Malware Analysis Report

2024-11-13 17:05

Sample ID: 230612-wrdvpadc43
Target: 66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67
SHA256: 66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67
Tags: obama261 1683268508 qakbot banker stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67

Threat Level: Known bad

The file 66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67 was found to be: Known bad.

Malicious Activity Summary

obama261 1683268508 qakbot banker stealer trojan

Qakbot family

Qakbot/Qbot

Blocklisted process makes network request

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-06-12 18:08

Signatures

Qakbot family

qakbot

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-06-12 18:08
Reported: 2023-06-12 18:19
Platform: win7-20230220-en
Max time kernel: 600s
Max time network: 603s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll,#1

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A 1
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A 63

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 904 wrote to memory of 1700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 7
PID 1700 wrote to memory of 1108 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe 6
PID 1108 wrote to memory of 1008 N/A C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\ping.exe 4

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll,#1

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\ping.exe

ping -n 3 yahoo.com

Network

Country Destination Domain Proto
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 oracle.com udp
US 147.154.26.35:443 oracle.com tcp
US 8.8.8.8:53 www.oracle.com udp
NL 95.101.125.213:443 www.oracle.com tcp
US 108.190.115.159:443 108.190.115.159 tcp
US 108.190.115.159:443 108.190.115.159 tcp
US 108.190.115.159:443 108.190.115.159 tcp
US 108.190.115.159:443 108.190.115.159 tcp
US 23.30.173.133:443 tcp
NL 87.248.202.1:80 tcp

Files

memory/1108-54-0x00000000000B0000-0x00000000000B2000-memory.dmp

memory/1108-55-0x0000000000080000-0x00000000000A4000-memory.dmp

memory/1108-56-0x0000000000080000-0x00000000000A4000-memory.dmp

memory/1108-57-0x0000000000080000-0x00000000000A4000-memory.dmp

memory/1108-58-0x0000000000080000-0x00000000000A4000-memory.dmp

memory/1108-59-0x0000000000080000-0x00000000000A4000-memory.dmp

memory/1108-60-0x0000000000080000-0x00000000000A4000-memory.dmp

memory/1108-61-0x0000000000080000-0x00000000000A4000-memory.dmp

memory/1108-63-0x0000000000080000-0x00000000000A4000-memory.dmp

memory/1108-66-0x0000000000080000-0x00000000000A4000-memory.dmp

memory/1108-67-0x0000000000080000-0x00000000000A4000-memory.dmp

memory/1108-69-0x0000000000080000-0x00000000000A4000-memory.dmp

memory/1108-87-0x0000000000080000-0x00000000000A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab6635.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

memory/1108-104-0x0000000000080000-0x00000000000A4000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 b5fcc55cffd66f38d548e8b63206c5e6
SHA1 79db08ababfa33a4f644fa8fe337195b5aba44c7
SHA256 7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1
SHA512 aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

memory/1108-134-0x0000000000080000-0x00000000000A4000-memory.dmp

memory/1108-150-0x0000000000080000-0x00000000000A4000-memory.dmp

memory/1108-152-0x0000000000080000-0x00000000000A4000-memory.dmp

memory/1108-153-0x0000000000080000-0x00000000000A4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-06-12 18:08
Reported: 2023-06-12 18:19
Platform: win10v2004-20230220-en
Max time kernel: 600s
Max time network: 564s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll,#1

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Runs ping.exe

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\ping.exe N/A 3

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A 64

Suspicious behavior: MapViewOfSection

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A 6

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3884 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 3
PID 1916 wrote to memory of 3272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe 5
PID 3272 wrote to memory of 4636 N/A C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\ping.exe 3
PID 1916 wrote to memory of 1772 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe 5
PID 1916 wrote to memory of 4908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\backgroundTaskHost.exe 5
PID 4908 wrote to memory of 3480 N/A C:\Windows\SysWOW64\backgroundTaskHost.exe C:\Windows\SysWOW64\ping.exe 3
PID 1916 wrote to memory of 1744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\backgroundTaskHost.exe 5
PID 1916 wrote to memory of 5076 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\dxdiag.exe 5
PID 5076 wrote to memory of 4992 N/A C:\Windows\SysWOW64\dxdiag.exe C:\Windows\SysWOW64\ping.exe 3
PID 1916 wrote to memory of 388 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\dxdiag.exe 5

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bd4ee25df0e3dd99a0c1839afb5699f52667a2feeaa4091cc8eb18543fbc67.dll,#1

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\ping.exe

ping -n 3 yahoo.com

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1772 -ip 1772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 352

C:\Windows\SysWOW64\backgroundTaskHost.exe

C:\Windows\SysWOW64\backgroundTaskHost.exe

C:\Windows\SysWOW64\ping.exe

ping -n 3 yahoo.com

C:\Windows\SysWOW64\backgroundTaskHost.exe

C:\Windows\SysWOW64\backgroundTaskHost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1744 -ip 1744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 288

C:\Windows\SysWOW64\dxdiag.exe

C:\Windows\SysWOW64\dxdiag.exe

C:\Windows\SysWOW64\ping.exe

ping -n 3 yahoo.com

C:\Windows\SysWOW64\dxdiag.exe

C:\Windows\SysWOW64\dxdiag.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 388 -ip 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 464

Network

Country Destination Domain Proto
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 yahoo.com udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 240.232.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 cisco.com udp
US 72.163.4.185:443 cisco.com tcp
US 8.8.8.8:53 www.cisco.com udp
NL 104.98.129.232:443 www.cisco.com tcp
US 8.8.8.8:53 commercial.ocsp.identrust.com udp
US 192.35.177.23:80 commercial.ocsp.identrust.com tcp
US 8.8.8.8:53 185.4.163.72.in-addr.arpa udp
US 108.190.115.159:443 108.190.115.159 tcp
US 8.8.8.8:53 23.177.35.192.in-addr.arpa udp
US 8.8.8.8:53 232.129.98.104.in-addr.arpa udp
US 8.8.8.8:53 159.115.190.108.in-addr.arpa udp
US 108.190.115.159:443 108.190.115.159 tcp
US 108.190.115.159:443 108.190.115.159 tcp
US 108.190.115.159:443 108.190.115.159 tcp

Files

memory/3272-133-0x0000000000AB0000-0x0000000000AD4000-memory.dmp

memory/3272-134-0x0000000000AB0000-0x0000000000AD4000-memory.dmp

memory/1772-135-0x00000000012E0000-0x0000000001304000-memory.dmp

memory/4908-136-0x0000000000A20000-0x0000000000A44000-memory.dmp

memory/4908-137-0x0000000000A20000-0x0000000000A44000-memory.dmp

memory/1744-139-0x00000000005D0000-0x00000000005F4000-memory.dmp

memory/5076-140-0x00000000009C0000-0x00000000009E4000-memory.dmp

memory/5076-141-0x00000000009C0000-0x00000000009E4000-memory.dmp

memory/388-142-0x00000000003B0000-0x00000000003D4000-memory.dmp