Malware Analysis Report

2024-11-30 21:27

Sample ID 231226-saf2yahffq
Target 772b68bf3048024e686be386fbfe5083
SHA256 7c62dc19058fca240cc5e8942a240f7691e6066aa3d59a51185ac3209e8f1409
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7c62dc19058fca240cc5e8942a240f7691e6066aa3d59a51185ac3209e8f1409

Threat Level: Known bad

The file 772b68bf3048024e686be386fbfe5083 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2023-12-26 14:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 14:55

Reported

2023-12-28 02:24

Platform

win7-20231215-en

Max time kernel

171s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\772b68bf3048024e686be386fbfe5083.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\979G\\SPINST~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\7sKi\mspaint.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\system32\7sKi\mspaint.exe C:\Windows\system32\cmd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 268 N/A N/A C:\Windows\system32\spinstall.exe
PID 1244 wrote to memory of 268 N/A N/A C:\Windows\system32\spinstall.exe
PID 1244 wrote to memory of 268 N/A N/A C:\Windows\system32\spinstall.exe
PID 1244 wrote to memory of 776 N/A N/A C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 776 N/A N/A C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 776 N/A N/A C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 1980 N/A N/A C:\Windows\system32\mspaint.exe
PID 1244 wrote to memory of 1980 N/A N/A C:\Windows\system32\mspaint.exe
PID 1244 wrote to memory of 1980 N/A N/A C:\Windows\system32\mspaint.exe
PID 1244 wrote to memory of 1940 N/A N/A C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 1940 N/A N/A C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 1940 N/A N/A C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 1336 N/A N/A C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 1336 N/A N/A C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 1336 N/A N/A C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 808 N/A N/A C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 808 N/A N/A C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 808 N/A N/A C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 2908 N/A N/A C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 2908 N/A N/A C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 2908 N/A N/A C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 2920 N/A N/A C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 2920 N/A N/A C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 2920 N/A N/A C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 436 N/A N/A C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 436 N/A N/A C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 436 N/A N/A C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 944 N/A N/A C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 944 N/A N/A C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 944 N/A N/A C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\772b68bf3048024e686be386fbfe5083.dll,#1

C:\Windows\system32\spinstall.exe

C:\Windows\system32\spinstall.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\dzDlhu.cmd

C:\Windows\system32\mspaint.exe

C:\Windows\system32\mspaint.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\yZdxQJ.cmd

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /F /TN "Hkckipfn" /TR "C:\Windows\system32\7sKi\mspaint.exe" /SC minute /MO 60 /RL highest

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Hkckipfn"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Hkckipfn"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Hkckipfn"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Hkckipfn"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Hkckipfn"

Network

N/A

Files

memory/2796-0-0x000007FEF6AF0000-0x000007FEF6B93000-memory.dmp

memory/2796-1-0x0000000001B30000-0x0000000001B37000-memory.dmp

memory/1244-3-0x00000000772D6000-0x00000000772D7000-memory.dmp

memory/1244-4-0x0000000002A80000-0x0000000002A81000-memory.dmp

memory/1244-13-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-22-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-23-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-21-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-20-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-25-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-33-0x0000000077540000-0x0000000077542000-memory.dmp

memory/1244-32-0x00000000773E1000-0x00000000773E2000-memory.dmp

memory/1244-31-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-24-0x0000000002A60000-0x0000000002A67000-memory.dmp

memory/1244-19-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-18-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-42-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-47-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-17-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-16-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-15-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-14-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-12-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-11-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-10-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-9-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-8-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/2796-7-0x000007FEF6AF0000-0x000007FEF6B93000-memory.dmp

memory/1244-6-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/1244-55-0x00000000772D6000-0x00000000772D7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dzDlhu.cmd

MD5 a4688edaf2def2f9ecb7e8c220f3de2f
SHA1 a14483444477d558a418bb8ece3de4403d4e69d2
SHA256 03f61e9d00a48feba9cf0317fa7c8cebed5b3cb25d5dcf1bd87e1202bd06a178
SHA512 850beecae69bce4273daf645827d9f9a386456e77429f49ab82c3adbb3b62446adf8edc90324f5463c8c34382d8e99edd38db33cc57bb849e2d20fcf8d115013

