Malware Analysis Report

2024-11-30 21:06

Sample ID 231230-adnl3sgag8
Target 07f8db3e8548a97ebcd2326f317cdb7f
SHA256 d39063ca4da6bce99dc34fed4ee4ab290479d3b637c6f7d8882a2fea05561d6d
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d39063ca4da6bce99dc34fed4ee4ab290479d3b637c6f7d8882a2fea05561d6d

Threat Level: Known bad

The file 07f8db3e8548a97ebcd2326f317cdb7f was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 00:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 00:05

Reported

2023-12-30 19:25

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\07f8db3e8548a97ebcd2326f317cdb7f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\ooymWMk\rekeywiz.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\FlV\msdtc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\UF4WweA3\MpSigStub.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\Low\\OQ2P10aXpt\\msdtc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ooymWMk\rekeywiz.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\FlV\msdtc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\UF4WweA3\MpSigStub.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A (61 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1380 wrote to memory of 660 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1380 wrote to memory of 660 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1380 wrote to memory of 660 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1380 wrote to memory of 1128 N/A N/A C:\Users\Admin\AppData\Local\ooymWMk\rekeywiz.exe
PID 1380 wrote to memory of 1128 N/A N/A C:\Users\Admin\AppData\Local\ooymWMk\rekeywiz.exe
PID 1380 wrote to memory of 1128 N/A N/A C:\Users\Admin\AppData\Local\ooymWMk\rekeywiz.exe
PID 1380 wrote to memory of 2908 N/A N/A C:\Windows\system32\msdtc.exe
PID 1380 wrote to memory of 2908 N/A N/A C:\Windows\system32\msdtc.exe
PID 1380 wrote to memory of 2908 N/A N/A C:\Windows\system32\msdtc.exe
PID 1380 wrote to memory of 2720 N/A N/A C:\Users\Admin\AppData\Local\FlV\msdtc.exe
PID 1380 wrote to memory of 2720 N/A N/A C:\Users\Admin\AppData\Local\FlV\msdtc.exe
PID 1380 wrote to memory of 2720 N/A N/A C:\Users\Admin\AppData\Local\FlV\msdtc.exe
PID 1380 wrote to memory of 2864 N/A N/A C:\Windows\system32\MpSigStub.exe
PID 1380 wrote to memory of 2864 N/A N/A C:\Windows\system32\MpSigStub.exe
PID 1380 wrote to memory of 2864 N/A N/A C:\Windows\system32\MpSigStub.exe
PID 1380 wrote to memory of 1972 N/A N/A C:\Users\Admin\AppData\Local\UF4WweA3\MpSigStub.exe
PID 1380 wrote to memory of 1972 N/A N/A C:\Users\Admin\AppData\Local\UF4WweA3\MpSigStub.exe
PID 1380 wrote to memory of 1972 N/A N/A C:\Users\Admin\AppData\Local\UF4WweA3\MpSigStub.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\07f8db3e8548a97ebcd2326f317cdb7f.dll,#1

C:\Windows\system32\rekeywiz.exe

C:\Windows\system32\rekeywiz.exe

C:\Users\Admin\AppData\Local\ooymWMk\rekeywiz.exe

C:\Users\Admin\AppData\Local\ooymWMk\rekeywiz.exe

C:\Windows\system32\msdtc.exe

C:\Windows\system32\msdtc.exe

C:\Users\Admin\AppData\Local\FlV\msdtc.exe

C:\Users\Admin\AppData\Local\FlV\msdtc.exe

C:\Windows\system32\MpSigStub.exe

C:\Windows\system32\MpSigStub.exe

C:\Users\Admin\AppData\Local\UF4WweA3\MpSigStub.exe

C:\Users\Admin\AppData\Local\UF4WweA3\MpSigStub.exe

Network

N/A

Files

memory/2400-0-0x0000000000330000-0x0000000000337000-memory.dmp

memory/2400-1-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-4-0x0000000077296000-0x0000000077297000-memory.dmp

