Malware Analysis Report

2024-11-13 16:41

Sample ID: 240127-gavpjsfhal
Target: 7968f591e01c7a4a04d2d9c53d667082
SHA256: 00a23ef486863b29a272d8b4405e375fefa0a629927a9bccd0434886b02c5cdd
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 00a23ef486863b29a272d8b4405e375fefa0a629927a9bccd0434886b02c5cdd

Threat Level: Known bad

The file 7968f591e01c7a4a04d2d9c53d667082 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-27 05:36

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-27 05:36

Reported

2024-01-27 05:39

Platform

win7-20231215-en

Max time kernel

150s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7968f591e01c7a4a04d2d9c53d667082.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\SYi\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\pQ6\iexpress.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\3KDM3e\msra.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\wDV7Jj\\iexpress.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\SYi\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\pQ6\iexpress.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3KDM3e\msra.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 3008 N/A N/A C:\Windows\system32\taskmgr.exe
PID 1260 wrote to memory of 3008 N/A N/A C:\Windows\system32\taskmgr.exe
PID 1260 wrote to memory of 3008 N/A N/A C:\Windows\system32\taskmgr.exe
PID 1260 wrote to memory of 1312 N/A N/A C:\Users\Admin\AppData\Local\SYi\taskmgr.exe
PID 1260 wrote to memory of 1312 N/A N/A C:\Users\Admin\AppData\Local\SYi\taskmgr.exe
PID 1260 wrote to memory of 1312 N/A N/A C:\Users\Admin\AppData\Local\SYi\taskmgr.exe
PID 1260 wrote to memory of 1912 N/A N/A C:\Windows\system32\iexpress.exe
PID 1260 wrote to memory of 1912 N/A N/A C:\Windows\system32\iexpress.exe
PID 1260 wrote to memory of 1912 N/A N/A C:\Windows\system32\iexpress.exe
PID 1260 wrote to memory of 1016 N/A N/A C:\Users\Admin\AppData\Local\pQ6\iexpress.exe
PID 1260 wrote to memory of 1016 N/A N/A C:\Users\Admin\AppData\Local\pQ6\iexpress.exe
PID 1260 wrote to memory of 1016 N/A N/A C:\Users\Admin\AppData\Local\pQ6\iexpress.exe
PID 1260 wrote to memory of 2824 N/A N/A C:\Windows\system32\msra.exe
PID 1260 wrote to memory of 2824 N/A N/A C:\Windows\system32\msra.exe
PID 1260 wrote to memory of 2824 N/A N/A C:\Windows\system32\msra.exe
PID 1260 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\3KDM3e\msra.exe
PID 1260 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\3KDM3e\msra.exe
PID 1260 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\3KDM3e\msra.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7968f591e01c7a4a04d2d9c53d667082.dll,#1

C:\Users\Admin\AppData\Local\SYi\taskmgr.exe

C:\Windows\system32\taskmgr.exe

C:\Windows\system32\iexpress.exe

C:\Users\Admin\AppData\Local\pQ6\iexpress.exe

C:\Windows\system32\msra.exe

C:\Users\Admin\AppData\Local\3KDM3e\msra.exe

Network

N/A

Files

\Users\Admin\AppData\Local\SYi\taskmgr.exe

MD5 09f7401d56f2393c6ca534ff0241a590
SHA1 e8b4d84a28e5ea17272416ec45726964fdf25883
SHA256 6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1
SHA512 7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

C:\Users\Admin\AppData\Local\SYi\Secur32.dll

MD5 dba2f56fdeaa3e8ce90ee1d3649276e9
SHA1 fdd7e1b898f24809bae38cac86cad107e3315cd2
SHA256 45c35b6aab5ff252316fd9d80612b10b1dd78f53e21391425f4f5648ffc69b1e
SHA512 b9274a460706582660b3eceaef75e8a0751709fceef16671bcdd4156566bba3fd8cd335ba1c83e40ee884baf1a92cca29acf48f74177bbcf58c57c5b866e1ca5

