Malware Analysis Report

2024-11-30 21:26

Sample ID 231227-p9zfsaagfn
Target b122a91caaad5f9133a910107ab182f2
SHA256 f2ded2615a9ec37198c3ae0042de5ddb999eda4d0d89b5469d20c4b047e8759f
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f2ded2615a9ec37198c3ae0042de5ddb999eda4d0d89b5469d20c4b047e8759f

Threat Level: Known bad

The file b122a91caaad5f9133a910107ab182f2 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-27 13:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-27 13:02

Reported

2023-12-29 06:55

Platform

win7-20231215-en

Max time kernel

188s

Max time network

35s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b122a91caaad5f9133a910107ab182f2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uT6bhFB\SystemPropertiesPerformance.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\dwhYGTu\wusa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\23bjN\tcmsetup.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\YU\\wusa.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\uT6bhFB\SystemPropertiesPerformance.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\dwhYGTu\wusa.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\23bjN\tcmsetup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 1984 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 1188 wrote to memory of 1984 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 1188 wrote to memory of 1984 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 1188 wrote to memory of 1676 N/A N/A C:\Users\Admin\AppData\Local\uT6bhFB\SystemPropertiesPerformance.exe
PID 1188 wrote to memory of 1676 N/A N/A C:\Users\Admin\AppData\Local\uT6bhFB\SystemPropertiesPerformance.exe
PID 1188 wrote to memory of 1676 N/A N/A C:\Users\Admin\AppData\Local\uT6bhFB\SystemPropertiesPerformance.exe
PID 1188 wrote to memory of 1180 N/A N/A C:\Windows\system32\wusa.exe
PID 1188 wrote to memory of 1180 N/A N/A C:\Windows\system32\wusa.exe
PID 1188 wrote to memory of 1180 N/A N/A C:\Windows\system32\wusa.exe
PID 1188 wrote to memory of 1052 N/A N/A C:\Users\Admin\AppData\Local\dwhYGTu\wusa.exe
PID 1188 wrote to memory of 1052 N/A N/A C:\Users\Admin\AppData\Local\dwhYGTu\wusa.exe
PID 1188 wrote to memory of 1052 N/A N/A C:\Users\Admin\AppData\Local\dwhYGTu\wusa.exe
PID 1188 wrote to memory of 1832 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1188 wrote to memory of 1832 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1188 wrote to memory of 1832 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1188 wrote to memory of 768 N/A N/A C:\Users\Admin\AppData\Local\23bjN\tcmsetup.exe
PID 1188 wrote to memory of 768 N/A N/A C:\Users\Admin\AppData\Local\23bjN\tcmsetup.exe
PID 1188 wrote to memory of 768 N/A N/A C:\Users\Admin\AppData\Local\23bjN\tcmsetup.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b122a91caaad5f9133a910107ab182f2.dll,#1

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\uT6bhFB\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\uT6bhFB\SystemPropertiesPerformance.exe

C:\Windows\system32\wusa.exe

C:\Windows\system32\wusa.exe

C:\Users\Admin\AppData\Local\dwhYGTu\wusa.exe

C:\Users\Admin\AppData\Local\dwhYGTu\wusa.exe

C:\Windows\system32\tcmsetup.exe

C:\Windows\system32\tcmsetup.exe

C:\Users\Admin\AppData\Local\23bjN\tcmsetup.exe

C:\Users\Admin\AppData\Local\23bjN\tcmsetup.exe

Network

N/A

Files

memory/2828-1-0x0000000000180000-0x0000000000187000-memory.dmp

memory/2828-0-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-4-0x0000000077116000-0x0000000077117000-memory.dmp

memory/1188-5-0x0000000002220000-0x0000000002221000-memory.dmp

memory/1188-7-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-8-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-9-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-11-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-12-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-10-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-14-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-15-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-18-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-21-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-22-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-23-0x0000000002200000-0x0000000002207000-memory.dmp

memory/1188-24-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-20-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-19-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-17-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-16-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-13-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-31-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-33-0x00000000774B0000-0x00000000774B2000-memory.dmp

memory/1188-32-0x0000000077321000-0x0000000077322000-memory.dmp

memory/2828-34-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-43-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-44-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1188-52-0x0000000077116000-0x0000000077117000-memory.dmp

