Malware Analysis Report

2024-11-30 21:30

Sample ID: 231230-pbvd6sgec9
Target: 1815b979e3f5aa2374ec14a6b4af6f17
SHA256: 9f22fb5dff891afceb79e39f45f87f122cde85dc48177a7510886d2834fa4b94
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 9f22fb5dff891afceb79e39f45f87f122cde85dc48177a7510886d2834fa4b94

Threat Level: Known bad

The file 1815b979e3f5aa2374ec14a6b4af6f17 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-30 12:09

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-30 12:09

Reported: 2024-01-03 10:19

Platform: win10v2004-20231215-en

Max time kernel: 188s

Max time network: 203s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1815b979e3f5aa2374ec14a6b4af6f17.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\UAUJJW~1\\upfc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\NCK\BitLockerWizard.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Qa8VDQg\upfc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\26KBJdOJt\sessionmsg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3428 wrote to memory of 3996 N/A N/A C:\Windows\system32\BitLockerWizard.exe
PID 3428 wrote to memory of 3996 N/A N/A C:\Windows\system32\BitLockerWizard.exe
PID 3428 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\NCK\BitLockerWizard.exe
PID 3428 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\NCK\BitLockerWizard.exe
PID 3428 wrote to memory of 4412 N/A N/A C:\Windows\system32\upfc.exe
PID 3428 wrote to memory of 4412 N/A N/A C:\Windows\system32\upfc.exe
PID 3428 wrote to memory of 4128 N/A N/A C:\Users\Admin\AppData\Local\Qa8VDQg\upfc.exe
PID 3428 wrote to memory of 4128 N/A N/A C:\Users\Admin\AppData\Local\Qa8VDQg\upfc.exe
PID 3428 wrote to memory of 3688 N/A N/A C:\Windows\system32\sessionmsg.exe
PID 3428 wrote to memory of 3688 N/A N/A C:\Windows\system32\sessionmsg.exe
PID 3428 wrote to memory of 1032 N/A N/A C:\Users\Admin\AppData\Local\26KBJdOJt\sessionmsg.exe
PID 3428 wrote to memory of 1032 N/A N/A C:\Users\Admin\AppData\Local\26KBJdOJt\sessionmsg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1815b979e3f5aa2374ec14a6b4af6f17.dll,#1

C:\Windows\system32\BitLockerWizard.exe

C:\Users\Admin\AppData\Local\NCK\BitLockerWizard.exe

C:\Windows\system32\upfc.exe

C:\Users\Admin\AppData\Local\Qa8VDQg\upfc.exe

C:\Windows\system32\sessionmsg.exe

C:\Users\Admin\AppData\Local\26KBJdOJt\sessionmsg.exe

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\NCK\BitLockerWizard.exe

MD5 6d30c96f29f64b34bc98e4c81d9b0ee8
SHA1 4a3adc355f02b9c69bdbe391bfb01469dee15cf0
SHA256 7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74
SHA512 25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

C:\Users\Admin\AppData\Local\NCK\FVEWIZ.dll

MD5 1912212ac0003ffb4be57bff93c95e42
SHA1 bf1063ec0b9abb61657c0f942995da0a4362e68c
SHA256 d70ec282dd5a27dac1ace21d35f56fd6aa0da43b529de141b2bf90a62f19ea14
SHA512 653d0b3e43f737362fa03d2f42944443fda56586bf978b9b1faef4280ec5eafc17c7a0c748678152ddedc04648b586773262fbc57e97cc9bc5f971883e50d040

C:\Users\Admin\AppData\Local\Qa8VDQg\upfc.exe

MD5 299ea296575ccb9d2c1a779062535d5c
SHA1 2497169c13b0ba46a6be8a1fe493b250094079b7
SHA256 ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2
SHA512 02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

C:\Users\Admin\AppData\Local\Qa8VDQg\XmlLite.dll

MD5 c59f3220a516970f4853a466ef85f58f
SHA1 95faf63709e558dd40fd70b498b8f44cd3b0e5fd
SHA256 450b23935c2469ec3ce597f45c1782cc178a9c1d62740048bd2e7e149edee502
SHA512 80c49f7317746f724f78a39092fdc8e122e3c3b1f448011a3d50eaf8d838a29cc94d5d523e2ba2c1d0707ff7d9159da5d12c49ed2f4734cb08ec3e0b7d409990