\Users\Admin\AppData\Local\pQ6\iexpress.exe

MD5 46fd16f9b1924a2ea8cd5c6716cc654f
SHA1 99284bc91cf829e9602b4b95811c1d72977700b6
SHA256 9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3
SHA512 52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

C:\Users\Admin\AppData\Local\pQ6\VERSION.dll

MD5 fda59afd0c6e113db719a9c4bc13a6ec
SHA1 b69a6f1dcf4782c6dda468fde6773732f77e8581
SHA256 ea26732655b9ed19b15a521cf7055d0d40a8d9035352a5a8976bcbee02d822bd
SHA512 bc9e6d088e0f56ca5b901f30b6dba01baba675b4f9211c5a3bc4f9c58a9f2ea87acd6707b547e1cd150bbddf5a2a5052f93428b9692a57c3926ac612669b3d3f

\Users\Admin\AppData\Local\3KDM3e\UxTheme.dll

MD5 2275127c227c413afe1b173506c828b9
SHA1 978e60d9cd6c4a890f9a77f9227f25858698d439
SHA256 a59e45b77d467938dc20568fa55398c245322253d29e85b798fc572814a2ed7b
SHA512 01ba3a5bbdee791f496514fe23a294bcea3efc1b4e27dd7beba44568f199aec7f18b0e5a619d05a86305f5395b7b98d93e1778af1f43c562cafa13f288cb00cb

C:\Users\Admin\AppData\Local\3KDM3e\msra.exe

MD5 e79df53bad587e24b3cf965a5746c7b6
SHA1 87a97ec159a3fc1db211f3c2c62e4d60810e7a70
SHA256 4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d
SHA512 9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 65f1b19c148965d66854fb7ec54500ed
SHA1 1a90aa720cb26b3eca6e19b91d695d8aec649bf0
SHA256 5c2f71c06ed379a1260b5bb651b03f8273edde631bc7c8883843a00740016219
SHA512 8e6208e7565fb824c43790d251f6d1755886ba052d30c53c24a0ca55fe694f20248d13e431210ec9c6d2dc40dc73fe2e03bd030607f4a4b617c56a194704e74b

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-27 05:36

Reported

2024-01-27 05:39

Platform

win10v2004-20231222-en

Max time kernel

147s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7968f591e01c7a4a04d2d9c53d667082.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\hT1PPa\\Taskmgr.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\7GMpuEOP\RdpSa.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3472 wrote to memory of 4376 N/A N/A C:\Windows\system32\RdpSa.exe
PID 3472 wrote to memory of 4376 N/A N/A C:\Windows\system32\RdpSa.exe
PID 3472 wrote to memory of 3160 N/A N/A C:\Users\Admin\AppData\Local\7GMpuEOP\RdpSa.exe
PID 3472 wrote to memory of 3160 N/A N/A C:\Users\Admin\AppData\Local\7GMpuEOP\RdpSa.exe
PID 3472 wrote to memory of 4600 N/A N/A C:\Windows\system32\Taskmgr.exe
PID 3472 wrote to memory of 4600 N/A N/A C:\Windows\system32\Taskmgr.exe
PID 3472 wrote to memory of 4976 N/A N/A C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe
PID 3472 wrote to memory of 4976 N/A N/A C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe
PID 3472 wrote to memory of 3020 N/A N/A C:\Windows\system32\mstsc.exe
PID 3472 wrote to memory of 3020 N/A N/A C:\Windows\system32\mstsc.exe
PID 3472 wrote to memory of 1756 N/A N/A C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe
PID 3472 wrote to memory of 1756 N/A N/A C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7968f591e01c7a4a04d2d9c53d667082.dll,#1

C:\Windows\system32\RdpSa.exe

C:\Users\Admin\AppData\Local\7GMpuEOP\RdpSa.exe

C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe

C:\Windows\system32\mstsc.exe

C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe

C:\Windows\system32\Taskmgr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\7GMpuEOP\RdpSa.exe