C:\Users\Admin\AppData\Local\uT6bhFB\SystemPropertiesPerformance.exe

MD5 870726cdcc241a92785572628b89cc07
SHA1 63d47cc4fe9beb75862add1abca1d8ae8235710a
SHA256 1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6
SHA512 89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

C:\Users\Admin\AppData\Local\uT6bhFB\SYSDM.CPL

MD5 d410067acd1b165ba2c7bb13e4c87f7b
SHA1 72de35b155e505c9983626024a8c5e5830a0295e
SHA256 e708a9ae513715b4f2a1dcac55a1eb0528bcdb5c228d4fbb3047147385338a05
SHA512 7a43d973e93a82046370d3ee9e80f8a7ccdda6fba5e8bfeef7766b7d31aa745ea004ee2c0d6beb61f5aff1513e9fb9d781f973562ca72de37834a456765ca69d

memory/1676-60-0x0000000140000000-0x00000001400B7000-memory.dmp

memory/1676-62-0x0000000000070000-0x0000000000077000-memory.dmp

memory/1676-66-0x0000000140000000-0x00000001400B7000-memory.dmp

\Users\Admin\AppData\Local\dwhYGTu\wusa.exe

MD5 c15b3d813f4382ade98f1892350f21c7
SHA1 a45c5abc6751bc8b9041e5e07923fa4fc1b4542b
SHA256 8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3
SHA512 6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

C:\Users\Admin\AppData\Local\dwhYGTu\dpx.dll

MD5 13caaa94ecd7fc7747b65ed2b12031b1
SHA1 b649ea8b1cc9bd697f53a22f1a7c7b791c538949
SHA256 b8793c85b611e20711edc20870845196ef0a2456abe6050a0ed8577e1302a4ce
SHA512 599d2b86400b60b2a57362e897d24b5001b3ffb4bf68de64d1fa73820861d771d6aa21d89b45d16a55003faa94357361dd7ba0b9c51486fedd2831e590f83f0e

memory/1052-80-0x00000000000F0000-0x00000000000F7000-memory.dmp

memory/1052-84-0x0000000140000000-0x00000001400B7000-memory.dmp

\Users\Admin\AppData\Local\23bjN\tcmsetup.exe

MD5 0b08315da0da7f9f472fbab510bfe7b8
SHA1 33ba48fd980216becc532466a5ff8476bec0b31c
SHA256 e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7
SHA512 c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

C:\Users\Admin\AppData\Local\23bjN\TAPI32.dll

MD5 a10dafdc447283f38823e97445bb0715
SHA1 7a8604b56d4d92f134e9f9f22b112589746b0613
SHA256 42e8a2a36f1fe9f6948696d9907f0866e6823c666777f28fde29f4cba44a4f81
SHA512 4ac57dbdd358157e2fc99b89e8bcb7703e9b5ec9452f1af3d489fcb70710b77b3dc9269d1607ba42b61a2a7976eb97c5a208c64b571d853022cacefc5834d3dd

memory/768-96-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/768-101-0x0000000140000000-0x00000001400B8000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

MD5 3a68295874964b48796955813ce9b7a6
SHA1 955fa74ab3c5b577bdd9753fef90bb2df483db87
SHA256 8efa420c7e4ccdddda0fdd646615df1768f17fd7c3356961381f5f00ba470980
SHA512 2d2b6ea3ee78540fa20d29802df6c10ff570659132a0d5f9a0703f89a6eaf7345f377e90a64b9599e56e938da1975e76c08d389c8bc0229b7ea8cdc9b2b94918

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\9vd3NH4t\SYSDM.CPL

MD5 ce3dd7dc00d7ebe3fe2b45d2a66b726d
SHA1 bd2b67f99f97b8d376cfbcaaac8d0b321038816c
SHA256 02515cef327a9647c59453b2c5b1686f1cd27eb065ea3106b78589961b850de0
SHA512 dcf4a65804d84c7516c49edf367d2f7af2916e3817479a8bc9b8389af33cbef57eda7232f3e410f77a47664a731aca7850e6ee0a8b07ad038251e687e197bfa0