memory/1380-5-0x0000000002650000-0x0000000002651000-memory.dmp

memory/1380-7-0x0000000140000000-0x0000000140242000-memory.dmp

memory/2400-8-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-9-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-10-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-11-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-13-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-12-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-14-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-15-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-16-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-17-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-18-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-19-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-20-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-21-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-22-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-23-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-25-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-24-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-26-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-27-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-28-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-29-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-30-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-31-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-33-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-32-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-35-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-34-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-36-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-37-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-38-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-39-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-40-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-41-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-42-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-44-0x0000000002250000-0x0000000002257000-memory.dmp

memory/1380-43-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-51-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-52-0x00000000774A1000-0x00000000774A2000-memory.dmp

memory/1380-53-0x0000000077600000-0x0000000077602000-memory.dmp

memory/1380-62-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-66-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-67-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1380-71-0x0000000140000000-0x0000000140242000-memory.dmp

\Users\Admin\AppData\Local\ooymWMk\rekeywiz.exe

MD5 767c75767b00ccfd41a547bb7b2adfff
SHA1 91890853a5476def402910e6507417d400c0d3cb
SHA256 bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395
SHA512 f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

C:\Users\Admin\AppData\Local\ooymWMk\slc.dll

MD5 52ec9d8cce3fc20761ce0acdbf56eadd
SHA1 57cd7b11c0b85d7fcde130f314ef157e513baaa5
SHA256 2e4ce5bbeced7522dcfae333a58df80153e3ab5ac45d87439bffb9a14b8d5009
SHA512 eb55d06a17b7b0246998702f2e1a10c5358b1b168f914cf134e277166b18c7a7fe5522ee82e3bb2318fb16c341fcbe75e827e3e8588a590e9a701f3dcc95fb3e

memory/1128-80-0x00000000001E0000-0x00000000001E7000-memory.dmp

memory/1128-81-0x0000000140000000-0x0000000140243000-memory.dmp

memory/1128-84-0x0000000140000000-0x0000000140243000-memory.dmp

\Users\Admin\AppData\Local\FlV\msdtc.exe

MD5 de0ece52236cfa3ed2dbfc03f28253a8
SHA1 84bbd2495c1809fcd19b535d41114e4fb101466c
SHA256 2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3
SHA512 69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

C:\Users\Admin\AppData\Local\FlV\VERSION.dll

MD5 d0a3fe1239c5ba7c765ac465e0c342a3
SHA1 77051a7c75f5aee21b7af9c42d4afc50205318a6
SHA256 d449eb4f1b890e87e4f72601b29a1d4d0e7696e0cc7ffbc7fc7fd289eeffc16a
SHA512 55fe2e1acf4aef29208c26c88aa59d3d7de9572648bef9908ec0e8cc41f2dfd906be6871c357fae8f23c1991c86f0264fcb3db86b95fcd8d311a56d811bf26f0

memory/2720-98-0x0000000000100000-0x0000000000107000-memory.dmp

C:\Users\Admin\AppData\Local\UF4WweA3\VERSION.dll

MD5 ba1bc5ffd01164de91f58dde61f10e57
SHA1 d07b87ab1ac58254ffa46f6d4a3f23a7b15bb0f2
SHA256 a68f88ee25822de08a572832792a8f04ae1c620a1d6bc7eb9f065ec3f7be14e0
SHA512 24d334e80e325bf07fea6f7d5255201f347850db4eb0ab1636876edbcdf8beae63f2b2d46afeaa1923afab2dbbfb78e8e459a87be3161cecd33091c42633af52

C:\Users\Admin\AppData\Local\UF4WweA3\MpSigStub.exe

MD5 2e6bd16aa62e5e95c7b256b10d637f8f
SHA1 350be084477b1fe581af83ca79eb58d4defe260f
SHA256 d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3
SHA512 1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

