Malware Analysis Report

2024-11-30 21:16

Sample ID 231230-141x7sacbq
Target 1e1aa7febb7d18e4661e01e2cc9d0d0a
SHA256 aa9807d6e31b92125ea437d3aa692a5a764a70f931c6f19595ff63066443abd5
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: aa9807d6e31b92125ea437d3aa692a5a764a70f931c6f19595ff63066443abd5

Threat Level: Known bad

The file 1e1aa7febb7d18e4661e01e2cc9d0d0a was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 22:13

Signatures

Unsigned PE

No indicator, process or target detail recorded for this signature.

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 22:12

Reported

2024-01-01 08:27

Platform

win10v2004-20231215-en

Max time kernel

131s

Max time network

170s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e1aa7febb7d18e4661e01e2cc9d0d0a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
No indicator, process or target detail recorded for this signature.

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\5tJr\\BdeUISrv.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\pCz8O0qls\iexpress.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\iivREV\BdeUISrv.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\XkrDy4oc\DevicePairingWizard.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A (4 events)
A further 60 process-enumeration events carry no recorded description, indicator, process or target.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A (2 events)
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A (2 events)

Suspicious use of UnmapMainImage

No indicator, process or target detail recorded for this signature.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3464 wrote to memory of 1444 | N/A | N/A | C:\Windows\system32\iexpress.exe (2 events)
PID 3464 wrote to memory of 3876 | N/A | N/A | C:\Users\Admin\AppData\Local\pCz8O0qls\iexpress.exe (2 events)
PID 3464 wrote to memory of 3440 | N/A | N/A | C:\Windows\system32\BdeUISrv.exe (2 events)
PID 3464 wrote to memory of 2992 | N/A | N/A | C:\Users\Admin\AppData\Local\iivREV\BdeUISrv.exe (2 events)
PID 3464 wrote to memory of 1872 | N/A | N/A | C:\Windows\system32\DevicePairingWizard.exe (2 events)
PID 3464 wrote to memory of 376 | N/A | N/A | C:\Users\Admin\AppData\Local\XkrDy4oc\DevicePairingWizard.exe (2 events)

Uses Task Scheduler COM API

persistence

Processes

Each process is listed once with its command line; where no command line is shown, the process was started with its image path alone.

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e1aa7febb7d18e4661e01e2cc9d0d0a.dll,#1

C:\Windows\system32\iexpress.exe

C:\Users\Admin\AppData\Local\pCz8O0qls\iexpress.exe

C:\Windows\system32\BdeUISrv.exe

C:\Users\Admin\AppData\Local\iivREV\BdeUISrv.exe

C:\Windows\system32\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\XkrDy4oc\DevicePairingWizard.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
NL | 52.142.223.178:80 | (none) | tcp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp (5 connections)

Files

memory/4760-0-0x000001E1C2C90000-0x000001E1C2C97000-memory.dmp

memory/4760-{1,7}-0x0000000140000000-0x0000000140168000-memory.dmp (2 dumps of the same region)

memory/3464-4-0x0000000002990000-0x0000000002991000-memory.dmp

memory/3464-{6,8,10-33,41,51,53}-0x0000000140000000-0x0000000140168000-memory.dmp (29 dumps of the same region)

memory/3464-9-0x00007FFCAA4BA000-0x00007FFCAA4BB000-memory.dmp

memory/3464-34-0x0000000002750000-0x0000000002757000-memory.dmp

memory/3464-42-0x00007FFCAC400000-0x00007FFCAC410000-memory.dmp

C:\Users\Admin\AppData\Local\pCz8O0qls\iexpress.exe

MD5 17b93a43e25d821d01af40ba6babcc8c
SHA1 97c978d78056d995f751dfef1388d7cce4cc404a
SHA256 d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3
SHA512 6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

C:\Users\Admin\AppData\Local\pCz8O0qls\VERSION.dll

MD5 039d94920ba8899475357b99933654ea
SHA1 d6033410d731ae53013d054e4df940d3420745f7
SHA256 fe41b7097e103291394adc155de01e19de1e725a7e657ed26c83e818665752d7
SHA512 f6351f483c994f311e7c0f06a3bb391ba66a38c8a4c035869f4146df2f52aef8f87c09739d279d97deec95e5a9f8a6e6d81978fe876079cf65c7d846722be979

memory/3876-62-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3876-63-0x0000016152D40000-0x0000016152D47000-memory.dmp

memory/3876-68-0x0000000140000000-0x0000000140169000-memory.dmp

C:\Users\Admin\AppData\Local\iivREV\BdeUISrv.exe

MD5 8595075667ff2c9a9f9e2eebc62d8f53
SHA1 c48b54e571f05d4e21d015bb3926c2129f19191a
SHA256 20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db
SHA512 080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

C:\Users\Admin\AppData\Local\iivREV\WTSAPI32.dll

MD5 f34f6de122410f658b7bc7c167f6ff7b
SHA1 b40e615095051873ce861c239214be053a0bb228
SHA256 284b79ccb405e879b3ad618d065995d844c8f616ee20807d6a7cba816a7ddabe
SHA512 211a988dec9098b2d296962feef1a84847d7ca68d44a97faf8f7a704c6fa4e1f8eb301d407067a950b850785229f8b1d4f2d6037321deb1ad7eb3688148cd599

memory/2992-82-0x00000254FBD70000-0x00000254FBD77000-memory.dmp

memory/2992-87-0x0000000140000000-0x0000000140169000-memory.dmp

C:\Users\Admin\AppData\Local\XkrDy4oc\DevicePairingWizard.exe

MD5 d0e40a5a0c7dad2d6e5040d7fbc37533
SHA1 b0eabbd37a97a1abcd90bd56394f5c45585699eb
SHA256 2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b
SHA512 1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

C:\Users\Admin\AppData\Local\XkrDy4oc\MFC42u.dll

MD5 518fe1a00905de3bfe5cdf0f640a8aa2
SHA1 3e8f6216ff1bf0f82250234a15b31c2255366c29
SHA256 a3d84bd925437aa647310ca2cc1e68538823f12c68c04845b7bf0d13046053ba
SHA512 07300bd672f1e64ab64f0073e634833530e5ef5d68019851df47fee9b21a47aa5a496608f74b57c7c26f1f8743c8cc17e9cfe39bd0aae33179988e9129b732ea

memory/376-98-0x0000015EBEA70000-0x0000015EBEA77000-memory.dmp

memory/376-99-0x0000000140000000-0x000000014016F000-memory.dmp

memory/376-104-0x0000000140000000-0x000000014016F000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 e00732f2a4a41b357dbe06675d369aff
SHA1 756e0398312cbc21476d5d29258b4d78e31b0b1a
SHA256 4f701a2d921f13ff03538db4bc4b3600c4e2f6bfd9445d99e24aa787c3495b0b
SHA512 57d638169044d246cc525e849a76336c2cf06fca0857af776835ebff783fa370b8b8c8a86bdd40dc15717e209273ab2686c4780c6bb96c91510ba678b49d9488
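The dropped files above follow one layout three times over: a System32 executable name (iexpress.exe, BdeUISrv.exe, DevicePairingWizard.exe) reappears in a randomly named folder under AppData\Local next to a module carrying the name of a System32 DLL (VERSION.dll, WTSAPI32.dll, MFC42u.dll), and the Run key points at yet another copy written with 8.3 short names (MICROS~1\INTERN~1\...). The Win7 run further down repeats it with wscript.exe/VERSION.dll, SystemPropertiesComputerName.exe/SYSDM.CPL and mfpmp.exe/MFPlat.DLL. The following Python hunt is an added example, not part of the sandbox report: it flags that layout in a file inventory and in Run-key values. The inventory and the Run entries are constructed from paths in this report plus benign filler; the System32 name sets are an assumption standing in for a directory listing taken on the host.

```python
import ntpath
import re
from collections import defaultdict

# Signed executables that ship in System32 on the analysed images. Assumption:
# a real hunt builds this set by listing C:\Windows\System32 on the host.
SYSTEM32_EXES = {
    "iexpress.exe", "bdeuisrv.exe", "devicepairingwizard.exe",
    "wscript.exe", "systempropertiescomputername.exe", "mfpmp.exe",
}
# Modules that also ship in System32; these names were planted beside the copies.
SYSTEM_MODULES = {"version.dll", "wtsapi32.dll", "mfc42u.dll", "sysdm.cpl", "mfplat.dll"}
# Trees Windows owns; a System32 binary name showing up elsewhere is the signal.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SHORT_NAME = re.compile(r"~\d+(?=\\|$)")  # 8.3 component such as MICROS~1

# Constructed inventory: the dropped files from both detonations plus benign filler.
FILES = [
    r"C:\Users\Admin\AppData\Local\pCz8O0qls\iexpress.exe",
    r"C:\Users\Admin\AppData\Local\pCz8O0qls\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\iivREV\BdeUISrv.exe",
    r"C:\Users\Admin\AppData\Local\iivREV\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Local\XkrDy4oc\DevicePairingWizard.exe",
    r"C:\Users\Admin\AppData\Local\XkrDy4oc\MFC42u.dll",
    r"C:\Users\Admin\AppData\Local\IN4\wscript.exe",
    r"C:\Users\Admin\AppData\Local\IN4\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\47OCze\SystemPropertiesComputerName.exe",
    r"C:\Users\Admin\AppData\Local\47OCze\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\ScI\mfpmp.exe",
    r"C:\Users\Admin\AppData\Local\ScI\MFPlat.DLL",
    r"C:\Windows\System32\iexpress.exe",   # benign: the genuine binary
    r"C:\Windows\System32\version.dll",    # benign: the genuine module
    r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",  # benign filler
]
# Constructed autoruns: the two Run values the report records plus a benign one.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
AUTORUNS = [
    (RUN + r"\Gdfgjdhwrlpouj",
     r"C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1\TaskBar\5tJr\BdeUISrv.exe"),
    (RUN + r"\Zqonzshwxyr",
     r"C:\Users\Admin\AppData\Roaming\Identities\9408\SystemPropertiesComputerName.exe"),
    (RUN + r"\OneDrive",
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]


def _norm(path):
    return path.replace("/", "\\").lower()


def outside_windows_trees(path):
    return not _norm(path).startswith(TRUSTED_PREFIXES)


def image_path(value):
    """Strip quoting and arguments from a Run-key value to get the image path."""
    v = value.strip()
    if v.startswith('"'):
        return v[1:v.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?=\s|$)", v, re.I)
    return m.group(1) if m else v


def find_sideload_dirs(files, exe_names=SYSTEM32_EXES, module_names=SYSTEM_MODULES):
    """Directories outside the Windows trees holding a copy of a System32
    executable together with a module named like a System32 module. The loader
    searches the application directory before System32 for most imports, so the
    planted module wins (search-order hijack) under a signed parent image."""
    by_dir = defaultdict(set)
    for f in files:
        d, name = ntpath.split(_norm(f))
        by_dir[d].add(name)
    hits = {}
    for d, names in by_dir.items():
        if not outside_windows_trees(d + "\\"):
            continue
        exes, mods = names & exe_names, names & module_names
        if exes and mods:
            hits[d] = (sorted(exes), sorted(mods))
    return hits


def flag_autoruns(entries, exe_names=SYSTEM32_EXES):
    """Run values whose target lives outside the Windows trees and either reuses
    a System32 executable name or is written with 8.3 short names, which slips
    past naive full-path string matches. On a live host expand such values with
    GetLongPathNameW before comparing them against known-good paths."""
    flagged = []
    for source, value in entries:
        target = image_path(value)
        if not outside_windows_trees(target):
            continue
        reasons = []
        if ntpath.basename(_norm(target)) in exe_names:
            reasons.append("System32 executable name outside the Windows tree")
        if SHORT_NAME.search(target):
            reasons.append("8.3 short-name path components")
        if reasons:
            flagged.append((source, target, reasons))
    return flagged


if __name__ == "__main__":
    for d, (exes, mods) in find_sideload_dirs(FILES).items():
        print(f"side-load candidate: {d}  exe={exes} module={mods}")
    for source, target, reasons in flag_autoruns(AUTORUNS):
        print(f"autorun: {source} -> {target}: {'; '.join(reasons)}")
```

The OneDrive entry is there to show the false-positive class this logic avoids: a user-space autorun is only flagged when the image name collides with a System32 executable or the path hides behind short names, so ordinary per-user installers under AppData\Local pass.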

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 22:12

Reported

2024-01-01 08:27

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e1aa7febb7d18e4661e01e2cc9d0d0a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
No indicator, process or target detail recorded for this signature.

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\IN4\wscript.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\47OCze\SystemPropertiesComputerName.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\ScI\mfpmp.exe | N/A
A further 5 load events carry no recorded description, indicator, process or target.

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\9408\\SystemPropertiesComputerName.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\IN4\wscript.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\47OCze\SystemPropertiesComputerName.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ScI\mfpmp.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A (3 events)
A further 61 process-enumeration events carry no recorded description, indicator, process or target.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1384 wrote to memory of 1988 | N/A | N/A | C:\Windows\system32\wscript.exe (3 events)
PID 1384 wrote to memory of 3056 | N/A | N/A | C:\Users\Admin\AppData\Local\IN4\wscript.exe (3 events)
PID 1384 wrote to memory of 1340 | N/A | N/A | C:\Windows\system32\SystemPropertiesComputerName.exe (3 events)
PID 1384 wrote to memory of 328 | N/A | N/A | C:\Users\Admin\AppData\Local\47OCze\SystemPropertiesComputerName.exe (3 events)
PID 1384 wrote to memory of 1184 | N/A | N/A | C:\Windows\system32\mfpmp.exe (3 events)
PID 1384 wrote to memory of 2436 | N/A | N/A | C:\Users\Admin\AppData\Local\ScI\mfpmp.exe (3 events)

Uses Task Scheduler COM API

persistence

Processes

Each process is listed once with its command line; where no command line is shown, the process was started with its image path alone.

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e1aa7febb7d18e4661e01e2cc9d0d0a.dll,#1

C:\Windows\system32\wscript.exe

C:\Users\Admin\AppData\Local\IN4\wscript.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\47OCze\SystemPropertiesComputerName.exe

C:\Windows\system32\mfpmp.exe

C:\Users\Admin\AppData\Local\ScI\mfpmp.exe

Network

N/A

Files

memory/2856-{0,8}-0x0000000140000000-0x0000000140168000-memory.dmp (2 dumps of the same region)

memory/2856-1-0x0000000000330000-0x0000000000337000-memory.dmp

memory/1384-4-0x0000000076F56000-0x0000000076F57000-memory.dmp

memory/1384-5-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/1384-{7,9-33,41,52,56,57,61}-0x0000000140000000-0x0000000140168000-memory.dmp (31 dumps of the same region)

memory/1384-34-0x00000000025A0000-0x00000000025A7000-memory.dmp

memory/1384-42-0x0000000077161000-0x0000000077162000-memory.dmp

memory/1384-43-0x00000000772C0000-0x00000000772C2000-memory.dmp

\Users\Admin\AppData\Local\IN4\wscript.exe

MD5 8886e0697b0a93c521f99099ef643450
SHA1 851bd390bf559e702b8323062dbeb251d9f2f6f7
SHA256 d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f
SHA512 fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

C:\Users\Admin\AppData\Local\IN4\VERSION.dll

MD5 d25bab1416ec9258d799c17a4f7fdcb8
SHA1 fa76b747623a55c968decaac79b5346b03070485
SHA256 da458bcb6486594c763e462fb774138cb88480d431a6986e2afcd451bd500acd
SHA512 ed423eb2e1cf3d969e146cb6569f5d299d8f3458b5a58f6f7f53f74b4db66a66c4d4e68df011a23b4f39cd860f712cf2ebd7ada454ff91ff2dab440a4aa0b69d

memory/3056-73-0x00000000000E0000-0x00000000000E7000-memory.dmp

memory/3056-74-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3056-79-0x0000000140000000-0x0000000140169000-memory.dmp

\Users\Admin\AppData\Local\47OCze\SystemPropertiesComputerName.exe

MD5 bd889683916aa93e84e1a75802918acf
SHA1 5ee66571359178613a4256a7470c2c3e6dd93cfa
SHA256 0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf
SHA512 9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

C:\Users\Admin\AppData\Local\47OCze\SYSDM.CPL

MD5 1998182d7b320f396d8fb531a286ca8a
SHA1 e1ca2de2c08f81a1d4662b7cf68f709e6aecbed1
SHA256 f69b4cc7a7e701b384a60281903365c7ad2c2e8ff71dfe30db741213acb86eb6
SHA512 1f8b66c5eca93e2a7fe64f90eeb335e6e89b4b09fecc8c1f9c2affd9348def84642e6ee9907f6d8b24361ee4970b53fcedb38f7a2a6c6cfba6f3ca0e53eb4950

memory/328-91-0x00000000001F0000-0x00000000001F7000-memory.dmp

memory/328-97-0x0000000140000000-0x0000000140169000-memory.dmp

\Users\Admin\AppData\Local\ScI\mfpmp.exe

MD5 2d8600b94de72a9d771cbb56b9f9c331
SHA1 a0e2ac409159546183aa45875497844c4adb5aac
SHA256 7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185
SHA512 3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

C:\Users\Admin\AppData\Local\ScI\MFPlat.DLL

MD5 e920ee4a48fe2130ccb8ddc2f663d0ba
SHA1 0e6ca9a4cd2419a64e0453f0cfc2123126e7c964
SHA256 f3ab787d8fffb8d4ff8600e054a7eb3746842ad7ed709252c1858d814ac9ad42
SHA512 0a83a95923f49fb2793cfa3c436acc0b93fd8dd9d768cc5afe17d5706bc9a7580fb1df69b3664face8c9e4bb6d2c659f27b0453dc289c2557eb86aef7c8c45bb

memory/2436-109-0x0000000140000000-0x000000014016A000-memory.dmp

memory/2436-110-0x0000000000320000-0x0000000000327000-memory.dmp

memory/2436-115-0x0000000140000000-0x000000014016A000-memory.dmp

memory/1384-131-0x0000000076F56000-0x0000000076F57000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 e3dd6327572d43eeb683190549c48616
SHA1 54f14d1be4839181f1a0ec9fc06746444292da21
SHA256 e08132ec4727690a0535b09b002888bd4c6d581a8d1c0cbbf0d74dfc7554385f
SHA512 5b406da628de7e9c81f27e840bee06b121a340ffc343f6f6fd6df0a883f6f5296d2f4b48c9437d0a60b0ffcb2472ea3b692f1924bbc17a1bb4c882fa6fa905b2
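The Files sections of both detonations are the IOC list a responder would carry away from this report. The following Python is an added example, not from the report or the sandbox vendor: it parses the flat "path / MD5 / SHA1 / SHA256" runs into records, separates the hashes worth blocking from the ones to verify first, and sweeps a directory tree for them. The excerpt is copied from this report's behavioral2 Files section; the swept tree is a temporary directory built inside the block, with one planted file whose hash is added to the set as a constructed stand-in for a real hit. The split matters: each dropped .exe here sits beside a module named after one of its imports, the side-loading layout, so those executables are most likely byte-for-byte copies of the signed System32 binaries, and blocking their hashes would also hit the clean files; the planted modules and the Startup .lnk are the hashes that identify this sample.

```python
import hashlib
import os
import re
import tempfile

# Excerpt copied from the report's Files section (SHA512 lines parse the same way).
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\pCz8O0qls\iexpress.exe

MD5 17b93a43e25d821d01af40ba6babcc8c
SHA1 97c978d78056d995f751dfef1388d7cce4cc404a
SHA256 d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

C:\Users\Admin\AppData\Local\pCz8O0qls\VERSION.dll

MD5 039d94920ba8899475357b99933654ea
SHA1 d6033410d731ae53013d054e4df940d3420745f7
SHA256 fe41b7097e103291394adc155de01e19de1e725a7e657ed26c83e818665752d7

memory/3876-62-0x0000000140000000-0x0000000140169000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 e00732f2a4a41b357dbe06675d369aff
SHA1 756e0398312cbc21476d5d29258b4d78e31b0b1a
SHA256 4f701a2d921f13ff03538db4bc4b3600c4e2f6bfd9445d99e24aa787c3495b0b
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_file_iocs(text):
    """Turn "path / MD5 / SHA1 / SHA256 / SHA512" runs into dicts. A memory-dump
    line has no hashes and closes the current record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None
        elif "\\" in line:
            current = {"path": line}
            records.append(current)
    return [r for r in records if "sha256" in r]


def classify(records):
    """Split IOCs into hashes safe to block (planted modules, .lnk) and ones to
    verify first (.exe files that are probably copies of signed System32 binaries:
    compare against C:\\Windows\\System32\\<name> before blocking)."""
    block, verify = [], []
    for r in records:
        ext = os.path.splitext(r["path"])[1].lower()
        (verify if ext == ".exe" else block).append(r)
    return block, verify


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, sha256_set):
    """Hash every regular file under root and return (path, digest) matches."""
    matches = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                digest = sha256_of(p)
            except OSError:
                continue
            if digest in sha256_set:
                matches.append((p, digest))
    return matches


def demo():
    """Parse the excerpt, then sweep a throwaway tree holding one planted file
    (constructed stand-in; its hash is added to the set) and one benign file."""
    records = parse_file_iocs(REPORT_EXCERPT)
    block, verify = classify(records)
    iocs = {r["sha256"] for r in block}
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "iivREV", "WTSAPI32.dll")
        os.makedirs(os.path.dirname(planted))
        with open(planted, "wb") as f:
            f.write(b"constructed stand-in for the planted DLL\n")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("benign\n")
        iocs.add(sha256_of(planted))
        hits = sweep(root, iocs)
    return records, block, verify, hits


if __name__ == "__main__":
    records, block, verify, hits = demo()
    print(f"{len(records)} IOC records: block {len(block)}, verify {len(verify)}")
    for path, digest in hits:
        print(f"match {digest[:12]}... {path}")
```

Feed the whole Files section of both runs into parse_file_iocs to get the full set; point sweep at a user profile rather than the temporary tree when running on a suspect host.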