Malware Analysis Report

2024-11-30 21:30

Sample ID 231229-19nj3adabl
Target 057bb2ade128476e59bac8ad60086d9e
SHA256 2fd1f1b0c7fb142aa3c4e81bedb7e6722acede96384123b60c86b2dca501b50a
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2fd1f1b0c7fb142aa3c4e81bedb7e6722acede96384123b60c86b2dca501b50a

Threat Level: Known bad

The file 057bb2ade128476e59bac8ad60086d9e was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Drops startup file

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-29 22:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-29 22:21

Reported

2023-12-30 04:14

Platform

win7-20231215-en

Max time kernel

151s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\057bb2ade128476e59bac8ad60086d9e.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\auAD8i N/A N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\auAD8i\FVEWIZ.dll N/A N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\auAD8i\BitLockerWizardElev.exe N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\2jZyUH\BitLockerWizardElev.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\PFWHWG8\msconfig.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\auAD8i\\BITLOC~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\2jZyUH\BitLockerWizardElev.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\PFWHWG8\msconfig.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 1484 N/A N/A C:\Windows\system32\osk.exe
PID 1200 wrote to memory of 1484 N/A N/A C:\Windows\system32\osk.exe
PID 1200 wrote to memory of 1484 N/A N/A C:\Windows\system32\osk.exe
PID 1200 wrote to memory of 2968 N/A N/A C:\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe
PID 1200 wrote to memory of 2968 N/A N/A C:\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe
PID 1200 wrote to memory of 2968 N/A N/A C:\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe
PID 1200 wrote to memory of 2944 N/A N/A C:\Windows\system32\BitLockerWizardElev.exe
PID 1200 wrote to memory of 2944 N/A N/A C:\Windows\system32\BitLockerWizardElev.exe
PID 1200 wrote to memory of 2944 N/A N/A C:\Windows\system32\BitLockerWizardElev.exe
PID 1200 wrote to memory of 108 N/A N/A C:\Users\Admin\AppData\Local\2jZyUH\BitLockerWizardElev.exe
PID 1200 wrote to memory of 108 N/A N/A C:\Users\Admin\AppData\Local\2jZyUH\BitLockerWizardElev.exe
PID 1200 wrote to memory of 108 N/A N/A C:\Users\Admin\AppData\Local\2jZyUH\BitLockerWizardElev.exe
PID 1200 wrote to memory of 1696 N/A N/A C:\Windows\system32\msconfig.exe
PID 1200 wrote to memory of 1696 N/A N/A C:\Windows\system32\msconfig.exe
PID 1200 wrote to memory of 1696 N/A N/A C:\Windows\system32\msconfig.exe
PID 1200 wrote to memory of 2984 N/A N/A C:\Users\Admin\AppData\Local\PFWHWG8\msconfig.exe
PID 1200 wrote to memory of 2984 N/A N/A C:\Users\Admin\AppData\Local\PFWHWG8\msconfig.exe
PID 1200 wrote to memory of 2984 N/A N/A C:\Users\Admin\AppData\Local\PFWHWG8\msconfig.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\057bb2ade128476e59bac8ad60086d9e.dll,#1

C:\Windows\system32\osk.exe

C:\Windows\system32\osk.exe

C:\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe

C:\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe

C:\Windows\system32\BitLockerWizardElev.exe

C:\Windows\system32\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\2jZyUH\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\2jZyUH\BitLockerWizardElev.exe