C:\Users\Admin\AppData\Roaming\Microsoft\YU\dpx.dll

MD5 902fcc4fc8799c8f1f391d4f54ce6429
SHA1 8204c8e3e352a1968940d11b598c8218efb9afd3
SHA256 e92b9c6c75b4ac8c6b81c6b8358a37615c9a51164918591a326c3b6301f6cb28
SHA512 c96353ffe52a689f1352a5f22812b9192787ff41c116e2be9d4d4d2c6513d1d8f3b9441f5bcfa9bc0396a04c35907ff8648f4d39289118c7375dfb1106ceef99

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\yFHsBZI9b\TAPI32.dll

MD5 3e5044fa5597f21bd0bc9cb2a002bb64
SHA1 0609f90f33db3ed3139bdd0800b3612d0f79e1a8
SHA256 c5191eb223716ea02c403b9d1eb276d2b98b7774ea99164edc141c34ba7be235
SHA512 20f80f4bbc47df23777db8d0945a0f1dbafdcc80696ddfdbab54d0002ed2a29f57108d39ccacc717298c36d639ef32ff6267e8ecdccced93e269d068e6d5c9ce

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-27 13:02

Reported

2023-12-29 06:51

Platform

win10v2004-20231215-en

Max time kernel

152s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b122a91caaad5f9133a910107ab182f2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\zRxVPbtoC2k\\WFS.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\zoZBJC\phoneactivate.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\xFx1yOt\WFS.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\5iWWlGY1R\dpapimig.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3512 wrote to memory of 2348 N/A N/A C:\Windows\system32\phoneactivate.exe
PID 3512 wrote to memory of 2348 N/A N/A C:\Windows\system32\phoneactivate.exe
PID 3512 wrote to memory of 3580 N/A N/A C:\Users\Admin\AppData\Local\zoZBJC\phoneactivate.exe
PID 3512 wrote to memory of 3580 N/A N/A C:\Users\Admin\AppData\Local\zoZBJC\phoneactivate.exe
PID 3512 wrote to memory of 3116 N/A N/A C:\Windows\system32\WFS.exe
PID 3512 wrote to memory of 3116 N/A N/A C:\Windows\system32\WFS.exe
PID 3512 wrote to memory of 2336 N/A N/A C:\Users\Admin\AppData\Local\xFx1yOt\WFS.exe
PID 3512 wrote to memory of 2336 N/A N/A C:\Users\Admin\AppData\Local\xFx1yOt\WFS.exe
PID 3512 wrote to memory of 3568 N/A N/A C:\Windows\system32\dpapimig.exe
PID 3512 wrote to memory of 3568 N/A N/A C:\Windows\system32\dpapimig.exe
PID 3512 wrote to memory of 3920 N/A N/A C:\Users\Admin\AppData\Local\5iWWlGY1R\dpapimig.exe
PID 3512 wrote to memory of 3920 N/A N/A C:\Users\Admin\AppData\Local\5iWWlGY1R\dpapimig.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b122a91caaad5f9133a910107ab182f2.dll,#1

C:\Windows\system32\phoneactivate.exe

C:\Windows\system32\phoneactivate.exe

C:\Users\Admin\AppData\Local\zoZBJC\phoneactivate.exe

C:\Users\Admin\AppData\Local\zoZBJC\phoneactivate.exe

C:\Windows\system32\WFS.exe

C:\Windows\system32\WFS.exe

C:\Users\Admin\AppData\Local\xFx1yOt\WFS.exe

C:\Users\Admin\AppData\Local\xFx1yOt\WFS.exe

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\5iWWlGY1R\dpapimig.exe

C:\Users\Admin\AppData\Local\5iWWlGY1R\dpapimig.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

memory/1848-0-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1848-2-0x0000020579CF0000-0x0000020579CF7000-memory.dmp

memory/3512-4-0x0000000000630000-0x0000000000631000-memory.dmp

memory/3512-7-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3512-9-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3512-8-0x00007FFCC502A000-0x00007FFCC502B000-memory.dmp

memory/3512-6-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3512-10-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3512-12-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3512-11-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3512-13-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3512-14-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3512-15-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3512-16-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3512-17-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3512-18-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3512-19-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3512-20-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3512-21-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3512-24-0x0000000000600000-0x0000000000607000-memory.dmp

memory/3512-23-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3512-22-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3512-31-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3512-32-0x00007FFCC6A90000-0x00007FFCC6AA0000-memory.dmp

memory/3512-41-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1848-44-0x0000000140000000-0x00000001400B6000-memory.dmp