C:\Users\Admin\AppData\Local\26KBJdOJt\sessionmsg.exe

MD5 480f710806b68dfe478ca1ec7d7e79cc
SHA1 b4fc97fed2dbff9c4874cb65ede7b50699db37cd
SHA256 2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc
SHA512 29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

C:\Users\Admin\AppData\Local\26KBJdOJt\DUI70.dll

MD5 045bf05961082dc6cf8f1869102d9d9f
SHA1 6a8092da09476bf03fd6f14e66b502fcef9936a4
SHA256 90e7f49ffaff141a1e0c38858815e0f641f26e6357cb41a0265c23034867cf99
SHA512 9e0b83d354af869a74c5529c647adc179d38d7342e1af23541bfaf667e81ba058a3587b6e2b9ef1fe44342207184b1b80708823d7637e6ff98830e8159951ad5

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

MD5 b31e21cd83dc2e91b20881b7c18c3422
SHA1 84a0da7a6325a1c3543e9fffd317ee65677bf53f
SHA256 c1c393abdd057638da47fd8a063c7408f8deadfda559b6fedbf64edd389db0d3
SHA512 ec190eed344a54898fb958eaad7c059bccd1835e95b24000221309c5cda7925dc047c157eea5ab7f9cc118d949efef951b0108f7a3be4cb5bfeba03c4c8b852f

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-30 12:09

Reported: 2024-01-03 10:19

Platform: win7-20231215-en

Max time kernel: 151s

Max time network: 126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1815b979e3f5aa2374ec14a6b4af6f17.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\DGESs1\rekeywiz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\VTbD1Spr\Dxpserver.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ju3dN\wusa.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\p4x\\Dxpserver.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\DGESs1\rekeywiz.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\VTbD1Spr\Dxpserver.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ju3dN\wusa.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1252 wrote to memory of 2596 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1252 wrote to memory of 2596 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1252 wrote to memory of 2596 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1252 wrote to memory of 2648 N/A N/A C:\Users\Admin\AppData\Local\DGESs1\rekeywiz.exe
PID 1252 wrote to memory of 2648 N/A N/A C:\Users\Admin\AppData\Local\DGESs1\rekeywiz.exe
PID 1252 wrote to memory of 2648 N/A N/A C:\Users\Admin\AppData\Local\DGESs1\rekeywiz.exe
PID 1252 wrote to memory of 680 N/A N/A C:\Windows\system32\Dxpserver.exe
PID 1252 wrote to memory of 680 N/A N/A C:\Windows\system32\Dxpserver.exe
PID 1252 wrote to memory of 680 N/A N/A C:\Windows\system32\Dxpserver.exe
PID 1252 wrote to memory of 476 N/A N/A C:\Users\Admin\AppData\Local\VTbD1Spr\Dxpserver.exe
PID 1252 wrote to memory of 476 N/A N/A C:\Users\Admin\AppData\Local\VTbD1Spr\Dxpserver.exe
PID 1252 wrote to memory of 476 N/A N/A C:\Users\Admin\AppData\Local\VTbD1Spr\Dxpserver.exe
PID 1252 wrote to memory of 2556 N/A N/A C:\Windows\system32\wusa.exe
PID 1252 wrote to memory of 2556 N/A N/A C:\Windows\system32\wusa.exe
PID 1252 wrote to memory of 2556 N/A N/A C:\Windows\system32\wusa.exe
PID 1252 wrote to memory of 1780 N/A N/A C:\Users\Admin\AppData\Local\ju3dN\wusa.exe
PID 1252 wrote to memory of 1780 N/A N/A C:\Users\Admin\AppData\Local\ju3dN\wusa.exe
PID 1252 wrote to memory of 1780 N/A N/A C:\Users\Admin\AppData\Local\ju3dN\wusa.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1815b979e3f5aa2374ec14a6b4af6f17.dll,#1

C:\Windows\system32\rekeywiz.exe

C:\Users\Admin\AppData\Local\DGESs1\rekeywiz.exe

C:\Windows\system32\Dxpserver.exe

C:\Users\Admin\AppData\Local\VTbD1Spr\Dxpserver.exe

C:\Windows\system32\wusa.exe

C:\Users\Admin\AppData\Local\ju3dN\wusa.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\DGESs1\rekeywiz.exe

MD5 767c75767b00ccfd41a547bb7b2adfff
SHA1 91890853a5476def402910e6507417d400c0d3cb
SHA256 bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395
SHA512 f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