\Users\Admin\AppData\Local\UF4WweA3\VERSION.dll

MD5 0d71b5a6cf4bc84aa5dc06f54f75cf77
SHA1 f01230eeb0642f96996f356e96324a954386ecf7
SHA256 ad2d2f35f02032e8c724d5d9fc7504173da6800b3cc2993c8fd475a7f903c9af
SHA512 8ded726be51c4dd55e585fe209331b9646dbe1c65136f786aad545033aa8caeee7d2aeea15e975b40a7d0f5aef8c3c241512c4df4eefb2529e0951faaa89a31e

memory/1972-117-0x0000000000080000-0x0000000000087000-memory.dmp

memory/1380-140-0x0000000077296000-0x0000000077297000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 ba86586fb4cb068453cff1d9bd7544bc
SHA1 26ae954873c91a2f638396f38d97890e6af47002
SHA256 fffac85c94653590cfb8c81a3c1948892a70ec407eff57a5847d4f9815f2060f
SHA512 bf17b2b75aaa023691f340d87b3a770d451575b5f7f3f4af780a328cb7a3f383ddd962fcbb1ef09e08ce8cdbe0a92685b864f0ee4a04532337880b4d00cbdd03

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\iInC32Kqdw\VERSION.dll

MD5 a2942db9ba7a676f868f230deb21a4fb
SHA1 891a816fab4bc1ba828d925c0b8a70880a3d5d97
SHA256 281da5fe25743c08d4935ac138b8c51dc90d648a074dfcbc388f06756a8098db
SHA512 8a165b8636882f1a7cc7781575287219e7b4befcc28a289ef27b6804e1105e5346bf9955cbc9221f1491c4a52c39102b2c289c034812cdb6744615e85858929e

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 00:05

Reported

2023-12-30 19:25

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\07f8db3e8548a97ebcd2326f317cdb7f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\jg6reDzxb\\osk.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\PdNt\rdpclip.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\VRTSJxrh\osk.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\EH4G9b1\CloudNotifications.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A (58 identical rows)

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3348 wrote to memory of 2160 N/A N/A C:\Windows\system32\rdpclip.exe
PID 3348 wrote to memory of 2160 N/A N/A C:\Windows\system32\rdpclip.exe
PID 3348 wrote to memory of 1872 N/A N/A C:\Users\Admin\AppData\Local\PdNt\rdpclip.exe
PID 3348 wrote to memory of 1872 N/A N/A C:\Users\Admin\AppData\Local\PdNt\rdpclip.exe
PID 3348 wrote to memory of 3848 N/A N/A C:\Windows\system32\osk.exe
PID 3348 wrote to memory of 3848 N/A N/A C:\Windows\system32\osk.exe
PID 3348 wrote to memory of 4952 N/A N/A C:\Users\Admin\AppData\Local\VRTSJxrh\osk.exe
PID 3348 wrote to memory of 4952 N/A N/A C:\Users\Admin\AppData\Local\VRTSJxrh\osk.exe
PID 3348 wrote to memory of 3612 N/A N/A C:\Windows\system32\CloudNotifications.exe
PID 3348 wrote to memory of 3612 N/A N/A C:\Windows\system32\CloudNotifications.exe
PID 3348 wrote to memory of 1048 N/A N/A C:\Users\Admin\AppData\Local\EH4G9b1\CloudNotifications.exe
PID 3348 wrote to memory of 1048 N/A N/A C:\Users\Admin\AppData\Local\EH4G9b1\CloudNotifications.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\07f8db3e8548a97ebcd2326f317cdb7f.dll,#1

C:\Windows\system32\rdpclip.exe

C:\Windows\system32\rdpclip.exe

C:\Users\Admin\AppData\Local\VRTSJxrh\osk.exe

C:\Users\Admin\AppData\Local\VRTSJxrh\osk.exe

C:\Windows\system32\CloudNotifications.exe

C:\Windows\system32\CloudNotifications.exe

C:\Users\Admin\AppData\Local\EH4G9b1\CloudNotifications.exe

C:\Users\Admin\AppData\Local\EH4G9b1\CloudNotifications.exe

C:\Windows\system32\osk.exe

C:\Windows\system32\osk.exe

C:\Users\Admin\AppData\Local\PdNt\rdpclip.exe

C:\Users\Admin\AppData\Local\PdNt\rdpclip.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3340-0-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3340-2-0x0000019514DD0000-0x0000019514DD7000-memory.dmp