C:\Users\Admin\AppData\Local\Temp\syr6671.tmp

MD5 7026c5c2deefd569ca62985fff08ae6f
SHA1 5b46af69711e1a93ca2053edaece28a37dec0594
SHA256 efb120ed5a2cae5c0947fd03d160a178da26b20b36406c9b8909ae81ed2e13ee
SHA512 092006716dc09d6883bc854cb0a310b8154ce8a1007213b8daefe1ce15a0897df28ad4ee171c92a1e8318bd7ac065966d51ea1e77eb5cdaf727a0604ad2135bc

C:\Users\Admin\AppData\Local\Temp\yZdxQJ.cmd

MD5 19b062469fb937864622c1da5a2903c0
SHA1 f5f7aba496c79045dc9c281e488a3de85bda0c30
SHA256 5152d241b15f07a021080a63a8fb37008df05c5872e4a848b6b334a7a5a5dda8
SHA512 7dc79b56593551012cdda3f9f7db61e8a7a174f418f8d5a5fba40916a4db079392d9fff6518d3ec5784cab0522246bfb72b1de955b5f3209f8641f7830c6d7ba

C:\Users\Admin\AppData\Local\Temp\ZaB137.tmp

MD5 661348b0acdfaf708e3bd361a53833ca
SHA1 7dea4d2ce50fc42a40c55196fb34d7e7498c07ac
SHA256 ba00572a4f9b40157ee9f43c165af8fb095239fe853163005e8ca482bc270f9d
SHA512 78aa4eda2cce84d3de63f58651b9eeb95476372e6038f8647e326ad4acda817a75ee50930d0f2660dba8ad0622959ecb86e566d7aa5f96fdbb8dd0d12835126a

\Users\Admin\AppData\Roaming\979G\spinstall.exe

MD5 29c1d5b330b802efa1a8357373bc97fe
SHA1 90797aaa2c56fc2a667c74475996ea1841bc368f
SHA256 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f
SHA512 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fskzoiv.lnk

MD5 3225b1b3eaa5e1f4877abaf407b6e83e
SHA1 95ab5abe4ee59b878c2a51855076924621b1b8e3
SHA256 c28086e72ff84db7d5a6bb0d8f78387cef37ec403d1e53b9ee8bbbf5f3da5555
SHA512 beef4cfcc03a905fe467d255de5b015491802e3f1a9f19f8c986b98f0350fde88852a00fba90edcc2525b98b812b89d172910ca0081625a36a57cb991e2744d2

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 14:55

Reported

2023-12-28 02:23

Platform

win10v2004-20231215-en

Max time kernel

51s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\772b68bf3048024e686be386fbfe5083.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\yVtwNVk\\rdpinit.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\J0u34\WMPDMC.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\system32\J0u34\WMPDMC.exe C:\Windows\system32\cmd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3448 wrote to memory of 2320 N/A N/A C:\Windows\system32\rdpinit.exe
PID 3448 wrote to memory of 2320 N/A N/A C:\Windows\system32\rdpinit.exe
PID 3448 wrote to memory of 4840 N/A N/A C:\Windows\system32\cmd.exe
PID 3448 wrote to memory of 4840 N/A N/A C:\Windows\system32\cmd.exe
PID 3448 wrote to memory of 4088 N/A N/A C:\Windows\system32\WMPDMC.exe
PID 3448 wrote to memory of 4088 N/A N/A C:\Windows\system32\WMPDMC.exe
PID 3448 wrote to memory of 3968 N/A N/A C:\Windows\system32\cmd.exe
PID 3448 wrote to memory of 3968 N/A N/A C:\Windows\system32\cmd.exe
PID 3448 wrote to memory of 3224 N/A N/A C:\Windows\system32\schtasks.exe
PID 3448 wrote to memory of 3224 N/A N/A C:\Windows\system32\schtasks.exe
PID 3448 wrote to memory of 832 N/A N/A C:\Windows\system32\schtasks.exe
PID 3448 wrote to memory of 832 N/A N/A C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\772b68bf3048024e686be386fbfe5083.dll,#1