C:\Users\Admin\AppData\Local\DGESs1\slc.dll

MD5 76ea8842257344c36a8785ddf6f1c340
SHA1 66198d336772abede5414905831fbc87635d252e
SHA256 b0d92ce2c9cc9fc1b7222d49a7ecd16ce28de9e9043a233da393409bf7481d38
SHA512 29b8a09649100f73f20f1434a08e2e8e534fc80be928e2d352922438a58f710a0df12588006ef02854b2d91fd39b228b836fbcaf7e949bd12f74a465d8338a78

\Users\Admin\AppData\Local\DGESs1\slc.dll

MD5 7b55d333aa79b57aafa8d293375b0729
SHA1 a6d66f8624999145fbc92c5c0d23ade2336f9e12
SHA256 98fbd83d80c021a79f79919d98037f6b7bf9b444c941b98bbd3b8267c0ff0e29
SHA512 09865a7f367859b4998daad4f3009415df4e3d9bf2ee53dc69beab10e1db73d7eae71230cc8fe6a8acf943773dca04dba6db473e89b32586a64749b27f08518a

C:\Users\Admin\AppData\Local\DGESs1\rekeywiz.exe

MD5 46be58d354b059f89c1e9b21a7b7ec73
SHA1 98f2fbc346473a3e07e40709e5f072e3a455c374
SHA256 cae39c7d7febeb6f35301c07cda4785bf2026c869fd2071b16e61f03c3865dbf
SHA512 6e2dde8fc72dbbe34610ed0a8eaf06547f38d02bc6bfadd2ef754176dffad60e04705abc5dd6f6b08516e9a42eb00051b55003da0b7e635ee886709cb499cb5d

\Users\Admin\AppData\Local\VTbD1Spr\Dxpserver.exe

MD5 4d38389fb92e43c77a524fd96dbafd21
SHA1 08014e52f6894cad4f1d1e6fc1a703732e9acd19
SHA256 070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73
SHA512 02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

C:\Users\Admin\AppData\Local\VTbD1Spr\dwmapi.dll

MD5 e14413a3dd2ced61a2d6b0ba6672d3ac
SHA1 9939fc434dff5bcd2f5709d0c1f6aa726545ce39
SHA256 f54ae71506259d49a3f129cf70efe08e114407543dee214c14f403a719ce288c
SHA512 642813bdf44244c88bf16d0f5cee034adff80a92fde642944721c16731f8137fb520a217a507489a9bfe9066d906fcc6317d1782d3645373045396a3a6c9a677

\Users\Admin\AppData\Local\ju3dN\wusa.exe

MD5 c15b3d813f4382ade98f1892350f21c7
SHA1 a45c5abc6751bc8b9041e5e07923fa4fc1b4542b
SHA256 8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3
SHA512 6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

C:\Users\Admin\AppData\Local\ju3dN\dpx.dll

MD5 0f15c7e045841d608563ff8d44b32c47
SHA1 b76c2e929b7d7a97bea431e7e2b4c0c6745af1e4
SHA256 4ecd652f474dc5207349c939f9595edf8cd56b89215c97133d2c5b7d261f36e1
SHA512 ebbe6c3e8b9279335fd38974020bb41103803d936faa46c4e300ff0f03739ce3dd764d48d359fcc1a8a0aa6f19070cb34bcdd54f3ed2ccfe38c0a02134bd6995

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

MD5 bb9c5894273397ccf797545530ea67fb
SHA1 b410c9172536006e873b22cee5b06ea94a564919
SHA256 2aed50ec39f087c6a6715195ab591ecf1465d76c59080b36e2193829dc078f61
SHA512 36ed6cecf6d02a966f4c22366e687d48a56f686179151679e7bf5dafb4b851c823f5778ad604c7eda8e175fe7a5c593dc310457c3d253925905bf282223b562b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Po4j8\slc.dll

MD5 e738ca31e7c3a6a45b9415814abd414e
SHA1 f010c6c58cc03289b4079bca5709d8fb935776d1
SHA256 8b38dd9db8d1a238f348cf4de4fa17a2022853cd7457ecf436ceae78a601db96
SHA512 d4328c9f70ae44b583f1a290835f4064fd3738f5488bbaa8524e3e5afa6ebf91067d9a73a2418d465038cdee905922c77dd10f0db1d9abddf88f104cd2c19f63