Malware Analysis Report

2024-11-15 08:50

Sample ID: 240120-xgy9baegap
Target: 6b2fb57199a0f55f49fc0b789c648d8f
SHA256: 91e3ce41002c675b3c1fb73ecb4b2c055d2560a0c909753a9ad1f26f47d1d2b0
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 91e3ce41002c675b3c1fb73ecb4b2c055d2560a0c909753a9ad1f26f47d1d2b0

Threat Level: Known bad

The file 6b2fb57199a0f55f49fc0b789c648d8f was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Dridex payload

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-20 18:50

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-20 18:50
Reported: 2024-01-20 18:52
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b2fb57199a0f55f49fc0b789c648d8f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\NiZ\spinstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\4j5\wbengine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\WDp\Dxpserver.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\Nqof\\wbengine.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\NiZ\spinstall.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\4j5\wbengine.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\WDp\Dxpserver.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\NiZ\spinstall.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 2644 N/A N/A C:\Windows\system32\spinstall.exe
PID 1196 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\NiZ\spinstall.exe
PID 1196 wrote to memory of 1460 N/A N/A C:\Windows\system32\wbengine.exe
PID 1196 wrote to memory of 2412 N/A N/A C:\Users\Admin\AppData\Local\4j5\wbengine.exe
PID 1196 wrote to memory of 2828 N/A N/A C:\Windows\system32\Dxpserver.exe
PID 1196 wrote to memory of 2840 N/A N/A C:\Users\Admin\AppData\Local\WDp\Dxpserver.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b2fb57199a0f55f49fc0b789c648d8f.dll,#1

C:\Windows\system32\spinstall.exe

C:\Users\Admin\AppData\Local\NiZ\spinstall.exe

C:\Windows\system32\wbengine.exe

C:\Users\Admin\AppData\Local\4j5\wbengine.exe

C:\Windows\system32\Dxpserver.exe

C:\Users\Admin\AppData\Local\WDp\Dxpserver.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\NiZ\spinstall.exe

MD5 29c1d5b330b802efa1a8357373bc97fe
SHA1 90797aaa2c56fc2a667c74475996ea1841bc368f
SHA256 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f
SHA512 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

C:\Users\Admin\AppData\Local\NiZ\wer.dll

MD5 72dbe7ff8cb3b1c782692f3cc9615602
SHA1 7b97c3abc1e53da0d174f5f49bac65b2e005f13b
SHA256 c3ec167bc24e86e10581efc8f52840c6af30a72fe312924da4bc3f115ed55756
SHA512 cb5f4ef030942e8136626b9a225ef2b2d243dad900b2b196289335c592c537d5289382d25491c3e89bd0546a126ebdda8b6c0eee7dacd713ae155f62e8b0ea72

\Users\Admin\AppData\Local\4j5\XmlLite.dll

MD5 85ba6340c836fdcd7efc7fbc78d60817
SHA1 53e49b348a3ff1db4a5b59f34165f3ca6c1cbe4f
SHA256 2e0188862974438b82ac36ba48da6ff36884ac60fb4d4d95dee475dec5785c3e
SHA512 c4249b7c390a382aeddc94c1b3e3f445517c2c5962ae8d1bebc837f30e2b2a9997c758c4f892be4c55eea757c31e4ba58baf9d336dda8b74ef2de8f263ca3a67

C:\Users\Admin\AppData\Local\4j5\wbengine.exe

MD5 78f4e7f5c56cb9716238eb57da4b6a75
SHA1 98b0b9db6ec5961dbb274eff433a8bc21f7e557b
SHA256 46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af
SHA512 1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

\Users\Admin\AppData\Local\WDp\Dxpserver.exe

MD5 4d38389fb92e43c77a524fd96dbafd21
SHA1 08014e52f6894cad4f1d1e6fc1a703732e9acd19
SHA256 070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73
SHA512 02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

C:\Users\Admin\AppData\Local\WDp\dwmapi.dll

MD5 fb64ceed968029f403123531851d7acf
SHA1 f37a9ca0f5dd5696f2c351977870ade2e82d8bc4
SHA256 a87870c970a7423677f3ae09e7e08bb3105444a7da98768746b06911a17dea0e
SHA512 15899dc3332e0c16bc3dbd4b54fa73e7218a7661fd79bc913807480535ea68d5ef2ec1f01608542300fb1085761d01122257d056a76c2c44c35309d444bc5df1

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

MD5 9534854b41c9e1473edad151a648f6a0
SHA1 841219278c63a9f696f988b277dbcff8c2c04a01
SHA256 1dfe125c1e67d9ca9224ff594e9d111fed822cdc585ff0e7b260db839f19de50
SHA512 5ccd8cdcdbd6e8e91362a7ee3f90e59a6db4715793aebe69330ba6850999f4233cc26f1e07ee0f55695a06756695d894240b705e200d3957713d93dd415c2d75

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-20 18:50
Reported: 2024-01-20 18:52
Platform: win10v2004-20231215-en
Max time kernel: 149s
Max time network: 148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b2fb57199a0f55f49fc0b789c648d8f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\qNY6\\WindowsActionDialog.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\QUMqo\DisplaySwitch.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\7T2ZMC\WindowsActionDialog.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\WwQmMvro\RdpSa.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of FindShellTrayWindow


Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 2648 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 3492 wrote to memory of 3972 N/A N/A C:\Users\Admin\AppData\Local\QUMqo\DisplaySwitch.exe
PID 3492 wrote to memory of 4176 N/A N/A C:\Windows\system32\WindowsActionDialog.exe
PID 3492 wrote to memory of 4332 N/A N/A C:\Users\Admin\AppData\Local\7T2ZMC\WindowsActionDialog.exe
PID 3492 wrote to memory of 3780 N/A N/A C:\Windows\system32\wermgr.exe
PID 3492 wrote to memory of 1616 N/A N/A C:\Users\Admin\AppData\Local\UCxVWA\wermgr.exe
PID 3492 wrote to memory of 2276 N/A N/A C:\Windows\system32\RdpSa.exe
PID 3492 wrote to memory of 2184 N/A N/A C:\Users\Admin\AppData\Local\WwQmMvro\RdpSa.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b2fb57199a0f55f49fc0b789c648d8f.dll,#1

C:\Windows\system32\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\QUMqo\DisplaySwitch.exe

C:\Windows\system32\WindowsActionDialog.exe

C:\Users\Admin\AppData\Local\7T2ZMC\WindowsActionDialog.exe

C:\Windows\system32\wermgr.exe

C:\Users\Admin\AppData\Local\UCxVWA\wermgr.exe

C:\Windows\system32\RdpSa.exe

C:\Users\Admin\AppData\Local\WwQmMvro\RdpSa.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\QUMqo\DisplaySwitch.exe

MD5 4c39e82694057109ead90a9bbd4cba08
SHA1 e43aa69cceb23435f4d1adf813603f0f4ed1dd94
SHA256 fb865caf3e62cdffa37a1df63fe3da429212a772f7157df8b78c8f664c600e82
SHA512 b6bd6fa8a5ba0474bc8695549195ad7fa922c0dca7afe3eac5acf0363b6fa463c94a4a3f2e37537ba1294f6aba22d943e14cdda09c4aa129c8c1f387d68e0603

C:\Users\Admin\AppData\Local\QUMqo\DUser.dll

MD5 2605b9de89f3edcdd8fd058adddbcd99
SHA1 1e71cb29249cec1bc6ddbda164e9cba92397b9ef
SHA256 36eeaf4907071cac6d4614b9f50f9fd1e73454678564461dd4b3237cc2a7deae
SHA512 a01ebb7995bafe98dfafc99419b57a59e4d296192eb2a1d545745e890044f29f64200e0537d7a0742a5cb2b369c2ca4a185a251ae403ef2ec58805d4afbee99c

C:\Users\Admin\AppData\Local\QUMqo\DisplaySwitch.exe

MD5 ce0cd72771ba121f3635b4df8e11f879
SHA1 6dae247f51326ec6261817bbf3dc27ccfb4230e6
SHA256 1d9fbed21056ea7084ae6c447380de1bc8939d5281fe46e8da5a7e88c0bab26c
SHA512 e27ebe28452f9376e7bd0acc3b12065dab52a7d711aad7cfd371d4fbf5d426a32dcb4b4dc4d78f07ba4be2bdeed1e4dbacbba20ae54cc63503a5ba7fa7b3db53

C:\Users\Admin\AppData\Local\7T2ZMC\DUI70.dll

MD5 b37803173a15e02626fb9e093f49b610
SHA1 7f5451bc32410aac999e84f3d24d7b86e5d43a0c
SHA256 52b29c4abbbd3743e1249fd7e93ec4d09816e3ea305a6c840ad57947d4ad2bb1
SHA512 951a0653b6f9a6d689fd8e671487591b4e813efb688c39d9a00a5044ec5b488613d9c11f5595c72ecce8f5db6df47cdac0fb04aabd364252f781cb72ed44a7c7

C:\Users\Admin\AppData\Local\7T2ZMC\WindowsActionDialog.exe

MD5 73c523b6556f2dc7eefc662338d66f8d
SHA1 1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5
SHA256 0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31
SHA512 69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

C:\Users\Admin\AppData\Local\7T2ZMC\DUI70.dll

MD5 ec55b891bd2b159dc0c2b5e1ae1ebe9b
SHA1 958813aa3864dca17099a853bbe5fd0d5e1b8f81
SHA256 b9acdf1463d2c13ec20b623355fd808f4a7d9bb6be4426110e594c37b633ee84
SHA512 e4f68f545b9da3a94a3fe253311f63cf2ca171e2175e943407d89841b7f5e032ee7e77798ea9d84151bd3c880bc1d00b14de3ecec3407fd984ed4fe80638b0f4

C:\Users\Admin\AppData\Local\UCxVWA\wermgr.exe

MD5 f7991343cf02ed92cb59f394e8b89f1f
SHA1 573ad9af63a6a0ab9b209ece518fd582b54cfef5
SHA256 1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc
SHA512 fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

C:\Users\Admin\AppData\Local\WwQmMvro\RdpSa.exe

MD5 5992f5b5d0b296b83877da15b54dd1b4
SHA1 0d87be8d4b7aeada4b55d1d05c0539df892f8f82
SHA256 32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c
SHA512 4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

C:\Users\Admin\AppData\Local\WwQmMvro\WINSTA.dll

MD5 68716a010cc7093f10b36d0c886ae030
SHA1 75ffb8693bcbf4cafa0fba09a5302f2e0f2c1df6
SHA256 ff4144c8cc33129e3e51eb87174bb82e62597373df4f0a70832d3a598b473b8e
SHA512 b33b8fcd34e3a96097d428944e886d25dbe43638e098d45dbe1d883d144ff3398a7877b6d3915a19298294c2b3b1029faca642ebf41223ad63e6d0fea827c406

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

MD5 d8308189d11779b292aa535ae20751ad
SHA1 63a4d20b5a20d2a578b763dcd043833be28bd5cb
SHA256 e07bd49f88b12fdc70fd13ea1867cb05b33310448964dca0ccc5ece142b7d99b
SHA512 7e4b95c03497fdd7d215f15b87007f1b0263b6d48097c28f6d24aac2f3da339cc1219bd298c889918ac70ecb4fccf03117f0d9094e5b58aaf1406eb14eba6167