C:\Windows\system32\msconfig.exe

C:\Windows\system32\msconfig.exe

C:\Users\Admin\AppData\Local\PFWHWG8\msconfig.exe

C:\Users\Admin\AppData\Local\PFWHWG8\msconfig.exe

Network

N/A

Files

memory/816-0-0x0000000000330000-0x0000000000337000-memory.dmp

memory/816-1-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-4-0x0000000076C06000-0x0000000076C07000-memory.dmp

memory/1200-5-0x00000000029F0000-0x00000000029F1000-memory.dmp

memory/1200-11-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-10-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-9-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-8-0x0000000140000000-0x0000000140338000-memory.dmp

memory/816-7-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-15-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-16-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-14-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-13-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-12-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-21-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-20-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-27-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-26-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-25-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-24-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-23-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-22-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-19-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-18-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-17-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-31-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-30-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-35-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-36-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-34-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-33-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-32-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-29-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-28-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-39-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-40-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-38-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-37-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-41-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-42-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-44-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-45-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-43-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-46-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-47-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-48-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-49-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-50-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-52-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-51-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-53-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-54-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-56-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-55-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-58-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-57-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-60-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-59-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-61-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-62-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-64-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-63-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-65-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1200-67-0x00000000029C0000-0x00000000029C7000-memory.dmp

memory/1200-75-0x0000000076E11000-0x0000000076E12000-memory.dmp

memory/1200-76-0x0000000076F70000-0x0000000076F72000-memory.dmp

memory/1200-96-0x0000000076C06000-0x0000000076C07000-memory.dmp

C:\Users\Admin\AppData\Local\vKXB2V1Za\UxTheme.dll

MD5 22865f64942a35ac74e9e1de662f6187
SHA1 a0a0655bf377cba9308ac9886e005e01f1bc8165
SHA256 09b400db84593b024ebb0ba979c79a463c9f54953ff3e2db88151179dbe407dd
SHA512 ee0d789ef0cf25a952f8026d005905827f6bd4849b63bbe411405c5912a62c25188cbc72a1d7a2341db8da44998aa54aeb4edcd05eed6e2159e11b40b763de87

\Users\Admin\AppData\Local\vKXB2V1Za\UxTheme.dll

MD5 4e4544649d2317c011ad1c2c978f2644
SHA1 57ccef9cbf2d088b8a5ef7cc3fdab4a3a524c8e8
SHA256 9276d5256acb2fc3cb22e07ec372f620ed145ece00f5f310767f0ee61966ca0a
SHA512 37134db0abc4585d273c1b9e84003238e3b35df799b206c0a1f2f40094c2eb808cc16b243dcb03bcc032d9d83eb757bf6fbdfb67b3e74b9007c4328f944aa83c

memory/2968-104-0x0000000000110000-0x0000000000117000-memory.dmp

C:\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe

MD5 35272a16c4af43a850240bdc01eb34aa
SHA1 7431345b5818da148828cca7608c7f46eb0270c0
SHA256 db801a8805d39506ce60df4cf2f0197fdee534ded7747af14153023ffd87ff39
SHA512 de9b077e984d244e8cd5f704536825041f0d7496eafe67fd3ffee507010004c85625875ff0140fc9d5aad4b665f0b4758d30cca1275d5dab89ef62d995c5de7d

\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe

MD5 06d0bd2c078e2e114054dc291218037c
SHA1 118e0a2a0b22a51a32e2b77fe5f0a8a5e7649582
SHA256 250801b30ab992f654fee07a5acddb057e98a2c7b6b04acc9c28da4b1f613f77
SHA512 8c0fb37e518ca78b96a909273b64c0e976f125ee32d9ea8bedb3ad74c446b2c4b5b125c93653a3d741798b8695e48c49a235eff97ac6b7dbe1daa0b06851e230

C:\Users\Admin\AppData\Local\vKXB2V1Za\osk.exe

MD5 898f9e44da78d76a4f62d05bef5f5926
SHA1 94c1b10199a09cd711ab2bd2dbd91584bdf6b897
SHA256 1509b680653247b8086cdddd9994b1c719fe51abdeb92ca54584c850e48c86ad
SHA512 f7a080507a024740f28bd1bb0eaa0ee015ec4fdc1c91c627ed6cef902cdb19d231fb90673e3b53817fc412e43c8de3aa3107f60a4d916cd3167341e0b5c6bbcf

