Malware Analysis Report

2024-11-30 21:31

Sample ID: 240102-tnfh1ahgdm
Target: 7e7645b86e265b69aed08c4852fe6291.exe
SHA256: e0980b4994c3d61ec8c3ab1db13ef837487bd2e209e97a4ad4708211d9d4d712
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: e0980b4994c3d61ec8c3ab1db13ef837487bd2e209e97a4ad4708211d9d4d712

Threat Level: Known bad

The file 7e7645b86e265b69aed08c4852fe6291.exe was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Dridex payload

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported: 2024-01-02 16:11

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-02 16:11
Reported: 2024-01-02 16:14
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e7645b86e265b69aed08c4852fe6291.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\XaOGN\sigverif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Xax\tcmsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\bv4mp\SystemPropertiesHardware.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\czD\\tcmsetup.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\XaOGN\sigverif.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Xax\tcmsetup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\bv4mp\SystemPropertiesHardware.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1220 wrote to memory of 540 N/A N/A C:\Windows\system32\sigverif.exe
PID 1220 wrote to memory of 540 N/A N/A C:\Windows\system32\sigverif.exe
PID 1220 wrote to memory of 540 N/A N/A C:\Windows\system32\sigverif.exe
PID 1220 wrote to memory of 976 N/A N/A C:\Users\Admin\AppData\Local\XaOGN\sigverif.exe
PID 1220 wrote to memory of 976 N/A N/A C:\Users\Admin\AppData\Local\XaOGN\sigverif.exe
PID 1220 wrote to memory of 976 N/A N/A C:\Users\Admin\AppData\Local\XaOGN\sigverif.exe
PID 1220 wrote to memory of 2196 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1220 wrote to memory of 2196 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1220 wrote to memory of 2196 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1220 wrote to memory of 1544 N/A N/A C:\Users\Admin\AppData\Local\Xax\tcmsetup.exe
PID 1220 wrote to memory of 1544 N/A N/A C:\Users\Admin\AppData\Local\Xax\tcmsetup.exe
PID 1220 wrote to memory of 1544 N/A N/A C:\Users\Admin\AppData\Local\Xax\tcmsetup.exe
PID 1220 wrote to memory of 860 N/A N/A C:\Windows\system32\SystemPropertiesHardware.exe
PID 1220 wrote to memory of 860 N/A N/A C:\Windows\system32\SystemPropertiesHardware.exe
PID 1220 wrote to memory of 860 N/A N/A C:\Windows\system32\SystemPropertiesHardware.exe
PID 1220 wrote to memory of 1604 N/A N/A C:\Users\Admin\AppData\Local\bv4mp\SystemPropertiesHardware.exe
PID 1220 wrote to memory of 1604 N/A N/A C:\Users\Admin\AppData\Local\bv4mp\SystemPropertiesHardware.exe
PID 1220 wrote to memory of 1604 N/A N/A C:\Users\Admin\AppData\Local\bv4mp\SystemPropertiesHardware.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e7645b86e265b69aed08c4852fe6291.dll,#1

C:\Windows\system32\sigverif.exe

C:\Windows\system32\sigverif.exe

C:\Users\Admin\AppData\Local\XaOGN\sigverif.exe

C:\Users\Admin\AppData\Local\XaOGN\sigverif.exe

C:\Users\Admin\AppData\Local\Xax\tcmsetup.exe

C:\Users\Admin\AppData\Local\Xax\tcmsetup.exe

C:\Windows\system32\tcmsetup.exe

C:\Windows\system32\tcmsetup.exe

C:\Users\Admin\AppData\Local\bv4mp\SystemPropertiesHardware.exe

C:\Users\Admin\AppData\Local\bv4mp\SystemPropertiesHardware.exe

C:\Windows\system32\SystemPropertiesHardware.exe

C:\Windows\system32\SystemPropertiesHardware.exe

Network

N/A

Files

\Users\Admin\AppData\Local\XaOGN\sigverif.exe

MD5 e8e95ae5534553fc055051cee99a7f55
SHA1 4e0f668849fd546edd083d5981ed685d02a68df4
SHA256 9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec
SHA512 5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

C:\Users\Admin\AppData\Local\XaOGN\VERSION.dll

MD5 b51e59fb4ee43b5d948e1d67a42a620a
SHA1 4cf56cc832822be4ff5074e839f695777bc54cc4
SHA256 946755fb8b6690ffda2733ab67b7de33cca8a9d80c66e00ec41494902622a830
SHA512 902d15a4af7f0f074ebb50698022beea958ca8208d99c4e96ac0347f068943db5624f9b5987f3d8ba4ae3b64ac84c862aee77e9334544732a7e80e53b0cef8c4

C:\Users\Admin\AppData\Local\bv4mp\SYSDM.CPL

MD5 e8f0c898155faecdc84e733ffe71abe8
SHA1 78c7279bd318ad683fbb21d35698d581814ed266
SHA256 a2576374bf46064e8ab16bf83f2e6e814b1dbb2b46bfae4e2e79bc640ad1661b
SHA512 8cce03efc96982636ca31a3edc5d2c7c86a459d74c025c172a6be25216e3cff1f1f143e36c108534927d27422847c1824ed5f4bc340710c460b4f4f4afd96a5a

