Malware Analysis Report

2024-11-30 21:30

Sample ID 231231-flstnagehm
Target 2915f0ee3b4358c235bd91e7e90325c5
SHA256 99c03fb6a99ac38d78f5c1e853acae759e8cbefdf160e7257c8f3fcbb74ccf4e
Tags dridex botnet evasion payload persistence trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 99c03fb6a99ac38d78f5c1e853acae759e8cbefdf160e7257c8f3fcbb74ccf4e

Threat Level: Known bad

The file 2915f0ee3b4358c235bd91e7e90325c5 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex payload

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 04:58

Signatures

Unsigned PE

Description Indicator Process Target
(1 row; no details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 04:58

Reported

2024-01-02 06:40

Platform

win7-20231129-en

Max time kernel

100s

Max time network

117s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2915f0ee3b4358c235bd91e7e90325c5.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
(1 row; no details recorded)

Dridex payload

botnet payload
Description Indicator Process Target
(10 rows; no details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\sLKsq\eudcedit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\cQO3Xxe\SystemPropertiesHardware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\qNd\iexpress.exe N/A
(4 further rows with no process recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\adPKG4Oi\\SystemPropertiesHardware.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\sLKsq\eudcedit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\cQO3Xxe\SystemPropertiesHardware.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\qNd\iexpress.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (3 rows)
N/A N/A C:\Users\Admin\AppData\Local\sLKsq\eudcedit.exe N/A (2 rows)
(59 further rows with no process recorded)

Suspicious use of WriteProcessMemory

PID 1360 is the writer in every row. The Processes section gives no PIDs, so which image PID 1360 is cannot be read from this report; its dumped regions appear in the Files section as memory/1360-*. For each binary the writes go first to the original System32 image and then to the copy of the same name under AppData\Local. Three identical rows per target are collapsed below.
Description Indicator Process Target
PID 1360 wrote to memory of 2700 (3 rows) N/A N/A C:\Windows\system32\eudcedit.exe
PID 1360 wrote to memory of 2736 (3 rows) N/A N/A C:\Users\Admin\AppData\Local\sLKsq\eudcedit.exe
PID 1360 wrote to memory of 2532 (3 rows) N/A N/A C:\Windows\system32\SystemPropertiesHardware.exe
PID 1360 wrote to memory of 1084 (3 rows) N/A N/A C:\Users\Admin\AppData\Local\cQO3Xxe\SystemPropertiesHardware.exe
PID 1360 wrote to memory of 2844 (3 rows) N/A N/A C:\Windows\system32\iexpress.exe
PID 1360 wrote to memory of 792 (3 rows) N/A N/A C:\Users\Admin\AppData\Local\qNd\iexpress.exe

Uses Task Scheduler COM API

persistence

Processes

Image Command line
C:\Windows\system32\rundll32.exe rundll32.exe C:\Users\Admin\AppData\Local\Temp\2915f0ee3b4358c235bd91e7e90325c5.dll,#1
C:\Windows\system32\eudcedit.exe C:\Windows\system32\eudcedit.exe
C:\Users\Admin\AppData\Local\sLKsq\eudcedit.exe C:\Users\Admin\AppData\Local\sLKsq\eudcedit.exe
C:\Users\Admin\AppData\Local\cQO3Xxe\SystemPropertiesHardware.exe C:\Users\Admin\AppData\Local\cQO3Xxe\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe C:\Windows\system32\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\qNd\iexpress.exe C:\Users\Admin\AppData\Local\qNd\iexpress.exe
C:\Windows\system32\iexpress.exe C:\Windows\system32\iexpress.exe

Network

N/A

Files

memory/2376-1-0x0000000140000000-0x000000014011B000-memory.dmp

memory/2376-0-0x0000000000420000-0x0000000000427000-memory.dmp

memory/1360-3-0x0000000077036000-0x0000000077037000-memory.dmp

memory/1360-4-0x0000000002B20000-0x0000000002B21000-memory.dmp

memory/1360-11-0x0000000140000000-0x000000014011B000-memory.dmp

memory/1360-12-0x0000000140000000-0x000000014011B000-memory.dmp

memory/1360-15-0x0000000002B00000-0x0000000002B07000-memory.dmp

memory/1360-24-0x00000000772D0000-0x00000000772D2000-memory.dmp

memory/1360-23-0x00000000772A0000-0x00000000772A2000-memory.dmp

memory/1360-33-0x0000000140000000-0x000000014011B000-memory.dmp

memory/1360-34-0x0000000140000000-0x000000014011B000-memory.dmp

memory/1360-22-0x0000000140000000-0x000000014011B000-memory.dmp

memory/1360-13-0x0000000140000000-0x000000014011B000-memory.dmp

memory/1360-10-0x0000000140000000-0x000000014011B000-memory.dmp

memory/1360-9-0x0000000140000000-0x000000014011B000-memory.dmp

memory/1360-8-0x0000000140000000-0x000000014011B000-memory.dmp

memory/1360-7-0x0000000140000000-0x000000014011B000-memory.dmp

memory/1360-6-0x0000000140000000-0x000000014011B000-memory.dmp

memory/2376-42-0x0000000140000000-0x000000014011B000-memory.dmp

\Users\Admin\AppData\Local\sLKsq\eudcedit.exe

MD5 cff7f28cc5ba69ca3bd61b638859c062
SHA1 372ed738ed7fe53280ed80decd688a01a772c911
SHA256 a1a6d39268bec44ecb5d4f2cf29c82e2e19fbb4e30243bd9c65410670a8058e3
SHA512 e361e7b39bd113b49705a9ab93ecf0bba391077ec27cc3444fc15788340bac054369a61f9b1f2572d4da690488f06822aabffcf4cff8fca6e50b9258c0b1a2d9

C:\Users\Admin\AppData\Local\sLKsq\eudcedit.exe

MD5 c6d856dd0577d4752a724614437a0e49
SHA1 61580e8df03e2582f70722c1a45e0cbe28b47c48
SHA256 5ce52e878505e4f53ee1525cbe17f1c4e4a177a01844f13fba5463b5fe2478f2
SHA512 56f7a5f12f8e580471ff970808c6285f1a514149b30e1ad50e872d99bcf21fd67952752945c1c255233aa6c8d38f731a196d8ac70284e4da7fe4a7cf801df2c7

C:\Users\Admin\AppData\Local\sLKsq\MFC42u.dll

MD5 bf9aae01b072df34060548afd5aa0c31
SHA1 565e507455ea5c805dfd7e2d0c2b745d4b9e75df
SHA256 d75b7e3dfa81db854b11d26a105bbfc92da29fe8070dcc420c1d0acba5cbbe02
SHA512 5f863c33f525160267e2f3eeb0f5072ff4b55d94881fe420711d20035546498134397574bc73a01be4869781c4b786b34b6bd5a13805aea12a1913088c74232d

memory/2736-52-0x0000000000100000-0x0000000000107000-memory.dmp

memory/2736-55-0x0000000140000000-0x0000000140122000-memory.dmp

memory/2736-50-0x0000000140000000-0x0000000140122000-memory.dmp

\Users\Admin\AppData\Local\sLKsq\MFC42u.dll

MD5 054a76f4c99be583e201604594fa18fc
SHA1 7fe47692f9ec5d168abce1466ff609fc17bcff36
SHA256 14ed63d092856faeb0c7d83b56e6b2f3a86599e2600b76bd42f1c976d78f29f6
SHA512 25f1414ea790a832751b8e854772c802630e17c9692e96576f34e08390cadf81ec21dd81b941a87048f2ca0f62eb616d1eb67b5e3c7abe6a9eb29ce8aea40a67

memory/1084-70-0x0000000140000000-0x000000014011C000-memory.dmp

memory/1084-67-0x0000000140000000-0x000000014011C000-memory.dmp

memory/1360-73-0x0000000077036000-0x0000000077037000-memory.dmp

memory/792-87-0x0000000140000000-0x000000014011C000-memory.dmp

memory/792-85-0x0000000000510000-0x0000000000517000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\R0jSX2\iexpress.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These four values are the digests of zero-length input: the file was captured before any content had been written to it, so they identify an empty file, not this copy of iexpress.exe, and must not be used as indicators.)

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk

MD5 d9fb5e7b648535d2e99cf722e6e77748
SHA1 3212a94fd66f0e3893e47bc1858213ecfa4fb8ad
SHA256 1dee7db558463566ef79f9b2e92fbc4f14f006837541c1fdd83bc14089d27a36
SHA512 2664a45064234398a269995c9075ab180158788e266579f9bd62dc7210698bf4f32bb0c8fd143d6725904b4f1e46499376b084727871bbd40b33649b4f6a05fe

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\I7aE6YfyTc\MFC42u.dll

MD5 ed6a3d3aa37d236b35d7a1808155ac08
SHA1 d7d7968ee0e29bdde351402b053972228894b0ca
SHA256 9d5d4dab3d3eff61b3e3eff51c028213ddf29434982eae2115277acafccf9829
SHA512 ec69dad3e064c1cb866359ff5eb8e74bc003e50307ac595101e698c0ca7879129e7437104ede4cac28736c88f708235801037f05ad7beb7db56b77784e07f8f6

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\adPKG4Oi\SYSDM.CPL

MD5 174039bc2a2fc970320a0ac71b3118ab
SHA1 cf47a2b4caccfd882465ffbd2b337b56551b7c73
SHA256 23c90d02685a7bbb1a3bd25d9e659d1e7aa363f811a170dc9c6f73b2fa6c742f
SHA512 4cf26d3488cdc0ac1a28f8fc79fa1b39f4f34660e637ea7e4bb52606a82e58d0197f8bb59353b41d9a16fa0a3a88dae491e1eb20c332ef7c02110825255c4b9b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\R0jSX2\VERSION.dll

MD5 17fdc10fd740ca5e7f830dd1ca5ab3c7
SHA1 38e8011d60a734ebbadf5c8e5536613841bc93a4
SHA256 e801467781ba7c4fa6ef3fa87ea7060721f965a511f51b8ef1eb74fbdaa64c83
SHA512 60e1cbf7777120b4691140c39ff1d23e3c0f4c2d3376f61e5fb4a93251f71a31583f251aa947f2cbbb164e41e699c1a1336f4541af2e1c40bda586cea44c063d
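The memory dump names in the Files sections of both detonations encode the PID, a sequence number and the dumped address range. The script below is an added example and not part of this report: it parses those names and groups the regions per run, so that the large image at base 0x140000000 can be followed from the rundll32 processes into each of the side-loaded copies. The DUMPS data is constructed from the listing above and from the behavioral2 listing further down (one entry per PID and region; PIDs are only comparable within one run), and the 1 MiB size threshold is an assumption.

```python
"""Group the memory-dump names in this report by mapped region.

Added example, not part of the sandbox report. The Files sections name
dumps as memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp; grouping by
(start, size) per detonation shows which processes hold the same image.
DUMPS is constructed from both runs' listings (PIDs are only meaningful
within one run); the min_size cut-off is an assumption.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump(name):
    """-> (pid, seq, start, end) or None for names that are not dump files."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def regions_by_pid(names):
    """{(start, size): [pids]} over every distinct region dumped in one run."""
    out = defaultdict(set)
    for name in names:
        parsed = parse_dump(name)
        if parsed:
            pid, _, start, end = parsed
            out[(start, end - start)].add(pid)
    return {k: sorted(v) for k, v in out.items()}


def shared_images(names, min_size=0x100000):
    """Regions of at least min_size present in more than one process: the
    injected image rather than per-process scratch buffers."""
    return {k: pids for k, pids in regions_by_pid(names).items()
            if k[1] >= min_size and len(pids) > 1}


# Constructed from the report (one entry per PID/region; the repeated
# per-sequence dumps of the same region add nothing here).
DUMPS = {
    "behavioral1": [
        "memory/2376-0-0x0000000000420000-0x0000000000427000-memory.dmp",
        "memory/2376-1-0x0000000140000000-0x000000014011B000-memory.dmp",
        "memory/1360-11-0x0000000140000000-0x000000014011B000-memory.dmp",
        "memory/1360-15-0x0000000002B00000-0x0000000002B07000-memory.dmp",
        "memory/2736-55-0x0000000140000000-0x0000000140122000-memory.dmp",
        "memory/1084-70-0x0000000140000000-0x000000014011C000-memory.dmp",
        "memory/792-87-0x0000000140000000-0x000000014011C000-memory.dmp",
    ],
    "behavioral2": [
        "memory/4692-1-0x0000000140000000-0x000000014011B000-memory.dmp",
        "memory/3320-6-0x0000000140000000-0x000000014011B000-memory.dmp",
        "memory/1128-43-0x0000000140000000-0x000000014011C000-memory.dmp",
        "memory/2856-64-0x0000000140000000-0x000000014011C000-memory.dmp",
        "memory/1308-80-0x0000000140000000-0x000000014011C000-memory.dmp",
    ],
}


def report():
    """{run: {(start, size): [pids]}} for the shared large regions in each run."""
    return {run: shared_images(names) for run, names in DUMPS.items()}


if __name__ == "__main__":
    for run, regions in report().items():
        for (start, size), pids in regions.items():
            print(f"{run}: base 0x{start:X} size 0x{size:X} in PIDs {pids}")
```

On this report the 0x11B000-byte image is shared by the two rundll32-side PIDs in each run, while every side-loaded copy carries a 0x11C000-byte mapping at the same base (eudcedit.exe in behavioral1 a 0x122000-byte one); the per-PID 0x7000-byte regions fall below the threshold and are ignored.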

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 04:58

Reported

2024-01-02 06:40

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2915f0ee3b4358c235bd91e7e90325c5.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
(1 row; no details recorded)

Dridex payload

botnet payload
Description Indicator Process Target
(8 rows; no details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\Recent\\bA7KFlHrF\\DWWIN.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\RuyVVGcW\GamePanel.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\i90hdLE3\DWWIN.EXE N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\klNmO1\MoUsoCoreWorker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (4 rows)
(60 further rows with no process recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A (4 rows)
Token: SeCreatePagefilePrivilege N/A N/A N/A (4 rows)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
(2 rows; no details recorded)

Suspicious use of WriteProcessMemory

PID 3320 is the writer in every row; as in behavioral1 the Processes section gives no PIDs, so its image cannot be read from this report (its dumped regions appear in the Files section as memory/3320-*). For each binary the writes go first to the original System32 image and then to the copy under AppData\Local. Two identical rows per target are collapsed below.
Description Indicator Process Target
PID 3320 wrote to memory of 4640 (2 rows) N/A N/A C:\Windows\system32\GamePanel.exe
PID 3320 wrote to memory of 1128 (2 rows) N/A N/A C:\Users\Admin\AppData\Local\RuyVVGcW\GamePanel.exe
PID 3320 wrote to memory of 4360 (2 rows) N/A N/A C:\Windows\system32\DWWIN.EXE
PID 3320 wrote to memory of 2856 (2 rows) N/A N/A C:\Users\Admin\AppData\Local\i90hdLE3\DWWIN.EXE
PID 3320 wrote to memory of 2388 (2 rows) N/A N/A C:\Windows\system32\MoUsoCoreWorker.exe
PID 3320 wrote to memory of 1308 (2 rows) N/A N/A C:\Users\Admin\AppData\Local\klNmO1\MoUsoCoreWorker.exe

Uses Task Scheduler COM API

persistence

Processes

Image Command line
C:\Windows\system32\rundll32.exe rundll32.exe C:\Users\Admin\AppData\Local\Temp\2915f0ee3b4358c235bd91e7e90325c5.dll,#1
C:\Windows\system32\GamePanel.exe C:\Windows\system32\GamePanel.exe
C:\Users\Admin\AppData\Local\RuyVVGcW\GamePanel.exe C:\Users\Admin\AppData\Local\RuyVVGcW\GamePanel.exe
C:\Windows\system32\DWWIN.EXE C:\Windows\system32\DWWIN.EXE
C:\Users\Admin\AppData\Local\i90hdLE3\DWWIN.EXE C:\Users\Admin\AppData\Local\i90hdLE3\DWWIN.EXE
C:\Windows\system32\MoUsoCoreWorker.exe C:\Windows\system32\MoUsoCoreWorker.exe
C:\Users\Admin\AppData\Local\klNmO1\MoUsoCoreWorker.exe C:\Users\Admin\AppData\Local\klNmO1\MoUsoCoreWorker.exe

Network

The report does not attribute any of these rows to a process. Only one destination has no resolved domain (52.142.223.178:80); the remaining rows are reverse-DNS lookups sent to 8.8.8.8 and connections to tse1.mm.bing.net.
Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/4692-1-0x0000000140000000-0x000000014011B000-memory.dmp

memory/4692-0-0x00000245B7230000-0x00000245B7237000-memory.dmp

memory/3320-3-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/3320-5-0x00007FF9B4BCA000-0x00007FF9B4BCB000-memory.dmp

memory/3320-6-0x0000000140000000-0x000000014011B000-memory.dmp

memory/3320-7-0x0000000140000000-0x000000014011B000-memory.dmp

memory/3320-8-0x0000000140000000-0x000000014011B000-memory.dmp

memory/3320-9-0x0000000140000000-0x000000014011B000-memory.dmp

memory/3320-10-0x0000000140000000-0x000000014011B000-memory.dmp

memory/3320-11-0x0000000140000000-0x000000014011B000-memory.dmp

memory/3320-12-0x0000000140000000-0x000000014011B000-memory.dmp

memory/3320-14-0x0000000000F90000-0x0000000000F97000-memory.dmp

memory/3320-13-0x0000000140000000-0x000000014011B000-memory.dmp

memory/3320-24-0x00007FF9B60D0000-0x00007FF9B60E0000-memory.dmp

memory/3320-23-0x00007FF9B60E0000-0x00007FF9B60F0000-memory.dmp

memory/3320-22-0x0000000140000000-0x000000014011B000-memory.dmp

memory/3320-33-0x0000000140000000-0x000000014011B000-memory.dmp

memory/4692-36-0x0000000140000000-0x000000014011B000-memory.dmp

C:\Users\Admin\AppData\Local\RuyVVGcW\GamePanel.exe

MD5 266f6a62c16f6a889218800762b137be
SHA1 31b9bd85a37bf0cbb38a1c30147b83671458fa72
SHA256 71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd
SHA512 b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68

C:\Users\Admin\AppData\Local\RuyVVGcW\dwmapi.dll

MD5 e6d1c2e5b87a7ed6ba3589239a6f4df1
SHA1 23b73577254af4ca38171c0414b44bdee8980c50
SHA256 6811fbd0b434eb5dc240aba573f8d5b39e52171d540b372841071d156328135b
SHA512 9c6be91ff095cc8828ae4aff713ceb20e098f81e49ba3a2e61c16b9c06d99bfb14604e5074811d2a0de176748b96a06f72ad0a3d3e8b21827d43eb087b1ecae8

memory/1128-43-0x0000000140000000-0x000000014011C000-memory.dmp

memory/1128-44-0x000001E2E0CD0000-0x000001E2E0CD7000-memory.dmp

memory/1128-48-0x0000000140000000-0x000000014011C000-memory.dmp

C:\Users\Admin\AppData\Local\RuyVVGcW\GamePanel.exe

MD5 d563eae4f6273425855b65c13896250b
SHA1 c67506a39fac1b0106b12b9478af7765dd944742
SHA256 e106c90590aed2945523a52e6d5a7e70150e5b2ae096ab146d042066896292bd
SHA512 46060f39d292a9a74b3485f5d774001a319032f711b38a60c04b000a66070c5db37bf3864b626748983a6b5f75432be26ad373cb9be687d50035786ab4859fd3

C:\Users\Admin\AppData\Local\i90hdLE3\DWWIN.EXE

MD5 444cc4d3422a0fdd45c1b78070026c60
SHA1 97162ff341fff1ec54b827ec02f8b86fd2d41a97
SHA256 4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0
SHA512 21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

C:\Users\Admin\AppData\Local\i90hdLE3\VERSION.dll

MD5 03ba8398a126fa806383c66c8d69ba43
SHA1 3c3d0b73ae14fa215b32418adbcb836addd8de29
SHA256 d3520a682e5bc9190f954ecba113c31ae5aaef3cebdd5deaae12a5845fa449d4
SHA512 1b154d637599acc42a07a5dcf2deb3c1dd5dea933fd40f7f1adeb8876adecbf78d897d44fc819fa9abb96f6d96166321b33e8162004e611970b3f3a360b22fac

memory/2856-59-0x000002088A820000-0x000002088A827000-memory.dmp

memory/2856-64-0x0000000140000000-0x000000014011C000-memory.dmp

C:\Users\Admin\AppData\Local\klNmO1\MoUsoCoreWorker.exe

MD5 47c6b45ff22b73caf40bb29392386ce3
SHA1 7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9
SHA256 cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0
SHA512 c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

C:\Users\Admin\AppData\Local\klNmO1\XmlLite.dll

MD5 47256612c3c8c8f506e0755af28551e8
SHA1 c72c90635b24feadcd786fef8cfe756eaa14b4cb
SHA256 4aa9b7b5b577b6596e284ef74944718f3e790cbdda9f8fc30c065a545dab628a
SHA512 c84b91c039127bf34c2bf3996fe5c044dbd34ca248f8117966d4a43582f4e87578b471675278a6f46ba20fe58856144c8498d435e4df15075a087a81815e0075

memory/1308-75-0x000002C422B00000-0x000002C422B07000-memory.dmp

memory/1308-80-0x0000000140000000-0x000000014011C000-memory.dmp

C:\Users\Admin\AppData\Local\klNmO1\MoUsoCoreWorker.exe

MD5 e4105a5e0a646939711596e14682c729
SHA1 0533c8bdaf790dee3dc5e805b44fcab3ccefe74f
SHA256 827e1be0d1afb2ba3b573c5dc06cc546c28c7f1350c390890468f798d7565f72
SHA512 116e8c1807a0795aa21e16bb3c2cbe5e2fe7ffa4df9e08feb2d6b724422693cbdf730bdba610e1ecf0fe8070f85dffb9ec8ed9c79c844d6e79a6f6e1c9126284

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

MD5 28eb5d9d633aec5505059aba20ef8620
SHA1 7d76e79dc671dbfc083f279251debc9ad83dede4
SHA256 ff4f2482f354004f173f964314476dc61c954b8083ab34e7d2023a1b40b797ec
SHA512 ac0f0501387504a46730a46ec5e9e4ab9cf3fd3f2aaccf0b3f1d884e25e52f8be4a0a1a1e7dd379adafe366bee1f3f5bc2d0f21bcbf929f0303815bffe2f3603
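Both detonations show the same pattern: a legitimate Windows binary copied out of System32 into a randomly named directory under the user profile, a DLL (or .cpl) with a system library's name dropped beside it, a Run value or Startup-folder link pointing back into the profile, and one drop captured while still empty. The script below is an added example and not part of this report or of any vendor's detection content: it encodes those four checks and runs them over records constructed from the Files, Processes and Run-key tables of behavioral1 and behavioral2. SYSTEM_EXES, SYSTEM_DLLS and USER_WRITABLE are heuristics seeded from this report and are assumptions, as is the shape of the Run-key row the parser expects.

```python
"""Triage checks over both detonations' Files, Processes and Run-key tables.

Added example, not part of the sandbox report. Flags a System32 binary name
running from a user-writable directory, a system-DLL name dropped beside such
a copy (side-load candidate), autostart entries resolving into the profile,
and drops captured as zero-byte files. SYSTEM_EXES, SYSTEM_DLLS and
USER_WRITABLE are heuristics seeded from this report (assumed).
"""
import hashlib
import ntpath
import re
from collections import namedtuple

SYSTEM_EXES = {"eudcedit.exe", "systempropertieshardware.exe", "iexpress.exe",
               "gamepanel.exe", "dwwin.exe", "mousocoreworker.exe"}
SYSTEM_DLLS = {"mfc42u.dll", "dwmapi.dll", "version.dll", "xmllite.dll", "sysdm.cpl"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\")
EMPTY_MD5 = hashlib.md5(b"").hexdigest()             # d41d8cd98f00b204e9800998ecf8427e
RUN_VALUE_RE = re.compile(r'\\Run\\(\S+) = "(.*)"')  # shape of the report's Run-key rows
Finding = namedtuple("Finding", "kind path detail")

def norm(path):
    """Lower-case and drop the drive letter: the report lists some drops as \\Users\\..."""
    p = path.lower()
    return p[2:] if len(p) > 1 and p[1] == ":" else p

def is_user_writable(path):
    return any(tok in norm(path) for tok in USER_WRITABLE)

def parse_run_value(line):
    """'Set value (str) ...\\Run\\Name = "C:\\\\x"' -> (Name, r'C:\\x'), else None."""
    m = RUN_VALUE_RE.search(line)
    return (m.group(1), m.group(2).replace("\\\\", "\\")) if m else None

def find_masquerades(process_paths):
    """A System32 binary name executing from a user-writable directory."""
    return [Finding("masquerade", p, "copy of " + ntpath.basename(norm(p)))
            for p in process_paths
            if ntpath.basename(norm(p)) in SYSTEM_EXES and is_user_writable(p)]

def find_sideload_pairs(exe_paths, dll_paths):
    """System-DLL names dropped in the same directory as a copied EXE."""
    dlls_by_dir = {}
    for d in dll_paths:
        n = norm(d)
        if ntpath.basename(n) in SYSTEM_DLLS:
            dlls_by_dir.setdefault(ntpath.dirname(n), set()).add(ntpath.basename(n))
    seen, out = set(), []
    for e in exe_paths:
        n = norm(e)
        if ntpath.basename(n) in SYSTEM_EXES:
            for dll in sorted(dlls_by_dir.get(ntpath.dirname(n), ())):
                if (n, dll) not in seen:        # same dir is listed with and without C:
                    seen.add((n, dll))
                    out.append(Finding("sideload", e, dll + " dropped alongside"))
    return out

def find_empty_drops(drops):
    """Digest of zero-byte input: the file was captured before it was written."""
    return [Finding("empty-capture", p, "empty-input digest") for p, md5 in drops if md5 == EMPTY_MD5]

def find_autostart(run_lines, drops):
    """Run values resolving into the profile, plus anything written to a Startup folder."""
    out = []
    for line in run_lines:
        parsed = parse_run_value(line)
        if parsed and is_user_writable(parsed[1]):
            out.append(Finding("autostart", parsed[1], "Run\\" + parsed[0]))
    return out + [Finding("autostart", p, "Startup folder")
                  for p, _ in drops if "\\programs\\startup\\" in norm(p)]

# Constructed from the report's tables: (path, MD5), image paths, and the two Run-key rows.
DROPS = [
    (r"\Users\Admin\AppData\Local\sLKsq\eudcedit.exe", "cff7f28cc5ba69ca3bd61b638859c062"),
    (r"C:\Users\Admin\AppData\Local\sLKsq\MFC42u.dll", "bf9aae01b072df34060548afd5aa0c31"),
    (r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\R0jSX2\iexpress.exe", "d41d8cd98f00b204e9800998ecf8427e"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\R0jSX2\VERSION.dll", "17fdc10fd740ca5e7f830dd1ca5ab3c7"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\adPKG4Oi\SYSDM.CPL", "174039bc2a2fc970320a0ac71b3118ab"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk", "d9fb5e7b648535d2e99cf722e6e77748"),
    (r"C:\Users\Admin\AppData\Local\RuyVVGcW\GamePanel.exe", "266f6a62c16f6a889218800762b137be"),
    (r"C:\Users\Admin\AppData\Local\RuyVVGcW\dwmapi.dll", "e6d1c2e5b87a7ed6ba3589239a6f4df1"),
    (r"C:\Users\Admin\AppData\Local\i90hdLE3\DWWIN.EXE", "444cc4d3422a0fdd45c1b78070026c60"),
    (r"C:\Users\Admin\AppData\Local\i90hdLE3\VERSION.dll", "03ba8398a126fa806383c66c8d69ba43"),
    (r"C:\Users\Admin\AppData\Local\klNmO1\MoUsoCoreWorker.exe", "47c6b45ff22b73caf40bb29392386ce3"),
    (r"C:\Users\Admin\AppData\Local\klNmO1\XmlLite.dll", "47256612c3c8c8f506e0755af28551e8"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk", "28eb5d9d633aec5505059aba20ef8620"),
]
PROCESSES = [
    r"C:\Windows\system32\rundll32.exe", r"C:\Windows\system32\eudcedit.exe",
    r"C:\Users\Admin\AppData\Local\sLKsq\eudcedit.exe", r"C:\Users\Admin\AppData\Local\cQO3Xxe\SystemPropertiesHardware.exe",
    r"C:\Users\Admin\AppData\Local\qNd\iexpress.exe", r"C:\Users\Admin\AppData\Local\RuyVVGcW\GamePanel.exe",
    r"C:\Users\Admin\AppData\Local\i90hdLE3\DWWIN.EXE", r"C:\Users\Admin\AppData\Local\klNmO1\MoUsoCoreWorker.exe",
]
RUN_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\adPKG4Oi\\SystemPropertiesHardware.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\Recent\\bA7KFlHrF\\DWWIN.EXE"',
]

def triage(drops=DROPS, processes=PROCESSES, run_lines=RUN_LINES):
    """Autostart targets also count as candidate EXEs for side-load pairing."""
    autostart = find_autostart(run_lines, drops)
    dropped = [p for p, _ in drops]
    exes = dropped + list(processes) + [f.path for f in autostart]
    return (find_masquerades(processes) + find_sideload_pairs(exes, dropped)
            + find_empty_drops(drops) + autostart)
```

Run as `python3 triage.py` with a final `for f in triage(): print(f)`: on the report's data it yields six masqueraded copies, six EXE/DLL side-load pairs (the adPKG4Oi pair is found only because the Run value names the EXE there; no drop record exists for it), one empty capture (the R0jSX2 iexpress.exe) and four autostart entries. Feeding the same functions Sysmon file-create and process-create paths instead of the constructed lists is the natural next step; the directory-pairing check is the one that does not depend on the random directory names.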