a72cbb18ab75e544fe33403def39267459d0a928f51ecb9309f3a5617e0a1f24ec135b2537935994d5a0d4332fd4b95dbaf27c5223

memory/3800-43-0x000002890F550000-0x000002890F557000-memory.dmp

memory/3800-44-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/3800-48-0x0000000140000000-0x00000001400EA000-memory.dmp

C:\Users\Admin\AppData\Local\EP6w\msra.exe

MD5 dcda3b7b8eb0bfbccb54b4d6a6844ad6
SHA1 316a2925e451f739f45e31bc233a95f91bf775fa
SHA256 011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae
SHA512 18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

C:\Users\Admin\AppData\Local\EP6w\UxTheme.dll

MD5 4643581cd4fdac26ac9eb7bb39bfb132
SHA1 54821b1e6bf4f614dd3c2fc405421da5ab080f96
SHA256 00daa76f3862d79a2a87fe0a29bd163527d4b29cac23d5a5adc4695a829738c9
SHA512 75dda9fdb887bca25b75cbc71ed5acff8879ecd8e8f48aa4af8ba2809a9bbd6976113abb87f27fb9500e92087c490d4ca45c50126c7f13cdaff6df37c0462add

memory/4700-59-0x000002B03D820000-0x000002B03D827000-memory.dmp

memory/4700-64-0x0000000140000000-0x00000001400EA000-memory.dmp

C:\Users\Admin\AppData\Local\XuPoT1\msconfig.exe

MD5 39009536cafe30c6ef2501fe46c9df5e
SHA1 6ff7b4d30f31186de899665c704a105227704b72
SHA256 93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04
SHA512 95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

C:\Users\Admin\AppData\Local\XuPoT1\VERSION.dll

MD5 7c2d965c2208841f24d43a575b828f8d
SHA1 233308ffddd2e06d0511d0ff2b5808f3ec44ab9a
SHA256 afb59f464f1ec5d2b8fdae055110f2ecafa57e779ba347a04d041be5b1487d6f
SHA512 c78d2195f6771b2b2b5004319d6a9df3f921a9bb949ccfc55142397e004d2d864be962a78bdaa525227fbae81679a2d020d7e13bada7f443bf108b073fd2e87c

memory/836-77-0x000001E2D5D10000-0x000001E2D5D17000-memory.dmp

memory/836-82-0x0000000140000000-0x00000001400EA000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 b19b6b82aed04484820ea294493ff734
SHA1 54b6b4de35057a2e147d1d70363bda8f6c033b56
SHA256 3577dab3edb4915b972be78450db1bcfa2a57e9c2afdeaf4b05a8d0add899968
SHA512 5f143e7bd16979c39d10bfc9d92bb4a4af78a8e7dcebdbae0c20c5c26b50cd3c62fdd622d10dbc64bf09bab3c04dd4379e79ab0fa39b550091b84fba9cb67088

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-28 05:07

Reported

2023-12-29 17:13

Platform

win7-20231215-en

Max time kernel

150s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c60920a9c292aa669035396b03965a08.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A (10 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\WzlF\rekeywiz.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\oP1YJUqQY\VaultSysUi.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\I0MBl\WindowsAnytimeUpgradeResults.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\#SHARE~1\\23Q1I1A2\\VAULTS~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\WzlF\rekeywiz.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\oP1YJUqQY\VaultSysUi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\I0MBl\WindowsAnytimeUpgradeResults.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A (61 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1212 wrote to memory of 2592 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1212 wrote to memory of 2592 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1212 wrote to memory of 2592 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1212 wrote to memory of 2012 N/A N/A C:\Users\Admin\AppData\Local\WzlF\rekeywiz.exe
PID 1212 wrote to memory of 2012 N/A N/A C:\Users\Admin\AppData\Local\WzlF\rekeywiz.exe
PID 1212 wrote to memory of 2012 N/A N/A C:\Users\Admin\AppData\Local\WzlF\rekeywiz.exe
PID 1212 wrote to memory of 1248 N/A N/A C:\Windows\system32\VaultSysUi.exe
PID 1212 wrote to memory of 1248 N/A N/A C:\Windows\system32\VaultSysUi.exe
PID 1212 wrote to memory of 1248 N/A N/A C:\Windows\system32\VaultSysUi.exe
PID 1212 wrote to memory of 1960 N/A N/A C:\Users\Admin\AppData\Local\oP1YJUqQY\VaultSysUi.exe
PID 1212 wrote to memory of 1960 N/A N/A C:\Users\Admin\AppData\Local\oP1YJUqQY\VaultSysUi.exe
PID 1212 wrote to memory of 1960 N/A N/A C:\Users\Admin\AppData\Local\oP1YJUqQY\VaultSysUi.exe
PID 1212 wrote to memory of 584 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 584 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 584 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 776 N/A N/A C:\Users\Admin\AppData\Local\I0MBl\WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 776 N/A N/A C:\Users\Admin\AppData\Local\I0MBl\WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 776 N/A N/A C:\Users\Admin\AppData\Local\I0MBl\WindowsAnytimeUpgradeResults.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c60920a9c292aa669035396b03965a08.dll,#1

