Malware Analysis Report

2024-11-30 21:34

Sample ID: 240104-nhz3kahbb5
Target: 40bbe10db80d2382bdf45137232a7d2c
SHA256: 63233f6b4a4a8950500a09b524dbdfe23c7b290239c73e78aaf198798a765294
Tags: dridex, botnet, evasion, payload, persistence, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 63233f6b4a4a8950500a09b524dbdfe23c7b290239c73e78aaf198798a765294
Threat level: Known bad. The file 40bbe10db80d2382bdf45137232a7d2c was found to be Known bad.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, persistence, trojan

Dridex
Dridex payload
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15: no technique mappings are present in this export.

Analysis: static1

Detonation Overview

Reported: 2024-01-04 11:24

Signatures

Unsigned PE (no further details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-04 11:24
Reported: 2024-01-04 11:28
Platform: win7-20231215-en
Max time kernel: 146s
Max time network: 124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\40bbe10db80d2382bdf45137232a7d2c.dll,#1
(the sample is a DLL; rundll32 calls its export with ordinal 1)

Signatures

Dridex (botnet, dridex)

Dridex Shellcode (botnet, payload): 1 hit, no details recorded

Dridex payload (botnet, payload): 9 hits, no details recorded

Loads dropped DLL

Processes recorded loading a dropped DLL (each runs from a per-sample directory under AppData\Local; the module dropped beside it is listed under Files):
C:\Users\Admin\AppData\Local\8Bv\msconfig.exe
C:\Users\Admin\AppData\Local\X67CkJqC\shrpubw.exe
C:\Users\Admin\AppData\Local\aca\SystemPropertiesHardware.exe
4 further hits have no process recorded.

Adds Run key to start application

persistence
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\9z\\shrpubw.exe"
The value data is written in 8.3 short form (on a standard profile MACROM~1\FLASHP~1 is Macromedia\Flash Player); it points at a shrpubw.exe in the roaming profile that is not among the files recorded for this run.

Checks whether UAC is enabled

evasion trojan
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by each of:
C:\Windows\system32\rundll32.exe
C:\Users\Admin\AppData\Local\8Bv\msconfig.exe
C:\Users\Admin\AppData\Local\X67CkJqC\shrpubw.exe
C:\Users\Admin\AppData\Local\aca\SystemPropertiesHardware.exe

Suspicious behavior: EnumeratesProcesses

64 hits: 3 from C:\Windows\system32\rundll32.exe, 61 with no process recorded.

Suspicious use of WriteProcessMemory

PID 1204 wrote to memory of each of the following (3 events per target):
  2640  C:\Windows\system32\msconfig.exe
  320   C:\Users\Admin\AppData\Local\8Bv\msconfig.exe
  2760  C:\Windows\system32\shrpubw.exe
  2960  C:\Users\Admin\AppData\Local\X67CkJqC\shrpubw.exe
  800   C:\Windows\system32\SystemPropertiesHardware.exe
  1752  C:\Users\Admin\AppData\Local\aca\SystemPropertiesHardware.exe
The writing process is not named in the report; the Files section shows PID 1204 carrying the same 0x0000000140000000-0x00000001400AC000 image range as PID 2668. The sequence repeats per image: the System32 original first, then the copy relocated under AppData\Local.

Uses Task Scheduler COM API

persistence (no details recorded)

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\40bbe10db80d2382bdf45137232a7d2c.dll,#1
C:\Windows\system32\msconfig.exe
C:\Users\Admin\AppData\Local\8Bv\msconfig.exe
C:\Windows\system32\shrpubw.exe
C:\Users\Admin\AppData\Local\X67CkJqC\shrpubw.exe
C:\Windows\system32\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\aca\SystemPropertiesHardware.exe
(each of the six non-rundll32 processes appears twice in the source listing, with no command line recorded)

Network

No network activity recorded.

Files

Memory dumps (PID-index-range):
memory/2668-1-0x0000000000110000-0x0000000000117000-memory.dmp
memory/2668-0-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/1204-3-0x0000000076FB6000-0x0000000076FB7000-memory.dmp
memory/1204-4-0x00000000029C0000-0x00000000029C1000-memory.dmp
memory/1204-6-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/1204-12-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/1204-14-0x00000000029A0000-0x00000000029A7000-memory.dmp
memory/1204-11-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/1204-23-0x0000000077350000-0x0000000077352000-memory.dmp
memory/1204-22-0x0000000077320000-0x0000000077322000-memory.dmp
memory/1204-21-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/1204-32-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/1204-10-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/1204-9-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/1204-8-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/1204-7-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/1204-34-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/2668-35-0x0000000140000000-0x00000001400AC000-memory.dmp
(0x0000000140000000 is the default x64 image base; the 0x...AC000-sized region is dumped from both PID 2668 and PID 1204)

\Users\Admin\AppData\Local\8Bv\msconfig.exe

MD5 e19d102baf266f34592f7c742fbfa886
SHA1 c9c9c45b7e97bb7a180064d0a1962429f015686d
SHA256 f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1
SHA512 1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

C:\Users\Admin\AppData\Local\8Bv\VERSION.dll

MD5 c2b6f8ebb1dd8692d134ed9dd9891cfa
SHA1 1a1eb14433d4be1fb5e464c913a478f286fbf991
SHA256 b9414ec1a9551702c1248ce53e3b9f80fd023fb0393c957f3cc949dfcdfcb11f
SHA512 a6a938cdb0718f6757cffbf122d7f36420b78a20df3727872469c8f4bacf131d5ea596c90b148771e95c89cf9ccc10388f36e19098e491c1dbc0a96ff563befe

memory/320-49-0x0000000140000000-0x00000001400AD000-memory.dmp

memory/320-53-0x0000000140000000-0x00000001400AD000-memory.dmp

memory/1204-58-0x0000000076FB6000-0x0000000076FB7000-memory.dmp

\Users\Admin\AppData\Local\X67CkJqC\shrpubw.exe

MD5 29e6d0016611c8f948db5ea71372f76c
SHA1 01d007a01020370709cd6580717f9ace049647e8
SHA256 53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930
SHA512 300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

C:\Users\Admin\AppData\Local\X67CkJqC\ACLUI.dll

MD5 65411740b33c7475d67552a92d3c4054
SHA1 d1191e086f3faa2f2168a28eac66d7360c94d5e9
SHA256 87f7e4782faff19b704c3881d94a1ba35fefd2ffe10b55399af5a9ca43227447
SHA512 3bdb279bba9946af41d4bccc9b2bed4c8f37fc03d0cc53d0845311645ba39d6a30ca0e8d6bbe7bc8a1d94c8cacaeb8f515686b226e59b8ec06f6d6242c85fb03

\Users\Admin\AppData\Local\X67CkJqC\ACLUI.dll (same path as above with different content: the file was rewritten during the run)

MD5 21da09682a5cb797b914e719d0478cf3
SHA1 ba3ea7e6f2537171b57ce63aaf6f7d305d419df4
SHA256 094a278b26c4162bba84a35d3db0fb3848494b1bf343466f6f1aefabfcfdeacc
SHA512 8fdb769ba45fd0cd01a2cf5b2fffa9914b1c8b147c5638e28a42e9a871efb3e95278521a4515fe802620dcaa37bf993f59f2132ce6f3c521bf1be3061c20aacf

memory/2960-66-0x0000000000120000-0x0000000000127000-memory.dmp

memory/2960-71-0x0000000140000000-0x00000001400AD000-memory.dmp

C:\Users\Admin\AppData\Local\aca\SYSDM.CPL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
These are the digests of zero-length input: the file was empty when the sandbox hashed it, so the module dropped in this directory was not captured (compare the non-empty SYSDM.CPL under Start Menu\Programs\Maintenance\MmL below).

memory/1752-83-0x0000000000080000-0x0000000000087000-memory.dmp

memory/1752-87-0x0000000140000000-0x00000001400AD000-memory.dmp

\Users\Admin\AppData\Local\aca\SystemPropertiesHardware.exe

MD5 c63d722641c417764247f683f9fb43be
SHA1 948ec61ebf241c4d80efca3efdfc33fe746e3b98
SHA256 4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2
SHA512 7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk (8.3 short form of ...\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gmfoo.lnk)

MD5 7bb9e92044a1ca00f25699d296d906ac
SHA1 33d148c23370dae63b128a71e582158f1aa4417d
SHA256 4211b2f862e1f1b92d3155d4ea8567b259b8b0e192fab086eea72b9f1d4b2534
SHA512 47a43d5803432c4277ebdb27868db366acdea95e86a8891914f31e28b7697a3e637cd60cac5ddaf4d3547a1bd81d8e858d4690bdd6c290a6d54f1f3e28d96261

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\MmL\SYSDM.CPL

MD5 e9531680b8f5142d44285991f2709e0a
SHA1 45d9e59a69ddade77a8f3b4f0edb6deb18e8d3b6
SHA256 4c0249819c9ceee38ab90401687c1f349ae91e260f8323835b0388504402e8aa
SHA512 dbb8b8208e7f6ebf90a715963d9fdbfdb29c66ce079c9b805f116064e5ffbd334f5ef958279460ac3193a1610eca25d90f7e63c078b0e70369c2d0bef3262617

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-04 11:24
Reported: 2024-01-04 11:28
Platform: win10v2004-20231215-en
Max time kernel: 157s
Max time network: 151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\40bbe10db80d2382bdf45137232a7d2c.dll,#1

Signatures

Dridex (botnet, dridex)

Dridex Shellcode (botnet, payload): 1 hit, no details recorded

Dridex payload (botnet, payload): 10 hits, no details recorded

Adds Run key to start application

persistence
Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fidpgamyc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\V05\\WindowsActionDialog.exe"
The target is a WindowsActionDialog.exe inside the roaming profile; as in the Win7 run, that copy is not among the files recorded here (the recorded copy is under AppData\Local\XYcTRlp4Q).
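Both runs persist the same way: a Run value with a random name under the user's hive whose data points at a relocated copy of a System32 binary inside the roaming profile (written in 8.3 short form in the Win7 run), plus a .lnk dropped in the Startup folder. The Python below is an added example for pulling those entries out of a report like this one and scoring them; it is not part of the sandbox or of any product. The event lines are transcribed from the two Run key rows above, the ExampleUpdater entry is constructed as a benign control, and the System32 image-name set is an assumed stand-in for a list built from a clean host.

```python
import ntpath
import re

# Registry events transcribed from the two behavioral runs, plus one
# constructed benign-looking entry (ExampleUpdater) to show the filter
# staying quiet. The sandbox doubles backslashes inside the quoted data.
RUN_KEY_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\9z\\shrpubw.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fidpgamyc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\V05\\WindowsActionDialog.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "C:\\Program Files\\Example\\Updater.exe"',
]

# Startup-folder drops from the Files sections of both runs (constructed list).
STARTUP_DROPS = [
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Enpllr.lnk",
]

# Image names that ship in System32. Assumed list for the example; in
# practice generate it from a clean reference host.
SYSTEM32_IMAGES = {
    "msconfig.exe", "shrpubw.exe", "systempropertieshardware.exe",
    "mstsc.exe", "windowsactiondialog.exe", "fxscover.exe",
}

RUN_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\'
    r'.*?\\CurrentVersion\\Run\\(?P<name>\S+) = "(?P<data>.*)"$',
    re.IGNORECASE,
)


def parse_run_events(lines):
    """Extract (sid, value name, target path) from the sandbox's Set value lines."""
    events = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            target = m["data"].replace("\\\\", "\\")  # undo the report's escaping
            events.append({"sid": m["sid"], "name": m["name"], "target": target})
    return events


def is_user_writable(path):
    p = path.lower()
    return "\\appdata\\" in p or "\\users\\public\\" in p or p.startswith("c:\\programdata\\")


def suspicious_run_entries(lines):
    """Run values worth escalating, each with the reasons that fired."""
    flagged = []
    for ev in parse_run_events(lines):
        reasons = []
        if ntpath.basename(ev["target"]).lower() in SYSTEM32_IMAGES and is_user_writable(ev["target"]):
            reasons.append("System32 image name launched from a user-writable directory")
        if "~" in ev["target"]:
            reasons.append("8.3 short-name components written into the value data")
        if reasons:
            flagged.append((ev["name"], ev["target"], reasons))
    return flagged


def startup_folder_lnks(paths):
    """Shortcut drops in the per-user Startup folder, matching the 8.3 form the report uses."""
    return [ntpath.basename(p) for p in paths
            if "\\programs\\startup\\" in p.lower() and p.lower().endswith(".lnk")]


if __name__ == "__main__":
    for name, target, reasons in suspicious_run_entries(RUN_KEY_EVENTS):
        print(f"Run\\{name} -> {target}: {'; '.join(reasons)}")
    print("Startup shortcuts:", startup_folder_lnks(STARTUP_DROPS))
```

The 8.3 check is a heuristic: legitimate installers write long paths, and a Run value containing "~1" components is unusual enough to be worth a look on its own, but it is the combination with a System32 image name under a user-writable path that should drive escalation.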

Checks whether UAC is enabled

evasion trojan
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by each of:
C:\Windows\system32\rundll32.exe
C:\Users\Admin\AppData\Local\3sS0mudx\mstsc.exe
C:\Users\Admin\AppData\Local\XYcTRlp4Q\WindowsActionDialog.exe
C:\Users\Admin\AppData\Local\H0GRkLr\FXSCOVER.exe

Suspicious behavior: EnumeratesProcesses

64 hits: 5 from C:\Windows\system32\rundll32.exe, 59 with no process recorded.

Suspicious use of AdjustPrivilegeToken

Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, adjusted alternately, 6 times each (process and target not recorded).
Both privileges are already present in an administrator's token, so on its own this signature is low-signal next to the side-loading and Run key behaviour above.

Suspicious use of FindShellTrayWindow

2 hits, no details recorded

Suspicious use of UnmapMainImage

1 hit, no details recorded

Suspicious use of WriteProcessMemory

PID 3444 wrote to memory of each of the following (2 events per target):
  3948  C:\Windows\system32\mstsc.exe
  3756  C:\Users\Admin\AppData\Local\3sS0mudx\mstsc.exe
  2124  C:\Windows\system32\WindowsActionDialog.exe
  800   C:\Users\Admin\AppData\Local\XYcTRlp4Q\WindowsActionDialog.exe
  216   C:\Windows\system32\FXSCOVER.exe
  4444  C:\Users\Admin\AppData\Local\H0GRkLr\FXSCOVER.exe
As in the Win7 run the writer is not named; the Files section shows PID 3444 with the same 0x0000000140000000-0x00000001400AC000 image range as PID 4296, and the sequence per image is again the System32 original followed by the relocated copy.
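In both runs a single process writes into six children in the same order: the System32 original of an image, then the copy relocated under AppData\Local, for three images. The Python below is an added example, not from the report or any tool, that collapses the repeated WriteProcessMemory rows into one source-to-targets map and reports which image names a source wrote into both as the System32 original and as a relocated copy. That pairing, rather than the raw count of writes, is what separates this loader pattern from an ordinary parent setting up a child. The rows are transcribed from the two tables above, one per distinct target.

```python
import ntpath
import re
from collections import defaultdict

# WriteProcessMemory rows transcribed from both behavioral runs (one row per
# distinct target; the report repeats each row two or three times).
# Constructed sample input for the example.
WPM_EVENTS = [
    r"PID 1204 wrote to memory of 2640 N/A N/A C:\Windows\system32\msconfig.exe",
    r"PID 1204 wrote to memory of 320 N/A N/A C:\Users\Admin\AppData\Local\8Bv\msconfig.exe",
    r"PID 1204 wrote to memory of 2760 N/A N/A C:\Windows\system32\shrpubw.exe",
    r"PID 1204 wrote to memory of 2960 N/A N/A C:\Users\Admin\AppData\Local\X67CkJqC\shrpubw.exe",
    r"PID 1204 wrote to memory of 800 N/A N/A C:\Windows\system32\SystemPropertiesHardware.exe",
    r"PID 1204 wrote to memory of 1752 N/A N/A C:\Users\Admin\AppData\Local\aca\SystemPropertiesHardware.exe",
    r"PID 3444 wrote to memory of 3948 N/A N/A C:\Windows\system32\mstsc.exe",
    r"PID 3444 wrote to memory of 3756 N/A N/A C:\Users\Admin\AppData\Local\3sS0mudx\mstsc.exe",
    r"PID 3444 wrote to memory of 2124 N/A N/A C:\Windows\system32\WindowsActionDialog.exe",
    r"PID 3444 wrote to memory of 800 N/A N/A C:\Users\Admin\AppData\Local\XYcTRlp4Q\WindowsActionDialog.exe",
    r"PID 3444 wrote to memory of 216 N/A N/A C:\Windows\system32\FXSCOVER.exe",
    r"PID 3444 wrote to memory of 4444 N/A N/A C:\Users\Admin\AppData\Local\H0GRkLr\FXSCOVER.exe",
]

# Row columns are Description, Indicator, Process, Target; only Description
# and Target carry data in this report, the two middle columns are N/A.
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ \S+ (?P<image>.+)$")


def parse_writes(lines):
    """source pid -> {target pid: target image path}; repeated rows collapse."""
    writes = defaultdict(dict)
    for line in lines:
        m = WPM_RE.match(line)
        if m:
            writes[int(m["src"])][int(m["dst"])] = m["image"]
    return writes


def in_windows_dir(path):
    return ntpath.dirname(path).lower().startswith("c:\\windows")


def paired_images(targets):
    """Image names a source wrote into both as the System32 original and as a copy elsewhere."""
    system, relocated = set(), set()
    for image in targets.values():
        (system if in_windows_dir(image) else relocated).add(ntpath.basename(image).lower())
    return sorted(system & relocated)


def injection_summary(lines, min_targets=3):
    """Sources writing into at least min_targets distinct processes, with their paired images."""
    summary = []
    for src, targets in sorted(parse_writes(lines).items()):
        if len(targets) >= min_targets:
            summary.append({"source": src, "targets": len(targets),
                            "paired_images": paired_images(targets)})
    return summary


if __name__ == "__main__":
    for row in injection_summary(WPM_EVENTS):
        print(f"PID {row['source']} wrote into {row['targets']} processes; "
              f"system/relocated pairs: {', '.join(row['paired_images'])}")
```

On endpoint telemetry the equivalent rule keys on the parent process rather than on a sandbox PID, and the paired-image condition is what keeps it from firing on every parent that initialises a child.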

Uses Task Scheduler COM API

persistence (no details recorded)

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\40bbe10db80d2382bdf45137232a7d2c.dll,#1
C:\Windows\system32\mstsc.exe
C:\Users\Admin\AppData\Local\3sS0mudx\mstsc.exe
C:\Windows\system32\WindowsActionDialog.exe
C:\Users\Admin\AppData\Local\XYcTRlp4Q\WindowsActionDialog.exe
C:\Windows\system32\FXSCOVER.exe
C:\Users\Admin\AppData\Local\H0GRkLr\FXSCOVER.exe
(each of the six non-rundll32 processes appears twice in the source listing, with no command line recorded)

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           17.160.190.20.in-addr.arpa    udp
US       8.8.8.8:53           2.136.104.51.in-addr.arpa     udp
US       8.8.8.8:53           g.bing.com                    udp
US       204.79.197.200:443   g.bing.com                    tcp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53           240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53           205.47.74.20.in-addr.arpa     udp
US       8.8.8.8:53           241.154.82.20.in-addr.arpa    udp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa     udp
US       8.8.8.8:53           208.194.73.20.in-addr.arpa    udp
US       8.8.8.8:53           103.169.127.40.in-addr.arpa   udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53           0.205.248.87.in-addr.arpa     udp
US       8.8.8.8:53           57.169.31.20.in-addr.arpa     udp
US       8.8.8.8:53           tse1.mm.bing.net              udp
US       204.79.197.200:443   tse1.mm.bing.net              tcp (5 connections)
US       8.8.8.8:53           13.173.189.20.in-addr.arpa    udp

Everything here is DNS to 8.8.8.8 (mostly PTR lookups) and TLS to Bing endpoints, consistent with Windows 10 background activity; the report records no connection that can be tied to the sample, and no command-and-control contact is recorded in either run.

Files

Memory dumps (PID-index-range):
memory/4296-0-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/4296-2-0x000001EC16650000-0x000001EC16657000-memory.dmp
memory/3444-4-0x00007FFDA5C4A000-0x00007FFDA5C4B000-memory.dmp
memory/3444-3-0x0000000002D40000-0x0000000002D41000-memory.dmp
memory/3444-6-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/3444-9-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/3444-7-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/3444-10-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/3444-11-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/3444-8-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/3444-12-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/3444-13-0x0000000002BE0000-0x0000000002BE7000-memory.dmp
memory/3444-22-0x00007FFDA6E80000-0x00007FFDA6E90000-memory.dmp
memory/3444-21-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/3444-23-0x00007FFDA6E70000-0x00007FFDA6E80000-memory.dmp
memory/3444-32-0x0000000140000000-0x00000001400AC000-memory.dmp
memory/4296-35-0x0000000140000000-0x00000001400AC000-memory.dmp

C:\Users\Admin\AppData\Local\3sS0mudx\mstsc.exe

MD5 3a26640414cee37ff5b36154b1a0b261
SHA1 e0c28b5fdf53a202a7543b67bbc97214bad490ed
SHA256 1d1b6b2edac7ac6494c9eecda3afb804f679d7190f4d1a80929380e85743823f
SHA512 76fc70ead57ddacd3dbcec1a4772bd46924d30b30018a36b13052d2f7272cc86b63bf85d5e4ec04aac08630d4b2637ca6e7d35c08ce6b675d63ed011f7d95ba2

C:\Users\Admin\AppData\Local\3sS0mudx\Secur32.dll

MD5 4e9ee8c6b8009c8373d5eeb12b6a011f
SHA1 a91bd75d1d9b349e6a8f663757c8de44572776a2
SHA256 ad0b18cfa7d60fe654fbe6a1cd60aab989d005842ee266b22d02d37113eee410
SHA512 aec16fa91604cf5fad9be022e6c0d8a28fe64c5cf9b18fe196ca21bde8403e4f555f8066e26d9fd15d4d257bf8669b3c89d886b0e4259d227c5785ad28017644

memory/3756-42-0x000001F79A250000-0x000001F79A257000-memory.dmp

memory/3756-43-0x0000000140000000-0x00000001400AD000-memory.dmp

memory/3756-47-0x0000000140000000-0x00000001400AD000-memory.dmp

C:\Users\Admin\AppData\Local\3sS0mudx\mstsc.exe (same path as above with different content: the file was rewritten during the run)

MD5 a80a03266a039da340acef5f957ebe4d
SHA1 cdc3763f95c61059a866d057c7a41bc1abe3257e
SHA256 ff6afcc29f8d367e904c47e1e9b06e77e73bf7850d3526fb2434d983227f14fd
SHA512 58f66386dd6d3127add3e9cd6848671f80c7545516ed62b32479bd7fc30330fab79d9624303d445a9eae1daa87c1da2e0c2bb23acc947bb9d23dc856a6284a6e

C:\Users\Admin\AppData\Local\XYcTRlp4Q\WindowsActionDialog.exe

MD5 73c523b6556f2dc7eefc662338d66f8d
SHA1 1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5
SHA256 0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31
SHA512 69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

C:\Users\Admin\AppData\Local\XYcTRlp4Q\DUI70.dll

MD5 fd60ad1d2848f94357f0663bd97db25d
SHA1 e3b177222c740c9f5d826d76c4c2e7795be6da9c
SHA256 2cb2f60fac68113528afaa0d73879ee5b67b146038dd01824f3ebf85f15ce9b6
SHA512 6f2efb09809aa5c88f12224653f79e4bee1eee562620fa16d6736783e056375f4eaa48b04cd305558ccb8a6a974f1563966530f9f7cee5d014dbaa9d5e362526

C:\Users\Admin\AppData\Local\XYcTRlp4Q\DUI70.dll (same path as above with different content: the file was rewritten during the run)

MD5 5453dd8223f092553390e303d02d3160
SHA1 db579b41e2b925e52a32d67c44d5efadcdb52c91
SHA256 4b9e28d775612f9c757d7f7daef0c07823e6764a5f6716a0b9d5e8ae21850d8f
SHA512 9b3f0cca2e9b8d1af6b86a232606a57a44480f08ecb5854539f517a56d229a7b3a227cf7415caee70f040ee79cdea6cce0139ec99776664785966467199ca82d

memory/800-59-0x0000018641EE0000-0x0000018641EE7000-memory.dmp

memory/800-58-0x0000000140000000-0x00000001400F2000-memory.dmp

memory/800-63-0x0000000140000000-0x00000001400F2000-memory.dmp

C:\Users\Admin\AppData\Local\H0GRkLr\FXSCOVER.exe

MD5 5769f78d00f22f76a4193dc720d0b2bd
SHA1 d62b6cab057e88737cba43fe9b0c6d11a28b53e8
SHA256 40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31
SHA512 b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

C:\Users\Admin\AppData\Local\H0GRkLr\MFC42u.dll

MD5 e85e1ec50007aaefe8a569d3931bccf9
SHA1 fbddb1fd526afad1be106f3ac1790fa75866a995
SHA256 da457d69f37782526f9a253e305e10ccf5c10320f930879b33e30475adf061ec
SHA512 691a3e2b10e5c9a0edb8d51a9fc0df29246232cc6c7b67539b3c9256a9be6e0cef58022abef8dbd7e49e8e3c0d21b60dc8b68e484684e0c9e6da9c0cad332766

memory/4444-74-0x0000000140000000-0x00000001400B3000-memory.dmp

memory/4444-76-0x000002A6E7710000-0x000002A6E7717000-memory.dmp

memory/4444-79-0x0000000140000000-0x00000001400B3000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Enpllr.lnk (8.3 short form of ...\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enpllr.lnk)

MD5 d3e05330a9fe226152b315c594f07e66
SHA1 78c350a1b8beac720b107919c618230ca8c26e81
SHA256 781f8e448fc309fee0f80a926ce13cfe043f0cdbd27d04f7f4582c44001665a6
SHA512 1387cdee3496789717bfd3de11e6d8f3d89ac4526e2dc3da471c8ca63361132ae011faf7f51f4a0b6d541b87d535319406fe17548adc1766e079a190a27bdfb6
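The dropped-file lists of both behavioral runs show the same layout: a copy of a System32 executable written to a fresh directory under AppData\Local next to a single loadable module named like a Windows DLL (VERSION.dll, ACLUI.dll, SYSDM.CPL, Secur32.dll, DUI70.dll, MFC42u.dll), which is the layout characteristic of DLL side-loading. The Python below is an added triage helper, not part of the sandbox report or of any analysis tool: it rebuilds the EXE/module pairs from the recorded paths, flags zero-length drops by comparing against the digest of empty input instead of a hard-coded constant, and lists paths the sandbox recorded with two different hashes. The file list is a subset transcribed from the report (paths the report lists without a drive letter are given C: here); the System32 image-name set is an assumption and would come from a clean host in practice.

```python
import hashlib
import ntpath
from collections import defaultdict

# Dropped files transcribed from the two behavioral runs as (path, MD5).
# Constructed sample input for the example; see lead-in for provenance.
DROPS = [
    (r"C:\Users\Admin\AppData\Local\8Bv\msconfig.exe", "e19d102baf266f34592f7c742fbfa886"),
    (r"C:\Users\Admin\AppData\Local\8Bv\VERSION.dll", "c2b6f8ebb1dd8692d134ed9dd9891cfa"),
    (r"C:\Users\Admin\AppData\Local\X67CkJqC\shrpubw.exe", "29e6d0016611c8f948db5ea71372f76c"),
    (r"C:\Users\Admin\AppData\Local\X67CkJqC\ACLUI.dll", "65411740b33c7475d67552a92d3c4054"),
    (r"C:\Users\Admin\AppData\Local\X67CkJqC\ACLUI.dll", "21da09682a5cb797b914e719d0478cf3"),
    (r"C:\Users\Admin\AppData\Local\aca\SYSDM.CPL", "d41d8cd98f00b204e9800998ecf8427e"),
    (r"C:\Users\Admin\AppData\Local\aca\SystemPropertiesHardware.exe", "c63d722641c417764247f683f9fb43be"),
    (r"C:\Users\Admin\AppData\Local\3sS0mudx\mstsc.exe", "3a26640414cee37ff5b36154b1a0b261"),
    (r"C:\Users\Admin\AppData\Local\3sS0mudx\Secur32.dll", "4e9ee8c6b8009c8373d5eeb12b6a011f"),
    (r"C:\Users\Admin\AppData\Local\3sS0mudx\mstsc.exe", "a80a03266a039da340acef5f957ebe4d"),
]

# Image names that ship in %SystemRoot%\System32. Assumed list for the
# example; in practice generate it from a clean reference host.
SYSTEM32_IMAGES = {
    "msconfig.exe", "shrpubw.exe", "systempropertieshardware.exe",
    "mstsc.exe", "windowsactiondialog.exe", "fxscover.exe",
}
LOADABLE_EXTS = {".dll", ".cpl", ".ocx", ".drv"}
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # digest of zero-length input


def in_windows_dir(directory):
    return directory.lower().startswith("c:\\windows")


def relocated_system_binaries(drops):
    """Dropped EXEs named like a System32 image but written outside C:\\Windows."""
    hits = []
    for path, _md5 in drops:
        directory, base = ntpath.split(path)
        if base.lower() in SYSTEM32_IMAGES and not in_windows_dir(directory) and path not in hits:
            hits.append(path)
    return hits


def find_sideload_pairs(drops):
    """Map each relocated system EXE to the loadable modules dropped beside it."""
    modules_by_dir = defaultdict(set)
    for path, _md5 in drops:
        directory, base = ntpath.split(path)
        if ntpath.splitext(base)[1].lower() in LOADABLE_EXTS:
            modules_by_dir[directory.lower()].add(base)
    pairs = {}
    for exe in relocated_system_binaries(drops):
        modules = sorted(modules_by_dir.get(ntpath.dirname(exe).lower(), ()))
        if modules:
            pairs[exe] = modules
    return pairs


def empty_files(drops):
    """Paths whose recorded MD5 is that of an empty file (hashed before content was written)."""
    return [path for path, md5 in drops if md5 == EMPTY_MD5]


def rewritten_paths(drops):
    """Paths the sandbox saw with more than one distinct content hash."""
    hashes = defaultdict(set)
    first_seen = {}
    for path, md5 in drops:
        key = path.lower()
        hashes[key].add(md5)
        first_seen.setdefault(key, path)
    return [first_seen[k] for k in sorted(hashes) if len(hashes[k]) > 1]


if __name__ == "__main__":
    for exe, modules in find_sideload_pairs(DROPS).items():
        print(f"side-load candidate: {exe} <- {', '.join(modules)}")
    print("empty drops:", empty_files(DROPS))
    print("rewritten:", rewritten_paths(DROPS))
```

The empty-file check matters for collection: a zero-length module means the sandbox hashed the file before the loader finished writing it, so the hash in the report is not an indicator and the module itself still has to be recovered from a later snapshot or from memory.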