\Users\Admin\AppData\Local\2jZyUH\BitLockerWizardElev.exe

MD5 73f13d791e36d3486743244f16875239
SHA1 ed5ec55dbc6b3bda505f0a4c699c257c90c02020
SHA256 2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8
SHA512 911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

C:\Users\Admin\AppData\Local\2jZyUH\FVEWIZ.dll

MD5 aa8647851f92c87f2e174fbdb2208842
SHA1 9f630a3fcfcf4cc37751a107ad301a5a26780ae3
SHA256 7c2da0e82df081ef17e4451457832056a43827d80422f71ee6da6ad28e958831
SHA512 a37e7474ffe4971a17ccf9c362b9f7ce43e5165a4c4d6879b5a16ad736ee24b185c350f6b0bc5fbb7915877a7c9e8d8393d3ef1448f6f35d616db1234db0ce7a

\Users\Admin\AppData\Local\2jZyUH\FVEWIZ.dll

MD5 f55f199a48855e441c14ffbc9226c1af
SHA1 46afbdd481d6bd500f318bc9cb159094dde56885
SHA256 35cdead7a6b2f352e534808e7f960d2883497ee3096bd0606d1483b138542ef1
SHA512 1ec997812d92273a365fae47c65ffcc8eac66e509e723b104afbcfc9ec0ed745344f061d81f5f50ee24b1e7166ab877b238c23d14bf27047ae9b14dbdadc214a

memory/108-128-0x00000000000F0000-0x00000000000F7000-memory.dmp

\Users\Admin\AppData\Local\PFWHWG8\msconfig.exe

MD5 e19d102baf266f34592f7c742fbfa886
SHA1 c9c9c45b7e97bb7a180064d0a1962429f015686d
SHA256 f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1
SHA512 1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

C:\Users\Admin\AppData\Local\PFWHWG8\VERSION.dll

MD5 966f88d18a8f2728ca44993f228cefc8
SHA1 65c8baeb31b4c8bb7fadd24623aaebee77bdd710
SHA256 3da9b3376d0769503c3ea6c1de2cf871bc1c2199da1274d39a8e931ca249682c
SHA512 5f386156f999032d7a85c6c7e68013ca4b6cc71da30787ae83b64c6c680cc37b8aa0d3ce4add6b73d25adc10fb5aea5929a6e3a5527dd4c945dc7c60592ea24a

\Users\Admin\AppData\Local\PFWHWG8\VERSION.dll

MD5 6cd6f03144050649059edd44c5ddf317
SHA1 4d618d46c470d56dd896785a0e1cde2f15591b1c
SHA256 4e64b738c12290b6cbcf397817430861c91a84228a49b6a80d401c575cdf527f
SHA512 73910150335af660bbcd491d2cd4c785f523f8272e4800b6cd0ec74c21a8b99a03e05622172d9df27871cc0d58ace384334b3aec0029a19a0582ae38a3e2ba7e

memory/2984-147-0x0000000000290000-0x0000000000297000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

MD5 c1e1f6de88099e5bf84c94dc1164a0a7
SHA1 6af22c95d21cae0bc4ab3946483c484ce9d3efc0
SHA256 2bfe0dd679ae026fa35b5b752c34ca00c402898f3e997952fa3072eb36ba449a
SHA512 7bf18afe46a49b604e8c8cd47862993d312dcee6861785121f7a1b850ef9cade954b80cea6ca6523157aa53acb2408777383dc3d8fd1a4f712a39b98896d6fde

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\hpjMSAJ\UxTheme.dll

MD5 96651dc9ee1fc6b648e4ec49cd8fed4c
SHA1 befc482e57da3b1165076969cbc957088f3fc8ae
SHA256 78d76173c90eac79aaabc26250f40419f84216dffb65428a31fcc30a6b1b5a1d
SHA512 669aade51f2478c437c52e8a018eb79508ab0f79d7997d1b148e43562c596cb655f5bf27d90c0a3617a2dde003e4403a82554154019f2ce4cf8956f2b4b90a8e