MD5 5992f5b5d0b296b83877da15b54dd1b4
SHA1 0d87be8d4b7aeada4b55d1d05c0539df892f8f82
SHA256 32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c
SHA512 4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

C:\Users\Admin\AppData\Local\6EJeq90wu\credui.dll

MD5 3bcdc623cdce76e61ee2ebb00172632f
SHA1 6c71e446b281d936950f709eb55f9d41d26e95a8
SHA256 5ed787a8fc60e02a4e39af5af7af2b3106cc8259c88a561c94473b4a6f7a732b
SHA512 a8c387b294d0da8efb50a802a15b7500389e76b438e347f325ab8dc6c9753f35e5e04aa7dc16f1f3c6ef8fc18eea5dfa675d5cd4d89d63f29ef89ce330455f8e

C:\Users\Admin\AppData\Local\glOyVHOM\VERSION.dll

MD5 66aa0c66cdf33b01b2d24144003b4512
SHA1 2fc004d13c12225680ce402e7131950f57c46f97
SHA256 6c5b2cb6ba9f81798cf519ae2a48803aeb06bc5d2daad3bd03b4593df127b2f3
SHA512 22fe22cc7ee620eb5ce0aaba0f51ef3c317f3660ed2c69d8e6ee9124aa82674440b88a61aa5aeb3a68c5d167944df0f643e44b6819054559daec6b3323e1db78

C:\Users\Admin\AppData\Local\glOyVHOM\VERSION.dll

MD5 af845f23646a5b7cf1442a5bd007b86c
SHA1 3c1656b6a5d5f7405af85b3ae2f8dcdbb0fd20cf
SHA256 1aaec93d0522117af33476ac582daed081f5f6d0d8bc6664f3704887d17978b5
SHA512 71fde2009ae3f68d4c704a7162dd7b9642314bae35d9bcb8e6829df81f8cbbf5ac9cfa7a59adf585d305ae6ae8e21c1e61fbe2ed5d0538ccbf3093c2f22b65c2

C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe

MD5 a789b5b578ed10d31fa4b9ff98adf2b6
SHA1 010a7cd4b12bcab656c0f8c3b0cf4e77b5ea1a46
SHA256 9099f5dcf5f53572fdabbf6d12ce9515ba1f2fa89369be12900a1a0dd244b494
SHA512 b978f736b2cdbad381b179d4c24c28d5d841ab7d04926d3863cf764f5360c27f1bfcbf9ed113fe9557b00ede9c7d12aac8cc41ad607ddf8cd41c61cdfafff9a3

C:\Users\Admin\AppData\Local\glOyVHOM\mstsc.exe

MD5 bfa99bd8a693a6e090dec1f56a78a2bc
SHA1 791c1bab4bf016368d38def7fb788d75f1cd4d52
SHA256 133893f9757f740ff7eeefbeba5db6a22ca4dc48da6c264acbb175e8f1294509
SHA512 2963615a252d4d405c4bbc6cc7914be34839a4b2f092e5c29c5e1069cddad94b01a478353af61c678e1c19a31f5ecba9fa92b86ef4fcb654c2ad083cf57aaf12

C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe

MD5 d151dec7a4474bac9c74d995bb23aab5
SHA1 fb21b02a2cb62f7c1e75d5cb4892794c393d024e
SHA256 b3853b47475ee8e54f750d8fe30c6e6d62e83db46012f2e7a393e51fe9fa811d
SHA512 e75b6cb49353357ddd7530fd285e9d197926bfe29254c1a4323110ad608684f2333107393f37504978f2a07a608f7ce1e6af17e93507fedf358934ad559ec21d

C:\Users\Admin\AppData\Local\6EJeq90wu\credui.dll

MD5 da5b1956e5ed121e0b85bdb441bc0375
SHA1 edba9f515fdc85bec1801cfc540a8f03cce0c3b5
SHA256 9077cb97a0600dfc69cf803c56587d2b71e043804942a73546a74022a13a0fe6
SHA512 493393ee3e4df034d651a1f9f7dff73a8e6e75bcc432dddb731e5b1114bc0c5b55e8694779cbcfde2eb39552e549c6cac2328416b04c535d58715cb78ca405f5

