Malware Analysis Report

2024-11-30 21:27

Sample ID 231227-3d4yaadab3
Target ba31ddda85cfc93608e410fc1c3e3b55
SHA256 1d354a2854d4e2a4f5fa28d78fca5e05715141c59737bb3307d2bf24fea4b9bc
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file ba31ddda85cfc93608e410fc1c3e3b55 was found to be: Known bad.

Malicious Activity Summary

Dridex

Dridex Shellcode

Dridex payload

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-27 23:24

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-27 23:24

Reported

2024-01-08 01:26

Platform

win7-20231215-en

Max time kernel

149s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba31ddda85cfc93608e410fc1c3e3b55.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\QikYotqaB\SystemPropertiesDataExecutionPrevention.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\iLWXh\isoburn.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\fE8lG\BdeUISrv.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\a89OFTF9DWr\\isoburn.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\fE8lG\BdeUISrv.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\QikYotqaB\SystemPropertiesDataExecutionPrevention.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\iLWXh\isoburn.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\QikYotqaB\SystemPropertiesDataExecutionPrevention.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1204 wrote to memory of 2356 | N/A | N/A | C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 1204 wrote to memory of 2356 | N/A | N/A | C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 1204 wrote to memory of 2356 | N/A | N/A | C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 1204 wrote to memory of 2912 | N/A | N/A | C:\Users\Admin\AppData\Local\QikYotqaB\SystemPropertiesDataExecutionPrevention.exe
PID 1204 wrote to memory of 2912 | N/A | N/A | C:\Users\Admin\AppData\Local\QikYotqaB\SystemPropertiesDataExecutionPrevention.exe
PID 1204 wrote to memory of 2912 | N/A | N/A | C:\Users\Admin\AppData\Local\QikYotqaB\SystemPropertiesDataExecutionPrevention.exe
PID 1204 wrote to memory of 2152 | N/A | N/A | C:\Windows\system32\isoburn.exe
PID 1204 wrote to memory of 2152 | N/A | N/A | C:\Windows\system32\isoburn.exe
PID 1204 wrote to memory of 2152 | N/A | N/A | C:\Windows\system32\isoburn.exe
PID 1204 wrote to memory of 1904 | N/A | N/A | C:\Users\Admin\AppData\Local\iLWXh\isoburn.exe
PID 1204 wrote to memory of 1904 | N/A | N/A | C:\Users\Admin\AppData\Local\iLWXh\isoburn.exe
PID 1204 wrote to memory of 1904 | N/A | N/A | C:\Users\Admin\AppData\Local\iLWXh\isoburn.exe
PID 1204 wrote to memory of 1640 | N/A | N/A | C:\Windows\system32\BdeUISrv.exe
PID 1204 wrote to memory of 1640 | N/A | N/A | C:\Windows\system32\BdeUISrv.exe
PID 1204 wrote to memory of 1640 | N/A | N/A | C:\Windows\system32\BdeUISrv.exe
PID 1204 wrote to memory of 1036 | N/A | N/A | C:\Users\Admin\AppData\Local\fE8lG\BdeUISrv.exe
PID 1204 wrote to memory of 1036 | N/A | N/A | C:\Users\Admin\AppData\Local\fE8lG\BdeUISrv.exe
PID 1204 wrote to memory of 1036 | N/A | N/A | C:\Users\Admin\AppData\Local\fE8lG\BdeUISrv.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba31ddda85cfc93608e410fc1c3e3b55.dll,#1

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\QikYotqaB\SystemPropertiesDataExecutionPrevention.exe

C:\Windows\system32\isoburn.exe

C:\Users\Admin\AppData\Local\iLWXh\isoburn.exe

C:\Windows\system32\BdeUISrv.exe

C:\Users\Admin\AppData\Local\fE8lG\BdeUISrv.exe

Network

N/A

Files

\Users\Admin\AppData\Local\QikYotqaB\SystemPropertiesDataExecutionPrevention.exe

MD5 e43ff7785fac643093b3b16a9300e133
SHA1 a30688e84c0b0a22669148fe87680b34fcca2fba
SHA256 c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b
SHA512 61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

