Analysis Overview
SHA256
6c28f1dd1c3bbf1187846af408ba671bf0fb28984469e666b284d4f4b1c3a823
Threat Level: Known bad
The file 6d6d6e2d25e5004f0487405fdb25a600 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-21 16:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-21 16:02
Reported
2024-01-21 16:05
Platform
win7-20231215-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\hAkyUKUK\SystemPropertiesDataExecutionPrevention.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\y8jTT\tcmsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\BHKZxD0\osk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\hAkyUKUK\SystemPropertiesDataExecutionPrevention.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\y8jTT\tcmsetup.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\BHKZxD0\osk.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\2AOpVFzcLX\\tcmsetup.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\hAkyUKUK\SystemPropertiesDataExecutionPrevention.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\y8jTT\tcmsetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\BHKZxD0\osk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d6d6e2d25e5004f0487405fdb25a600.dll,#1
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\hAkyUKUK\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\hAkyUKUK\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
C:\Users\Admin\AppData\Local\y8jTT\tcmsetup.exe
C:\Users\Admin\AppData\Local\y8jTT\tcmsetup.exe
C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
C:\Users\Admin\AppData\Local\BHKZxD0\osk.exe
C:\Users\Admin\AppData\Local\BHKZxD0\osk.exe
Network
Files
memory/2496-0-0x0000000140000000-0x000000014016C000-memory.dmp
memory/2496-2-0x00000000001A0000-0x00000000001A7000-memory.dmp
memory/1188-4-0x00000000773A6000-0x00000000773A7000-memory.dmp
memory/1188-5-0x0000000002A80000-0x0000000002A81000-memory.dmp
memory/1188-7-0x0000000140000000-0x000000014016C000-memory.dmp
memory/2496-8-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-9-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-10-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-11-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-12-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-14-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-13-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-16-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-17-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-15-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-19-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-20-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-18-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-22-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-21-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-24-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-23-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-27-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-25-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-26-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-28-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-30-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-29-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-32-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-31-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-34-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-33-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-35-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-38-0x0000000002A50000-0x0000000002A57000-memory.dmp
memory/1188-37-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-36-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-45-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-47-0x0000000077710000-0x0000000077712000-memory.dmp