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\wwPwGp.cmd

C:\Windows\system32\rdpinit.exe

C:\Windows\system32\rdpinit.exe

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /F /TN "Mtkoqsmyqyvls" /TR "C:\Windows\system32\J0u34\WMPDMC.exe" /SC minute /MO 60 /RL highest

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\XbR9A.cmd

C:\Windows\system32\WMPDMC.exe

C:\Windows\system32\WMPDMC.exe

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
GB 88.221.135.211:80 tcp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp

Files

memory/1208-0-0x00007FFE37110000-0x00007FFE371B3000-memory.dmp

memory/1208-2-0x0000025C34AA0000-0x0000025C34AA7000-memory.dmp

memory/1208-6-0x00007FFE37110000-0x00007FFE371B3000-memory.dmp

memory/3448-22-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-24-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-31-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-43-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-41-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-32-0x00007FFE45A80000-0x00007FFE45A90000-memory.dmp

memory/3448-29-0x0000000000E90000-0x0000000000E97000-memory.dmp

memory/3448-23-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-21-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-20-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-19-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-18-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-17-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-16-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-15-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-14-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-13-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-12-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-11-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-10-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-9-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-8-0x00007FFE4448A000-0x00007FFE4448B000-memory.dmp

memory/3448-7-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-5-0x0000000140000000-0x00000001400A3000-memory.dmp

memory/3448-3-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Bsv72EE.tmp

MD5 483fd818df66e432f2232f4617e10d39
SHA1 8ec7f41d0863a05665f571fc34e4c9362153ab79
SHA256 0070cd47d3c7b852db51a891fcd08c25a5e7dc049ba946700b8b9e4c30234bc0
SHA512 7b55185e7cc35a674a13cfff48dc07f654a59d67b22e8c7c99532e542003e12dc420731a6e5ffeed18edf5d2e7f627372f43f71e4ac87d16322bcc140af7c68a

C:\Users\Admin\AppData\Local\Temp\wwPwGp.cmd

MD5 c1531074ed36eb217c0ba2adc63136e4
SHA1 c87f6544c63df73515e2e4c23b1d059823f5270c
SHA256 3fcfc7e9c24e140b0f1754b57b3e3e10265294cbcbfb31b1314caf5017724202
SHA512 6487906c1e65c04c4dfb670946791a19a0786f5ebb89652e283bb11c9b657710ef5b60952629a7e9a659cdd41807d31acf79176d63747c21e40cc9f00e2d11ce

C:\Users\Admin\AppData\Local\Temp\UW9A5C.tmp

MD5 79165f482d17ced2e968edd56ec75d1b
SHA1 cbe4f04cb0c8d06bcff42b43716fd1a1d6096095
SHA256 3bf7312b661fef1e4e6f54e866a365f096e109adca1f716257cca1b8e65b3442
SHA512 6e7fb8bf5e6631fc1691298d1867492e6edd19660912a65bdbdad989817591b3d88c9cc7134b05a4a23877adb693595340f35040968ae0f687410a2ce18881b4

C:\Users\Admin\AppData\Local\Temp\XbR9A.cmd

MD5 933ad1e2f3e1d49ef8cd8a59f3affe09
SHA1 7a8a816d6d595f395b5a10043dfc868d02194f89
SHA256 7245c7cdc720710c22a7af2a738b5d8e740d07e2309255af20708de7d3a73772
SHA512 efaa481ce78a9d1762cf1e0443956e03d49b8ca2fde2c1db1a186acde1220ff17f18e522bff332edc310cce99ed0bd0833c5f6cba4e22579af19835ffe601e39

C:\Users\Admin\AppData\Roaming\yVtwNVk\rdpinit.exe

MD5 b0ecd76d99c5f5134aeb52460add6f80
SHA1 51462078092c9d6b7fa2b9544ffe0a49eb258106
SHA256 51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b
SHA512 16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367