Malware Analysis Report

2024-11-13 16:42

Sample ID 240201-em2bracgfp
Target 85e07e2192815cfa564f16edf062c8af
SHA256 04952d47ce4e62e8f4c7917d557ae78e8d6944b20d050e33444f5dfae68e784c
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 04952d47ce4e62e8f4c7917d557ae78e8d6944b20d050e33444f5dfae68e784c

Threat Level: Known bad

The file 85e07e2192815cfa564f16edf062c8af was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Analysis: static1

Detonation Overview

Reported

2024-02-01 04:04

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 04:04

Reported

2024-02-01 04:06

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\85e07e2192815cfa564f16edf062c8af.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\jAmCYAP\WindowsAnytimeUpgradeResults.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\4tE\sethc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\cBKyOYRb\dwm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\2NW\\sethc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\jAmCYAP\WindowsAnytimeUpgradeResults.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\4tE\sethc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\cBKyOYRb\dwm.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1384 wrote to memory of 2468 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1384 wrote to memory of 2468 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1384 wrote to memory of 2468 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1384 wrote to memory of 2484 N/A N/A C:\Users\Admin\AppData\Local\jAmCYAP\WindowsAnytimeUpgradeResults.exe
PID 1384 wrote to memory of 2484 N/A N/A C:\Users\Admin\AppData\Local\jAmCYAP\WindowsAnytimeUpgradeResults.exe
PID 1384 wrote to memory of 2484 N/A N/A C:\Users\Admin\AppData\Local\jAmCYAP\WindowsAnytimeUpgradeResults.exe
PID 1384 wrote to memory of 888 N/A N/A C:\Windows\system32\sethc.exe
PID 1384 wrote to memory of 888 N/A N/A C:\Windows\system32\sethc.exe
PID 1384 wrote to memory of 888 N/A N/A C:\Windows\system32\sethc.exe
PID 1384 wrote to memory of 1276 N/A N/A C:\Users\Admin\AppData\Local\4tE\sethc.exe
PID 1384 wrote to memory of 1276 N/A N/A C:\Users\Admin\AppData\Local\4tE\sethc.exe
PID 1384 wrote to memory of 1276 N/A N/A C:\Users\Admin\AppData\Local\4tE\sethc.exe
PID 1384 wrote to memory of 2784 N/A N/A C:\Windows\system32\dwm.exe
PID 1384 wrote to memory of 2784 N/A N/A C:\Windows\system32\dwm.exe
PID 1384 wrote to memory of 2784 N/A N/A C:\Windows\system32\dwm.exe
PID 1384 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\cBKyOYRb\dwm.exe
PID 1384 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\cBKyOYRb\dwm.exe
PID 1384 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\cBKyOYRb\dwm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\85e07e2192815cfa564f16edf062c8af.dll,#1

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe

C:\Users\Admin\AppData\Local\jAmCYAP\WindowsAnytimeUpgradeResults.exe

C:\Windows\system32\sethc.exe

C:\Users\Admin\AppData\Local\4tE\sethc.exe

C:\Windows\system32\dwm.exe

C:\Users\Admin\AppData\Local\cBKyOYRb\dwm.exe

Network

N/A

Files

\Users\Admin\AppData\Local\jAmCYAP\WindowsAnytimeUpgradeResults.exe

C:\Users\Admin\AppData\Local\jAmCYAP\WINBRAND.dll

\Users\Admin\AppData\Local\4tE\sethc.exe

C:\Users\Admin\AppData\Local\4tE\DUI70.dll

\Users\Admin\AppData\Local\cBKyOYRb\dwm.exe

C:\Users\Admin\AppData\Local\cBKyOYRb\UxTheme.dll

\Users\Admin\AppData\Local\cBKyOYRb\UxTheme.dll

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\78Yi6Z\UxTheme.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-01 04:04

Reported

2024-02-01 04:06

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\85e07e2192815cfa564f16edf062c8af.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\dvy3\\RECOVE~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\JPial\RecoveryDrive.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\H0m8IOS\DisplaySwitch.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\FKI5\LicensingUI.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3452 wrote to memory of 536 N/A N/A C:\Windows\system32\LicensingUI.exe
PID 3452 wrote to memory of 536 N/A N/A C:\Windows\system32\LicensingUI.exe
PID 3452 wrote to memory of 660 N/A N/A C:\Users\Admin\AppData\Local\FKI5\LicensingUI.exe
PID 3452 wrote to memory of 660 N/A N/A C:\Users\Admin\AppData\Local\FKI5\LicensingUI.exe
PID 3452 wrote to memory of 3176 N/A N/A C:\Windows\system32\RecoveryDrive.exe
PID 3452 wrote to memory of 3176 N/A N/A C:\Windows\system32\RecoveryDrive.exe
PID 3452 wrote to memory of 4564 N/A N/A C:\Users\Admin\AppData\Local\JPial\RecoveryDrive.exe
PID 3452 wrote to memory of 4564 N/A N/A C:\Users\Admin\AppData\Local\JPial\RecoveryDrive.exe
PID 3452 wrote to memory of 3552 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 3452 wrote to memory of 3552 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 3452 wrote to memory of 1364 N/A N/A C:\Users\Admin\AppData\Local\H0m8IOS\DisplaySwitch.exe
PID 3452 wrote to memory of 1364 N/A N/A C:\Users\Admin\AppData\Local\H0m8IOS\DisplaySwitch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\85e07e2192815cfa564f16edf062c8af.dll,#1

C:\Windows\system32\LicensingUI.exe

C:\Users\Admin\AppData\Local\FKI5\LicensingUI.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\H0m8IOS\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\JPial\RecoveryDrive.exe

C:\Windows\system32\RecoveryDrive.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\FKI5\LicensingUI.exe

C:\Users\Admin\AppData\Local\FKI5\DUI70.dll

C:\Users\Admin\AppData\Local\FKI5\DUI70.dll

C:\Users\Admin\AppData\Local\FKI5\LicensingUI.exe

C:\Users\Admin\AppData\Local\JPial\ReAgent.dll

C:\Users\Admin\AppData\Local\JPial\RecoveryDrive.exe

C:\Users\Admin\AppData\Local\JPial\ReAgent.dll

C:\Users\Admin\AppData\Local\JPial\RecoveryDrive.exe

C:\Users\Admin\AppData\Local\H0m8IOS\WINSTA.dll

C:\Users\Admin\AppData\Local\H0m8IOS\WINSTA.dll

C:\Users\Admin\AppData\Local\H0m8IOS\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\H0m8IOS\DisplaySwitch.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\VfR\DUI70.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\dvy3\ReAgent.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\RblThYkrfK\WINSTA.dll