memory/1188-46-0x00000000775B1000-0x00000000775B2000-memory.dmp
memory/1188-56-0x0000000140000000-0x000000014016C000-memory.dmp
memory/1188-62-0x0000000140000000-0x000000014016C000-memory.dmp
\Users\Admin\AppData\Local\hAkyUKUK\SystemPropertiesDataExecutionPrevention.exe
| Hash | Value |
| --- | --- |
| MD5 | e43ff7785fac643093b3b16a9300e133 |
| SHA1 | a30688e84c0b0a22669148fe87680b34fcca2fba |
| SHA256 | c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b |
| SHA512 | 61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a |
C:\Users\Admin\AppData\Local\hAkyUKUK\SYSDM.CPL
| Hash | Value |
| --- | --- |
| MD5 | c2643eae06ac9cc0fda13c796c36131e |
| SHA1 | 51316ed272064e37e459f20a8c8a2f6add3412b2 |
| SHA256 | bfaeec6613997bcf82e41077fa1d02a934cd361e1d168ad1e7d9a50b9ae96d97 |
| SHA512 | b81551be9ca442da82e2ddf901f03a2033eb90343a58756ce95bb89d32ca939e233b2ccffa9ca41ec22648a0039c09897ea662f3c69b0a71ddf9106dc439d984 |
memory/2640-74-0x0000000140000000-0x000000014016D000-memory.dmp
memory/2640-75-0x00000000000F0000-0x00000000000F7000-memory.dmp
memory/2640-80-0x0000000140000000-0x000000014016D000-memory.dmp
\Users\Admin\AppData\Local\y8jTT\tcmsetup.exe
| Hash | Value |
| --- | --- |
| MD5 | 0b08315da0da7f9f472fbab510bfe7b8 |
| SHA1 | 33ba48fd980216becc532466a5ff8476bec0b31c |
| SHA256 | e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7 |
| SHA512 | c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58 |
C:\Users\Admin\AppData\Local\y8jTT\TAPI32.dll
| Hash | Value |
| --- | --- |
| MD5 | f5aaf822675f3ff5565f64ebac272d39 |
| SHA1 | c687794391440629118bfa9e3d16f51e9c9510f8 |
| SHA256 | fd61a51c15cbf35e632938333ac5e1f3c472bb7760e6645ad1e9a5fdf586e111 |
| SHA512 | be7541443ef8841103000470f21121ef83f59b3e639fa36e4f9fba898b5644a5b55a91c831d195f4aad8b069739a52707876314f41d2a1bbc92554c9b9ec7f14 |
memory/1588-92-0x0000000140000000-0x000000014016E000-memory.dmp
memory/1588-94-0x0000000000100000-0x0000000000107000-memory.dmp
memory/1588-98-0x0000000140000000-0x000000014016E000-memory.dmp
\Users\Admin\AppData\Local\BHKZxD0\osk.exe
| Hash | Value |
| --- | --- |
| MD5 | b5ccc580308ea920c8c0e31d17f21b23 |
| SHA1 | 0d760edb7f98c92a96ee84870f160ca282863763 |
| SHA256 | 49bd64d5d22fe03b6fcdb6651c97e99e77c86d1bfc338f51879bb6b5cd597781 |
| SHA512 | 18f6065b985197f0c3764da8f22ae9f56d589c1b83f447a2b0bbb6287c43059d7d534b90a7ce660e8a5a36e1a8a2a0cfe6f944b4b384e14901d6b66461ccf272 |
\Users\Admin\AppData\Local\BHKZxD0\dwmapi.dll
| Hash | Value |
| --- | --- |
| MD5 | 62a31f0c69e4e51ba92f9ce221491ba5 |
| SHA1 | 1fc006d6fe2cb3b510e25c7ff7e0619061fb2ae8 |
| SHA256 | ddf59b686325b020bf449b76cbd93f716854c3075f239f2cb37ef9400c7e9566 |
| SHA512 | d579914db5e53b527172bac4b67705eac8af1364a0f553929d8a607d498a9baf07794fd4966b96b46b9942bffa3d45dfc2ada9317642422be42b13d26a7c91f8 |
C:\Users\Admin\AppData\Local\BHKZxD0\osk.exe
| Hash | Value |
| --- | --- |
| MD5 | b918311a8e59fb8ccf613a110024deba |
| SHA1 | a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b |
| SHA256 | e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353 |
| SHA512 | e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1 |
memory/1188-131-0x00000000773A6000-0x00000000773A7000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk
| Hash | Value |
| --- | --- |
| MD5 | 4226746aea5e60126dc602df3d4a0de4 |
| SHA1 | b296a138183d36798e6b6bac886f43bbd7e45bf8 |
| SHA256 | 76e13d0cf8e2d2e699532d880ab6862794248a51b818a56700fac621f02d50a7 |
| SHA512 | 3a858b5796626a82e506f257403234c7205522855ce085f2b463bb4b5bea39d215b4b2ec5cb5947065175e6266bf6cf8c2aaf079a99bcec6f0162e17a8d2ca67 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-21 16:02
Reported
2024-01-21 16:05
Platform
win10v2004-20231215-en
Max time kernel
147s
Max time network
