Malware Analysis Report

2024-11-30 21:43

Sample ID 231229-1xy52adbg7
Target 0512aedf039191c7a60c97cd87a5d490
SHA256 d168ef7be6e3b73f63a62c817c0d87e4dd84cbe577454da94b7cc8bf8ff55879
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 d168ef7be6e3b73f63a62c817c0d87e4dd84cbe577454da94b7cc8bf8ff55879

Threat Level: Known bad

The file 0512aedf039191c7a60c97cd87a5d490 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-29 22:02

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-29 22:02

Reported

2023-12-30 08:18

Platform

win7-20231215-en

Max time kernel

150s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0512aedf039191c7a60c97cd87a5d490.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\3wl\calc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\NoXU\DWWIN.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\8z76P5X4b\spreview.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\SYSTEM~1\\R5KmR\\DWWIN.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3wl\calc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\NoXU\DWWIN.EXE N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\8z76P5X4b\spreview.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1252 wrote to memory of 2584 N/A N/A C:\Windows\system32\calc.exe
PID 1252 wrote to memory of 2584 N/A N/A C:\Windows\system32\calc.exe
PID 1252 wrote to memory of 2584 N/A N/A C:\Windows\system32\calc.exe
PID 1252 wrote to memory of 2600 N/A N/A C:\Users\Admin\AppData\Local\3wl\calc.exe
PID 1252 wrote to memory of 2600 N/A N/A C:\Users\Admin\AppData\Local\3wl\calc.exe
PID 1252 wrote to memory of 2600 N/A N/A C:\Users\Admin\AppData\Local\3wl\calc.exe
PID 1252 wrote to memory of 2892 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 1252 wrote to memory of 2892 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 1252 wrote to memory of 2892 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 1252 wrote to memory of 2944 N/A N/A C:\Users\Admin\AppData\Local\NoXU\DWWIN.EXE
PID 1252 wrote to memory of 2944 N/A N/A C:\Users\Admin\AppData\Local\NoXU\DWWIN.EXE
PID 1252 wrote to memory of 2944 N/A N/A C:\Users\Admin\AppData\Local\NoXU\DWWIN.EXE
PID 1252 wrote to memory of 1260 N/A N/A C:\Windows\system32\spreview.exe
PID 1252 wrote to memory of 1260 N/A N/A C:\Windows\system32\spreview.exe
PID 1252 wrote to memory of 1260 N/A N/A C:\Windows\system32\spreview.exe
PID 1252 wrote to memory of 1364 N/A N/A C:\Users\Admin\AppData\Local\8z76P5X4b\spreview.exe
PID 1252 wrote to memory of 1364 N/A N/A C:\Users\Admin\AppData\Local\8z76P5X4b\spreview.exe
PID 1252 wrote to memory of 1364 N/A N/A C:\Users\Admin\AppData\Local\8z76P5X4b\spreview.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0512aedf039191c7a60c97cd87a5d490.dll,#1

C:\Windows\system32\calc.exe

C:\Windows\system32\calc.exe

C:\Users\Admin\AppData\Local\3wl\calc.exe

C:\Users\Admin\AppData\Local\3wl\calc.exe

C:\Windows\system32\DWWIN.EXE

C:\Windows\system32\DWWIN.EXE

C:\Users\Admin\AppData\Local\NoXU\DWWIN.EXE

C:\Users\Admin\AppData\Local\NoXU\DWWIN.EXE

C:\Windows\system32\spreview.exe

C:\Windows\system32\spreview.exe

C:\Users\Admin\AppData\Local\8z76P5X4b\spreview.exe

C:\Users\Admin\AppData\Local\8z76P5X4b\spreview.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\3wl\WINMM.dll

C:\Users\Admin\AppData\Local\3wl\calc.exe

\Users\Admin\AppData\Local\3wl\calc.exe

\Users\Admin\AppData\Local\3wl\WINMM.dll

C:\Users\Admin\AppData\Local\3wl\calc.exe

\Users\Admin\AppData\Local\NoXU\DWWIN.EXE

\Users\Admin\AppData\Local\NoXU\VERSION.dll

C:\Users\Admin\AppData\Local\NoXU\VERSION.dll

C:\Users\Admin\AppData\Local\NoXU\DWWIN.EXE

\Users\Admin\AppData\Local\8z76P5X4b\spreview.exe

C:\Users\Admin\AppData\Local\8z76P5X4b\sqmapi.dll

\Users\Admin\AppData\Local\8z76P5X4b\sqmapi.dll

C:\Users\Admin\AppData\Local\8z76P5X4b\spreview.exe

\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\iO3QYVHA\spreview.exe

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\iO3QYVHA\spreview.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\rN1br3gMa36\WINMM.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\R5KmR\VERSION.dll

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\iO3QYVHA\sqmapi.dll

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-29 22:02

Reported

2023-12-30 08:18

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

53s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0512aedf039191c7a60c97cd87a5d490.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0512aedf039191c7a60c97cd87a5d490.dll,#1

C:\Users\Admin\AppData\Local\Dx4\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\Dx4\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\4eT\wscript.exe

C:\Users\Admin\AppData\Local\4eT\wscript.exe

C:\Windows\system32\wscript.exe

C:\Windows\system32\wscript.exe

C:\Users\Admin\AppData\Local\bB6Cw3S\upfc.exe

C:\Users\Admin\AppData\Local\bB6Cw3S\upfc.exe

C:\Windows\system32\upfc.exe

C:\Windows\system32\upfc.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Windows\system32\EhStorAuthn.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp

Files

C:\Users\Admin\AppData\Local\Dx4\UxTheme.dll

C:\Users\Admin\AppData\Local\Dx4\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\bB6Cw3S\upfc.exe

C:\Users\Admin\AppData\Local\4eT\VERSION.dll

C:\Users\Admin\AppData\Local\4eT\wscript.exe

C:\Users\Admin\AppData\Local\4eT\VERSION.dll

C:\Users\Admin\AppData\Local\4eT\wscript.exe

C:\Users\Admin\AppData\Local\bB6Cw3S\XmlLite.dll

C:\Users\Admin\AppData\Local\bB6Cw3S\upfc.exe

C:\Users\Admin\AppData\Local\Dx4\UxTheme.dll

C:\Users\Admin\AppData\Local\Dx4\EhStorAuthn.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Khny766MOmA\UxTheme.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3803511929-1339359695-2191195476-1000\4yBqkVK\XmlLite.dll

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\eiS\VERSION.dll
