Malware Analysis Report

2024-11-13 16:42

Sample ID 240129-bdcegsgacp
Target 7e7645b86e265b69aed08c4852fe6291
SHA256 e0980b4994c3d61ec8c3ab1db13ef837487bd2e209e97a4ad4708211d9d4d712
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e0980b4994c3d61ec8c3ab1db13ef837487bd2e209e97a4ad4708211d9d4d712

Threat Level: Known bad

The file 7e7645b86e265b69aed08c4852fe6291 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex payload

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-29 01:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-29 01:01

Reported

2024-01-29 01:03

Platform

win7-20231215-en

Max time kernel

150s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e7645b86e265b69aed08c4852fe6291.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\E7jLd\mblctr.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\sBUME\OptionalFeatures.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\MU2iq\UI0Detect.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1268429524-3929314613-1992311491-1000\\0wl\\OptionalFeatures.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\MU2iq\UI0Detect.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\E7jLd\mblctr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\sBUME\OptionalFeatures.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 2600 N/A N/A C:\Windows\system32\mblctr.exe
PID 1204 wrote to memory of 2600 N/A N/A C:\Windows\system32\mblctr.exe
PID 1204 wrote to memory of 2600 N/A N/A C:\Windows\system32\mblctr.exe
PID 1204 wrote to memory of 2660 N/A N/A C:\Users\Admin\AppData\Local\E7jLd\mblctr.exe
PID 1204 wrote to memory of 2660 N/A N/A C:\Users\Admin\AppData\Local\E7jLd\mblctr.exe
PID 1204 wrote to memory of 2660 N/A N/A C:\Users\Admin\AppData\Local\E7jLd\mblctr.exe
PID 1204 wrote to memory of 2912 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 1204 wrote to memory of 2912 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 1204 wrote to memory of 2912 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 1204 wrote to memory of 2792 N/A N/A C:\Users\Admin\AppData\Local\sBUME\OptionalFeatures.exe
PID 1204 wrote to memory of 2792 N/A N/A C:\Users\Admin\AppData\Local\sBUME\OptionalFeatures.exe
PID 1204 wrote to memory of 2792 N/A N/A C:\Users\Admin\AppData\Local\sBUME\OptionalFeatures.exe
PID 1204 wrote to memory of 1984 N/A N/A C:\Windows\system32\UI0Detect.exe
PID 1204 wrote to memory of 1984 N/A N/A C:\Windows\system32\UI0Detect.exe
PID 1204 wrote to memory of 1984 N/A N/A C:\Windows\system32\UI0Detect.exe
PID 1204 wrote to memory of 1648 N/A N/A C:\Users\Admin\AppData\Local\MU2iq\UI0Detect.exe
PID 1204 wrote to memory of 1648 N/A N/A C:\Users\Admin\AppData\Local\MU2iq\UI0Detect.exe
PID 1204 wrote to memory of 1648 N/A N/A C:\Users\Admin\AppData\Local\MU2iq\UI0Detect.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e7645b86e265b69aed08c4852fe6291.dll,#1

C:\Windows\system32\mblctr.exe

C:\Windows\system32\mblctr.exe

C:\Users\Admin\AppData\Local\E7jLd\mblctr.exe

C:\Users\Admin\AppData\Local\E7jLd\mblctr.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\sBUME\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\sBUME\OptionalFeatures.exe

C:\Windows\system32\UI0Detect.exe

C:\Windows\system32\UI0Detect.exe

C:\Users\Admin\AppData\Local\MU2iq\UI0Detect.exe

C:\Users\Admin\AppData\Local\MU2iq\UI0Detect.exe

Network

N/A

Files

\Users\Admin\AppData\Local\E7jLd\mblctr.exe

MD5 fa4c36b574bf387d9582ed2c54a347a8
SHA1 149077715ee56c668567e3a9cb9842284f4fe678
SHA256 b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f
SHA512 1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

\Users\Admin\AppData\Local\E7jLd\UxTheme.dll

MD5 45f793ab7aea6c16f4e8c5ac78ab04b5
SHA1 acb1ecd1d961e4e205991e1aed90cfbc754634b6
SHA256 b9db8e0bf94bf4cf8416e9b8aa72bcfe4a83cf49d6a5a4f847ddbf6eedae9e07
SHA512 b64ae62654a0339d09067173e0341fde67dd741450cb9488d837af0d6f973c62c6c0cfb677fc4053f0b362191e315b8d098f2504e8e5a53899893b5aa76ecbbb

\Users\Admin\AppData\Local\sBUME\OptionalFeatures.exe

MD5 eae7af6084667c8f05412ddf096167fc
SHA1 0dbe8aba001447030e48e8ad5466fd23481e6140
SHA256 01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc
SHA512 172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