160s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\kQjfp\msra.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\MNL7M7zBh\DWWIN.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\JjoqkoObI\RdpSa.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\kQjfp\msra.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\MNL7M7zBh\DWWIN.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\JjoqkoObI\RdpSa.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\553\\DWWIN.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\kQjfp\msra.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\MNL7M7zBh\DWWIN.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\JjoqkoObI\RdpSa.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3540 wrote to memory of 2884 | N/A | N/A | C:\Windows\system32\msra.exe |
| PID 3540 wrote to memory of 2884 | N/A | N/A | C:\Windows\system32\msra.exe |
| PID 3540 wrote to memory of 3324 | N/A | N/A | C:\Users\Admin\AppData\Local\kQjfp\msra.exe |
| PID 3540 wrote to memory of 3324 | N/A | N/A | C:\Users\Admin\AppData\Local\kQjfp\msra.exe |
| PID 3540 wrote to memory of 3352 | N/A | N/A | C:\Windows\system32\DWWIN.EXE |
| PID 3540 wrote to memory of 3352 | N/A | N/A | C:\Windows\system32\DWWIN.EXE |
| PID 3540 wrote to memory of 3456 | N/A | N/A | C:\Users\Admin\AppData\Local\MNL7M7zBh\DWWIN.EXE |
| PID 3540 wrote to memory of 3456 | N/A | N/A | C:\Users\Admin\AppData\Local\MNL7M7zBh\DWWIN.EXE |
| PID 3540 wrote to memory of 4620 | N/A | N/A | C:\Windows\system32\RdpSa.exe |
| PID 3540 wrote to memory of 4620 | N/A | N/A | C:\Windows\system32\RdpSa.exe |
| PID 3540 wrote to memory of 3956 | N/A | N/A | C:\Users\Admin\AppData\Local\JjoqkoObI\RdpSa.exe |
| PID 3540 wrote to memory of 3956 | N/A | N/A | C:\Users\Admin\AppData\Local\JjoqkoObI\RdpSa.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d6d6e2d25e5004f0487405fdb25a600.dll,#1
C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
C:\Users\Admin\AppData\Local\kQjfp\msra.exe
C:\Users\Admin\AppData\Local\kQjfp\msra.exe
C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
C:\Users\Admin\AppData\Local\MNL7M7zBh\DWWIN.EXE
C:\Users\Admin\AppData\Local\MNL7M7zBh\DWWIN.EXE
C:\Windows\system32\RdpSa.exe
C:\Windows\system32\RdpSa.exe
C:\Users\Admin\AppData\Local\JjoqkoObI\RdpSa.exe
C:\Users\Admin\AppData\Local\JjoqkoObI\RdpSa.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
memory/4680-0-0x00000194B8FA0000-0x00000194B8FA7000-memory.dmp
memory/4680-1-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-4-0x0000000002AA0000-0x0000000002AA1000-memory.dmp
memory/3540-6-0x0000000140000000-0x000000014016C000-memory.dmp
memory/4680-7-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-9-0x00007FFC3775A000-0x00007FFC3775B000-memory.dmp
memory/3540-10-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-12-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-13-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-11-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-8-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-14-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-15-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-16-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-17-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-18-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-19-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-20-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-21-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-22-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-23-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-24-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-26-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-25-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-27-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-28-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-29-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-30-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-31-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-32-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-33-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-34-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-35-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-36-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-37-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-38-0x0000000002AB0000-0x0000000002AB7000-memory.dmp