C:\Users\Admin\AppData\Local\QikYotqaB\SYSDM.CPL

MD5 6d80f414fedcff26669341ea853d284b
SHA1 20101e85bf33c810054d0024d9f0e9d41e28497f
SHA256 6e93c9b5a1d833df7035d1a3e1944735f9c934cb3ab0dded6ceadcd4527f3cfb
SHA512 a917b3c595c0466efb916c1d5fd755b8c1927f2df68954bde301285ec5870f885c5c0f7f7044eb8e34ebd8e9088134846feda22c02d95f5146fb4cc6b3067096

C:\Users\Admin\AppData\Local\iLWXh\isoburn.exe

MD5 f8051f06e1c4aa3f2efe4402af5919b1
SHA1 bbcf3711501dfb22b04b1a6f356d95a6d5998790
SHA256 50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a
SHA512 5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

C:\Users\Admin\AppData\Local\iLWXh\UxTheme.dll

MD5 6ec971ea149366fa0fe10b31ca74402f
SHA1 5831774f59a08d6a357f50b279abd0c74f894d57
SHA256 f679520333131c2d329fd0bf86d7c0a9ae29020f0bad5a3369d0125bb075ace5
SHA512 af5c42a36a332e9696ae4ab350990196accbcd8c536726b72dc29dbf9b75219036675c0e3a50ae5b370b15a3a669e3d5ccb1dd62886a32ab8f0fe7fe4b9e9675

\Users\Admin\AppData\Local\fE8lG\BdeUISrv.exe

MD5 1da6b19be5d4949c868a264bc5e74206
SHA1 d5ee86ba03a03ef8c93d93accafe40461084c839
SHA256 00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c
SHA512 9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

C:\Users\Admin\AppData\Local\fE8lG\WTSAPI32.dll

MD5 a369a727b6fc425b746027c5128b8e40
SHA1 7de26c163e4b515da04759feeaaa878b659ecde6
SHA256 52fd4277462b3bc976f5beced0ab7f430c3f3e1ba70c429c4cf1681fda5c4bd1
SHA512 617ee7815c71b2091a78f23bb3d3fb305a3fe4d4dc0cf8267f2b5646fa8a2d39e1d788905f588f69ccdc060d56592c94a86ae3b58b61a2aa066046307201fa0f

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

MD5 562dc9bb8f5d4326d3169c4093815066
SHA1 38d77b04cbb82c816e7238fa890629fcaf79e3ff
SHA256 5519028a711ec4ffe320689b20111142e7ced661844d9bbdbdb9d6c84878deaa
SHA512 407b29f631f625960831251836bd7bc76f8bd77a7f95282e6b4be4ce7ac5754c8934581aed7feaf6972973eeb67507573ac922b7b7c38b67da4a33189ef3d8d6

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-27 23:24

Reported

2024-01-08 01:26

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba31ddda85cfc93608e410fc1c3e3b55.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hwtkseldaftjsj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\RXglQS\\FXSCOVER.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\dnOXL\FXSCOVER.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\9L9vXLy\sppsvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\EPZkWjv\tcmsetup.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3388 wrote to memory of 3648 | N/A | N/A | C:\Windows\system32\tcmsetup.exe
PID 3388 wrote to memory of 3648 | N/A | N/A | C:\Windows\system32\tcmsetup.exe
PID 3388 wrote to memory of 3332 | N/A | N/A | C:\Users\Admin\AppData\Local\EPZkWjv\tcmsetup.exe
PID 3388 wrote to memory of 3332 | N/A | N/A | C:\Users\Admin\AppData\Local\EPZkWjv\tcmsetup.exe
PID 3388 wrote to memory of 852 | N/A | N/A | C:\Windows\system32\FXSCOVER.exe
PID 3388 wrote to memory of 852 | N/A | N/A | C:\Windows\system32\FXSCOVER.exe
PID 3388 wrote to memory of 1864 | N/A | N/A | C:\Users\Admin\AppData\Local\dnOXL\FXSCOVER.exe
PID 3388 wrote to memory of 1864 | N/A | N/A | C:\Users\Admin\AppData\Local\dnOXL\FXSCOVER.exe
PID 3388 wrote to memory of 2820 | N/A | N/A | C:\Users\Admin\AppData\Local\9L9vXLy\sppsvc.exe
PID 3388 wrote to memory of 2820 | N/A | N/A | C:\Users\Admin\AppData\Local\9L9vXLy\sppsvc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba31ddda85cfc93608e410fc1c3e3b55.dll,#1

