Malware Analysis Report

2024-11-30 21:26

Sample ID 231225-xmfzxshec2
Target 362efdb462f7563b069081e0de821389
SHA256 36cce483a655202788e541b658a2c9afe18d4b1868199231874dd1c10fb8962c
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

36cce483a655202788e541b658a2c9afe18d4b1868199231874dd1c10fb8962c

Threat Level: Known bad

The file 362efdb462f7563b069081e0de821389 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Dridex payload

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-25 18:58

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-25 18:58

Reported

2023-12-29 06:47

Platform

win7-20231215-en

Max time kernel

152s

Max time network

41s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\362efdb462f7563b069081e0de821389.dll,#1
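
The sample is launched through rundll32.exe with an ordinal entry point (`#1`), so the command line never shows the export name that actually runs, and the DLL sits in the user's Temp directory. The following Python is an added example, not part of the sandbox report: it splits rundll32 command lines in the documented `rundll32.exe <dll>,<entry> [args]` form (quoted DLL paths included) and flags the combination seen here, a DLL loaded from a user-writable directory through an ordinal export. The list of user-writable directory fragments and the benign comparison command lines are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Directory fragments an unprivileged user can write to. Assumed list for
# the example; extend it for the environment being monitored.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)


@dataclass
class RunDllCall:
    dll: str
    entry: str              # export name, or "#N" for an ordinal
    args: str
    ordinal: Optional[int]  # set when the entry point is an ordinal


# rundll32 may be bare, a full path, or a quoted path; whitespace follows it.
RUNDLL32_RE = re.compile(
    r'^(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+', re.I
)


def parse_rundll32(cmdline: str) -> Optional[RunDllCall]:
    """Split a rundll32 command line into DLL path, entry point and arguments.

    Follows the documented form  rundll32.exe <dll>,<entry> [args]: the DLL
    path runs to the first comma unless it is quoted, the entry point runs
    to the first space, and everything after that is passed to the export.
    Returns None when the command line is not a rundll32 invocation.
    """
    s = cmdline.strip()
    m = RUNDLL32_RE.match(s)
    if not m:
        return None
    rest = s[m.end():]
    if rest.startswith('"'):
        close = rest.find('"', 1)
        if close < 0:
            return None
        dll, rest = rest[1:close], rest[close + 1:].lstrip()
        if not rest.startswith(","):
            return None
        rest = rest[1:]
    else:
        dll, sep, rest = rest.partition(",")
        if not sep:
            return None
    entry, _, args = rest.lstrip().partition(" ")
    ordinal = int(entry[1:]) if entry.startswith("#") and entry[1:].isdigit() else None
    return RunDllCall(dll.strip(), entry, args.strip(), ordinal)


def assess_rundll32(cmdline: str) -> dict:
    """Flag rundll32 calls that load a DLL from a user-writable directory
    through an ordinal export, the combination this report shows."""
    call = parse_rundll32(cmdline)
    if call is None:
        return {"rundll32": False, "suspicious": False, "reasons": []}
    low = call.dll.lower().replace("/", "\\")
    reasons = []
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("dll-in-user-writable-path")
    if call.ordinal is not None:
        reasons.append("ordinal-entry-point")
    return {
        "rundll32": True,
        "dll": call.dll,
        "entry": call.entry,
        "ordinal": call.ordinal,
        "args": call.args,
        "reasons": reasons,
        # Either signal alone is common in benign software; together they
        # match the loader pattern in this report.
        "suspicious": len(reasons) == 2,
    }


if __name__ == "__main__":
    # The command line from this report's behavioral1 detonation.
    print(assess_rundll32(
        r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\362efdb462f7563b069081e0de821389.dll,#1"
    ))
```

A bare DLL name with no directory (`rundll32.exe shell32.dll,Control_RunDLL`) is resolved through the loader search order, so the path check alone cannot tell where it came from; pair this with the process ancestry and the image that was actually loaded.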

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\iwfkVgNb3\DevicePairingWizard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FkR\icardagt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\NT\\isoburn.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\FkR\icardagt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\iwfkVgNb3\DevicePairingWizard.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 1500 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 1204 wrote to memory of 1500 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 1204 wrote to memory of 1500 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 1204 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\iwfkVgNb3\DevicePairingWizard.exe
PID 1204 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\iwfkVgNb3\DevicePairingWizard.exe
PID 1204 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\iwfkVgNb3\DevicePairingWizard.exe
PID 1204 wrote to memory of 1052 N/A N/A C:\Windows\system32\isoburn.exe
PID 1204 wrote to memory of 1052 N/A N/A C:\Windows\system32\isoburn.exe
PID 1204 wrote to memory of 1052 N/A N/A C:\Windows\system32\isoburn.exe
PID 1204 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe
PID 1204 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe
PID 1204 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe
PID 1204 wrote to memory of 1268 N/A N/A C:\Windows\system32\wermgr.exe
PID 1204 wrote to memory of 1268 N/A N/A C:\Windows\system32\wermgr.exe
PID 1204 wrote to memory of 1268 N/A N/A C:\Windows\system32\wermgr.exe
PID 1204 wrote to memory of 1808 N/A N/A C:\Users\Admin\AppData\Local\L3G\wermgr.exe
PID 1204 wrote to memory of 1808 N/A N/A C:\Users\Admin\AppData\Local\L3G\wermgr.exe
PID 1204 wrote to memory of 1808 N/A N/A C:\Users\Admin\AppData\Local\L3G\wermgr.exe
PID 1204 wrote to memory of 2504 N/A N/A C:\Windows\system32\icardagt.exe
PID 1204 wrote to memory of 2504 N/A N/A C:\Windows\system32\icardagt.exe
PID 1204 wrote to memory of 2504 N/A N/A C:\Windows\system32\icardagt.exe
PID 1204 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\FkR\icardagt.exe
PID 1204 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\FkR\icardagt.exe
PID 1204 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\FkR\icardagt.exe
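
Every target image in the table above appears twice for the same source PID: once as the original under C:\Windows\system32 and once as the copy the sample dropped into a randomly named directory under the user profile. The report does not say which image PID 1204 runs. The following Python is an added example, not part of the sandbox output: it parses the rows exactly as printed, collapses the three repeated writes per target, and lists the basenames that one source wrote to in both locations. The row text is copied from the table; the column handling (Indicator and Process are N/A in every row) is an assumption tied to this report's layout.

```python
import re
from collections import defaultdict

# Rows of the "Suspicious use of WriteProcessMemory" table above, copied as
# the report prints them (Description, Indicator, Process, Target columns).
ROWS = r"""
PID 1204 wrote to memory of 1500 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 1204 wrote to memory of 1500 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 1204 wrote to memory of 1500 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 1204 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\iwfkVgNb3\DevicePairingWizard.exe
PID 1204 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\iwfkVgNb3\DevicePairingWizard.exe
PID 1204 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\iwfkVgNb3\DevicePairingWizard.exe
PID 1204 wrote to memory of 1052 N/A N/A C:\Windows\system32\isoburn.exe
PID 1204 wrote to memory of 1052 N/A N/A C:\Windows\system32\isoburn.exe
PID 1204 wrote to memory of 1052 N/A N/A C:\Windows\system32\isoburn.exe
PID 1204 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe
PID 1204 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe
PID 1204 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe
PID 1204 wrote to memory of 1268 N/A N/A C:\Windows\system32\wermgr.exe
PID 1204 wrote to memory of 1268 N/A N/A C:\Windows\system32\wermgr.exe
PID 1204 wrote to memory of 1268 N/A N/A C:\Windows\system32\wermgr.exe
PID 1204 wrote to memory of 1808 N/A N/A C:\Users\Admin\AppData\Local\L3G\wermgr.exe
PID 1204 wrote to memory of 1808 N/A N/A C:\Users\Admin\AppData\Local\L3G\wermgr.exe
PID 1204 wrote to memory of 1808 N/A N/A C:\Users\Admin\AppData\Local\L3G\wermgr.exe
PID 1204 wrote to memory of 2504 N/A N/A C:\Windows\system32\icardagt.exe
PID 1204 wrote to memory of 2504 N/A N/A C:\Windows\system32\icardagt.exe
PID 1204 wrote to memory of 2504 N/A N/A C:\Windows\system32\icardagt.exe
PID 1204 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\FkR\icardagt.exe
PID 1204 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\FkR\icardagt.exe
PID 1204 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\FkR\icardagt.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+(.*)$")


def parse_rows(text):
    """Return the distinct (source_pid, target_pid, target_image) triples.

    The table prints one row per write and repeats each target three times;
    a set collapses the repeats without dropping any target.
    """
    events = set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        # Indicator and Process are N/A in every row of this report, so what
        # remains after the leading N/A tokens is the Target image path.
        target = re.sub(r"^(?:N/A\s+)+", "", rest).strip()
        events.add((src, dst, target))
    return sorted(events)


def targets_per_source(events):
    """How many distinct processes each source PID wrote into."""
    counts = defaultdict(set)
    for src, dst, _ in events:
        counts[src].add(dst)
    return {src: len(pids) for src, pids in counts.items()}


def lolbin_pairs(events):
    """Basenames that one source PID wrote to both as the System32 original
    and as a copy outside System32 (the host binary and its relocated clone)."""
    where = defaultdict(lambda: {"system32": set(), "other": set()})
    for src, _, target in events:
        directory, _, name = target.lower().rpartition("\\")
        bucket = "system32" if directory.endswith("\\windows\\system32") else "other"
        where[(src, name)][bucket].add(directory)
    return sorted(name for (_, name), b in where.items() if b["system32"] and b["other"])


if __name__ == "__main__":
    events = parse_rows(ROWS)
    print(targets_per_source(events))
    print(lolbin_pairs(events))
```

The same grouping works on Sysmon event 8/10 or EDR cross-process telemetry once the rows are reduced to (source PID, target PID, target image); the point is that a single source touching both the system copy and a user-profile copy of the same executable is a far rarer event than either write on its own.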

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\362efdb462f7563b069081e0de821389.dll,#1

C:\Windows\system32\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\iwfkVgNb3\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe

C:\Windows\system32\isoburn.exe

C:\Users\Admin\AppData\Local\L3G\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\icardagt.exe

C:\Users\Admin\AppData\Local\FkR\icardagt.exe

Network

N/A

Files

memory/2976-0-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/2976-1-0x0000000000330000-0x0000000000337000-memory.dmp

memory/1204-3-0x0000000077676000-0x0000000077677000-memory.dmp

memory/1204-13-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/1204-15-0x0000000001D80000-0x0000000001D87000-memory.dmp

memory/1204-14-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/1204-12-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/1204-11-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/1204-10-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/1204-9-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/1204-8-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/1204-7-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/1204-25-0x0000000077910000-0x0000000077912000-memory.dmp

memory/1204-24-0x00000000778E0000-0x00000000778E2000-memory.dmp

memory/1204-23-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/1204-6-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/1204-4-0x0000000002B50000-0x0000000002B51000-memory.dmp

memory/1204-34-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/1204-36-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/2976-37-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/1204-46-0x0000000077676000-0x0000000077677000-memory.dmp

C:\Users\Admin\AppData\Local\iwfkVgNb3\MFC42u.dll

MD5 0c9b13defb490d13937d56de9c2367df
SHA1 a11d94638e69cc5a2fcd3f6c7cb61a924027c72b
SHA256 8388a07ecbc1c55aab4509a94107616a607948a17bf0c0dcaf6a10563977b6d8
SHA512 d7149319a59dac441f8fe846638933d62666232cd0550160f0d0f939b42a86bb7ebbff4dddbbf3bd485e71e39a3bfcce6da478ca686de48c42e906adef0ba606

C:\Users\Admin\AppData\Local\iwfkVgNb3\DevicePairingWizard.exe

MD5 9728725678f32e84575e0cd2d2c58e9b
SHA1 dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c
SHA256 d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544
SHA512 a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

memory/2884-53-0x0000000000200000-0x0000000000207000-memory.dmp

memory/2884-57-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/2884-52-0x0000000140000000-0x00000001400B5000-memory.dmp

\Users\Admin\AppData\Local\iwfkVgNb3\MFC42u.dll

MD5 adc269dafc7051b4c624cbba2d451801
SHA1 dabba25df48ae71364b27cbb409b5b169f6b9ffd
SHA256 c71edc0a27b5325587a941e7e09cbf000fb55163bd561476115b80e236511e90
SHA512 26989ac9d515fe0f6d1f90a7f49648507d651a5691a01439c387f9c1a00e9ccfe9eee89756bbc7336d96132e27af4a0a26f856fe378f502738a37a798ea30c70

\Users\Admin\AppData\Local\RFFvRDXM\UxTheme.dll

MD5 46d8a51aea115f4314007c3f5047a460
SHA1 6b269fcdcdc8c03aa039f2d5e0ea1c7fbe474d2d
SHA256 a2f4ac0cd30589f10819c8626ee1b9b5ee870f9c2b139c7a3a1469316ab5cece
SHA512 cb109949a41a8ca3cf62851893741739680962247fedc631f9ee7f826c4fecc1279b141c0b5957c4e13e5b09c9135db13530c338303e750ff6cd0c6dfdc4be0e

memory/2912-71-0x0000000000270000-0x0000000000277000-memory.dmp

memory/2912-69-0x0000000140000000-0x00000001400AF000-memory.dmp

memory/2912-73-0x0000000140000000-0x00000001400AF000-memory.dmp

C:\Users\Admin\AppData\Local\RFFvRDXM\UxTheme.dll

MD5 bf05c1f0cede1ce92cc2ee3e7b6f0a2f
SHA1 e0ef49f41f4212c448e8ddea5e1dfe4ba0ac61d7
SHA256 85b770e24a6d75935f7516b0500766518da39cbe2d10e557a955cb8c893851cb
SHA512 4f58651d22d69af84ce0674be3bc7f6f47dd3699ebebf4385a349213663a20beffe3a460acc98cc09b6fc56005e1d097fc09c8ce530e55d56fb9c6b56828ad41

C:\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe

MD5 f8051f06e1c4aa3f2efe4402af5919b1
SHA1 bbcf3711501dfb22b04b1a6f356d95a6d5998790
SHA256 50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a
SHA512 5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe

MD5 c4002c6e4e91b4a659f5b51882aa26ec
SHA1 bacfbc6f5b3be3e3e416cf872f3c087a90aede0d
SHA256 918d0a3592293179291b692f8172be3418b45041b285cd6b62d56130ade4c037
SHA512 01b9ef6a896c9a9b0954bd2a051ff050d0e5b88863a0f35f4ac4a241b5243182705f6ef8e079c6c8d42110683816fb23378fd57fb8f9a9b944a851291cdd1188

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\NT\isoburn.exe

MD5 33c1a81df7f9cf9556dc66751f9cf3b8
SHA1 8046e6da99778f893650f76c1dfeb452a8ae379c
SHA256 fdf76764af52efaec55874a8f34653027700008d9136f78be867cfead2b7b4ab
SHA512 73933983c0ce595edb5fc292e7b5cff1572f9ff5862a5ee24992b2a362834f85d18f5a738a0e6940cd9979456e49836ead6535b8767f6c4964a0be8b1f057e42

C:\Users\Admin\AppData\Local\L3G\wermgr.exe

MD5 41df7355a5a907e2c1d7804ec028965d
SHA1 453263d230c6317eb4a2eb3aceeec1bbcf5e153d
SHA256 207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861
SHA512 59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

\Users\Admin\AppData\Local\L3G\wermgr.exe

MD5 16d5b66819e4e4ae8ca357f7aa02ffaa
SHA1 0889ea9c0ec516bc6b1aec5ab6ed34d484665856
SHA256 cce68dd60f7c84dd555bda1ab0097b2fc280ba8bb395bc6013cfd3633af2a665
SHA512 35472e2a0f1a650d27a98d89b711b18d82e2dd7e74a594242b9f3490eb83f5e6fdf505137f2cc39b714ae072c0c4481c06385659beb242eecf84c6cde1f5632d

C:\Users\Admin\AppData\Local\FkR\icardagt.exe

MD5 c02f61848cb04603350ed53b69e08b2c
SHA1 5a3ed41c57456441023c7b484ae8ae1ed7cff04b
SHA256 7271996f23c832f0cd32cfddd376d8a30c3dd62300de9a2f145a2c81c5e0ef91
SHA512 23fcfcb349198ce0a9461c0b8fae56b64a30d0a6a7ebd19b168d3351d2d47d2d8337388fb14f43dca2bdf38db16a4f0faff5a4eead1e33703b2e77ad197b3be2

\Users\Admin\AppData\Local\FkR\UxTheme.dll

MD5 3f8b567b9ecb1d9c6bd8a980d6262adb
SHA1 40b78c32d15112c0044e25095d79ad12c9c4255a
SHA256 33bbece7295f1465bdd106b058ffc53f29cb78d6b279fd40811bf91f6f84e6dd
SHA512 b5939b4c8bc80ce99ea707c8c2c1e739fead7977ceba63b1237171ab5c1703ba703be65b92bbb92db4909abfd54219cac6a334092bde9422367e7d0c41df5fbf

C:\Users\Admin\AppData\Local\FkR\UxTheme.dll

MD5 dbd9bcfc5e1723ec725bd87b42786c4f
SHA1 9c39b2806668741dad49354f8b6739711c7ef964
SHA256 004b888330a9893a0312daa49487f77e0e12ce2aed604a8f65595550ca68118d
SHA512 5d2299487870262c7c247de26b4fbb2c83878d95925fb6334a017c0718354df6a43c36295c6d8b2d432dde93012e2d8edde675eb8cb28b6ad7c7f6122f42be3d

memory/2496-95-0x00000000003B0000-0x00000000003B7000-memory.dmp

memory/2496-99-0x0000000140000000-0x00000001400AF000-memory.dmp

\Users\Admin\AppData\Local\FkR\icardagt.exe

MD5 a3930bc881089abb2df025abfeac46fa
SHA1 d4488e5b9db6b0d294dcbe5f1601535d4593768a
SHA256 7982639ca04b46befc2ff1d4a19830b33bc198ef49e04d2f041609bc55168b5f
SHA512 e1fa2a5e8fe937b4233c334f682e916e2bf960bdde6372dce8d57928368e9355a292587768fbd732fafd624f1c6d963040a510640e5a55784aaf990196ad175a

C:\Users\Admin\AppData\Local\FkR\icardagt.exe

MD5 2288d3b6d05f84b40aef932a4848120c
SHA1 11260bacdb663fb04e0ec6ef2b2b204778fe7362
SHA256 39142fee79a058d4b67357fa00c39385d8a7e59eb235dc285852fbd99b08a030
SHA512 721e81d76bb0041397108b654f8fc6fc3c278f65decba37ca4c90c6be1fc73e99f8aebe06e48a3375030fa9f040a2ef828e452fc038896442bd1b940306f42ce

\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\ogAHD81arQ\icardagt.exe

MD5 00ba321bb13c59d14c3eb3dffecfa04a
SHA1 73ef4eb00227b9bf6846d61be1182599ce1bcc19
SHA256 a69aaaf07193de10c28897f3bdd3dc566a192c2ea71de1068f16eadd6b06db00
SHA512 d4c1abfefed2e60e12942a519272fa1cae4e4b4682e47e6db2f75199bd0c07ee55454041fa32b3011c202cf7c1917c8573ff27ca9945aafd0c59c2cdb74037f1

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\NT\UxTheme.dll

MD5 b5dfaacb58e04a624efe333ab5b50a42
SHA1 50c21475b111c4bb6135b526bcfc105e4392806a
SHA256 f9a9a871a19f7ece776f467053a3cf74c9b0a11118bab50f5b156d46edcd00cb
SHA512 50d71c541edeaee1656c8ee6fa651da61149f5dffa872fbb0c2d8361a7d08f18dc2d5cd99d13fd8c21b3ea79e4dc988e6ed0301894291f3158320ecb2b3821f4

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 5b70ceeb0d90403f90f3b6ad53899933
SHA1 e965c52554411ae62e9d405ae2bf665e01076f25
SHA256 c1592880fb41040eb3848f642ec0169803bc31f19259c306dc1c3103b5bea920
SHA512 2e34d6ef4a33d2a25032a247f18f0aadbdea489cefd69e552327a5398667f46744e5f3ab4ae7e97c89736cd31bcf780fe2ae0e10c2527813d9861988597dc2b2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\UU\MFC42u.dll

MD5 da2a5426976e984fc6cef2bf16c2de4d
SHA1 b3b1c1ebafa1f54c65ce7b37d2115f5d0fcd4f7a
SHA256 700c30076555e5b2ec81bcbda00d6931cc86e4670897566b733f6150de8fb6d7
SHA512 4b2cc748a0ba26473719c30f8b321144d35cc04c4e8312f40a6786fef1be9ea0cc6e262c703e249832c55733717dbf2e94e5773231ab90e14c396bdca1db8e2b
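
The dropped-file listing above shows the pattern behind the "Loads dropped DLL" and "Adds Run key" signatures: copies of Windows executables (the same names the report shows running from C:\Windows\system32) written to randomly named directories under the user profile, each beside a DLL, and the Run key value pointing into one of those directories. The listing also records several paths with more than one SHA256; the report does not say why. The following Python is an added example, not part of the sandbox output: it loads the listing (SHA256 values shortened to their first 16 hex characters; the full values are above), finds the executable-plus-DLL directories, lists relocated executables that have no DLL beside them, surfaces the multi-hash paths, and checks whether the Run key target lands in one of the flagged directories. Treating the drive-letter and drive-less spellings of a path as the same file, and the set of system executable names, are assumptions taken from this report.

```python
import re
from collections import defaultdict

# Dropped-file listing from the behavioral1 "Files" section of this report,
# SHA256 shortened to 16 hex characters for brevity (full values are above).
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\iwfkVgNb3\MFC42u.dll", "8388a07ecbc1c55a"),
    (r"C:\Users\Admin\AppData\Local\iwfkVgNb3\DevicePairingWizard.exe", "d95d3aa065a657c3"),
    (r"\Users\Admin\AppData\Local\iwfkVgNb3\MFC42u.dll", "c71edc0a27b53255"),
    (r"\Users\Admin\AppData\Local\RFFvRDXM\UxTheme.dll", "a2f4ac0cd30589f1"),
    (r"C:\Users\Admin\AppData\Local\RFFvRDXM\UxTheme.dll", "85b770e24a6d7593"),
    (r"C:\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe", "50dcb4be409f50d2"),
    (r"\Users\Admin\AppData\Local\RFFvRDXM\isoburn.exe", "918d0a3592293179"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\NT\isoburn.exe", "fdf76764af52efae"),
    (r"C:\Users\Admin\AppData\Local\L3G\wermgr.exe", "207bfec939e7c017"),
    (r"\Users\Admin\AppData\Local\L3G\wermgr.exe", "cce68dd60f7c84dd"),
    (r"C:\Users\Admin\AppData\Local\FkR\icardagt.exe", "7271996f23c832f0"),
    (r"\Users\Admin\AppData\Local\FkR\UxTheme.dll", "33bbece7295f1465"),
    (r"C:\Users\Admin\AppData\Local\FkR\UxTheme.dll", "004b888330a9893a"),
    (r"\Users\Admin\AppData\Local\FkR\icardagt.exe", "7982639ca04b46be"),
    (r"C:\Users\Admin\AppData\Local\FkR\icardagt.exe", "39142fee79a058d4"),
    (r"\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\ogAHD81arQ\icardagt.exe", "a69aaaf07193de10"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\NT\UxTheme.dll", "f9a9a871a19f7ece"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk", "c1592880fb41040e"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\UU\MFC42u.dll", "700c30076555e5b2"),
]

# Executable names this report also shows running from C:\Windows\system32.
SYSTEM_EXES = {"devicepairingwizard.exe", "isoburn.exe", "wermgr.exe", "icardagt.exe"}

# Value data of the Run key from the "Adds Run key to start application" row.
RUN_KEY_TARGET = r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\NT\isoburn.exe"


def normalize(path):
    """Lower-case and drop the drive letter, so 'C:\\Users\\...' and
    '\\Users\\...' (both spellings occur in the listing) compare equal.
    Assumption for the example: they name the same file."""
    return re.sub(r"^[A-Za-z]:", "", path).replace("/", "\\").lower()


def split_dir(path):
    directory, _, name = path.rpartition("\\")
    return directory, name


def sideload_candidates(dropped):
    """Return (triads, relocated_only).

    triads: directories outside System32 holding a system-named EXE and at
            least one DLL, the layout a side-loading host needs.
    relocated_only: directories holding such an EXE but no DLL in the listing.
    """
    by_dir = defaultdict(set)
    for path, _ in dropped:
        directory, name = split_dir(normalize(path))
        by_dir[directory].add(name)
    triads, relocated_only = {}, {}
    for directory, names in by_dir.items():
        if "\\windows\\system32" in directory:
            continue
        exes = sorted(n for n in names if n in SYSTEM_EXES)
        dlls = sorted(n for n in names if n.endswith(".dll"))
        if exes and dlls:
            triads[directory] = (exes, dlls)
        elif exes:
            relocated_only[directory] = exes
    return triads, relocated_only


def multi_hash_paths(dropped):
    """Paths recorded with more than one distinct SHA256."""
    hashes = defaultdict(set)
    for path, digest in dropped:
        hashes[normalize(path)].add(digest)
    return {p: sorted(hs) for p, hs in hashes.items() if len(hs) > 1}


def persistence_in_triad(run_target, triads):
    """True when the Run key points into one of the flagged directories."""
    directory, _ = split_dir(normalize(run_target))
    return directory in triads


if __name__ == "__main__":
    triads, relocated_only = sideload_candidates(DROPPED)
    for directory, (exes, dlls) in sorted(triads.items()):
        print(f"{directory}: {exes} + {dlls}")
    print("relocated without DLL:", relocated_only)
    print("multi-hash:", multi_hash_paths(DROPPED))
    print("Run key in triad:", persistence_in_triad(RUN_KEY_TARGET, triads))
```

The DLL names alone are not used as a signal, so the check also catches a host executable paired with an arbitrarily named DLL; in an investigation the next step is to verify the executable's Authenticode signature and compare the DLL against the signed system copy of the same name.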

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-25 18:58

Reported

2023-12-29 06:45

Platform

win10v2004-20231215-en

Max time kernel

3s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\362efdb462f7563b069081e0de821389.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\362efdb462f7563b069081e0de821389.dll,#1

C:\Users\Admin\AppData\Local\1pMz\ie4uinit.exe

C:\Windows\system32\ie4uinit.exe

C:\Users\Admin\AppData\Local\yNLrN\EaseOfAccessDialog.exe

C:\Windows\system32\EaseOfAccessDialog.exe

C:\Users\Admin\AppData\Local\b50\SystemPropertiesProtection.exe

C:\Windows\system32\SystemPropertiesProtection.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/2480-2-0x0000029F498F0000-0x0000029F498F7000-memory.dmp

memory/2480-0-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/3348-9-0x00007FF8344EA000-0x00007FF8344EB000-memory.dmp

memory/3348-14-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/3348-25-0x00007FF835090000-0x00007FF8350A0000-memory.dmp

memory/3348-34-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/3348-24-0x00007FF8350A0000-0x00007FF8350B0000-memory.dmp

memory/3348-23-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/3348-22-0x0000000000DD0000-0x0000000000DD7000-memory.dmp

memory/3348-13-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/3348-12-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/3348-11-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/3348-10-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/3348-8-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/3348-7-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/3348-6-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/3348-5-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/3348-3-0x0000000002B10000-0x0000000002B11000-memory.dmp

memory/2480-37-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/4964-51-0x0000024AB40B0000-0x0000024AB415F000-memory.dmp

memory/4964-47-0x0000024AB41B0000-0x0000024AB41B7000-memory.dmp

memory/4964-46-0x0000024AB40B0000-0x0000024AB415F000-memory.dmp

memory/852-64-0x000002D3A56A0000-0x000002D3A56A7000-memory.dmp

memory/852-67-0x0000000140000000-0x00000001400AF000-memory.dmp

memory/852-62-0x0000000140000000-0x00000001400AF000-memory.dmp

memory/1548-83-0x0000000140000000-0x00000001400AF000-memory.dmp

memory/1548-78-0x00000283C70C0000-0x00000283C70C7000-memory.dmp