Malware Analysis Report

2024-11-30 21:27

Sample ID 231225-jqw9esgcf2
Target 103bce51e2fb20c197343aaf2d602bad
SHA256 b95c5ad1c557db07298ed44764a8ba2b022c508ccef0f1a4ff87bf813e3e2463
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b95c5ad1c557db07298ed44764a8ba2b022c508ccef0f1a4ff87bf813e3e2463

Threat Level: Known bad

The file 103bce51e2fb20c197343aaf2d602bad was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Unsigned PE

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported

2023-12-25 07:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-25 07:52

Reported

2023-12-27 14:49

Platform

win7-20231215-en

Max time kernel

138s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\103bce51e2fb20c197343aaf2d602bad.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\NdvH5hF\\consent.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\BAlLnB\SystemPropertiesHardware.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\system32\BAlLnB\SystemPropertiesHardware.exe C:\Windows\system32\cmd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further rows with no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2600 N/A N/A C:\Windows\system32\consent.exe
PID 1200 wrote to memory of 2600 N/A N/A C:\Windows\system32\consent.exe
PID 1200 wrote to memory of 2600 N/A N/A C:\Windows\system32\consent.exe
PID 1200 wrote to memory of 2148 N/A N/A C:\Windows\system32\cmd.exe
PID 1200 wrote to memory of 2148 N/A N/A C:\Windows\system32\cmd.exe
PID 1200 wrote to memory of 2148 N/A N/A C:\Windows\system32\cmd.exe
PID 1200 wrote to memory of 2816 N/A N/A C:\Windows\system32\SystemPropertiesHardware.exe
PID 1200 wrote to memory of 2816 N/A N/A C:\Windows\system32\SystemPropertiesHardware.exe
PID 1200 wrote to memory of 2816 N/A N/A C:\Windows\system32\SystemPropertiesHardware.exe
PID 1200 wrote to memory of 2884 N/A N/A C:\Windows\system32\cmd.exe
PID 1200 wrote to memory of 2884 N/A N/A C:\Windows\system32\cmd.exe
PID 1200 wrote to memory of 2884 N/A N/A C:\Windows\system32\cmd.exe
PID 1200 wrote to memory of 2936 N/A N/A C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 2936 N/A N/A C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 2936 N/A N/A C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 1852 N/A N/A C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 1852 N/A N/A C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 1852 N/A N/A C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 1708 N/A N/A C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 1708 N/A N/A C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 1708 N/A N/A C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 2748 N/A N/A C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 2748 N/A N/A C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 2748 N/A N/A C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 1164 N/A N/A C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 1164 N/A N/A C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 1164 N/A N/A C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 2536 N/A N/A C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 2536 N/A N/A C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 2536 N/A N/A C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\103bce51e2fb20c197343aaf2d602bad.dll,#1

C:\Windows\system32\consent.exe

C:\Windows\system32\consent.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\VfEQkn.cmd

C:\Windows\system32\SystemPropertiesHardware.exe

C:\Windows\system32\SystemPropertiesHardware.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\abu.cmd

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /F /TN "Ajfbjcebwom" /TR "C:\Windows\system32\BAlLnB\SystemPropertiesHardware.exe" /SC minute /MO 60 /RL highest

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"
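
The process tree above is the part of this report a detection engineer can act on: a DLL in %TEMP% invoked by export ordinal, a batch script staged in %TEMP%, and an hourly scheduled task run at the highest run level whose target is an .exe in an ad-hoc subdirectory of System32. The following is an added example, not part of the sandbox report, that encodes those three observations as command-line checks. The sample lines are copied from the tree above; the two lines marked constructed are benign controls and are not from the report.

```python
"""Flag loader and persistence patterns in process command lines.

Added example (not part of the sandbox report): three checks keyed to
what the behavioral1 process tree shows. Sample lines are copied from
that tree; the lines marked "constructed" are benign controls.
"""
import re
from dataclasses import dataclass

SAMPLE_CMDLINES = [
    # From the report: DLL in %TEMP% invoked by export ordinal.
    r'rundll32.exe C:\Users\Admin\AppData\Local\Temp\103bce51e2fb20c197343aaf2d602bad.dll,#1',
    # From the report: batch script staged in %TEMP%.
    r'"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\VfEQkn.cmd',
    # From the report: hourly task, highest run level, target in a System32 subdirectory.
    r'"C:\Windows\system32\schtasks.exe" /Create /F /TN "Ajfbjcebwom" /TR "C:\Windows\system32\BAlLnB\SystemPropertiesHardware.exe" /SC minute /MO 60 /RL highest',
    r'C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"',
    # Constructed benign controls (not from the report).
    r'"C:\Windows\system32\schtasks.exe" /Create /F /TN "Backup" /TR "C:\Program Files\Example\backup.exe" /SC daily',
    r'rundll32.exe shell32.dll,Control_RunDLL',
]

# Per-user, attacker-writable locations.
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\', re.I)
# An .exe one directory level below System32 (System32\<dir>\<name>.exe);
# Windows' own binaries live directly in System32, not in ad-hoc subfolders.
SYSTEM32_SUBDIR_EXE = re.compile(r'\\Windows\\system32\\[^\\"]+\\[^\\"]+\.exe', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    cmdline: str


def rundll32_user_dll_by_ordinal(cmd: str) -> bool:
    """rundll32 loading a DLL from a user-writable path by ordinal (#N)."""
    m = re.match(r'^"?(?:.*\\)?rundll32\.exe"?\s+(.+?\.dll),#\d+\s*$', cmd, re.I)
    return bool(m and USER_WRITABLE.search(m.group(1)))


def cmd_runs_user_script(cmd: str) -> bool:
    """cmd.exe /c running a .cmd/.bat staged under AppData."""
    m = re.search(r'\bcmd\.exe"?\s+/c\s+(\S+)', cmd, re.I)
    if not m:
        return False
    script = m.group(1)
    return script.lower().endswith(('.cmd', '.bat')) and bool(USER_WRITABLE.search(script))


def schtasks_highest_to_odd_path(cmd: str) -> bool:
    """schtasks /Create with /RL highest whose /TR points somewhere unusual."""
    if not re.search(r'schtasks(?:\.exe)?"?\s+/create\b', cmd, re.I):
        return False
    tr = re.search(r'/TR\s+"([^"]+)"', cmd, re.I)
    if not tr or not re.search(r'/RL\s+highest\b', cmd, re.I):
        return False
    target = tr.group(1)
    return bool(SYSTEM32_SUBDIR_EXE.search(target) or USER_WRITABLE.search(target))


RULES = {
    'rundll32_user_dll_by_ordinal': rundll32_user_dll_by_ordinal,
    'cmd_runs_user_script': cmd_runs_user_script,
    'schtasks_highest_to_odd_path': schtasks_highest_to_odd_path,
}


def scan(cmdlines):
    """Return every (rule, cmdline) hit, in input order."""
    return [Finding(name, c) for c in cmdlines for name, fn in RULES.items() if fn(c)]


if __name__ == '__main__':
    for f in scan(SAMPLE_CMDLINES):
        print(f'{f.rule:30} {f.cmdline}')
```

Run against the six lines, the three report lines each hit exactly one rule and the two constructed controls hit none; the `/Query` line is deliberately ignored, since querying a task name is not by itself suspicious. The `/RL highest` condition is what separates this task from an ordinary user task: it asks for the highest privilege level the account holds, which the UAC check (`EnableLUA` query) earlier in the report makes relevant.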

Network

N/A

Files

memory/1728-1-0x0000000000390000-0x0000000000397000-memory.dmp

memory/1728-0-0x000007FEF7AD0000-0x000007FEF7B74000-memory.dmp

memory/1200-3-0x0000000077AD6000-0x0000000077AD7000-memory.dmp

memory/1200-4-0x00000000024F0000-0x00000000024F1000-memory.dmp

memory/1200-16-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-23-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-31-0x00000000024D0000-0x00000000024D7000-memory.dmp

memory/1200-34-0x0000000077E40000-0x0000000077E42000-memory.dmp

memory/1200-43-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-48-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-33-0x0000000077CE1000-0x0000000077CE2000-memory.dmp

memory/1200-32-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-25-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-24-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-22-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-21-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-20-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-19-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-18-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-17-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-15-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-14-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-13-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-12-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-11-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-10-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-9-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1200-8-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1728-7-0x000007FEF7AD0000-0x000007FEF7B74000-memory.dmp

memory/1200-6-0x0000000140000000-0x00000001400A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VfEQkn.cmd

MD5 57128ccfeed83e637d38163ff3be92a4
SHA1 4270ff1c25d1786ce0d91bd608af8e2cdf4e32a0
SHA256 6b203be8a29335a9cead11e1387d4d863983baf35975a1e80463cb2bd11cef03
SHA512 fddefcc94911b890a0df1dabeb58fcb0f2f09e1a12612bbd9271d9fe4522a864b8feb22ce4457b9dfc2436049be834473af931a62e19e0cff006302eae0442cb

C:\Users\Admin\AppData\Local\Temp\UTw3BC8.tmp

MD5 db9b41311c937b2b6ff982bfebda0c5a
SHA1 32d3fb8ebf5148cf5eac6f9ff2c07cc1794b85de
SHA256 0564da405563b6b5f0c217d351451c391dc6e7bcbdc223a62a705d2da73f0526
SHA512 413c777bd2fd4dfdc1e06a70a91dd90f3650b9b86b0d33338695c2687c546b243191c8becd6ae3df943461f1a6ac2cd82c140780f9faaf8f4173aa4fbf082c87

memory/1200-60-0x0000000077AD6000-0x0000000077AD7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\abu.cmd

MD5 72e1216c3e9ad375d4a89d780e90a6b4
SHA1 127dcf53e4f2e8a5d82c5ee26834ade103b2d023
SHA256 761bee2bef44a6e94777c583e0c938971396661e4729f3a07e8ccaf68267138d
SHA512 cc3b1cd8a56b7984a92c1cc95a1e4e8e9df21e880f1d16618dba478af29de48460491f82b7c3671f0e73db1d0aa6bfab5a5d00fd2a534e41fc8137b4fb619a0f

C:\Users\Admin\AppData\Local\Temp\HHX6356.tmp

MD5 172640f7888fe44d8bb0601d72a06119
SHA1 cb34531771e3b91bca9d3b16cc4d692b3d2dc9a7
SHA256 efceacb585220dfe17d617218b28ddede99f21f2e6ee86e0cca68208a327742a
SHA512 22a432ed462a45aac70b322bc603d2ea34552a31f9a536d8148598a08a38ccf0b75c484cf6850d8bed4407ca9482e801284790726247c05b518b45cfc00e5d34

C:\Users\Admin\AppData\Roaming\NdvH5hF\consent.exe

MD5 0b5511674394666e9d221f8681b2c2e6
SHA1 6e4e720dfc424a12383f0b8194e4477e3bc346dc
SHA256 ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b
SHA512 00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Bsfvntd.lnk

MD5 d6f72802e685797edf3b7781e00eb04b
SHA1 49ff7e5a7b2c231147044f0610a28be6729a1fb2
SHA256 ff8646dc1bff42ed47093b60fc43252e4edbc7cc00a3bc8911e8d164f0156a3f
SHA512 a4d3ca4ffa41c9e8ea5d717e341448b55906dcb668ca25ab10d04bdb17a197a7d09aac925c8c8203b10937805b27dd2c93e8bf1c53a0b3ec9c7f590b357a43ec
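
Taken together, the Run key, the Startup-folder .lnk and the dropped files show the persistence artifacts worth hunting for: an executable carrying the name of a Windows binary (consent.exe, SystemPropertiesHardware.exe here; Netplwiz.exe and sppsvc.exe in behavioral2) written somewhere other than its normal home, and an autostart entry pointing into the user's AppData. The DLL that the "Loads dropped DLL" signature refers to is not itemised in the Files list, so the location of these copies is the usable indicator. The following is an added example, not part of the sandbox report, that runs those checks over the paths and registry value above. The registry path is written in the kernel form the report uses; entries marked constructed are benign controls and are not from the report.

```python
"""Triage autostart and dropped-file artifacts from the behavioral1 run.

Added example (not part of the sandbox report). Inputs are copied from
the Files and Signatures sections; entries marked "constructed" are
benign controls so the checks have something to ignore.
"""
import ntpath

# Names of Windows binaries the report shows copied outside their home.
# In production, build this set from an inventory of %SystemRoot%\System32.
SYSTEM_BINARY_NAMES = {'consent.exe', 'systempropertieshardware.exe', 'netplwiz.exe', 'sppsvc.exe'}
SYSTEM_HOMES = {r'c:\windows\system32', r'c:\windows\syswow64'}

DROPPED_FILES = [
    r'C:\Users\Admin\AppData\Roaming\NdvH5hF\consent.exe',
    r'C:\Windows\system32\BAlLnB\SystemPropertiesHardware.exe',
    r'C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Bsfvntd.lnk',
    r'C:\Users\Admin\AppData\Local\Temp\VfEQkn.cmd',
    r'C:\Users\Admin\AppData\Local\Temp\UTw3BC8.tmp',
    r'C:\Windows\system32\consent.exe',   # constructed: the genuine binary, in place
]

RUN_VALUES = {
    r'\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd':
        r'C:\Users\Admin\AppData\Roaming\NdvH5hF\consent.exe',
    # constructed benign control
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleTray':
        r'C:\Program Files\Example\tray.exe',
}


def _user_writable(path: str) -> bool:
    p = path.lower()
    return '\\appdata\\local\\' in p or '\\appdata\\roaming\\' in p


def masquerading_copies(paths):
    """System binary names sitting anywhere but System32/SysWOW64 itself."""
    out = []
    for p in paths:
        name = ntpath.basename(p).lower()
        home = ntpath.dirname(p).lower()
        if name in SYSTEM_BINARY_NAMES and home not in SYSTEM_HOMES:
            out.append(p)
    return out


def autostart_to_user_writable(run_values):
    """Run-key values whose command lives under the user's AppData."""
    return [(k, v) for k, v in run_values.items() if _user_writable(v)]


def startup_folder_links(paths):
    """.lnk files in a Startup folder (8.3 short-name paths included)."""
    return [p for p in paths if p.lower().endswith('.lnk') and '\\startup\\' in p.lower()]


def triage(paths, run_values):
    return {
        'masquerading_copies': masquerading_copies(paths),
        'run_key_to_appdata': autostart_to_user_writable(run_values),
        'startup_links': startup_folder_links(paths),
    }


if __name__ == '__main__':
    for kind, items in triage(DROPPED_FILES, RUN_VALUES).items():
        print(kind)
        for item in items:
            print('   ', item)
```

The copy of a genuine Windows binary is itself clean, so a hash lookup on it returns nothing useful; what gives it away is the directory it sits in and the autostart entry that points at it. `ntpath` is used instead of `os.path` so the Windows paths parse correctly when the script is run on a non-Windows analysis host.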

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-25 07:52

Reported

2023-12-27 14:49

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\103bce51e2fb20c197343aaf2d602bad.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\BH6a7Wl\\Netplwiz.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\d2sfFF\sppsvc.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\system32\d2sfFF\sppsvc.exe C:\Windows\system32\cmd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further rows with no description, indicator, process or target recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3304 wrote to memory of 2256 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 3304 wrote to memory of 2256 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 3304 wrote to memory of 4972 N/A N/A C:\Windows\system32\cmd.exe
PID 3304 wrote to memory of 4972 N/A N/A C:\Windows\system32\cmd.exe
PID 3304 wrote to memory of 4928 N/A N/A C:\Windows\system32\cmd.exe
PID 3304 wrote to memory of 4928 N/A N/A C:\Windows\system32\cmd.exe
PID 3304 wrote to memory of 2640 N/A N/A C:\Windows\system32\schtasks.exe
PID 3304 wrote to memory of 2640 N/A N/A C:\Windows\system32\schtasks.exe
PID 3304 wrote to memory of 1320 N/A N/A C:\Windows\system32\schtasks.exe
PID 3304 wrote to memory of 1320 N/A N/A C:\Windows\system32\schtasks.exe
PID 3304 wrote to memory of 1312 N/A N/A C:\Windows\system32\schtasks.exe
PID 3304 wrote to memory of 1312 N/A N/A C:\Windows\system32\schtasks.exe
PID 3304 wrote to memory of 3444 N/A N/A C:\Windows\system32\schtasks.exe
PID 3304 wrote to memory of 3444 N/A N/A C:\Windows\system32\schtasks.exe
PID 3304 wrote to memory of 3688 N/A N/A C:\Windows\system32\schtasks.exe
PID 3304 wrote to memory of 3688 N/A N/A C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\103bce51e2fb20c197343aaf2d602bad.dll,#1

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\e7w4f.cmd

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\shWw9.cmd

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /F /TN "Ugwggfx" /TR "C:\Windows\system32\d2sfFF\sppsvc.exe" /SC minute /MO 60 /RL highest

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ugwggfx"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ugwggfx"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ugwggfx"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ugwggfx"

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
PH 23.37.1.217:80 www.microsoft.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
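
The table above mixes three very different things: reverse-DNS (PTR) lookups, lookups and connections for named Microsoft hosts, and a single TCP connection to 20.231.121.79:80 that the report attributes to no domain. The table has no process column, so it cannot tell which of these the sample itself generated; PTR lookups and traffic to microsoft.com and bing.net are commonly produced by the operating system or the sandbox rather than by the detonated sample, which leaves the unnamed direct-to-IP flow as the one row that needs a human look. The following is an added example, not part of the sandbox report, that parses the rows above (copied verbatim) and sorts them into those buckets; it also turns each PTR name back into the address that was looked up.

```python
"""Sort the behavioral2 network table into what needs a human look.

Added example (not part of the sandbox report). Rows are copied from the
table above; rows that carry no Domain column are handled.
"""
from collections import Counter
from dataclasses import dataclass

NETWORK_TABLE = """\
US 20.231.121.79:80 tcp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
PH 23.37.1.217:80 www.microsoft.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    dest: str
    domain: str
    proto: str


def parse_table(text):
    """Columns: Country Destination [Domain] Proto; Domain may be absent."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ''
        else:
            continue
        flows.append(Flow(country, dest, domain, proto))
    return flows


def ptr_to_ip(name):
    """'19.177.190.20.in-addr.arpa' -> '20.190.177.19' (octets are reversed in PTR names)."""
    octets = name[:-len('.in-addr.arpa')].split('.')
    return '.'.join(reversed(octets))


def classify(f):
    if f.domain.endswith('.in-addr.arpa'):
        return 'ptr-lookup'
    if f.proto == 'udp' and f.dest.endswith(':53'):
        return 'dns-query' if f.domain else 'dns-unnamed'
    if f.proto == 'tcp' and not f.domain:
        return 'direct-ip'
    return 'named-connection'


def summarize(flows):
    kinds = Counter(classify(f) for f in flows)
    direct = sorted({f.dest for f in flows if classify(f) == 'direct-ip'})
    ptr_targets = sorted({ptr_to_ip(f.domain) for f in flows if classify(f) == 'ptr-lookup'})
    return {'counts': dict(kinds), 'direct_ip': direct, 'ptr_targets': ptr_targets}


if __name__ == '__main__':
    s = summarize(parse_table(NETWORK_TABLE))
    print(s['counts'])
    print('review:', s['direct_ip'])
```

On this table the summary is 16 PTR lookups, 2 named DNS queries, 1 DNS query with no name recorded, 6 connections to named hosts and exactly one direct-to-IP connection, 20.231.121.79:80. Whether that connection is the sample's command-and-control cannot be decided from this table alone; it is the row to correlate with the process that opened it.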

Files

memory/868-0-0x00007FF81F990000-0x00007FF81FA34000-memory.dmp

memory/868-2-0x0000015260EA0000-0x0000015260EA7000-memory.dmp

memory/3304-3-0x0000000002A80000-0x0000000002A81000-memory.dmp

memory/3304-5-0x00007FF82CC1A000-0x00007FF82CC1B000-memory.dmp

memory/3304-8-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/868-6-0x00007FF81F990000-0x00007FF81FA34000-memory.dmp

memory/3304-9-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-10-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-12-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-11-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-13-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-14-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-17-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-18-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-19-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-21-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-22-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-24-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-23-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-27-0x0000000000D10000-0x0000000000D17000-memory.dmp

memory/3304-26-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-25-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-20-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-16-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-15-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-33-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-34-0x00007FF82DC40000-0x00007FF82DC50000-memory.dmp

memory/3304-43-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3304-45-0x0000000140000000-0x00000001400A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e7w4f.cmd

MD5 0e5fb56c50a141153e51759216fa6d65
SHA1 354b56159d73316413d398fa80cbf25ec305c403
SHA256 66189aa4c73cbe0d4a6ad80d84cab75cb84d09282671df02b36ec0c68ace36d7
SHA512 adc3bee081d1306ae00630777d2fd34061f68e3374f6ac0a80d18990dd702172cb75d893bfd73f8c0b314de67085b7bc6217514d35eddabae199b587fbeaddad

C:\Users\Admin\AppData\Local\Temp\sC272A.tmp

MD5 3d40f4374a2c93faa226f3f7b7b531f7
SHA1 336d39d536a26daa8192a04e41f56beaec0d02fd
SHA256 253b0ef52576aa33ad330ad903de70eab25d1720046b3628169e5ce2cd82e18d
SHA512 d5647fed54573e52f2b4eca551bf80c96e71f64afbe614efa18846f0a358c97e0652baddb6d62e635d4988c1a5e987946fbcba8b09a19a66829c4f56e72eb5ed

C:\Users\Admin\AppData\Local\Temp\shWw9.cmd

MD5 f7a0ef0f6df7536e5cc743a22d73d57a
SHA1 a5ed97ef7cc1d58c46fbdca9d03e2347ba511320
SHA256 28ff24aa6893ca4c51831d5e11fa5eaeedf9422d2443c7293f657eac63686af3
SHA512 86b659eb6447242425a6c99d855b6e138202c4d81b1d3d0b0a19b8d22f9b9330133c75ea8163405f524e03d7c282687d69d5d0f708c0785dd5d2d41893330920

C:\Users\Admin\AppData\Local\Temp\xj4FE1.tmp

MD5 646fa71e1b3cb064ccedfd76e5a63e20
SHA1 a4be0178e112a3265f1c75cf8c5a04891b4f7742
SHA256 63f893e6046b43071d252d55782279575e70bd9638615886926939fd9823c8c2
SHA512 86076e6302f825d80f274df44058d57b4a4d9037522c1240930cffbb75e28a6a6ad06260029748311f18a8493a6644365f912ed10f33420fa03acd90da35bbcb

C:\Users\Admin\AppData\Roaming\BH6a7Wl\Netplwiz.exe

MD5 520a7b7065dcb406d7eca847b81fd4ec
SHA1 d1b3b046a456630f65d482ff856c71dfd2f335c8
SHA256 8323b44b6e69f02356a5ab0d03a4fc87b953edcbd85c2b6281bf92bc0a3b224d
SHA512 7aea2810f38d1640d4aa87efbbe20783fe7b8e7f588864a3a384a37c91108d906abd89b235672608c98c46ed76db2b0039462098a1064ebe4108ec37b6087914

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qoccyyzfzcu.lnk

MD5 5cbd6aa25ed9d120a7e4100552c08150
SHA1 829b135bd7b2f641afd582a324cab010b82b336c
SHA256 084946bc6e69ddf1afa5de57ca359ec3d479bc877865bc7f98f90f6f303bb4fa
SHA512 386d39be79d884f0d2273dce9b080b15d1a44e91bf2348e1517353e25b6199f7b2abcb119e14e8bd186714bc02d764fd80d1ddfa87a33154f27fc72f9cf81c82
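
The memory dump names in both Files sections encode a PID, a sequence number and an address range, and most of the lines are repeated dumps of one region. Read as regions rather than lines, each run contains a 0xA4000-byte mapping that appears first in the initial PID (1728, 868) at a high address of the kind Windows x64 uses for DLL mappings and then in the second PID (1200, 3304) at 0x140000000, the default image base the MSVC linker assigns to 64-bit executables. That is the region to pull from the sandbox and check for a PE header. The following is an added example, not part of the sandbox report, that parses the names and groups them; the names are a subset copied from the behavioral1 list.

```python
"""Collapse the memory-dump listing into distinct regions per process.

Added example (not part of the sandbox report). Names are copied from the
behavioral1 Files section (a subset); the parser accepts any name of the
form memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp.
"""
import re
from collections import Counter

# Default image base the MSVC linker assigns to 64-bit executables (DLLs get 0x180000000).
DEFAULT_X64_EXE_BASE = 0x140000000

DUMP_NAMES = [
    'memory/1728-0-0x000007FEF7AD0000-0x000007FEF7B74000-memory.dmp',
    'memory/1728-1-0x0000000000390000-0x0000000000397000-memory.dmp',
    'memory/1728-7-0x000007FEF7AD0000-0x000007FEF7B74000-memory.dmp',
    'memory/1200-3-0x0000000077AD6000-0x0000000077AD7000-memory.dmp',
    'memory/1200-4-0x00000000024F0000-0x00000000024F1000-memory.dmp',
    'memory/1200-6-0x0000000140000000-0x00000001400A4000-memory.dmp',
    'memory/1200-8-0x0000000140000000-0x00000001400A4000-memory.dmp',
    'memory/1200-16-0x0000000140000000-0x00000001400A4000-memory.dmp',
    'memory/1200-31-0x00000000024D0000-0x00000000024D7000-memory.dmp',
    'memory/1200-34-0x0000000077E40000-0x0000000077E42000-memory.dmp',
]

NAME_RE = re.compile(r'^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$')


def parse_dump_name(name):
    """Return {'pid', 'seq', 'start', 'end'} for a dump name, or None for anything else."""
    m = NAME_RE.match(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return {'pid': int(pid), 'seq': int(seq), 'start': int(start, 16), 'end': int(end, 16)}


def region_size(d):
    return d['end'] - d['start']


def group_regions(names):
    """(pid, start, end) -> number of dumps taken of that region."""
    parsed = [p for p in map(parse_dump_name, names) if p]
    return Counter((p['pid'], p['start'], p['end']) for p in parsed)


def regions_at_default_exe_base(names):
    """Regions that begin exactly at the x64 default EXE image base."""
    return sorted({key for key in group_regions(names) if key[1] == DEFAULT_X64_EXE_BASE})


def same_size_across_pids(names, size):
    """PIDs that each hold at least one region of exactly `size` bytes."""
    return sorted({pid for (pid, start, end) in group_regions(names) if end - start == size})


if __name__ == '__main__':
    for (pid, start, end), n in sorted(group_regions(DUMP_NAMES).items()):
        print(f'pid {pid}: 0x{start:X}-0x{end:X} size 0x{end - start:X} ({n} dump(s))')
```

On the subset above this yields seven distinct regions instead of ten lines; the 0xA4000-byte region shows up in both PIDs, and only PID 1200 holds it at 0x140000000. A running Windows binary such as rundll32.exe is relocated by ASLR, so an image sitting at the linker default inside such a process is a region that was mapped there by something other than the normal loader.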