C:\Windows\system32\tcmsetup.exe

C:\Users\Admin\AppData\Local\EPZkWjv\tcmsetup.exe

C:\Windows\system32\FXSCOVER.exe

C:\Users\Admin\AppData\Local\dnOXL\FXSCOVER.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\9L9vXLy\sppsvc.exe

Network

Files

C:\Users\Admin\AppData\Local\EPZkWjv\tcmsetup.exe

MD5 58f3b915b9ae7d63431772c2616b0945
SHA1 6346e837da3b0f551becb7cac6d160e3063696e9
SHA256 e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39
SHA512 7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

C:\Users\Admin\AppData\Local\EPZkWjv\TAPI32.dll

MD5 4515118bb68cc2157314b21d84adecb3
SHA1 e50de7f91f6c3c092deed933e3b7f1d634c24543
SHA256 de3505b56137d4d753e6cadcde2749b79fe92247122770c674ee2634f7498c7a
SHA512 349519d76dfd3512926c5c8d9d3f6650010ecfa9d870deb64aea94167b70435d6bd09ea1f46b2ac0ff65cb6e16d714b4893a84537af5d21ae8a9c4350b97640d

C:\Users\Admin\AppData\Local\dnOXL\MFC42u.dll

MD5 92f70d2821c7d94685ebd065af456242
SHA1 f81afccab188bbd98aa6628664a6cab625725a08
SHA256 82bfe0203e53395d8f9146f30625163b2cee3aa5b12dfe8ad51cec32620a2427
SHA512 53027454fc87a08a9a29d1e0d8e167d02d94de44519e37e374fc02bca12251b25216f04f0e242e40d949d665660f3299a3172f55e0d3e35653bbebb36e9f8526

C:\Users\Admin\AppData\Local\dnOXL\FXSCOVER.exe

MD5 5769f78d00f22f76a4193dc720d0b2bd
SHA1 d62b6cab057e88737cba43fe9b0c6d11a28b53e8
SHA256 40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31
SHA512 b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

C:\Users\Admin\AppData\Local\9L9vXLy\sppsvc.exe

MD5 ec6cef0a81f167668e18fa32f1606fce
SHA1 6d56837a388ae5573a38a439cee16e6dde5b4de8
SHA256 82c59a2f606ebf1a8a0de16be150600ac63ad8351c6bf3952c27a70257cb70f8
SHA512 f40b37675329ca7875d958b4b0019082548a563ada217c7431c2ca5c7f93957b242f095f7f04bcdd6240b97ea99e89bfe3a003f97c43366d00a93768fef7b4c5

C:\Users\Admin\AppData\Local\9L9vXLy\XmlLite.dll

MD5 6784e45c0f030345c8b3a9908d6c4d61
SHA1 536b673337b406affae5921237a34abff3b1cab5
SHA256 61ad0b91dead59ae5c375c67efa8d91b6642d5637ac9687ceff74aaf76262369
SHA512 7ca490926f5c84d8f179468568f9919b92b2c774998b43c728da886bf4c1b8128eca64ee6201d9d9815b7ade2aae94619a62b1a0272586214361eb90e3febc6e

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mkzwiunlad.lnk

MD5 1e4a59ce50b655c48dc9f38d7481291c
SHA1 f044076a52d6a65f5e98d4e22a02082a27255698
SHA256 7a96f791f6d7a08137f7a8c99ed6a9a2087161294451c559610cb56f5fcd6ff5
SHA512 fe8983500ea574251c1628e0e288500070689995bffdcf4bc68dd9d1f71be6699fdf6b574c64636eaded702101f7fbec703938348b2b1233c1493b2f4ec61bf9