\Users\Admin\AppData\Local\bv4mp\SYSDM.CPL

MD5 273e14998462a561c7509d83583165cc
SHA1 d37d2d6914c7c8d96270b9bea262318f530c1b86
SHA256 0f4bedaf00f1374a7cb09e9ac55e5d70c5d26977489b98e8bc8f8e9a301d10f0
SHA512 327523f381e4a7db89f6d1506983d80ca72065ce85298e345ce9c7a54b008846dd4a9489ca715e248a89cca10edb3ea09bd1be8f1e7879e3caf9769be8118bcb

C:\Users\Admin\AppData\Local\bv4mp\SystemPropertiesHardware.exe

MD5 c63d722641c417764247f683f9fb43be
SHA1 948ec61ebf241c4d80efca3efdfc33fe746e3b98
SHA256 4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2
SHA512 7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 301ee7fca9eec44a8e2dd2d1a9cdcd2e
SHA1 60e3d6fb0e5f6f856fcd472a820f5ed12336db37
SHA256 ef514d96c5db816f467fe8c64018f3dd5041182e51dab25a5aeb910383cb6fb7
SHA512 9d681652eb508a42ba495ffbeae3288af44559fa5cb5593e41b5a8bcccaf7bd6e465692190ab50ce2ba3ed16e34d28ea0331d0424c3179ea6fd2a641609a1ee9

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\czD\TAPI32.dll

MD5 981f724461b816b99901a02afb007c69
SHA1 b9de1c1db6d3a37c100ee006ef7e80754ac22f80
SHA256 f72c14a4fa14bc2559a643d0c530099d8f30cb23a3346d0190afb9164e0d91a0
SHA512 53430c1f8d5e8663ce66a015ecd8dd255831e70c175876a197a2a778bb7f7686eac15b56a169e58262f850d7d460853ab3c4c9e9bc75423396aad8f777541872

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\mtiESf\SYSDM.CPL

MD5 ddeb862049bb4949b71a58db066fc5b1
SHA1 41b8febe118e18671d1b1b06ebe29bf6749b0f6b
SHA256 e58e15aa69d8005c9de7cd3a8b2b5e3d88f7db5438a06807f2c054456645cfd2
SHA512 536faed876c1cf9fabf6aebf96f1ee76536b02be05b916eeab79a288b5fae5c2da49e8a29ee7633dcba2db3f26d63b9e634f9f9b25ba42833c659e34810cd49a

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-02 16:11
Reported: 2024-01-02 16:15
Platform: win10v2004-20231215-en
Max time kernel: 171s
Max time network: 176s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e7645b86e265b69aed08c4852fe6291.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\F37O1P~1\\EASEOF~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\j4Hmf\usocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3B0jr\BdeUISrv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\wtmQ36pi\EaseOfAccessDialog.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3452 wrote to memory of 980 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 3452 wrote to memory of 980 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 3452 wrote to memory of 3696 N/A N/A C:\Users\Admin\AppData\Local\3B0jr\BdeUISrv.exe
PID 3452 wrote to memory of 3696 N/A N/A C:\Users\Admin\AppData\Local\3B0jr\BdeUISrv.exe
PID 3452 wrote to memory of 4684 N/A N/A C:\Windows\system32\EaseOfAccessDialog.exe
PID 3452 wrote to memory of 4684 N/A N/A C:\Windows\system32\EaseOfAccessDialog.exe
PID 3452 wrote to memory of 464 N/A N/A C:\Users\Admin\AppData\Local\wtmQ36pi\EaseOfAccessDialog.exe
PID 3452 wrote to memory of 464 N/A N/A C:\Users\Admin\AppData\Local\wtmQ36pi\EaseOfAccessDialog.exe
PID 3452 wrote to memory of 1800 N/A N/A C:\Windows\system32\usocoreworker.exe
PID 3452 wrote to memory of 1800 N/A N/A C:\Windows\system32\usocoreworker.exe
PID 3452 wrote to memory of 440 N/A N/A C:\Users\Admin\AppData\Local\j4Hmf\usocoreworker.exe
PID 3452 wrote to memory of 440 N/A N/A C:\Users\Admin\AppData\Local\j4Hmf\usocoreworker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e7645b86e265b69aed08c4852fe6291.dll,#1

C:\Users\Admin\AppData\Local\3B0jr\BdeUISrv.exe

C:\Users\Admin\AppData\Local\3B0jr\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