memory/3348-4-0x0000000002B10000-0x0000000002B11000-memory.dmp

memory/3340-7-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-6-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-13-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-19-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-25-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-31-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-37-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-42-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-46-0x0000000000DD0000-0x0000000000DD7000-memory.dmp

memory/3348-43-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-52-0x00007FF8350A0000-0x00007FF8350B0000-memory.dmp

memory/3348-51-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-41-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-61-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-63-0x0000000140000000-0x0000000140242000-memory.dmp

memory/1872-72-0x000001C8F5420000-0x000001C8F5427000-memory.dmp

memory/1872-78-0x0000000140000000-0x0000000140243000-memory.dmp

memory/1872-73-0x0000000140000000-0x0000000140243000-memory.dmp

memory/4952-89-0x000001BCB2CC0000-0x000001BCB2CC7000-memory.dmp

memory/4952-95-0x0000000140000000-0x0000000140243000-memory.dmp

memory/1048-108-0x000001994F3B0000-0x000001994F3B7000-memory.dmp

memory/3348-40-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-39-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-38-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-36-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-35-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-34-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-33-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-32-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-30-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-29-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-28-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-27-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-26-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-24-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-23-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-22-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-21-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-20-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-18-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-17-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-16-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-15-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-14-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-12-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-11-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-10-0x0000000140000000-0x0000000140242000-memory.dmp

memory/3348-9-0x00007FF8344EA000-0x00007FF8344EB000-memory.dmp

memory/3348-8-0x0000000140000000-0x0000000140242000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk

MD5 de962b137558e331a771a09f7fcd1248
SHA1 2b7c719239bcbd4581983a9b0ec397e7b7a6dc4e
SHA256 0b4ac9b54c098a1c37c45cd2ebac9e01ddd635124a8c458d02a97f15ad885067
SHA512 1a3e443b0129562f9332aaa7f29c7e868006735983a86bca40c8ebdd30e227bfbdb96eedb7684ea23557258ce4cde177065340de3121485e1f1ce96c31a45a91

C:\Users\Admin\AppData\Roaming\Sun\Java\Deployment\J9rIJvBSSo\WTSAPI32.dll

MD5 85f0c271dfc818b8ea34c69007561f81
SHA1 7cbbaa21fc7492f9164a1d26dcb340ba0925ee3c
SHA256 bf4cf080166fc875831d9bd45ff27429462932ace0eb10169d95be4e3f639bdc
SHA512 9e2942eb2ff8d6e80ccaee8c48487ea511ad4ae778b17c34ff0d2bf33e1f6185bd9779bb09778114bbb4453477757c8c266f4eb36c78864c9d70e18a428a564c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\jg6reDzxb\OLEACC.dll

MD5 18a0faa44c32e8f7e7d8e0dd7a3803ad
SHA1 a3a61e46d49c9fb71efecb555258a3a447da1794
SHA256 fb5d53ca901b9e10a0f2e8502572fc4ca965d682ae4293220bf8085d2157646f
SHA512 ac06edb3fdc12464567230f5872860096fd003ff205b876d2f4085d69fee0a0d7deb45ef6388c3fc435d2bcf3e60815f6d56eb77d9ec88d644ff888f5c9772b3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\8XUF4\UxTheme.dll

MD5 076724837788396fee43a0bb7d57d642
SHA1 c290d542c3c5dab79bb54b91dd2ef4ceb21b0425
SHA256 1b90e42367f2e17b50a5dd0f191422fd6cee93d90957f449a7ac03a5c97e9e3d
SHA512 17d5f8d1b2e84eed717b5638adcd331ccc49fe30357d35f6fd78d391806f52daa3e140f8fe369ef5e101418aff0e4b30b40f12841e5835d11cb4664b17c6c5a0