C:\Users\Admin\AppData\Local\sBUME\appwiz.cpl

MD5 8f27d39ff91109cedc48233fe2373db6
SHA1 3aafe78932e33dcc1b61d920f82533d0b4ab49a9
SHA256 39f209ee19ad165b57662a5500ae82d1d6b403a69b60dd8896be65954e498584
SHA512 e3ad5621d73f395d224d2e1a6777925932acbecf9e776dfbe7b23f81fd2f233e846c33bc2de2fbb938b9c32fe1a2c9dfdd63bae8186e1442c76a345ef7a7b4b0

\Users\Admin\AppData\Local\MU2iq\UI0Detect.exe

MD5 3cbdec8d06b9968aba702eba076364a1
SHA1 6e0fcaccadbdb5e3293aa3523ec1006d92191c58
SHA256 b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b
SHA512 a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

C:\Users\Admin\AppData\Local\MU2iq\VERSION.dll

MD5 409cc1b141d44ae6525911837e46e78d
SHA1 e075c662d275d60d572014701ea8aa665aee3303
SHA256 3f44153bde9311f0732597cf08a1e9c0082ed93751aed2bda955fe5e9718cf29
SHA512 c2f7042757fcdd2f96bba73f4993f6b6e3c09d222f1f99c014e424f085059767bdb1fa88ce97208e6203d4e6d0e53a36c6cd70e37a6ff863ae77849512c23dd1

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk

MD5 775299c60cb1b4b639269651f8ee286b
SHA1 cf446d65e5cd4a4ec4eb3d962fdd8b4bc9663485
SHA256 747073d8016c97a75f293a420f4900eaff826ac3ff22414ea05c85fd7099fd5f
SHA512 73a5d04ce68603f629d97ceb1a6cdf500dd40b8344dc3c11533eff418bb2d44faacd86790f95dfd0b599e5eba386db33d774ef81094e8b8cb034d3b43ccf49de

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Hdt7Hp\VERSION.dll

MD5 785afb7b5d4c68575a3761cd891602cc
SHA1 034585b66be6dd9d93348ad7c47716fc56e9ba23
SHA256 b23ea1f10b0e1c747436d145c594472f484cf0ffea9fe0d53395a02ddad22786
SHA512 9fee445ff5c52e4e00f612be497acc146bb1b955710ecd3689da37c9f91c1cf6890fb89d3df5783b33a879c702f95ff960f3752f967b5866e73db20bf95c7456

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-29 01:01

Reported

2024-01-29 01:03

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e7645b86e265b69aed08c4852fe6291.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\1CCHU\\RdpSaUacHelper.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Vm8g\ProximityUxHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\GiWUxvIo\DWWIN.EXE N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\bwhVLvW\RdpSaUacHelper.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3520 wrote to memory of 1808 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 3520 wrote to memory of 1808 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 3520 wrote to memory of 2296 N/A N/A C:\Users\Admin\AppData\Local\GiWUxvIo\DWWIN.EXE
PID 3520 wrote to memory of 2296 N/A N/A C:\Users\Admin\AppData\Local\GiWUxvIo\DWWIN.EXE
PID 3520 wrote to memory of 3312 N/A N/A C:\Windows\system32\RdpSaUacHelper.exe
PID 3520 wrote to memory of 3312 N/A N/A C:\Windows\system32\RdpSaUacHelper.exe
PID 3520 wrote to memory of 216 N/A N/A C:\Users\Admin\AppData\Local\bwhVLvW\RdpSaUacHelper.exe
PID 3520 wrote to memory of 216 N/A N/A C:\Users\Admin\AppData\Local\bwhVLvW\RdpSaUacHelper.exe
PID 3520 wrote to memory of 5528 N/A N/A C:\Windows\system32\ProximityUxHost.exe
PID 3520 wrote to memory of 5528 N/A N/A C:\Windows\system32\ProximityUxHost.exe
PID 3520 wrote to memory of 3548 N/A N/A C:\Users\Admin\AppData\Local\Vm8g\ProximityUxHost.exe
PID 3520 wrote to memory of 3548 N/A N/A C:\Users\Admin\AppData\Local\Vm8g\ProximityUxHost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e7645b86e265b69aed08c4852fe6291.dll,#1

C:\Windows\system32\DWWIN.EXE

C:\Windows\system32\DWWIN.EXE

C:\Users\Admin\AppData\Local\GiWUxvIo\DWWIN.EXE

C:\Users\Admin\AppData\Local\GiWUxvIo\DWWIN.EXE

C:\Windows\system32\RdpSaUacHelper.exe

C:\Windows\system32\RdpSaUacHelper.exe

C:\Users\Admin\AppData\Local\bwhVLvW\RdpSaUacHelper.exe

C:\Users\Admin\AppData\Local\bwhVLvW\RdpSaUacHelper.exe

C:\Windows\system32\ProximityUxHost.exe

C:\Windows\system32\ProximityUxHost.exe

C:\Users\Admin\AppData\Local\Vm8g\ProximityUxHost.exe

C:\Users\Admin\AppData\Local\Vm8g\ProximityUxHost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\GiWUxvIo\DWWIN.EXE

