Malware Analysis Report

2024-11-30 21:10

Sample ID: 231230-b3jvvsfac4
Target: 0a612c4f364319bd4698e2b32d0a3197
SHA256: a3d87f6734559fd09dd0d6a2d7807fa1d23a500a2e08bc8faa8af548ff28f14e
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: a3d87f6734559fd09dd0d6a2d7807fa1d23a500a2e08bc8faa8af548ff28f14e

Threat Level: Known bad

The file 0a612c4f364319bd4698e2b32d0a3197 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported

2023-12-30 01:40

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 01:40

Reported

2023-12-31 05:06

Platform

win7-20231215-en

Max time kernel

127s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a612c4f364319bd4698e2b32d0a3197.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Process:
C:\Users\Admin\AppData\Local\fRwd\tcmsetup.exe
C:\Users\Admin\AppData\Local\fNr12E\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\ToGP\SystemPropertiesAdvanced.exe

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\JjlDp\\AdapterTroubleshooter.exe"

Checks whether UAC is enabled

evasion trojan
Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process:
C:\Users\Admin\AppData\Local\fNr12E\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\ToGP\SystemPropertiesAdvanced.exe
C:\Windows\system32\rundll32.exe
C:\Users\Admin\AppData\Local\fRwd\tcmsetup.exe

Suspicious behavior: EnumeratesProcesses

Process: C:\Windows\system32\rundll32.exe (3 events)

Suspicious use of WriteProcessMemory

Description: PID 1380 wrote to memory of 2308 (3 events)
Target: C:\Windows\system32\tcmsetup.exe

Description: PID 1380 wrote to memory of 2564 (3 events)
Target: C:\Users\Admin\AppData\Local\fRwd\tcmsetup.exe

Description: PID 1380 wrote to memory of 2924 (3 events)
Target: C:\Windows\system32\AdapterTroubleshooter.exe

Description: PID 1380 wrote to memory of 796 (3 events)
Target: C:\Users\Admin\AppData\Local\fNr12E\AdapterTroubleshooter.exe

Description: PID 1380 wrote to memory of 756 (3 events)
Target: C:\Windows\system32\SystemPropertiesAdvanced.exe

Description: PID 1380 wrote to memory of 2480 (3 events)
Target: C:\Users\Admin\AppData\Local\ToGP\SystemPropertiesAdvanced.exe

Uses Task Scheduler COM API

persistence

Processes

Process: C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a612c4f364319bd4698e2b32d0a3197.dll,#1

Process: C:\Windows\system32\tcmsetup.exe
Command line: C:\Windows\system32\tcmsetup.exe

Process: C:\Users\Admin\AppData\Local\fRwd\tcmsetup.exe
Command line: C:\Users\Admin\AppData\Local\fRwd\tcmsetup.exe

Process: C:\Windows\system32\AdapterTroubleshooter.exe
Command line: C:\Windows\system32\AdapterTroubleshooter.exe

Process: C:\Users\Admin\AppData\Local\fNr12E\AdapterTroubleshooter.exe
Command line: C:\Users\Admin\AppData\Local\fNr12E\AdapterTroubleshooter.exe

Process: C:\Windows\system32\SystemPropertiesAdvanced.exe
Command line: C:\Windows\system32\SystemPropertiesAdvanced.exe

Process: C:\Users\Admin\AppData\Local\ToGP\SystemPropertiesAdvanced.exe
Command line: C:\Users\Admin\AppData\Local\ToGP\SystemPropertiesAdvanced.exe

Network

N/A

Files

\Users\Admin\AppData\Local\fRwd\TAPI32.dll

C:\Users\Admin\AppData\Local\fRwd\TAPI32.dll

C:\Users\Admin\AppData\Local\fRwd\tcmsetup.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\LV3xjhIuvz\tcmsetup.exe

\Users\Admin\AppData\Local\fNr12E\AdapterTroubleshooter.exe

C:\Users\Admin\AppData\Local\fNr12E\d3d9.dll

C:\Users\Admin\AppData\Local\fNr12E\AdapterTroubleshooter.exe

\Users\Admin\AppData\Local\fNr12E\d3d9.dll

\Users\Admin\AppData\Local\ToGP\SystemPropertiesAdvanced.exe

C:\Users\Admin\AppData\Local\ToGP\SYSDM.CPL

\Users\Admin\AppData\Local\ToGP\SYSDM.CPL

C:\Users\Admin\AppData\Local\ToGP\SystemPropertiesAdvanced.exe

C:\Users\Admin\AppData\Local\ToGP\SystemPropertiesAdvanced.exe

\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UNYu\SystemPropertiesAdvanced.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\LV3xjhIuvz\TAPI32.dll

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\JjlDp\d3d9.dll

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 01:40

Reported

2023-12-31 05:06

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

65s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a612c4f364319bd4698e2b32d0a3197.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Checks whether UAC is enabled

evasion trojan
Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Windows\system32\rundll32.exe

Suspicious behavior: EnumeratesProcesses

Process: C:\Windows\system32\rundll32.exe (4 events)

Processes

Process: C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a612c4f364319bd4698e2b32d0a3197.dll,#1

Process: C:\Users\Admin\AppData\Local\WR9\rdpinit.exe
Command line: C:\Users\Admin\AppData\Local\WR9\rdpinit.exe

Process: C:\Windows\system32\SysResetErr.exe
Command line: C:\Windows\system32\SysResetErr.exe

Process: C:\Windows\system32\rdpinit.exe
Command line: C:\Windows\system32\rdpinit.exe

Process: C:\Users\Admin\AppData\Local\GgAXdQI\mspaint.exe
Command line: C:\Users\Admin\AppData\Local\GgAXdQI\mspaint.exe

Process: C:\Windows\system32\mspaint.exe
Command line: C:\Windows\system32\mspaint.exe

Process: C:\Users\Admin\AppData\Local\skcTKB8\SysResetErr.exe
Command line: C:\Users\Admin\AppData\Local\skcTKB8\SysResetErr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp

Files

Memory dump regions only; no dropped files were recorded for this run.