memory/3540-45-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-48-0x00007FFC378E0000-0x00007FFC378F0000-memory.dmp
memory/3540-55-0x0000000140000000-0x000000014016C000-memory.dmp
memory/3540-57-0x0000000140000000-0x000000014016C000-memory.dmp
C:\Users\Admin\AppData\Local\kQjfp\msra.exe
| Hash | Value |
| --- | --- |
| MD5 | dcda3b7b8eb0bfbccb54b4d6a6844ad6 |
| SHA1 | 316a2925e451f739f45e31bc233a95f91bf775fa |
| SHA256 | 011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae |
| SHA512 | 18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5 |
C:\Users\Admin\AppData\Local\kQjfp\UxTheme.dll
| Hash | Value |
| --- | --- |
| MD5 | 2fba5de7ba6b557726088ea7c8c84781 |
| SHA1 | 77a388982aab793366cb89fa261c26f93b9d7ede |
| SHA256 | a365bb94cb6595eb832995201a3ae9882c24d44d7a47fb40bcce6202698a1105 |
| SHA512 | da4454b10968f1d99cc1d279742b79ea276bbba1a01d21e4533baa84fa51f28713c978a32a1076498093883afbdac4eec4726ec485f3f495931bbf3814ffc66f |
memory/3324-67-0x0000018E811B0000-0x0000018E811B7000-memory.dmp
memory/3324-66-0x0000000140000000-0x000000014016D000-memory.dmp
memory/3324-72-0x0000000140000000-0x000000014016D000-memory.dmp
C:\Users\Admin\AppData\Local\MNL7M7zBh\DWWIN.EXE
| Hash | Value |
| --- | --- |
| MD5 | 444cc4d3422a0fdd45c1b78070026c60 |
| SHA1 | 97162ff341fff1ec54b827ec02f8b86fd2d41a97 |
| SHA256 | 4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0 |
| SHA512 | 21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553 |
C:\Users\Admin\AppData\Local\MNL7M7zBh\VERSION.dll
| Hash | Value |
| --- | --- |
| MD5 | 66ca5a0eaf9e1bf0a134f662fa2ce506 |
| SHA1 | 20d8862053be86331311621939d4e6e8cb862eae |
| SHA256 | 7090ac75b5724e680cfacd55fc25c64ac72024d7579225259fce7160c12e2004 |
| SHA512 | c92a306c9e7ca9ba12f01e3c1f58ac6017323c2daa81a6f3c1fb5cf651f691adeb6b3fbc791bed27d1e2a12ac0bbe17a0f3a3e02889be166599372d526098330 |
memory/3456-84-0x0000020E48740000-0x0000020E48747000-memory.dmp
memory/3456-89-0x0000000140000000-0x000000014016D000-memory.dmp
C:\Users\Admin\AppData\Local\JjoqkoObI\RdpSa.exe
| Hash | Value |
| --- | --- |
| MD5 | 5992f5b5d0b296b83877da15b54dd1b4 |
| SHA1 | 0d87be8d4b7aeada4b55d1d05c0539df892f8f82 |
| SHA256 | 32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c |
| SHA512 | 4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6 |
memory/3956-98-0x00007FFC36D26000-0x00007FFC36D28000-memory.dmp
C:\Users\Admin\AppData\Local\JjoqkoObI\WINSTA.dll
| Hash | Value |
| --- | --- |
| MD5 | eec26e04b45dad57fafcb27ac62eeecf |
| SHA1 | 68029a8151014499ab334cca7d926f6ab49b3b03 |
| SHA256 | 8304782d65bfa7ffe4845d0b3aac4483e80a7d0b6e973952a7156b343f1baea2 |
| SHA512 | bc47d142f704926fa5f5979434f99a31f647e1f51b31dbfbc04f05d08b5c822a75b3cba8eee7873f809458a9fefa486225175d8afbd8f7976296ce80af142451 |
memory/3956-101-0x0000000140000000-0x000000014016E000-memory.dmp
memory/3956-102-0x00000251C23E0000-0x00000251C23E7000-memory.dmp
memory/3956-107-0x0000000140000000-0x000000014016E000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| Hash | Value |
| --- | --- |
| MD5 | b126b6c783d8f6e63c8b79d221394148 |
| SHA1 | 5009faaf3de959c8a367f29924d34cb576ea4189 |
| SHA256 | e44c5ac9655e84335d276050144819f118ea74f05428966148e9cc0a83896859 |
| SHA512 | 38f60923e0a0546ac1bc047a955c137d071ae5db5e752e82fc7b37eea9d560857e4de0d02a5b2dffd90320cb38e7ac69ea51d4540cdeeac1454a9c9fcf8585c0 |