C:\Users\Admin\AppData\Local\zoZBJC\phoneactivate.exe

MD5 32c31f06e0b68f349f68afdd08e45f3d
SHA1 e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c
SHA256 cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017
SHA512 fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

C:\Users\Admin\AppData\Local\zoZBJC\SLC.dll

MD5 7ff15326fc377b6423911e72e2649c8e
SHA1 e67f27ebbc0668b7a00cfd502cc96228fc9b6f5b
SHA256 eaf571769be6508c887d887ccf4da10aaec1860530b2a302f5ee59cb4cc1e350
SHA512 4796da4499c00ae3155ddf91955bbc664f8ba0abf388d53530fd43043c4ff5e2313ee27795ec427d7441c95f8dddc91b947f714953905251b34dc9996910df04

memory/3580-51-0x0000027C97AE0000-0x0000027C97AE7000-memory.dmp

memory/3580-52-0x0000000140000000-0x00000001400B7000-memory.dmp

memory/3580-57-0x0000000140000000-0x00000001400B7000-memory.dmp

C:\Users\Admin\AppData\Local\xFx1yOt\WFS.exe

MD5 3cbc8d0f65e3db6c76c119ed7c2ffd85
SHA1 e74f794d86196e3bbb852522479946cceeed7e01
SHA256 e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4
SHA512 26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

C:\Users\Admin\AppData\Local\xFx1yOt\credui.dll

MD5 16082cd7084cd0a2422862d1d08fd303
SHA1 28da451426d2663c5ffd7ac1f9146bc8c59e13df
SHA256 ba917a5e69d008aecb7630eededb9daa9520b9a613d5ad68a537554fd5ee668c
SHA512 d9c51da2c24fa77c447870c9786d368ff9533941031a855e601cef621aaab249f30ef65661e03603e03de32b260bde5782d00a4fb455be31c5af7ed9e12f6dc4

memory/2336-68-0x00000235D9960000-0x00000235D9967000-memory.dmp

memory/2336-74-0x0000000140000000-0x00000001400B7000-memory.dmp

C:\Users\Admin\AppData\Local\5iWWlGY1R\dpapimig.exe

MD5 b6d6477a0c90a81624c6a8548026b4d0
SHA1 e6eac6941d27f76bbd306c2938c0a962dbf1ced1
SHA256 a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb
SHA512 72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe

C:\Users\Admin\AppData\Local\5iWWlGY1R\DUI70.dll

MD5 0d945fb531da801c8a13e7c5d1346e5b
SHA1 25585ab94362e7c6b57981f11df2a96db4bd87d8
SHA256 4b900740e933d61f05abc2bb6f3f3273d558d7f15b26e9ffadfbfe4cd23e25eb
SHA512 ded6c44aa897aadb167cff5b65fb7d3f4fb5061cb86475675e8473fb565790b26386be31ffb91d4b11f0b90fac6f770b8b915c6334f3288464b561aa052cada3

memory/3920-87-0x0000000140000000-0x00000001400FC000-memory.dmp

memory/3920-88-0x0000023687D10000-0x0000023687D17000-memory.dmp

memory/3920-93-0x0000000140000000-0x00000001400FC000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 497cfe49ccc51a232548f21de8e0c9c7
SHA1 ab28381097759d4a86f5bcde328be1ffd3079db6
SHA256 1ca9a90614120b0bcb3d2cf3f5a9f89233ea01e96742d770a042865106867a0d
SHA512 407f17dee85d2e61d5356732ee49f4b6dd3aab00ddb343d65466804b846cb8b5c4afcca28a33eb030d8529be0e80fb96cb91c2bb9bdcfa081ad0f3ebecc23e1d