C:\Windows\system32\rekeywiz.exe

C:\Windows\system32\rekeywiz.exe

C:\Users\Admin\AppData\Local\WzlF\rekeywiz.exe

C:\Users\Admin\AppData\Local\WzlF\rekeywiz.exe

C:\Windows\system32\VaultSysUi.exe

C:\Windows\system32\VaultSysUi.exe

C:\Users\Admin\AppData\Local\oP1YJUqQY\VaultSysUi.exe

C:\Users\Admin\AppData\Local\oP1YJUqQY\VaultSysUi.exe

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe

C:\Users\Admin\AppData\Local\I0MBl\WindowsAnytimeUpgradeResults.exe

C:\Users\Admin\AppData\Local\I0MBl\WindowsAnytimeUpgradeResults.exe

Network

N/A

Files

memory/2524-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

memory/2524-1-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/1212-3-0x0000000077996000-0x0000000077997000-memory.dmp

memory/1212-4-0x00000000029E0000-0x00000000029E1000-memory.dmp

memory/1212-6-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/1212-7-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/1212-10-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/1212-12-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/1212-11-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/1212-9-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/1212-8-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/1212-13-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/1212-14-0x00000000029C0000-0x00000000029C7000-memory.dmp

memory/1212-22-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/1212-24-0x0000000077C30000-0x0000000077C32000-memory.dmp

memory/1212-23-0x0000000077C00000-0x0000000077C02000-memory.dmp

memory/2524-33-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/1212-36-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/1212-34-0x0000000140000000-0x00000001400E9000-memory.dmp

memory/1212-41-0x0000000077996000-0x0000000077997000-memory.dmp

\Users\Admin\AppData\Local\WzlF\rekeywiz.exe

MD5 767c75767b00ccfd41a547bb7b2adfff
SHA1 91890853a5476def402910e6507417d400c0d3cb
SHA256 bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395
SHA512 f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

C:\Users\Admin\AppData\Local\WzlF\slc.dll

MD5 5b7b3b177a05bb3c88f408bdc36d0eab
SHA1 f2aeae6cfb0662d065e004813611656d25d461a3
SHA256 b38d1747e148627c2d7d9f5a5666fbae3eba7e5fe9a967f566f2b82ffd4ad764
SHA512 a86bfd3bde01f389d58ab3080cae388a3686a203583c75c286efedf4bcec8e3f0f79b5bd696d01e9f09640df36be288391e2c93cc7ab683113199ae6cd548ddc

memory/2012-52-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/2012-51-0x0000000001D20000-0x0000000001D27000-memory.dmp

memory/2012-56-0x0000000140000000-0x00000001400EA000-memory.dmp

\Users\Admin\AppData\Local\oP1YJUqQY\VaultSysUi.exe

MD5 f40ef105d94350d36c799ee23f7fec0f
SHA1 ee3a5cfe8b807e1c1718a27eb97fa134360816e3
SHA256 eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2
SHA512 f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

C:\Users\Admin\AppData\Local\oP1YJUqQY\credui.dll

MD5 6510e1f763d9c57570766e1eeaa45f44
SHA1 925039212921ede1cbfc8141d23946cedfb91f70
SHA256 d87a965e77996fc3f1955bda011245ccc57931fe59f00f7ae0490ae924fc9ea7
SHA512 f4ca528a61de9528d23619fc78dfeb4153c4f108321d5dc715a2caa2bfb34957df1baba7fa82ef3309ccd504261f38e137fcbb87f47b6917f2a15289304e6f2e

memory/1960-72-0x00000000002F0000-0x00000000002F7000-memory.dmp

memory/1960-76-0x0000000140000000-0x00000001400EA000-memory.dmp

C:\Users\Admin\AppData\Local\I0MBl\DUI70.dll

MD5 1e3ec73e63598d793ab266ee2d2adad5
SHA1 d8afb986665feda3970c567f28a724ef4f109334
SHA256 63cee2f180167899c14ab68dd83cbfa609933d2169ee3100164a24a1b48bd140
SHA512 2a06147c5e93c3817c8095ba82f42ebc2325cff1c58ed5c83e919a096f0d0456e5a3cb35b9b7bd775c437c866dc2c630e5436795d689469da3ef42054a99b52a

C:\Users\Admin\AppData\Local\I0MBl\WindowsAnytimeUpgradeResults.exe

MD5 a4d8ba3f08458a308adf1909e01ebf8a
SHA1 bdc4be6169cf6620f6923d68a9eb450d953c9b38
SHA256 eca342c1342881e750ebbf4152320b887d09a6be641d7762cf23cccc6465e1c9
SHA512 d2d39395f47036ec480e468e9f3a8df0cb14ca9dfc1bd643ff1f7af71b07e49241585b4ecbba1f0ab9dce10a9e154c7ccd8fa2e74cd9b62a7487cf73a4b840c8

