Malware Analysis Report

2024-11-30 21:10

Sample ID 231230-c398gsgbf7
Target 0be4a8ea956924495ef2a35f5bea56ac
SHA256 351e750951076c33b8e4a25c8debd81c851d25c60aadd8a93b7ac141ee4fcb83
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

351e750951076c33b8e4a25c8debd81c851d25c60aadd8a93b7ac141ee4fcb83

Threat Level: Known bad

The file 0be4a8ea956924495ef2a35f5bea56ac was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Read together, the two detonations show the same loader pattern on both platforms. The DLL is registered with regsvr32 /s; the process hosting it (PID 1284 on Windows 7, PID 3168 on Windows 10, both of which map the image at 0x140000000 in the memory dumps) starts genuine Windows binaries from C:\Windows\system32 (BitLockerWizardElev.exe, mmc.exe and irftp.exe on Windows 7; mstsc.exe, SystemPropertiesPerformance.exe and RdpSa.exe on Windows 10), a copy of each binary then appears in a randomly named directory under AppData next to a library named after one of that binary's dependencies (FVEWIZ.dll, MFC42u.dll, WTSAPI32.dll, WINMM.dll, SYSDM.CPL, WINSTA.dll), and the host process writes into the memory of both the genuine process and the copy. The copies are the processes that query EnableLUA and load the dropped library, which is the DLL search-order hijacking (side-loading) layout typical of Dridex loaders. Persistence is a Run value under HKCU plus a .lnk in the user's Startup folder; on Windows 10 the Run value is written with 8.3 short names (MICROS~1, STARTM~1, SYSTEM~1.EXE), so a detection that matches the long path "Start Menu\Programs\Startup" literally will miss it. Several dropped paths were hashed twice with different digests, so the on-disk content changed during the run; collect the artifact itself rather than trusting a single listed hash. Neither run recorded traffic attributable to the sample.

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Drops startup file

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 02:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 02:37

Reported

2023-12-31 10:58

Platform

win7-20231215-en

Max time kernel

150s

Max time network

128s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0be4a8ea956924495ef2a35f5bea56ac.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Ow9Afz\BitLockerWizardElev.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\a1z\mmc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\lzD\irftp.exe | N/A
(4 further entries with no recorded description, indicator, process or target)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\VwLo6\\mmc.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Ow9Afz\BitLockerWizardElev.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\a1z\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\lzD\irftp.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
(61 further entries with no recorded description, indicator, process or target)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1284 wrote to memory of 2820 (recorded 3 times) | N/A | N/A | C:\Windows\system32\BitLockerWizardElev.exe
PID 1284 wrote to memory of 2708 (recorded 3 times) | N/A | N/A | C:\Users\Admin\AppData\Local\Ow9Afz\BitLockerWizardElev.exe
PID 1284 wrote to memory of 2376 (recorded 3 times) | N/A | N/A | C:\Windows\system32\mmc.exe
PID 1284 wrote to memory of 736 (recorded 3 times) | N/A | N/A | C:\Users\Admin\AppData\Local\a1z\mmc.exe
PID 1284 wrote to memory of 1112 (recorded 3 times) | N/A | N/A | C:\Windows\system32\irftp.exe
PID 1284 wrote to memory of 820 (recorded 3 times) | N/A | N/A | C:\Users\Admin\AppData\Local\lzD\irftp.exe

Uses Task Scheduler COM API

persistence

Processes

Process | Command line
C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0be4a8ea956924495ef2a35f5bea56ac.dll
C:\Windows\system32\BitLockerWizardElev.exe | C:\Windows\system32\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\Ow9Afz\BitLockerWizardElev.exe | C:\Users\Admin\AppData\Local\Ow9Afz\BitLockerWizardElev.exe
C:\Windows\system32\mmc.exe | C:\Windows\system32\mmc.exe
C:\Users\Admin\AppData\Local\a1z\mmc.exe | C:\Users\Admin\AppData\Local\a1z\mmc.exe
C:\Windows\system32\irftp.exe | C:\Windows\system32\irftp.exe
C:\Users\Admin\AppData\Local\lzD\irftp.exe | C:\Users\Admin\AppData\Local\lzD\irftp.exe

Network

N/A

Files

memory/2912-0-0x0000000001BE0000-0x0000000001BE7000-memory.dmp

memory/2912-1-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-4-0x0000000076CD6000-0x0000000076CD7000-memory.dmp

memory/1284-5-0x0000000002240000-0x0000000002241000-memory.dmp

memory/1284-7-0x0000000140000000-0x000000014019E000-memory.dmp

memory/2912-8-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-9-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-11-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-10-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-13-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-12-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-14-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-15-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-16-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-17-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-18-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-19-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-21-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-20-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-22-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-23-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-24-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-25-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-27-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-26-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-28-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-29-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-30-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-32-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-31-0x0000000002210000-0x0000000002217000-memory.dmp

memory/1284-39-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-40-0x0000000076EE1000-0x0000000076EE2000-memory.dmp

memory/1284-43-0x0000000077040000-0x0000000077042000-memory.dmp

memory/1284-50-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-56-0x0000000140000000-0x000000014019E000-memory.dmp

memory/1284-60-0x0000000140000000-0x000000014019E000-memory.dmp

\Users\Admin\AppData\Local\Ow9Afz\BitLockerWizardElev.exe

MD5 73f13d791e36d3486743244f16875239
SHA1 ed5ec55dbc6b3bda505f0a4c699c257c90c02020
SHA256 2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8
SHA512 911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

C:\Users\Admin\AppData\Local\Ow9Afz\FVEWIZ.dll

MD5 152ebda71a5bfb352e846a64e04da760
SHA1 de4daad0e8893df3f3c2f5c40caa37414f6f57f3
SHA256 eebeb729663b24dd53e4c5db58e93a348f0ede3d16fda573e492fa5d7cb827f2
SHA512 ff0b7482835de071621de1a5c74951adeb3c76a7b13bce655291e7272ce26522548673c8f2a1a6af3cfc6d20a0f12bba286eee53661a79a11b2efd5b91a49f70

memory/2708-68-0x0000000140000000-0x000000014019F000-memory.dmp

memory/2708-69-0x0000000000080000-0x0000000000087000-memory.dmp

memory/2708-74-0x0000000140000000-0x000000014019F000-memory.dmp

\Users\Admin\AppData\Local\a1z\mmc.exe

MD5 99273debf57d39fd7215c619d4ce4a71
SHA1 d5655b7687810753484b447a93d43db539427e35
SHA256 0eba19f3ba2dea1b9726c3559718c9bf468e4e3b3b69ad86c7a3b464d8ff8e5d
SHA512 a4cd3ecc6de7db849d75c2b4719fd69ff9f089b3ca8d80f68e2d607ca22635d09621d27e62d25d51f0119dd6b040dcb7f050cc143b7e1e7382d11ef5eb8800cd

C:\Users\Admin\AppData\Local\a1z\mmc.exe

MD5 9fea051a9585f2a303d55745b4bf63aa
SHA1 f5dc12d658402900a2b01af2f018d113619b96b8
SHA256 b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484
SHA512 beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

C:\Users\Admin\AppData\Local\a1z\MFC42u.dll

MD5 475fe0bf1a4264a900c221e49f8faf26
SHA1 bee373e3e6d21b1f25af8fabfb536d4f9f058c9a
SHA256 4a0096af981ef3928c286885f332d2e8e4aa8626ace0a85fc68ae5a5a9ba204f
SHA512 11fb6a382d78820c3f4437e7259318e3d924bbaf0625989e5e46e964f946947cbc652c07e16caed8fd21a2aff049bcf0dd5518cd1d0f126a90ad1994620d2280

memory/736-86-0x0000000140000000-0x00000001401A5000-memory.dmp

memory/736-91-0x0000000140000000-0x00000001401A5000-memory.dmp

\Users\Admin\AppData\Local\lzD\irftp.exe

MD5 0cae1fb725c56d260bfd6feba7ae9a75
SHA1 102ac676a1de3ec3d56401f8efd518c31c8b0b80
SHA256 312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d
SHA512 db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

C:\Users\Admin\AppData\Local\lzD\WTSAPI32.dll

MD5 7aaaa807e3fd492779e78381536c08dd
SHA1 0a3008772aa6debba9932187491703907e05c457
SHA256 faa6fef9bc364f454be1ebb327a894d9b2ec71f170c5201fd38313a80a14f540
SHA512 abafbe322ed7169b401593270acbb6ade9b2b6e9a7d4a111127ae1695366468d9345014387b12bb6b07d159ca09dcf1d8222e90586bfabc64fb48d018d0a822d

memory/820-104-0x0000000000290000-0x0000000000297000-memory.dmp

memory/820-109-0x0000000140000000-0x000000014019F000-memory.dmp

memory/1284-125-0x0000000076CD6000-0x0000000076CD7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 6bfb9d1b714c795773e770db37f42b47
SHA1 d61b5d021fb89bed24d7e96fb8c4e89183ce7c71
SHA256 215bee57f898c365b52263c8c13841c8946bc03f4401c072ad78537c57046970
SHA512 1113380116f135b067d57745ba29ed92cada00935f1a6f7df4b388a658c98e616df122c3583300bd2a25d5198b949d1370b139dc821c227d401f21e9c7fcc6aa

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 02:37

Reported

2023-12-31 10:59

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

157s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0be4a8ea956924495ef2a35f5bea56ac.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K7Jb | N/A | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K7Jb\SYSDM.CPL | N/A | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K7Jb\SystemPropertiesPerformance.exe | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fidpgamyc = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\K7Jb\\SYSTEM~1.EXE" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3fE1qp\mstsc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Rws\SystemPropertiesPerformance.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\wp0DKY\RdpSa.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
(58 further entries with no recorded description, indicator, process or target)

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3168 wrote to memory of 4788 (recorded 2 times) | N/A | N/A | C:\Windows\system32\mstsc.exe
PID 3168 wrote to memory of 3544 (recorded 2 times) | N/A | N/A | C:\Users\Admin\AppData\Local\3fE1qp\mstsc.exe
PID 3168 wrote to memory of 2452 (recorded 2 times) | N/A | N/A | C:\Windows\system32\SystemPropertiesPerformance.exe
PID 3168 wrote to memory of 1152 (recorded 2 times) | N/A | N/A | C:\Users\Admin\AppData\Local\Rws\SystemPropertiesPerformance.exe
PID 3168 wrote to memory of 2500 (recorded 2 times) | N/A | N/A | C:\Windows\system32\RdpSa.exe
PID 3168 wrote to memory of 1560 (recorded 2 times) | N/A | N/A | C:\Users\Admin\AppData\Local\wp0DKY\RdpSa.exe
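The rows above list only PIDs and target images; working out what they mean (the loader writing into a genuine System32 process and then into its own copy of the same binary) is left to the reader. The Python below is an added example written for this page, not sandbox output and not Dridex tooling. It parses the behavioral1 rows, embedded as constructed input with the sandbox's triple logging reproduced, de-duplicates them, classifies each target by whether its image lives under \Windows or \Users, pairs the two instances of each binary by basename, and cross-references the AppData copies against the processes the same run lists under "Loads dropped DLL" and "Checks whether UAC is enabled". The "Description | Target" row format is the example's own; the behavioral2 rows (writer PID 3168) can be fed through unchanged.

```python
"""Reconstruct the loader's injection chain from sandbox WriteProcessMemory rows."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: the behavioral1 rows from this report, one string per
# table row ("Description | Target"). The sandbox logged each write three
# times; the duplication is reproduced so the parser has to cope with it.
_BASE_ROWS = [
    "PID 1284 wrote to memory of 2820 | C:\\Windows\\system32\\BitLockerWizardElev.exe",
    "PID 1284 wrote to memory of 2708 | C:\\Users\\Admin\\AppData\\Local\\Ow9Afz\\BitLockerWizardElev.exe",
    "PID 1284 wrote to memory of 2376 | C:\\Windows\\system32\\mmc.exe",
    "PID 1284 wrote to memory of 736 | C:\\Users\\Admin\\AppData\\Local\\a1z\\mmc.exe",
    "PID 1284 wrote to memory of 1112 | C:\\Windows\\system32\\irftp.exe",
    "PID 1284 wrote to memory of 820 | C:\\Users\\Admin\\AppData\\Local\\lzD\\irftp.exe",
]
WRITE_ROWS = [row for row in _BASE_ROWS for _ in range(3)]

# Processes the same run reports under "Loads dropped DLL" and
# "Checks whether UAC is enabled" (both tables list only the AppData copies).
LOADS_DROPPED_DLL = {
    r"C:\Users\Admin\AppData\Local\Ow9Afz\BitLockerWizardElev.exe",
    r"C:\Users\Admin\AppData\Local\a1z\mmc.exe",
    r"C:\Users\Admin\AppData\Local\lzD\irftp.exe",
}
QUERIES_ENABLELUA = set(LOADS_DROPPED_DLL)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s*\|\s*(.+?)\s*$")


def parse_write_rows(rows):
    """Return unique (writer_pid, target_pid, target_image) triples in first-seen order."""
    unique = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        unique.setdefault((int(m[1]), int(m[2])), m[3])
    return [(w, t, img) for (w, t), img in unique.items()]


def image_location(image):
    """Coarse trust class from the top-level directory: \\Windows is 'system', \\Users is 'user-writable'."""
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    top = parts[1] if len(parts) > 1 else ""
    if top == "windows":
        return "system"
    if top == "users":
        return "user-writable"
    return "other"


def reconstruct_chain(rows, loads_dropped, queries_enablelua):
    """Pair each genuine System32 target with the loader's dropped copy of the same binary.

    Returns {image_basename: {writer, genuine_pid, dropped_pid, dropped_path,
                              loaded_dropped_dll, queried_enablelua}}.
    """
    chain = defaultdict(dict)
    for writer, target, image in parse_write_rows(rows):
        entry = chain[PureWindowsPath(image).name.lower()]
        entry.setdefault("writer", writer)
        if image_location(image) == "system":
            entry["genuine_pid"] = target
        else:
            entry["dropped_pid"] = target
            entry["dropped_path"] = image
            entry["loaded_dropped_dll"] = image in loads_dropped
            entry["queried_enablelua"] = image in queries_enablelua
    return dict(chain)


def findings(chain):
    """One triage line per binary that was written into in both locations."""
    out = []
    for name, e in sorted(chain.items()):
        if "genuine_pid" in e and "dropped_pid" in e:
            out.append(
                f"{name}: PID {e['writer']} wrote into the genuine copy (PID {e['genuine_pid']}) "
                f"and into a copy under a user-writable path (PID {e['dropped_pid']}, "
                f"{e['dropped_path']}); copy loaded a dropped DLL: {e['loaded_dropped_dll']}, "
                f"queried EnableLUA: {e['queried_enablelua']}"
            )
    return out


if __name__ == "__main__":
    for line in findings(reconstruct_chain(WRITE_ROWS, LOADS_DROPPED_DLL, QUERIES_ENABLELUA)):
        print(line)
```

The useful signal is the pairing itself: a single writer touching both the System32 instance of a binary and a same-named instance under \Users, where the latter then loads a library from its own directory, is the loader-to-side-loaded-stage handoff, and that is the relationship to carry into a process-tree detection rather than any one PID.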

Uses Task Scheduler COM API

persistence

Processes

Process | Command line
C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0be4a8ea956924495ef2a35f5bea56ac.dll
C:\Windows\system32\mstsc.exe | C:\Windows\system32\mstsc.exe
C:\Users\Admin\AppData\Local\3fE1qp\mstsc.exe | C:\Users\Admin\AppData\Local\3fE1qp\mstsc.exe
C:\Windows\system32\SystemPropertiesPerformance.exe | C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\Rws\SystemPropertiesPerformance.exe | C:\Users\Admin\AppData\Local\Rws\SystemPropertiesPerformance.exe
C:\Windows\system32\RdpSa.exe | C:\Windows\system32\RdpSa.exe
C:\Users\Admin\AppData\Local\wp0DKY\RdpSa.exe | C:\Users\Admin\AppData\Local\wp0DKY\RdpSa.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp (4 connections)
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp

Everything recorded here is reverse-DNS (PTR) lookups through 8.8.8.8 and HTTPS to tse1.mm.bing.net, which is what an idle Windows 10 sandbox image produces by itself; none of it is attributable to the sample, and no Dridex command-and-control contact was captured in either run. Do not lift these addresses or names as indicators for this sample.

Files

memory/4784-0-0x0000000000C80000-0x0000000000C87000-memory.dmp

memory/4784-1-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-4-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

memory/4784-7-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-9-0x00007FFCDC41A000-0x00007FFCDC41B000-memory.dmp

memory/3168-8-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-10-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-11-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-12-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-13-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-14-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-15-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-6-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-18-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-19-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-20-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-17-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-16-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-21-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-22-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-23-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-24-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-25-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-27-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-30-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-31-0x00000000010D0000-0x00000000010D7000-memory.dmp

memory/3168-32-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-29-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-28-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-26-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-39-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-40-0x00007FFCDD900000-0x00007FFCDD910000-memory.dmp

memory/3168-49-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3168-51-0x0000000140000000-0x000000014019E000-memory.dmp

C:\Users\Admin\AppData\Local\3fE1qp\WINMM.dll

MD5 a16d414d1d21d15a5678d2f1c7db8401
SHA1 a9836f1c49dde354d3b0d6b9c005fe717f521e10
SHA256 b847a223d32d9b1ac9a95ea0fb62abb1a6a00b97478d397a734d4141ae849579
SHA512 293364efaf78ac110b5feafd94364237e89a4d3ede4411d22997b9d02dd7b8c4389c497a467b843a38f2445adb2c429818920805d66b305ccdc3cac0aaafc9a0

memory/3544-61-0x000002B863550000-0x000002B863557000-memory.dmp

memory/3544-60-0x0000000140000000-0x00000001401A0000-memory.dmp

memory/3544-66-0x0000000140000000-0x00000001401A0000-memory.dmp

C:\Users\Admin\AppData\Local\3fE1qp\mstsc.exe

MD5 912f1a56dfb553e585dedf9cad7eac5d
SHA1 5e03d9a3023cb59310326a6b10c30a12fc2a8375
SHA256 c508764f687b0a1c447f5e29b7114ff668400c02e03d133d9403bef7d120b6bd
SHA512 32ab0b24a50c11a1f12d8c46fac8549877beeeb83528677c4c2265fd01e8047f7c19ccedb5f6c3441ae553f93a5ede3530fd8f796baa6d4250e746a806d7210d

C:\Users\Admin\AppData\Local\3fE1qp\WINMM.dll

MD5 352ac589cae3250f53d1f90dff8c4283
SHA1 a69a7cd72864641ee1e72250834dd6f9751507bf
SHA256 f91827efe8c37e923b86995bd9ba166f1ef4ab0fba5c68452642764285241e45
SHA512 3c3d23d6af9d975d57d76f7de27e1750d0a7572c237c673bd9b74b6d4fb42f0c3f8bd1222c3ffae17c4b1fa8906e4f98185a46698a29ac4429c502443748526c

C:\Users\Admin\AppData\Local\3fE1qp\mstsc.exe

MD5 fc06825397d85dd9339d9bec8e28cd28
SHA1 7993e88a4644be26886c96adcf5aa68eb1f181c2
SHA256 a00941f3e030f3401c03ab0ddadafc269241a33368cce57bd7e9976d7a2d307d
SHA512 8601277333658bbf32428f78729c3ce2f18c91df33d3539afd4c2fdfa2a5b8242391d1750325ce7b922d95f6ddeb96c98935a7d453bb5db7aeac60eeb511bb34

C:\Users\Admin\AppData\Local\Rws\SYSDM.CPL

MD5 2da44aeb24407255d908d51b0940a21d
SHA1 f6cc7f058567781a9325eb6c632fc1a9d7129d8a
SHA256 46f107fa61319f5e9a95c015eb6aefcdfc3abe6da211c53341fd99fbfc464be7
SHA512 673fcffae407a4f734aa54b71bd44f1997659d015c8308c9a03ab60798f7647d1e3fd05ff494cd680831c97efd2785b300577fe2b356bc8d0d3b403ef7647184

C:\Users\Admin\AppData\Local\Rws\SystemPropertiesPerformance.exe

MD5 e4fbf7cab8669c7c9cef92205d2f2ffc
SHA1 adbfa782b7998720fa85678cc85863b961975e28
SHA256 b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30
SHA512 c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

C:\Users\Admin\AppData\Local\Rws\SYSDM.CPL

MD5 6d577880696995cf9674f789a4f11a69
SHA1 9534ed7c5dcb1e80f03f9c8f88944503c1327e79
SHA256 e2d039ba935b7a1bd9885aae268fabfad372694a381ebb6bfd13956162a109a2
SHA512 ee4581f60185ed5804d44b29f018982e281182de0e35f0aee3f34a6cd872a5e2a72b66189f6901f1e03318dc00d066046f4e67250596c618714578fe87887433

memory/1152-78-0x000001D5619C0000-0x000001D5619C7000-memory.dmp

memory/1152-77-0x0000000140000000-0x000000014019F000-memory.dmp

memory/1152-83-0x0000000140000000-0x000000014019F000-memory.dmp

C:\Users\Admin\AppData\Local\Rws\SystemPropertiesPerformance.exe

MD5 df68c048b93b042d39f2dc516f849485
SHA1 bb634fe4fe4d03dc7922bb44d2e10d759bb5c26b
SHA256 7c456f200387b014fb46d59d266b22d3829f6854eee459f5be6de2f80477a3aa
SHA512 75b2aa87169262e44e0c237a7ef243a9f7158d39f07a73f9b7a25f2962bbc785c7a085a0b297b62e38524d28bf0c67b89fe7b4152f6c9810fd49ac210f5884a3

C:\Users\Admin\AppData\Local\wp0DKY\WINSTA.dll

MD5 facc14f1a973c6e670bfe9123d2fc581
SHA1 794bc202fe51e53b5db955c82ff5f1cf051d43ab
SHA256 5c2cd05de3503981081676426c408d66b26ec94befb17ed907e71be0e518c7f4
SHA512 884ff3589a374124f39c06e1bbaab88dd87fa7282fffc23f7c70c5695cb43605342751f6927f1dc86b9968c9e2890d6cbf3582b75989e40bbfe75a54f6845195

memory/1560-95-0x0000028258580000-0x0000028258587000-memory.dmp

C:\Users\Admin\AppData\Local\wp0DKY\WINSTA.dll

MD5 69908d4802a122da0c539a3e2458b2ed
SHA1 5cd68966e4ff079b62a2608d297c53d8747f12bd
SHA256 78f37d110f05ac64617852ff06cab3754bd74b3c5f3e77d886b0f664ab94ff7a
SHA512 cc7743d39dc6e581654d589eb5661660920ef98b8de5e3c7fd02db9ef469b1fe826d442ab8910beff5bd1bdb57bbd0f123b6ff0d1d0d44881837d326fe336561

memory/1560-100-0x0000000140000000-0x00000001401A0000-memory.dmp

C:\Users\Admin\AppData\Local\wp0DKY\RdpSa.exe

MD5 622e707968d875a316c5edb30db37205
SHA1 94e7f15fe8f513cace2da5f7b27e90df4d7896d7
SHA256 3308479856d3f408481ebf26d0807cc4e1199ec079b1f286605f36ab0560f3f6
SHA512 dc92a93b5beebdb578ab4af92ab0ca19017bb90265b6f29f3d3ad1b2e306dc23767b041c6bea45233424960e59e93b3fc67f642d37943e1914ac3a16c27b81a9

C:\Users\Admin\AppData\Local\wp0DKY\RdpSa.exe

MD5 5992f5b5d0b296b83877da15b54dd1b4
SHA1 0d87be8d4b7aeada4b55d1d05c0539df892f8f82
SHA256 32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c
SHA512 4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Enpllr.lnk

MD5 f8f1009ca926daf133c1611b976270c0
SHA1 646748f2c6007695cf084c945901628e187d6c6d
SHA256 73fe2f182056fb5d84f75ed24f7b0b2ccb993bb45c2c8500e922859280d5f165
SHA512 d54f5bf9f43a2f27769b65d4feafa157c2c77dba4b17717a2ad71025d40d7a211cc91a72fc7914811a57b9838e28857a2570076d629eb7eface62662b51c5f51

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\gmtGr\WINMM.dll

MD5 21e0bf7439839aa4835249d15b27a8e7
SHA1 5ab706cc3303d7381854a1f4acb6f4e8052d8d85
SHA256 f3735b7a8f11052895d5d159c838e138e05bae7b40a720c0a93459555ae7d8c1
SHA512 1da9df9f99f315b1de45cfb2be3fc80f099ce6f3c8748755dabd68eba92983a2e9344f1c206e709205bd3d6591566ac0b856a1f22b3ad9cd73e3ac689c36a2e4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K7Jb\SYSDM.CPL

MD5 55081b954c84bfa46f29cbae561c3e98
SHA1 33f9e8dd42ae50a58867d9458e7dd86cc73da224
SHA256 00bc58ddabe2f4da9720e35f6245b9f3e6abc476ad2b09684b7df4b8d5ad661a
SHA512 964e4dd7671de582f4f2c886df16a4c83ba31133d1b8146dade1b71e973880f5f744bf389f50e98d3f86cd48a1b94771d6ca3020529d4f1e2a656b8ea930dda7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CloudStore\Gnb286dfXQ\WINSTA.dll

MD5 91519ebf2b141af29968389e6a2923e4
SHA1 2a7520c3d1e139d8c93ea45f371a971fcec06490
SHA256 371c543f9f2542d128c397bb7a0d0368242801b03d8a8e6cc6c2ede4c48dd847
SHA512 b4e5bc641810c4d8b9e1fd67cdecebc65d1679afb7623283e43e30d62e17a501ed66f38703652a30e7e635d4f3bfaa31e1f4c95b3166e849c5e58a7b6029f070
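The Files sections of both runs show one layout over and over: a copy of a trusted binary in a fresh directory under AppData, a library named after one of its imports beside it, and Run-key and Startup-folder entries pointing back at those copies. The Python below is an added triage helper written for this page; it is not sandbox code and not part of the report. It groups the dropped paths by directory, flags executable-plus-library co-location under \Users as a side-loading candidate, notes directories where only the library has landed so far, collects Startup-folder .lnk files, and parses the two "Set value (str)" rows, un-escaping the registry string and listing any 8.3 short-name components so that the Windows 10 Run value is not missed by a long-path match. The input lists are constructed from this report (each path once, drive letters normalised to C:); SYSTEM32_NAMES is the set of genuine binaries the Processes sections show being launched from C:\Windows\system32. Resolving SYSTEM~1.EXE to its long name needs the file system, so the script only reports the short name.

```python
"""Triage dropped files and Run-key rows from a sandbox report for side-loading and persistence."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: dropped-file paths from the Files sections of both runs in this
# report (memory dumps omitted, each path listed once, drive letters normalised to C:).
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\Ow9Afz\BitLockerWizardElev.exe",
    r"C:\Users\Admin\AppData\Local\Ow9Afz\FVEWIZ.dll",
    r"C:\Users\Admin\AppData\Local\a1z\mmc.exe",
    r"C:\Users\Admin\AppData\Local\a1z\MFC42u.dll",
    r"C:\Users\Admin\AppData\Local\lzD\irftp.exe",
    r"C:\Users\Admin\AppData\Local\lzD\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk",
    r"C:\Users\Admin\AppData\Local\3fE1qp\mstsc.exe",
    r"C:\Users\Admin\AppData\Local\3fE1qp\WINMM.dll",
    r"C:\Users\Admin\AppData\Local\Rws\SystemPropertiesPerformance.exe",
    r"C:\Users\Admin\AppData\Local\Rws\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\wp0DKY\RdpSa.exe",
    r"C:\Users\Admin\AppData\Local\wp0DKY\WINSTA.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K7Jb\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K7Jb\SystemPropertiesPerformance.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Enpllr.lnk",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\gmtGr\WINMM.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CloudStore\Gnb286dfXQ\WINSTA.dll",
]

# The two "Adds Run key to start application" rows, copied from the report.
RUN_KEY_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\VwLo6\\mmc.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fidpgamyc = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\K7Jb\\SYSTEM~1.EXE"',
]

# Genuine binaries the Processes sections show being launched from C:\Windows\system32.
SYSTEM32_NAMES = {"bitlockerwizardelev.exe", "mmc.exe", "irftp.exe",
                  "mstsc.exe", "systempropertiesperformance.exe", "rdpsa.exe"}

LIBRARY_EXTS = {".dll", ".cpl"}
RUN_ROW_RE = re.compile(r'^Set value \(str\) (?P<key>.+)\\(?P<name>[^\\ ]+) = "(?P<data>.*)"$')
SHORT_NAME_RE = re.compile(r"[^\\]*~\d+[^\\]*")  # 8.3 components such as MICROS~1 or SYSTEM~1.EXE


def is_user_writable(path):
    """True when the path sits under \\Users (profile, AppData), i.e. writable without elevation."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) > 1 and parts[1] == "users"


def sideload_candidates(paths):
    """Group dropped files by directory and flag exe+library co-location in user-writable dirs.

    Returns (pairs, library_only, startup_links). A pair is the side-loading layout:
    a copy of a trusted binary next to a library named after one of its imports.
    """
    by_dir = defaultdict(list)
    for p in paths:
        w = PureWindowsPath(p)
        by_dir[str(w.parent)].append(w.name)
    pairs, library_only, startup_links = [], [], []
    for directory, names in by_dir.items():
        if not is_user_writable(directory):
            continue
        exes = [n for n in names if n.lower().endswith(".exe")]
        libs = sorted(n for n in names if PureWindowsPath(n).suffix.lower() in LIBRARY_EXTS)
        for exe in exes:
            if libs:
                pairs.append({"dir": directory, "exe": exe, "libs": libs,
                              "copies_system_binary": exe.lower() in SYSTEM32_NAMES})
        if libs and not exes:
            library_only.append({"dir": directory, "libs": libs})
        if "startup" in directory.lower():
            startup_links += [str(PureWindowsPath(directory) / n)
                              for n in names if n.lower().endswith(".lnk")]
    return pairs, library_only, startup_links


def parse_run_value(row):
    """Parse a sandbox 'Set value (str)' row into key, value name and the un-escaped target."""
    m = RUN_ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    target = m["data"].replace("\\\\", "\\")  # the report shows registry strings with doubled backslashes
    return {
        "key": m["key"],
        "value_name": m["name"],
        "target": target,
        "short_names": SHORT_NAME_RE.findall(target),  # non-empty: 8.3 names hide the long path
        "user_writable": is_user_writable(target),
        "in_startup_folder": "startup" in target.lower(),
    }


def triage(paths, run_rows):
    """Combine the file-layout and Run-key checks into one summary dict."""
    pairs, library_only, startup_links = sideload_candidates(paths)
    run_values = [parse_run_value(r) for r in run_rows]
    return {
        "sideload_pairs": pairs,
        "library_only_dirs": library_only,
        "startup_links": startup_links,
        "run_values": run_values,
        "run_values_using_8dot3": [v["value_name"] for v in run_values if v["short_names"]],
    }


if __name__ == "__main__":
    for pair in triage(DROPPED_FILES, RUN_KEY_ROWS)["sideload_pairs"]:
        print(pair["dir"], pair["exe"], pair["libs"], pair["copies_system_binary"])
```

On a live host the same checks apply to an Autoruns or Sysmon file-create export. The point of the 8.3 check is that MICROS~1\Windows\STARTM~1 and Microsoft\Windows\Start Menu are the same directory, and a rule written against only one spelling covers only one of the two spellings this sample used.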