Malware Analysis Report

2024-11-30 21:26

Sample ID 231222-s6gy4sdba6
Target deac37150b94c6871f020007e2d20de8
SHA256 b9a2afe692a14758fe22e04ec1d379839fcee981e7c82d4c884af960394ccf9a
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b9a2afe692a14758fe22e04ec1d379839fcee981e7c82d4c884af960394ccf9a

Threat Level: Known bad

The file deac37150b94c6871f020007e2d20de8 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 15:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 15:44

Reported

2023-12-24 04:27

Platform

win7-20231215-en

Max time kernel

45s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\deac37150b94c6871f020007e2d20de8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Note: each process below is a copy of a legitimate Windows binary (winlogon.exe, sigverif.exe, SoundRecorder.exe) placed in a randomly named directory under %LOCALAPPDATA%, next to a DLL that carries the name of a library the binary imports (VERSION.dll beside sigverif.exe, UxTheme.dll beside SoundRecorder.exe in the Files section). The copy resolves that import from its own directory before System32, so the dropped DLL is loaded: DLL search-order hijacking (side-loading), the standard Dridex loader technique. Note also that the "Unsigned PE" signature applies to the submitted DLL; the host executables themselves are Microsoft-signed, which is the point of the technique.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\FQ\\C2EZWT~1\\sigverif.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A (61 further events with no recorded indicator or process)

Suspicious use of WriteProcessMemory

Note: every write originates from PID 1264, the rundll32.exe hosting the sample. For each of the three hijacked binaries it writes three times into an instance of the System32 original (listed under Processes) and three times into the dropped copy under %LOCALAPPDATA%, so six child processes receive injected code.

Description Indicator Process Target
PID 1264 wrote to memory of 2644 N/A N/A C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 2644 N/A N/A C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 2644 N/A N/A C:\Windows\system32\winlogon.exe
PID 1264 wrote to memory of 2300 N/A N/A C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe
PID 1264 wrote to memory of 2300 N/A N/A C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe
PID 1264 wrote to memory of 2300 N/A N/A C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe
PID 1264 wrote to memory of 1936 N/A N/A C:\Windows\system32\sigverif.exe
PID 1264 wrote to memory of 1936 N/A N/A C:\Windows\system32\sigverif.exe
PID 1264 wrote to memory of 1936 N/A N/A C:\Windows\system32\sigverif.exe
PID 1264 wrote to memory of 1908 N/A N/A C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe
PID 1264 wrote to memory of 1908 N/A N/A C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe
PID 1264 wrote to memory of 1908 N/A N/A C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe
PID 1264 wrote to memory of 1716 N/A N/A C:\Windows\system32\SoundRecorder.exe
PID 1264 wrote to memory of 1716 N/A N/A C:\Windows\system32\SoundRecorder.exe
PID 1264 wrote to memory of 1716 N/A N/A C:\Windows\system32\SoundRecorder.exe
PID 1264 wrote to memory of 1388 N/A N/A C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe
PID 1264 wrote to memory of 1388 N/A N/A C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe
PID 1264 wrote to memory of 1388 N/A N/A C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\deac37150b94c6871f020007e2d20de8.dll,#1

C:\Windows\system32\winlogon.exe

C:\Windows\system32\winlogon.exe

C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe

C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe

C:\Windows\system32\sigverif.exe

C:\Windows\system32\sigverif.exe

C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe

C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe

C:\Windows\system32\SoundRecorder.exe

C:\Windows\system32\SoundRecorder.exe

C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe

C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe

Network

N/A

Files

memory/2664-1-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/2664-0-0x0000000000330000-0x0000000000337000-memory.dmp

memory/1264-4-0x00000000778B6000-0x00000000778B7000-memory.dmp

memory/1264-5-0x00000000029A0000-0x00000000029A1000-memory.dmp

memory/2664-8-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-14-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-20-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-26-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-27-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-32-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-35-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-34-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-38-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-41-0x0000000002680000-0x0000000002687000-memory.dmp

memory/1264-49-0x0000000077C20000-0x0000000077C22000-memory.dmp

memory/1264-48-0x0000000077AC1000-0x0000000077AC2000-memory.dmp

memory/1264-47-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-39-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-37-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-36-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-58-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-33-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-64-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-31-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-30-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-29-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/2300-77-0x0000000000100000-0x0000000000107000-memory.dmp

memory/2300-81-0x0000000140000000-0x00000001401FA000-memory.dmp

memory/2300-76-0x0000000140000000-0x00000001401FA000-memory.dmp

memory/1264-28-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-24-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-25-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-23-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-22-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-21-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-19-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-18-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-17-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-15-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-16-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-13-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-12-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-11-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-10-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-7-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1264-9-0x0000000140000000-0x00000001401F8000-memory.dmp

C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe

MD5 b9717042f141308df5f7f3c7d4d4ed07
SHA1 210ec93a0c81d09d8052e63ec66ae357d482a31b
SHA256 33be45b91bac6e9d43754ee7f5cb0f466ded5490578ea6f1e8c953850f4c70c0
SHA512 d7bb31274145906049e05bef1722c78a9a50e8150c6cc4eb844568db4267b864e6a120a03af663a20a9c46fb794eba0f27ea237bbb5d91ed14093598c5f863d0

C:\Users\Admin\AppData\Local\ueZuSbV\VERSION.dll (captured at zero bytes: the digests below are the MD5, SHA1, SHA256 and SHA512 of empty input, so the file was dumped after creation but before its contents were written; the populated copy appears further down)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1908-100-0x00000000001A0000-0x00000000001A7000-memory.dmp

memory/1908-101-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1908-106-0x0000000140000000-0x00000001401F9000-memory.dmp

C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe

MD5 e8e95ae5534553fc055051cee99a7f55
SHA1 4e0f668849fd546edd083d5981ed685d02a68df4
SHA256 9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec
SHA512 5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

\Users\Admin\AppData\Local\ueZuSbV\VERSION.dll

MD5 175f946cbf9d5d83935954661602a1f8
SHA1 8882840b914444fc072da44b8236a22699566f94
SHA256 0ab87944f4a2ebb2381f71a06c9d60180c37d2c467620b6a967c3a9e0bcab8bb
SHA512 6537f656ca41ae9efcda89227f1d24d91f28491758db5947232cb9b3cbf21668d0408f8ccd5c293aa6c872e1a62467927ab88552788bb1301bdd4a63d0b5c281

\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe

MD5 6efb6e82714e11b7e67865bf814ece93
SHA1 31c2613b26793daee4d97f34aaebc58a31b9253d
SHA256 c948313f4d6969b0a212577b4af8e4ebaeb0d3fea1fb1a9f1f2f45a8b4493f95
SHA512 acaad443df07b1d7be19b80b93a0cd14d2d9bc8246fe475d4aee040e11eea22e0bd42610eff58bc2d81d2d5ba55ee9b6c2973d4ecde9d4f313f1ca9816528531

C:\Users\Admin\AppData\Local\jeKL\UxTheme.dll

MD5 2a946d11466ddc75e1c74a3d569505cf
SHA1 291def04fe1bb2340483592b4a0c6f0430c77498
SHA256 d7b372133c284a3ac1eb2db7b7ecc7ad4beefc06d046bba64f0f377951f86156
SHA512 ad0f8e4c49ab44a1b2db1a2b10df498feb353d7feb197ca91b845e2a3030c5acb7f261a5ed3b6302a930028d03aa1e4328b4616f4769ba8642c9803be6579c8d

memory/1388-118-0x00000000001B0000-0x00000000001B7000-memory.dmp

C:\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe

MD5 db7c1b84548aca9d303b28dd2c2e0d17
SHA1 0a6559e35d73c1f47e5197ad640478a2ccc62ea3
SHA256 fa6ecd0fc3541bc48f12a59c5a42a6f4af69f29071c0b1a29a7f698654e0f219
SHA512 a48a8a929488ebb64781b478dec43028dd988b5713c9e805b6ff861195ed4f12ffb7b41a3c72e9fc1d5516dcbf57690ab8f099fb2a59bb0907cabef59dbd3e55

\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\E2\SoundRecorder.exe

MD5 0c9601edb5c26d816a4ade92604aeb30
SHA1 505ddffb06f07e8f7ce193e86204f4b6f15a1728
SHA256 e425496039ac6d193fd71b75f20a3f3475a0af1aeebf1205345b16a23f6f5def
SHA512 baee81ebdd97fb10ea6072b735938550b8f16fbc36712e79e52e08055236798395a3ce7172e820ef83d164c414bc24752b74a9e99ef49512f028fef9260333d1

memory/1264-141-0x00000000778B6000-0x00000000778B7000-memory.dmp
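
Added example, not part of the sandbox report: a small triage script over the behavioral1 events above (the "Loads dropped DLL" paths, the Run-key value, and the WriteProcessMemory rows). It flags System32 file names executing from outside the Windows directory, pairs each copied binary with a side-loadable DLL dropped beside it, pulls the target out of the Run key and marks it when it hides under 8.3 short names, and counts injection writes per source and target PID. The sample lines are copied from the report tables; the binary and DLL name lists are assumptions to be extended from a real inventory of the target image.

```python
"""Triage helper for the behavioral1 events above: flags System32 binary names
executing from user-writable paths, pairs each copied binary with a
side-loadable DLL dropped beside it, parses the Run-key persistence entry and
summarises WriteProcessMemory events by injecting process. Added example, not
part of the sandbox report; the sample lines are copied from the report's
tables, the binary and DLL name lists are assumptions to be extended from a
real inventory of the target image."""
import ntpath
import re
from collections import defaultdict

# Assumption: Windows binaries that legitimately live under System32.
SYSTEM_BINARIES = {"winlogon.exe", "sigverif.exe", "soundrecorder.exe",
                   "wbengine.exe", "sdclt.exe", "cmstp.exe", "rundll32.exe"}
# Assumption: library names commonly planted for DLL search-order hijacking.
HIJACKABLE_DLLS = {"version.dll", "uxtheme.dll", "spp.dll", "reagent.dll"}
WINDOWS_DIRS = ("\\windows\\system32", "\\windows\\syswow64")
USERS_DIR = "\\users\\"


def normalize(path):
    """Lower-case, collapse doubled backslashes from registry values and drop the
    drive letter, so the drive-less paths the report also uses compare equal."""
    path = path.strip().replace("\\\\", "\\").lower()
    return re.sub(r"^[a-z]:", "", path)


def is_masquerading_system_binary(path):
    """A System32 file name executing from outside the Windows directory."""
    p = normalize(path)
    return ntpath.basename(p) in SYSTEM_BINARIES and not p.startswith(WINDOWS_DIRS)


def find_sideload_pairs(files):
    """Return (exe, dll) pairs sharing a directory: the exe resolves that DLL
    name from its own directory before System32, so the dropped DLL wins."""
    by_dir = defaultdict(list)
    for f in files:
        by_dir[ntpath.dirname(normalize(f))].append(f)
    pairs = []
    for members in by_dir.values():
        exes = [m for m in members if ntpath.basename(normalize(m)) in SYSTEM_BINARIES]
        dlls = [m for m in members if ntpath.basename(normalize(m)) in HIJACKABLE_DLLS]
        pairs += [(e, d) for e in exes for d in dlls]
    return pairs


RUN_RE = re.compile(r'\\Run\\(\w+) = "([^"]+)"')


def parse_run_key(line):
    """Return (value name, target path, suspicious). Suspicious when the target
    is under the user profile and written with 8.3 short names (the ~1 parts),
    which hides the real directory names from a casual reading of the value."""
    m = RUN_RE.search(line)
    if not m:
        return None
    name, target = m.group(1), m.group(2).replace("\\\\", "\\")
    p = normalize(target)
    return name, target, p.startswith(USERS_DIR) and "~" in p


WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+N/A\s+N/A\s+(\S.*)$")


def summarize_injections(lines):
    """Count WriteProcessMemory events per (source pid, target pid, target image)."""
    counts = defaultdict(int)
    for line in lines:
        m = WRITE_RE.match(line.strip())
        if m:
            counts[(int(m.group(1)), int(m.group(2)), m.group(3))] += 1
    return dict(counts)


# Constructed sample input: lines copied from the behavioral1 tables above.
DROPPED = [
    r"C:\Users\Admin\AppData\Local\ueZuSbV\sigverif.exe",
    r"C:\Users\Admin\AppData\Local\ueZuSbV\VERSION.dll",
    r"\Users\Admin\AppData\Local\jeKL\SoundRecorder.exe",
    r"C:\Users\Admin\AppData\Local\jeKL\UxTheme.dll",
]
WRITES = [
    r"PID 1264 wrote to memory of 2644 N/A N/A C:\Windows\system32\winlogon.exe",
    r"PID 1264 wrote to memory of 2644 N/A N/A C:\Windows\system32\winlogon.exe",
    r"PID 1264 wrote to memory of 2644 N/A N/A C:\Windows\system32\winlogon.exe",
    r"PID 1264 wrote to memory of 2300 N/A N/A C:\Users\Admin\AppData\Local\BrtoXMCfP\winlogon.exe",
]
RUN_LINE = (r"Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "
            r'"C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1'
            r'\\USERPI~1\\IMPLIC~1\\FQ\\C2EZWT~1\\sigverif.exe" N/A N/A')

if __name__ == "__main__":
    for exe, dll in find_sideload_pairs(DROPPED):
        print("side-load pair:", exe, "<-", dll)
    print("run key:", parse_run_key(RUN_LINE))
    for (src, dst, image), n in summarize_injections(WRITES).items():
        flag = "  [system binary outside Windows dir]" if is_masquerading_system_binary(image) else ""
        print(f"PID {src} -> PID {dst} {image} x{n}{flag}")
```

The same three checks translate directly into hunting queries on endpoint telemetry: process image name in the System32 inventory but image path outside %SystemRoot%, a DLL with a System32 name created in the same directory as such a copy within a short window, and Run-key values whose data contains "~1" components under the user profile.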

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 15:44

Reported

2023-12-24 04:27

Platform

win10v2004-20231215-en

Max time kernel

98s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\deac37150b94c6871f020007e2d20de8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\5E3UIA~1\\sdclt.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\BDsfjXfc\wbengine.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\moZL7\sdclt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Ki96x\cmstp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A (60 further events with no recorded indicator or process)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3552 wrote to memory of 3348 N/A N/A C:\Windows\system32\wbengine.exe
PID 3552 wrote to memory of 3348 N/A N/A C:\Windows\system32\wbengine.exe
PID 3552 wrote to memory of 4492 N/A N/A C:\Users\Admin\AppData\Local\BDsfjXfc\wbengine.exe
PID 3552 wrote to memory of 4492 N/A N/A C:\Users\Admin\AppData\Local\BDsfjXfc\wbengine.exe
PID 3552 wrote to memory of 3200 N/A N/A C:\Windows\system32\sdclt.exe
PID 3552 wrote to memory of 3200 N/A N/A C:\Windows\system32\sdclt.exe
PID 3552 wrote to memory of 648 N/A N/A C:\Users\Admin\AppData\Local\moZL7\sdclt.exe
PID 3552 wrote to memory of 648 N/A N/A C:\Users\Admin\AppData\Local\moZL7\sdclt.exe
PID 3552 wrote to memory of 4708 N/A N/A C:\Windows\system32\cmstp.exe
PID 3552 wrote to memory of 4708 N/A N/A C:\Windows\system32\cmstp.exe
PID 3552 wrote to memory of 1580 N/A N/A C:\Users\Admin\AppData\Local\Ki96x\cmstp.exe
PID 3552 wrote to memory of 1580 N/A N/A C:\Users\Admin\AppData\Local\Ki96x\cmstp.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\deac37150b94c6871f020007e2d20de8.dll,#1

C:\Windows\system32\wbengine.exe

C:\Windows\system32\wbengine.exe

C:\Users\Admin\AppData\Local\BDsfjXfc\wbengine.exe

C:\Users\Admin\AppData\Local\BDsfjXfc\wbengine.exe

C:\Windows\system32\sdclt.exe

C:\Windows\system32\sdclt.exe

C:\Users\Admin\AppData\Local\moZL7\sdclt.exe

C:\Users\Admin\AppData\Local\moZL7\sdclt.exe

C:\Users\Admin\AppData\Local\Ki96x\cmstp.exe

C:\Users\Admin\AppData\Local\Ki96x\cmstp.exe

C:\Windows\system32\cmstp.exe

C:\Windows\system32\cmstp.exe

Network

Note: every row but the first is DNS to the sandbox resolver (PTR lookups of Microsoft address space and Bing names) or HTTPS to Bing, i.e. Windows 10 background traffic. The single TCP connection to 138.91.171.81:80 has no name attached and is the only row worth correlating against other samples, though a direct-to-IP connection by itself does not prove command-and-control.

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
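
Added example, not part of the report: the filtering an analyst applies to a table like the one above before pivoting. It parses the rows, discards resolver traffic and known OS chatter, and keeps TCP sessions that have no hostname attached. The rows are copied from the behavioral2 table; the resolver address and the background-domain suffixes are assumptions that must be tuned to the sandbox image in use, and a surviving endpoint is a pivot candidate, not a confirmed C2.

```python
"""Separate the sandbox's network rows into background noise and connections
worth pivoting on. Added example, not part of the report; the rows below are
copied from the behavioral2 Network table and the noise rules are assumptions
(tune them to the sandbox image in use)."""
import re
from collections import Counter

ROW_RE = re.compile(
    r"^(\w{2})\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")

# Assumption: the resolver the sandbox uses and hostnames its OS contacts on its own.
RESOLVERS = {"8.8.8.8"}
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")


def parse_rows(lines):
    """Return (country, ip, port, domain or None, proto) for each well-formed row."""
    out = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            out.append((country, ip, int(port), domain, proto))
    return out


def classify(row):
    """'dns-ptr' for reverse lookups, 'dns' for forward lookups, 'background'
    for known OS chatter, 'direct-ip' when a TCP session has no name attached,
    'named' otherwise."""
    _, ip, port, domain, proto = row
    if ip in RESOLVERS and port == 53:
        return "dns-ptr" if (domain or "").endswith(".in-addr.arpa") else "dns"
    if domain and domain.endswith(BACKGROUND_SUFFIXES):
        return "background"
    if domain is None and proto == "tcp":
        return "direct-ip"
    return "named"


def triage(lines):
    """Return (counter of classes, sorted list of direct-to-IP endpoints)."""
    rows = parse_rows(lines)
    classes = Counter(classify(r) for r in rows)
    pivots = sorted({(r[1], r[2]) for r in rows if classify(r) == "direct-ip"})
    return classes, pivots


# Constructed input: rows copied from the behavioral2 Network table above.
NETWORK_ROWS = [
    "US 138.91.171.81:80 tcp",
    "US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp",
    "US 8.8.8.8:53 g.bing.com udp",
    "US 204.79.197.200:443 g.bing.com tcp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
]

if __name__ == "__main__":
    classes, pivots = triage(NETWORK_ROWS)
    print(dict(classes))
    print("pivot on:", pivots)
```

The PTR lookups are not the sample's doing: Windows resolves reverse names for addresses it has already talked to, so they identify background services, not infrastructure. A real run would check the surviving endpoint against passive DNS and other detonations of the same family before calling it C2.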

Files

memory/456-1-0x0000015BD1A60000-0x0000015BD1A67000-memory.dmp

memory/456-0-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-4-0x00000000025E0000-0x00000000025E1000-memory.dmp

memory/456-7-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-6-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-9-0x00007FF9C739A000-0x00007FF9C739B000-memory.dmp

memory/3552-11-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-12-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-13-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-14-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-15-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-10-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-8-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-16-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-20-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-25-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-30-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-32-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-34-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-37-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-40-0x0000000000C10000-0x0000000000C17000-memory.dmp

memory/3552-39-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-47-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-48-0x00007FF9C78E0000-0x00007FF9C78F0000-memory.dmp

memory/3552-38-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-36-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-35-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-59-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-57-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-33-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/4492-69-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/4492-74-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/4492-68-0x000001D69E690000-0x000001D69E697000-memory.dmp

memory/3552-31-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-28-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-29-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-27-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-26-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-24-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-23-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-22-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-21-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-19-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-18-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3552-17-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/648-85-0x0000026967C40000-0x0000026967C47000-memory.dmp

memory/648-91-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1580-106-0x00000267E73A0000-0x00000267E73A7000-memory.dmp

memory/1580-110-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1580-104-0x00000267E74F0000-0x00000267E76E9000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk (shortcut dropped in the per-user Startup folder: a second persistence mechanism alongside the Run key, not covered by a separate signature in this report)

MD5 410e9dda3899daec560597e1a2089af7
SHA1 9458a4e231b1cdcf4074d4657e02e883bf0e4868
SHA256 8ef93b655645f595b8b8188d2531f7f4750e3d1912812f1ed6b5e691cc11fb62
SHA512 34fce71c8dad4324793ab1fec5227e9a935baa3e332c7b2f688412b926b262fc7fab3f2f639853ae7a456cc8acc992be5783f6789e86829e223b30c7f9b87661

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\dK\SPP.dll

MD5 8fae34af42f84b2579dfe7b8597bac5d
SHA1 ac10b24681744e83f65356dc3c75ab9f4a67d556
SHA256 c05a1e78ea9ac5ebe178c19af69c6f6142a4b461db19a087febea2d5ca8b6483
SHA512 366b84a762ea97788d3e32ae5eae3d04a0d9659e40497fb7fc2d5a6bf94bbd7e0822cc69e624ec42f9d0abfd6e5ba177cb9bea40db0fe5ac89f6495958de2210

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\5E3UiaFIPt\ReAgent.dll (long-name form of the 5E3UIA~1 directory in the Run key above, which starts sdclt.exe from this same folder; a copy of sdclt.exe there that resolves a library of this name finds this DLL before the one in System32)

MD5 5f04e842eeb866dfc780944f9aefa0c4
SHA1 69b79de26f4179d92e3b276711fa51b95120572f
SHA256 d59f31c5d50df792fe322e23c59a2df5035b2da0a6bab2d74245116287bcf398
SHA512 a86d2709ff51cc9b074bcd476fa8d97f769e791b4f18d183b8af63272108269de633ef354278949fbcc351539ee491f75bb1133e010be3e17b5de5a4573a128f

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\1BbZP\VERSION.dll

MD5 72c68d2e4d307a9d661d573eb3602614
SHA1 608ebe396145a6b33676266255dd28f3a2961df8
SHA256 63d7daae2811fa2c777ec92b9fcaf6254697bbf3d6259bcf1e7fcdb57ca5a768
SHA512 24201d951323ac4f75324cbc1b3e5803a0b845f4823b30021e0ea4ac41216a4544a4a90a19ccd46104c5a979a762026cbd56ac5bdd9ed7318a4cd3501c0d5033