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\fRyH\VERSION.dll

MD5 8731d1de7b8b62e75f63918c9546f526
SHA1 d5ac88bb4d6f826118aeb4a377b0baf8821198a1
SHA256 2077dfc770226f92f14f57a8a1dd24b7e70ccfcf52f9addc3bb7364edc93b9ea
SHA512 24bb17cb309070827c65b4d52dcf276e7143e13e71111cce397c7c4b2c3a936a2f6abd9328fb7b2323c482ef1f7f240a2552d14fa3b40b44c849501d1944410a

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-29 22:21

Reported

2023-12-30 04:14

Platform

win10v2004-20231215-en

Max time kernel

1s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\057bb2ade128476e59bac8ad60086d9e.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\057bb2ade128476e59bac8ad60086d9e.dll,#1

C:\Windows\system32\DWWIN.EXE

C:\Windows\system32\DWWIN.EXE

C:\Users\Admin\AppData\Local\iKEJno\DWWIN.EXE

C:\Users\Admin\AppData\Local\iKEJno\DWWIN.EXE

C:\Windows\system32\WMPDMC.exe

C:\Windows\system32\WMPDMC.exe

C:\Users\Admin\AppData\Local\W37Ok1My\WMPDMC.exe

C:\Users\Admin\AppData\Local\W37Ok1My\WMPDMC.exe

C:\Users\Admin\AppData\Local\Fg5wWVuQ6\wlrmdr.exe

C:\Users\Admin\AppData\Local\Fg5wWVuQ6\wlrmdr.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 138.91.171.81:80 | - | tcp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
GB | 96.17.178.176:80 | - | tcp
GB | 96.17.178.176:80 | - | tcp
GB | 96.17.178.176:80 | - | tcp
GB | 96.17.178.176:80 | - | tcp
GB | 96.17.178.176:80 | - | tcp
GB | 96.17.178.176:80 | - | tcp
GB | 96.17.178.176:80 | - | tcp
GB | 96.17.178.176:80 | - | tcp
NL | 52.142.223.178:80 | - | tcp
GB | 87.248.204.0:80 | - | tcp

Files

memory/3180-0-0x000001DFFCA70000-0x000001DFFCA77000-memory.dmp

memory/3180-1-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-4-0x0000000006F90000-0x0000000006F91000-memory.dmp

memory/3540-7-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-12-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-17-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-20-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-24-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-29-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-32-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-35-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-39-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-42-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-46-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-51-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-55-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-58-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-61-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-64-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-67-0x0000000000840000-0x0000000000847000-memory.dmp

memory/3540-65-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-75-0x00007FF8BB780000-0x00007FF8BB790000-memory.dmp

memory/3540-63-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-62-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-60-0x0000000140000000-0x0000000140338000-memory.dmp

memory/2268-96-0x000001B13B490000-0x000001B13B497000-memory.dmp

memory/3540-59-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-57-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-56-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-54-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-52-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-53-0x0000000140000000-0x0000000140338000-memory.dmp

memory/4156-112-0x000001DF5CC50000-0x000001DF5CC57000-memory.dmp

memory/4944-131-0x000002B56EA10000-0x000002B56EA17000-memory.dmp

memory/3540-50-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-49-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-48-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-47-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-45-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-44-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-43-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-41-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-40-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-38-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-37-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-36-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-34-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-33-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-31-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-30-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-28-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-27-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-26-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-25-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-23-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-22-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-21-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-19-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-18-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-16-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-15-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-14-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-13-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-11-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-10-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-8-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3540-9-0x00007FF8BB59A000-0x00007FF8BB59B000-memory.dmp

memory/3180-6-0x0000000140000000-0x0000000140338000-memory.dmp