C:\Windows\system32\EaseOfAccessDialog.exe

C:\Windows\system32\EaseOfAccessDialog.exe

C:\Users\Admin\AppData\Local\wtmQ36pi\EaseOfAccessDialog.exe

C:\Users\Admin\AppData\Local\wtmQ36pi\EaseOfAccessDialog.exe

C:\Windows\system32\usocoreworker.exe

C:\Windows\system32\usocoreworker.exe

C:\Users\Admin\AppData\Local\j4Hmf\usocoreworker.exe

C:\Users\Admin\AppData\Local\j4Hmf\usocoreworker.exe

Network

Files

C:\Users\Admin\AppData\Local\3B0jr\WTSAPI32.dll

MD5 6715e9bc1bc07026e942b84c82da2997
SHA1 6a7425e64eb20c6a862732e15d49733e617c7acb
SHA256 b54f849f79ff29f5bf9486f5a5cfe1853164aae4c3c0f8fa6f1169030870ffe6
SHA512 883da68bb1fb9b3f922a75065bce9816d9f3a7e2687a2cda7e2d2f18a1872d179295e0d33db2683972185c79c56341f86b05322be4c4ffce2733156094953640

C:\Users\Admin\AppData\Local\3B0jr\BdeUISrv.exe

MD5 8595075667ff2c9a9f9e2eebc62d8f53
SHA1 c48b54e571f05d4e21d015bb3926c2129f19191a
SHA256 20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db
SHA512 080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

C:\Users\Admin\AppData\Local\wtmQ36pi\EaseOfAccessDialog.exe

MD5 e75ee992c1041341f709a517c8723c87
SHA1 471021260055eac0021f0abffa2d0ba77a2f380e
SHA256 0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc
SHA512 48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

C:\Users\Admin\AppData\Local\wtmQ36pi\OLEACC.dll

MD5 6c2efcde11564cec7ce3fbd7e6abb7d5
SHA1 dde854157f11c05c01e850a99658fc0e39b7426d
SHA256 6c694f1b31464cd99eb29a6d9c7d9911e4f344d5066444a0309928cff574e2f5
SHA512 b33971b1df49e0005612be003e12b347cb3c67f7a6d68ec51bfc29a3026d532af97ea86cd89b4a2b33cb05d1578b25e04f4119cbe50d73387a057e73aae40607

C:\Users\Admin\AppData\Local\j4Hmf\usocoreworker.exe

MD5 9fc2b73ef13222c3bcbb250b28c9571f
SHA1 9be29520159fd87e7b8f503eaa96456ab55ca122
SHA256 b217477cae0e7c0fb63c98ecfb1387fc7dd02647a6f3fe41d6a6aaeed6b87bd7
SHA512 0bc9ae9b7752f0cee70f8978c8f6c91dd24b3a493cdd522072bc79d95d2b4efa32235d20d9daa426d8a616e98d43dc848b33772e03a2d571a500fe57563fe9c8

C:\Users\Admin\AppData\Local\j4Hmf\XmlLite.dll

MD5 d4ff9dae64693fc23e0dca46e76e2b47
SHA1 e50e054d68611272a599950f217a6791adb242d7
SHA256 a2b807e152e293b8c70b0e8cb7e27d2a1e3c57bb96ea210b25392a6b840e9511
SHA512 9e19b2d9cc5d7888f874f5de7633c7987efe5de323a3126f746b9fdfdd1880c9ccc2881eda9b1f1395b35e0bacb1f28ed42e9caa46b9e1a317f4325711c4a6a9

C:\Users\Admin\AppData\Local\j4Hmf\XmlLite.dll

MD5 ef01ffc8e22bf1dbd35cc6d6a6ce5ea5
SHA1 c595093c02e71f42552de2209a88051d6c0431c9
SHA256 c2c4b3ce3b8b4bc227cef9e8d3304b420cee502106f8d721606f9e6bdba23bbb
SHA512 58e6ccc04331e23bd688e606ad14749e90a215ed2ee41c620871a7db9ee8365f99d68f36b104cf1d06ca09d20f62158d5a25b7456df5ea32c044f0abb7b8508a

C:\Users\Admin\AppData\Local\j4Hmf\usocoreworker.exe

MD5 6d528e0f63ef2024735470c9465529d4
SHA1 1ae1b514c08dc933d199c4867749838fc0848645
SHA256 2a273f3409ee7d9b45d5776319cb4708d653ac4684f14fe141832a680269e733
SHA512 c58440061ba141cf27a09302df9f307dcfb825c6ac6246a333bfd0e157b987b625307a4ce645368b935e15b3d2df2b4ee3ffee485a0e9444edb9bdadbfe789d3

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk

MD5 e20fb16fe605deabdb296da3154d39ac
SHA1 bebfb6701d38748c11e66f193989cddcca46d61b
SHA256 6883fe32e49ec5a9b7f3bcdf6f698adaa669b7130c6f3fe2c6c0a7b1a7213b6d
SHA512 49e2b6feaa0af49fcd566c2072bc6153190c59e7c7316b8fdb670bf066d1aa52c44751191995a660fb865a0f0138c9f94bd992885398a11b9d6b129aed213c31

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Qgd9\XmlLite.dll

MD5 18f584effd2f7372bd1fb4174108885d
SHA1 de0ed29d491e912392d53d770de5ad7459bc4a3d
SHA256 20947dac1352ccf4855a435093952c775211dabc7ec7a3f0f966bbc9971f6820
SHA512 edd65acd7679b345ffc851555d4d33539b18a80d64a78e6d549013a58d397ab4a270d7cfe41d458c04d7f5cae29da74c94d818d0635c10a0a2a4a7cc9511dc0b