MD5 444cc4d3422a0fdd45c1b78070026c60
SHA1 97162ff341fff1ec54b827ec02f8b86fd2d41a97
SHA256 4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0
SHA512 21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

C:\Users\Admin\AppData\Local\GiWUxvIo\VERSION.dll

MD5 33e013d7911ff83a083efb3894b23c5c
SHA1 79838ef66683c637dbac0094639a9ae35f0d9ad8
SHA256 e4bd549a1c8550a96b9f20e6cba5e1d959a703f373593285501fe236efa071cf
SHA512 5226081172206d947ad83764077aa7b3881496b273dd0a5e7588a31e7f3ae1a7a8de733a81cc7ed1e54251b6f092ec8a428e1d6c2ff3b660da28f63aad9421b0

C:\Users\Admin\AppData\Local\GiWUxvIo\VERSION.dll

MD5 e8aaef56c57a679ef815de5f6aca1f81
SHA1 055adb07be39221eb3ce92d967864f0d39093f55
SHA256 284b65f1e293ba9b0c9ae1ba74b02b07edeb9d55e12d86320e285a35ba6f97a5
SHA512 0ec51733d528d9a0fd7dec7967582bdab4da132e2ad8f59a64468a2e70f028020a8774e0fdcef032fada42fca1b0763b4857579647a6cdbc9bbcf42dca027c80

C:\Users\Admin\AppData\Local\GiWUxvIo\DWWIN.EXE

MD5 5222057fb8c4786be60f0d66735e79f3
SHA1 695c2f7e81c221993c69e0c69f62c52057fca147
SHA256 dd88a5890a4bb9b8600965a03aadedbe3e8c8819edbb9abb8906f16ff8e390fb
SHA512 167990f36275a2ea4c7cb70c2ab2a229042d687f68c7fbf496e6720b3226a698136463fd30418cc794f2671c61cb2da3000485cd454da88ff8662f535b58bbe9

C:\Users\Admin\AppData\Local\bwhVLvW\RdpSaUacHelper.exe

MD5 0d5b016ac7e7b6257c069e8bb40845de
SHA1 5282f30e90cbd1be8da95b73bc1b6a7d041e43c2
SHA256 6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067
SHA512 cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

C:\Users\Admin\AppData\Local\bwhVLvW\WINSTA.dll

MD5 230cc394556247623b32f9f673344d72
SHA1 99e79d80fb52eb5d9fa0a9f2557ce07961e1c8be
SHA256 5606cdecf6a69ea58d5405ab9329f1cdd3a88a6f7d6b4adc2803060a1583e80a
SHA512 4dfa95e91deaf73188c1e55e98a67fa2403fd9b6abefc254b53c2b4500bcc940534ba0d92d64f90cd6a307f9bc4f6a64ad796ac9afd8ce1262e7de98e80b1367

C:\Users\Admin\AppData\Local\Vm8g\ProximityUxHost.exe

MD5 9ea326415b83d77295c70a35feb75577
SHA1 f8fc6a4f7f97b242f35066f61d305e278155b8a8
SHA256 192bfde77bf280e48f92d1eceacdc7ec4bf31cda46f7d577c7d7c3ec3ac89d8f
SHA512 2b1943600f97abcd18778101e33eac00c2bd360a3eff62fef65f668a084d8fa38c3bbdedfc6c2b7e8410aa7c9c3df2734705dc502b4754259121adc9198c3692

C:\Users\Admin\AppData\Local\Vm8g\dwmapi.dll

MD5 7e90daaee4ace2dc75364eb542c33db3
SHA1 3d779d3f4757a6fb6fff6ba1cb9fe667168e3f35
SHA256 f173bdceed2f7cc9c0cdc5ae915b2b77a1efaaee5777953648159ffc597d9091
SHA512 3812b24fffca82764ee474e358e0c2a13ff3c669d6bddc9d7ea3171cbb12881979c1c00c74d4a299ed993062e7d8dd42534400dc69f4a090e9f22bbf908278c3

C:\Users\Admin\AppData\Local\Vm8g\dwmapi.dll

MD5 f4c011f4530e49417abd363a08e25233
SHA1 6612c5e73e311ec04356012b4b7605047576ca10
SHA256 f1f12bc24ec33dd794070ccb9d304b37ae97300fc2fbc7adf1db23a2f8d68b5c
SHA512 711aa53d6ce876bd103036a9a34448221cc220d58e393c7a838c4b82907541f396e27607d9c79e8fcd3c0f8c96a3506a80ebc8f5a7f279cdbb0cad6f4cd690eb

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

MD5 c41c00732b23aa91749f4a0b93758a19
SHA1 a3052dca3768cdbde1201fba28a824b524cda54e
SHA256 86cc84c83da0526d768919b1b6775275af9f548e1ceec3a32c712c40b54bd85c
SHA512 9f8d3ee5edbe73d4ee8247ace3962e507c6d4873dff7f73b9022cb6c2d11dc7294c5b705bc582644295f01d02d97e4c3ccae9d9a00fc4546d813ba129c159bf2