C:\Users\Admin\AppData\Local\6EJeq90wu\Taskmgr.exe

MD5 ba4df2e7cda214b318acd0a2f619bc68
SHA1 9ea8b8aec96e725e1411c37c325cf4dbc874802e
SHA256 d9a76aa0ed696031ef8d1aa45e7721b1a4901a345e0128090f5c5243f725af36
SHA512 965ed7ed9aab11d63764d15fcf055a17d662116082437fc58c0cd992f327d102cf6d60caf6f19e40bdf85564c20b7c34d6df860a6c4cf2361062a393023722d3

C:\Users\Admin\AppData\Local\7GMpuEOP\WINSTA.dll

MD5 8eadc5168ad087530c70f483363d60d4
SHA1 0bcb3acf63a92ee1ed469a489631ebd61054f8c5
SHA256 7e02b02c71039b7714064bceabd416758ad1ca3f211be928d4c0a7fdee1561f4
SHA512 37724bd31d488121d51f0c851a43c001088d93b9c24087c66fe6d610855df975ba7926d97fd269cbbe0c5ba626816d4f59af1a7cbc21239e79f80c6cc2ea9810

C:\Users\Admin\AppData\Local\7GMpuEOP\WINSTA.dll

MD5 9b8d5f33c847938b3bba5437374d1ac2
SHA1 2a1c9cff9dc47e0e3f96e5f256a2b3e5e2a5e4be
SHA256 c84214609f66f9c09d359a05fed610db4af4a564af2249fa562a6b645e47769d
SHA512 e7190abd3f9ffdf070e0b73d36d3f892b08621a3bebf675e58a4124bfc7c5318d1967c4d61636bf9591ec9346afcd2abaeb8db28c0026b3d630235ece722a12d

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

MD5 1c9d31f7b53a9a57bfd66ac004a055d4
SHA1 a2490bdd9933a2abbbddbac10a27ae99a8c2c456
SHA256 0c0f980af1d8ec21185e3be35c1db8f62c47c24b690d74c95d99261ef3f9c0c1
SHA512 cf1f373aba37024b51688ae568624b2b7cb3cf37edad4c4af27bedb441ff94a7e8830b388ed32f6bfd730861b8e47ff25616105fb9a7a00ab4a3c22e38a43a21

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\78Lv\WINSTA.dll

MD5 0c075860d8a3a1db2b481c8d52a0dbfa
SHA1 88ea911bef105668ff00ead3d2bdba5f9b9eb532
SHA256 c83a3973295b475a94e358536cefa9455eedf05e46a6a3754ce01dbbc78ce869
SHA512 5715761af43d3930f28de9a1034f7c6c743b97d046fe5fc6916e65b2846fbd7e1f51c1876c9a48086d72858edb49d361a4aa20f2c27d4961173e9d3e3074a4f7

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\hT1PPa\credui.dll

MD5 cf334860cff3fcb18b627eebfd497f0b
SHA1 8bcdb7cf473d4e684dd539ad668547cb8b7390ce
SHA256 aea7a8c764b3194fa69c3f5ced7e701c3ac8e1bc03f8731048a1ac97cf054c55
SHA512 fb1639573076e9689f5ef8317d8858641d97cbc23d9762d2483c984c7d3b670cb3dac304958c287a7000e79e7d4272203f5a52619a2cc8d2f0fee897cd553b25

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SesmRCj\VERSION.dll

MD5 07f7b67cebd6ade6b49ba150217c1d08
SHA1 8548b8a60091b1dfecb761101cf8c8ab5e4cfddb
SHA256 243c1cf15886c8c1e92b1d9a423d8c7414112ce30aca16565c9db02fb0c8b79f
SHA512 e479ae2f33ee3c6b738e2acdcc438ee04fe02b01cccfe726f946243eb5a525000e4134da84a1607e30ca2d9286e409018549a5e1a9ce3847fc6683af49f01ae6