\Users\Admin\AppData\Local\I0MBl\DUI70.dll

MD5 09a598d589c74c9ead54cd1e5a45fa64
SHA1 e0c771cf37c265588d76f323aa65e9dceeb2862e
SHA256 b1a9300ea638ea81a6befeff77badb7cd074eec6d290d61bf8c7e93719dedb72
SHA512 1403739cb97a8635856b5408aa38485c1d6f6041dcbe8fcbc649e0cf5cdc62fd386d2d1050186da3b14bda0a69c57cba65d6eb8b702a5e0e5e87a58c6bd10ba6

\Users\Admin\AppData\Local\I0MBl\WindowsAnytimeUpgradeResults.exe

MD5 589324d14a31291fbedac9791c4ae94f
SHA1 460bc63a186da4250b9e5ccc5e35ca0da392a8ef
SHA256 cee540948a789b677a262072166e7526847387764d2e05b83a9385811587f85d
SHA512 5818b3d7b216e3db68dfa8c105322afece3e83b2b218163ae19ad4a95e5d3d89e765e93bd936f73f5c392c7758368ee63d7874734af0929cf8a1a60cd7498552

memory/776-89-0x0000000000300000-0x0000000000307000-memory.dmp

memory/776-88-0x0000000140000000-0x000000014011D000-memory.dmp

memory/776-93-0x0000000140000000-0x000000014011D000-memory.dmp

C:\Users\Admin\AppData\Local\I0MBl\WindowsAnytimeUpgradeResults.exe

MD5 f5ee9a1a389cfa775d19c8b243c07cfc
SHA1 cd3ca4b78d5c739cced0c2ea19b3b103426dba1e
SHA256 28f4fb36813499b08db8ad61235bbb84228f20c871c95307bb1524f880818ec5
SHA512 111151db9854c92e4e4937f949bd32c74d535a3ef91b96fb1b46671c1c5837233aa17263a7e43234611f6437e6fac699706419526c2d3c6024c84783228fa4aa

\Users\Admin\AppData\Roaming\Identities\ybMsdd\WindowsAnytimeUpgradeResults.exe

MD5 2ed4268820067ec145ba0a99a2bf7043
SHA1 56ed21b742d5b97c5d8ab5d002745d4dc6a43412
SHA256 65502f644b49be98a5e5f936fe5c8c91bdbf66147f468132d604fd0e15802cbc
SHA512 30869c4ee9195e07d0fcdebf8b672fc5f0b48d25302b1f8e4500377ee2699a4848474ef0f6a1cd3743049e51e79edb5960bb4188ef9f213e8c6d4ef5d79e0422

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 e4052fe17f9a516971a1acc7c7c35987
SHA1 21d8baf7e052ff5c435cd76778feba18fd228b94
SHA256 e2fd71c0166bb34bb55d42f329c3a5a5bb141e95d5025f19008b93097a23b5f6
SHA512 a627689c7824f97ba6a356c9ee168f7d8b13b05cc87b5e7e43e30b5e458f51de4336ce6c6767c23f6426042c19158c96e825f55e585996ab8820b6fbd8407480

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\bRAL\slc.dll

MD5 44cf4ca34c0bbb82b6023e04e2592b7f
SHA1 993ba8d20ec2f3dd82308251540191a70801c287
SHA256 bee61487f3c0905e4f126dd3e52b2d6f7a1f0df725bc84d03622265e26c40441
SHA512 de60a04d8c3ef4e3df902e350136605d48a8e33f3bbfe86d37fffd1353b1b104bcdae2308768a303be6da9e628d2e590254be176c2ab9f4858e521863bb44892

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\23Q1I1A2\credui.dll

MD5 d08723fd833c6edddc2eeb25a404bd11
SHA1 85fdddc7a9ed07e7bd5534db3dbfda418e3634a8
SHA256 e715152fd1481511d6a7528c0873231fc0d5a859a20712caf9cb965d895b15b9
SHA512 dc779688f35dc76fd79866cc6f497b4f9919291822e026addee6d6334146454643924420326c5784215309a453c68db06caa98f27eb43982e0272a7a2ebb0aea

C:\Users\Admin\AppData\Roaming\Identities\ybMsdd\DUI70.dll

MD5 e5a6697b862a52dfe1fb836b7b2da7a3
SHA1 272eddaa70ffaf031cf81cef1bcb696781994a92
SHA256 fc5abbd2289493ab59a0061886bbe1820ed4f15df33bf0061523077fc21cfb8f
SHA512 386cc1d04d8c10b2e51ad059a77fa3f4b18af672e809096b7fd9f0788c9717b793737621a5cc096fdbc8c58a226129591589234569051b5815fe1f05788f9390