Malware Analysis Report

2024-11-30 21:17

Sample ID 231230-c4jrxsgcc8
Target 0be77175d5db7bce6d960349865754a2
SHA256 c5c78eabafaaa221a918f4d7705abdf19bd3af2540ce416b2f82c5aa85d35f25
Tags
dridex botnet evasion payload trojan persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c5c78eabafaaa221a918f4d7705abdf19bd3af2540ce416b2f82c5aa85d35f25

Threat Level: Known bad

The file 0be77175d5db7bce6d960349865754a2 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan persistence

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 02:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 02:37

Reported

2023-12-31 11:01

Platform

win7-20231215-en

Max time kernel

5s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0be77175d5db7bce6d960349865754a2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0be77175d5db7bce6d960349865754a2.dll,#1

C:\Windows\system32\dpnsvr.exe

C:\Windows\system32\dpnsvr.exe

C:\Users\Admin\AppData\Local\TIX\dpnsvr.exe

C:\Users\Admin\AppData\Local\TIX\dpnsvr.exe

C:\Windows\system32\mmc.exe

C:\Windows\system32\mmc.exe

C:\Users\Admin\AppData\Local\8N5kzAslg\mmc.exe

C:\Users\Admin\AppData\Local\8N5kzAslg\mmc.exe

C:\Windows\system32\rdrleakdiag.exe

C:\Windows\system32\rdrleakdiag.exe

C:\Users\Admin\AppData\Local\1tR\rdrleakdiag.exe

C:\Users\Admin\AppData\Local\1tR\rdrleakdiag.exe

Network

N/A

Files

memory/2168-1-0x0000000140000000-0x0000000140166000-memory.dmp

memory/2168-0-0x0000000000390000-0x0000000000397000-memory.dmp

memory/1204-4-0x0000000077676000-0x0000000077677000-memory.dmp

memory/1204-5-0x0000000002B50000-0x0000000002B51000-memory.dmp

memory/1204-10-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-16-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-20-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-29-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-31-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-30-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-33-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-32-0x0000000001D90000-0x0000000001D97000-memory.dmp

memory/1204-28-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-27-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-26-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-25-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-41-0x0000000077781000-0x0000000077782000-memory.dmp

memory/1204-42-0x00000000778E0000-0x00000000778E2000-memory.dmp

memory/1204-40-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-24-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-23-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-22-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-21-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-19-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-18-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-51-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-17-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-57-0x0000000140000000-0x0000000140166000-memory.dmp

C:\Users\Admin\AppData\Local\TIX\WINMM.dll

MD5 1a51ce83255e3c5c3981addc70fc7c54
SHA1 c2b0a33b888aa9bb028d3c31dad4cc6c5a07457d
SHA256 1498b2b43c92e5fde8ba79c32dcaca4aff05cdf692c43556ada2ae2e78cb2b25
SHA512 473fc3ec7fb8985da9801777cc5ec714a915ea16728a38bc727a854f9787e3b8ecc563b5172698e900df1723da2652ead2790002d1411830f8f2ec4f18112176

\Users\Admin\AppData\Local\TIX\WINMM.dll

MD5 7a84e3258e09ca9d643787f8ac0e3d37
SHA1 f2d5815aaa1a278d80ce50274bb1713efb773123
SHA256 a4ce7b994a1541453da1407717505e419239651f68225a1bf28b69504c3e45cd
SHA512 64733a9f6b28c88d16ad244e49a7c2adf781af9adff0dba58cd8e992f9660daee9a76710f0bef1f63e616dcb9fd700ffee1eb1e6cf0850e7b7fcec173a41d79a

memory/2644-70-0x0000000140000000-0x0000000140168000-memory.dmp

memory/2644-69-0x0000000001B40000-0x0000000001B47000-memory.dmp

memory/2644-75-0x0000000140000000-0x0000000140168000-memory.dmp

C:\Users\Admin\AppData\Local\TIX\dpnsvr.exe

MD5 6806b72978f6bd27aef57899be68b93b
SHA1 713c246d0b0b8dcc298afaed4f62aed82789951c
SHA256 3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c
SHA512 43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

memory/1204-15-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-14-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-13-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-12-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-11-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-9-0x0000000140000000-0x0000000140166000-memory.dmp

memory/2168-8-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1204-7-0x0000000140000000-0x0000000140166000-memory.dmp

\Users\Admin\AppData\Local\8N5kzAslg\mmc.exe

MD5 2586242578c401d46d7df55e44246650
SHA1 e9789092fb05a1fff4d1cbf5c48424c9201ff26f
SHA256 e1f603dd2b71b281d4600ca3990bed937ad5c3b82b9a98688943cdc97e4bbf12
SHA512 cfd432411c07498e5dbe9c9e4ab0d831d7289186161c46b93060a1f84bc220d815859e1ba094956b5e7ba339e3370d345c2959c906728ec7ecc378657839e3b8

\Users\Admin\AppData\Local\8N5kzAslg\MFC42u.dll

MD5 bca39c64a1e7df9d45f39482686e8dee
SHA1 69d460d9a77fbdb8d8996aea572be113165a1d8c
SHA256 fd804311bca1a7725fb215c8b405b903b67225529da85485c2237b510f8dfac5
SHA512 8d2440324658280c7ad697958ee119dde12aa7ca0ea6be67640de95d0314e911d3fe9297e6317046201642bde74f96f7daff54da6af00b10fb9ab13c88c2a6f5

C:\Users\Admin\AppData\Local\8N5kzAslg\MFC42u.dll

MD5 c96b8348e0015996673a4a0b3222100d
SHA1 264cd4a5cd5cb3d5150f87aae9727ca1300f18d6
SHA256 7f77fca788a06e0e629c6a3bf03c964429a4a0b7b885d006a0cd2d4f3f6a90f1
SHA512 3e690edac2a54b0c7031519fedf19ec9a249263a5ee4bb80c2fcfde21ec38ad664e9de554c408f0a7de178c5b44965adf6f3cb0ad9093ce649c9f788e114a330

C:\Users\Admin\AppData\Local\8N5kzAslg\mmc.exe

MD5 b1c9b57c152c88bac9b9a054e2dcb139
SHA1 38b53f7f53db5cd4ae4801f0f14bd20e2e5f1bcb
SHA256 839211ec7f456e5f82e4b3f5c56e57cac5a35465e81fb56434493fbb0b00b08f
SHA512 16a952b644a173bb02cbb9408215bc640e587f9a5a66b13df832f1810f026c24d0a5b6311560ffb74ff42f6e9dae65fed02c185f2fe5a1f762fa4b0e715a5151

memory/976-89-0x0000000000170000-0x0000000000177000-memory.dmp

memory/976-92-0x0000000140000000-0x000000014016D000-memory.dmp

memory/976-87-0x0000000140000000-0x000000014016D000-memory.dmp

C:\Users\Admin\AppData\Local\8N5kzAslg\mmc.exe

MD5 bb41ff971854d8618ece465860ceba66
SHA1 5f804faa4cb77282741f581bf2f6f471f74d8617
SHA256 01a68f95e209c5cd857d0abf5f628fde2c0db9245687093f1ded146e45158c27
SHA512 c7e017e4f428547d75c148a0214e8febe2942bf59be45b6b18474d19b3dabd976fa6c727c0787446d12611d81541b7703270edc115831c0cccab8ce8e4f9e02b

\Users\Admin\AppData\Local\1tR\rdrleakdiag.exe

MD5 53f6bf79a92eb8b6ad16cdc0137fd69e
SHA1 85d75f04a95369c5d5cc70b4a27df7f17bcc739e
SHA256 a2f67f23f29d238e1668e7e6b11030bc0d26f6c647c46ee9f95deb6fd7b2a346
SHA512 ae1a96f0a99908c82ae758ec32fa64f03e269ad24370470437ff9d6da35d84c07c5e69a38c9b5b98f3e8d385865ad91cf2fa2f1033bb16a3113244e55eecc690

C:\Users\Admin\AppData\Local\1tR\VERSION.dll

MD5 cb3f3eeca14e06f6f41afa011e5c36dc
SHA1 d39b1ab1dd9744a5676eece490df578b01dcf58a
SHA256 9ac6afbda1c5cee6dc21cb5245ee4e070aef4993d6e8ed4db08dbf8033c7dad0
SHA512 f900add373cba623364262bc1ca057910179df9ae5c8d925a784e0fc60e6d5c0613874d2f2841c9d9f00ca77b734bc2aeba7f25ae8c4b159f056858f867fe4ea

C:\Users\Admin\AppData\Local\1tR\rdrleakdiag.exe

MD5 2603b3b32d273dbcc7939f49a9237dff
SHA1 6991407dd14cf17c7fb513f3bf874e8c3af7dea3
SHA256 f94475e3ec889203cb649ce357dc6b1c153fe2934c827f65ec3e1d7e02cc1e6f
SHA512 e7d831fe928de409319248378d00028a005b3211c2d457bed9cd173eb870c2a0bd3add2f1ae2357098ba401cffee930e0d2af7ceffe73fa2ce21a06be5741496

memory/2900-112-0x0000000140000000-0x0000000140167000-memory.dmp

memory/2900-111-0x00000000000F0000-0x00000000000F7000-memory.dmp

memory/2900-117-0x0000000140000000-0x0000000140167000-memory.dmp

C:\Users\Admin\AppData\Local\1tR\rdrleakdiag.exe

MD5 f9ae341d22fc0261f78055b3ccc75d01
SHA1 3904030deef271ac6dfc9f970c3d1a6322b0b916
SHA256 1eff398a879e06969f3d033e66226e8795fd1b7fe66f5216d53bb0709c9388fd
SHA512 c2ca8ee0b7c18ec12d86ed20cfb4fc7b6df61d6466bf767961a4382901d30094e61f41dc55165a7804047820426716141dc445a10e8197cb241307c2388af853

\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\EMD0HGW\rdrleakdiag.exe

MD5 5d6920a0c6c1e086df1504e9e50937f3
SHA1 d1cb6e91a1c7d6b2a165df42c450e7da94ccfb25
SHA256 f372e7565dc4c1e08a05d58972e5cdd8ba89b3bfa05227132824b597983bb794
SHA512 b835a40117e4152b1db00fda375739018dfd1856656de444e659ade8193a13a52719ae5dddff3c7cb23f8b84e8fe190fcdf8048bd8a4f5fd7f9f023413a8e7a4

memory/1204-131-0x0000000077676000-0x0000000077677000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 44625db09f3d9614282c2ae5d1c30fbe
SHA1 146a6615c73896f97567367e205a0f684c1a616b
SHA256 dd04553dca22e049da6aa0b83fcf6ea326f4e983ccbd5965c6defed0c1fd1211
SHA512 52191a0eb439e6ef85149f2018ae499fb16a2594217a879835c8575f93bf08058172e40ed6dc264a08b17159d3bd01a1ca009e29e7493c62cbc34002957afdf6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\DF6X8\WINMM.dll

MD5 067a47a0d2d1237075d56d513e75cf85
SHA1 3f709c26e277742a9378047bb0435ef5afd5e6ce
SHA256 c1c540274fadac24bb6774b119d61cde3d8c9aaca373fdac45af1e41c1be35db
SHA512 c05e40348b890337969532505f89d84e964657a53acb5ddbf69fa66ecd3a4b538c60026637b53da4ee8146117d22cfbc1762ffc532cd0360312d9216978c6281

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C02Wj8jjPvo\MFC42u.dll

MD5 a3bc65b99e3a0f5a76e4a868d0d6f89d
SHA1 2f46fed1e866e3df717b8c745d782d0d4d403045
SHA256 b0ee30dbe2a1539639b381d7b36223e0decfe966ad98ddd5991bdde2fd5a849e
SHA512 5fcfac25de7be111dd0c0c78230b391089fd5f1fe2531bf2c997d108b02adc468e9ad9242e6f67fc65b9547c57290e7987eb91a9a5af25b5ffbde813ee2117a7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\EMD0HGW\VERSION.dll

MD5 fc43317708b28bb3a336fa4767c9429c
SHA1 1dffc0e27d77c24ddd55c5a2110caf41e3a194d1
SHA256 f42360c68a5eefe1470ceee8fa702968a0759fc19704ca32ba5928148b632680
SHA512 8e5e8a1ac02b154f5f46ecf44f64fa496177db9c415ca410147b6ecc907c6c9288db546a3da57ee9690954b71fc1b2a1e8082bdd2be6a66b6e8a6f5fc5d133db

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 02:37

Reported

2023-12-31 11:03

Platform

win10v2004-20231215-en

Max time kernel

115s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0be77175d5db7bce6d960349865754a2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fidpgamyc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\lgD8nLG\\systemreset.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\9UF\SystemPropertiesPerformance.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\6bw\systemreset.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\vwt\FXSCOVER.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
(57 further identical rows, i.e. events for which the sandbox recorded no process or indicator, folded here)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 2468 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 3492 wrote to memory of 2468 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 3492 wrote to memory of 2960 N/A N/A C:\Users\Admin\AppData\Local\9UF\SystemPropertiesPerformance.exe
PID 3492 wrote to memory of 2960 N/A N/A C:\Users\Admin\AppData\Local\9UF\SystemPropertiesPerformance.exe
PID 3492 wrote to memory of 2212 N/A N/A C:\Windows\system32\systemreset.exe
PID 3492 wrote to memory of 2212 N/A N/A C:\Windows\system32\systemreset.exe
PID 3492 wrote to memory of 1380 N/A N/A C:\Users\Admin\AppData\Local\6bw\systemreset.exe
PID 3492 wrote to memory of 1380 N/A N/A C:\Users\Admin\AppData\Local\6bw\systemreset.exe
PID 3492 wrote to memory of 432 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 3492 wrote to memory of 432 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 3492 wrote to memory of 2312 N/A N/A C:\Users\Admin\AppData\Local\vwt\FXSCOVER.exe
PID 3492 wrote to memory of 2312 N/A N/A C:\Users\Admin\AppData\Local\vwt\FXSCOVER.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0be77175d5db7bce6d960349865754a2.dll,#1

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\9UF\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\9UF\SystemPropertiesPerformance.exe

C:\Windows\system32\systemreset.exe

C:\Windows\system32\systemreset.exe

C:\Users\Admin\AppData\Local\6bw\systemreset.exe

C:\Users\Admin\AppData\Local\6bw\systemreset.exe

C:\Windows\system32\FXSCOVER.exe

C:\Windows\system32\FXSCOVER.exe

C:\Users\Admin\AppData\Local\vwt\FXSCOVER.exe

C:\Users\Admin\AppData\Local\vwt\FXSCOVER.exe
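Both Processes lists show the same sequence three times: a genuine System32 binary is launched, then a copy of it runs from a short random directory under AppData\Local, and the Files section lists a module with a system DLL name (WINMM.dll, MFC42u.dll, VERSION.dll, SYSDM.CPL, ReAgent.dll) beside each copy. The behavioral2 Run key points the same way, at a systemreset.exe under AppData\Roaming next to a dropped ReAgent.dll. That shape is consistent with DLL side-loading used as the loader's host. The Python below is an added example (editor's code, not sandbox output) that applies that pattern to the paths copied from this page; the rule set (System32 binary name, user-writable directory, sibling loadable module) is a heuristic of the editor's, not something the report states.

```python
"""Side-loading and Run-key triage over the paths listed in this report.

Added example (editor's code, not sandbox output). PROCESSES and DROPPED are
copied from the two detonations above as constructed input; the rules are
heuristics, not something the report itself asserts.
"""
import ntpath
import re

USER_WRITABLE = re.compile(r"^(?:[A-Z]:)?\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^[A-Z]:\\Windows\\system32\\", re.IGNORECASE)
RUN_VALUE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^\s=]+) = "(?P<target>[^"]+)"')
LOADABLE = (".dll", ".cpl")  # SYSDM.CPL is a PE DLL under another extension

PROCESSES = {  # one entry per distinct image path in each Processes list
    "behavioral1": [
        r"C:\Windows\system32\rundll32.exe",
        r"C:\Windows\system32\dpnsvr.exe", r"C:\Users\Admin\AppData\Local\TIX\dpnsvr.exe",
        r"C:\Windows\system32\mmc.exe", r"C:\Users\Admin\AppData\Local\8N5kzAslg\mmc.exe",
        r"C:\Windows\system32\rdrleakdiag.exe", r"C:\Users\Admin\AppData\Local\1tR\rdrleakdiag.exe",
    ],
    "behavioral2": [
        r"C:\Windows\system32\rundll32.exe",
        r"C:\Windows\system32\SystemPropertiesPerformance.exe",
        r"C:\Users\Admin\AppData\Local\9UF\SystemPropertiesPerformance.exe",
        r"C:\Windows\system32\systemreset.exe", r"C:\Users\Admin\AppData\Local\6bw\systemreset.exe",
        r"C:\Windows\system32\FXSCOVER.exe", r"C:\Users\Admin\AppData\Local\vwt\FXSCOVER.exe",
    ],
}
DROPPED = {  # subset of each Files list (hashes and memory dumps omitted); both path forms occur in the report
    "behavioral1": [
        r"C:\Users\Admin\AppData\Local\TIX\WINMM.dll", r"C:\Users\Admin\AppData\Local\TIX\dpnsvr.exe",
        r"\Users\Admin\AppData\Local\8N5kzAslg\mmc.exe", r"C:\Users\Admin\AppData\Local\8N5kzAslg\MFC42u.dll",
        r"\Users\Admin\AppData\Local\1tR\rdrleakdiag.exe", r"C:\Users\Admin\AppData\Local\1tR\VERSION.dll",
        r"\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\EMD0HGW\rdrleakdiag.exe",
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\EMD0HGW\VERSION.dll",
        r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk",
    ],
    "behavioral2": [
        r"C:\Users\Admin\AppData\Local\9UF\SYSDM.CPL", r"C:\Users\Admin\AppData\Local\9UF\SystemPropertiesPerformance.exe",
        r"C:\Users\Admin\AppData\Local\6bw\systemreset.exe", r"C:\Users\Admin\AppData\Local\6bw\ReAgent.dll",
        r"C:\Users\Admin\AppData\Local\vwt\FXSCOVER.exe", r"C:\Users\Admin\AppData\Local\vwt\MFC42u.dll",
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\lgD8nLG\ReAgent.dll",
        r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Enpllr.lnk",
    ],
}
RUN_KEY_INDICATOR = (r'Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000'
                     r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fidpgamyc = '
                     r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\lgD8nLG\\systemreset.exe" N/A N/A')
UAC_INDICATOR = r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A"


def _dir_key(directory):
    """Case-folded key with the drive dropped, so 'C:\\Users\\...' and '\\Users\\...' group together."""
    return re.sub(r"^[A-Z]:", "", directory, flags=re.IGNORECASE).lower()


def system_binary_names(process_paths):
    """Names of binaries that ran from System32 in the same run. The genuine copy is
    launched first, so the name of every side-loading host ends up in this set."""
    return {ntpath.basename(p).lower() for p in process_paths if SYSTEM_DIR.match(p)}


def find_sideloading(process_paths, dropped_paths):
    """Staging directories that hold a System32-named host plus a loadable module."""
    known = system_binary_names(process_paths)
    by_dir = {}
    for path in dropped_paths:
        directory, name = ntpath.split(path)
        by_dir.setdefault(_dir_key(directory), (directory, set()))[1].add(name)
    findings = []
    for directory, names in by_dir.values():
        if not USER_WRITABLE.match(directory):
            continue
        hosts = sorted(n for n in names if n.lower() in known)
        modules = sorted(n for n in names if n.lower().endswith(LOADABLE))
        if hosts and modules:
            findings.append({"dir": directory, "host": hosts[0], "modules": modules})
    return sorted(findings, key=lambda f: _dir_key(f["dir"]))


def classify_run_value(indicator, process_paths, dropped_paths):
    """Parse a 'Set value (str) ...\\Run\\<name> = "<path>"' row and tie its target to the
    side-loading pattern. Returns None for rows that are not Run values."""
    m = RUN_VALUE.search(indicator)
    if m is None:
        return None
    target = m.group("target").replace("\\\\", "\\")  # the report doubles backslashes
    target_dir, exe = ntpath.split(target)
    siblings = sorted(ntpath.basename(p) for p in dropped_paths
                      if _dir_key(ntpath.dirname(p)) == _dir_key(target_dir)
                      and p.lower().endswith(LOADABLE))
    return {"name": m.group("name"), "target": target,
            "user_writable": bool(USER_WRITABLE.match(target)),
            "masquerades_as": exe if exe.lower() in system_binary_names(process_paths) else None,
            "sibling_modules": siblings}


if __name__ == "__main__":
    for run in PROCESSES:
        for f in find_sideloading(PROCESSES[run], DROPPED[run]):
            print(run, f["host"], "<-", ", ".join(f["modules"]), "in", f["dir"])
    print(classify_run_value(RUN_KEY_INDICATOR, PROCESSES["behavioral2"], DROPPED["behavioral2"]))
```

The Roaming directories that hold only a module (DF6X8\WINMM.dll, C02Wj8jjPvo\MFC42u.dll, C3OFBs\SYSDM.CPL, wB39\MFC42u.dll) are deliberately not flagged by `find_sideloading`, because no host executable was recorded beside them; the Run-key target in lgD8nLG is caught instead by `classify_run_value`, which relates the value's target to the modules dropped in the same directory.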

Network

Nothing in this capture is attributable to the sample: every row is either a reverse (in-addr.arpa) lookup sent to 8.8.8.8 or a TLS session to tse1.mm.bing.net, i.e. Windows and sandbox background traffic. No C2 contact was recorded within the 157 s run, so none of these rows should be used as an indicator.

Country Destination Domain Proto
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 185.13.222.173.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

memory/2696-1-0x0000012578790000-0x0000012578797000-memory.dmp

memory/2696-0-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-4-0x0000000008160000-0x0000000008161000-memory.dmp

memory/2696-7-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-8-0x00007FF8D923A000-0x00007FF8D923B000-memory.dmp

memory/3492-9-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-6-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-10-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-11-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-13-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-12-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-14-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-15-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-16-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-17-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-18-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-20-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-19-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-22-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-21-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-23-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-24-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-26-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-25-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-27-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-28-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-30-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-31-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-29-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-33-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-32-0x0000000002760000-0x0000000002767000-memory.dmp

memory/3492-41-0x00007FF8DB120000-0x00007FF8DB130000-memory.dmp

memory/3492-40-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-52-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3492-50-0x0000000140000000-0x0000000140166000-memory.dmp

C:\Users\Admin\AppData\Local\9UF\SYSDM.CPL

MD5 1c0c33cb4513b1bebb4e5325e3c9c28b
SHA1 c240581bf20be30bf7cafa73a7013b57513635cd
SHA256 fe87e3d0e96325b61b73e609f17c03067063cd5f4ca2b3bac9cf60f62b1d3db8
SHA512 9f2d57761f063e4c0d1ea27011d11aafd39b34ea757f009c8ff88c4f2bfa0d47d10fb8a5e355459eadd70e271fe46f82eb461181ceca79bd2406db318fba825e

memory/2960-62-0x000001CA61A80000-0x000001CA61A87000-memory.dmp

memory/2960-67-0x0000000140000000-0x0000000140167000-memory.dmp

C:\Users\Admin\AppData\Local\9UF\SystemPropertiesPerformance.exe

MD5 e4fbf7cab8669c7c9cef92205d2f2ffc
SHA1 adbfa782b7998720fa85678cc85863b961975e28
SHA256 b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30
SHA512 c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

memory/2960-61-0x0000000140000000-0x0000000140167000-memory.dmp

C:\Users\Admin\AppData\Local\9UF\SYSDM.CPL

MD5 e4c2edfadfb827c3a48f5eb69c00aae3
SHA1 decc1fa8a64711dbebbfdaa1e4fede1b742d433a
SHA256 b948326442418f9f705beff2d38552f2a3b200b35dc626e079984b1b9a2b103e
SHA512 b23d7e9a1e8150d37dcdc0b054f940fd3b35a7fcdef3abc98d0d0c7450eaee28ac5c55b050af21e6b08d9e9f264cf221f9d0a00996d3cf3079a4a5075a1db021

C:\Users\Admin\AppData\Local\9UF\SystemPropertiesPerformance.exe

MD5 0080d4b639afe0835f38f3a9520cc8ba
SHA1 145223c003c82bb0a2234db5659573541390b13f
SHA256 a4f38b0bd5ff0bf9cf1eaeb4bd76458834b5f379bbda49b307b547dce1dee0dc
SHA512 3edf989d8d6e54ff4ae0743ee32f20ce422f83aafc537a6e1e5216660f591b0ae5721ece1d07bca1b79e0820356aa3b30ca22c9e9d5c9bdfc8221565ffe67c5b

C:\Users\Admin\AppData\Local\6bw\systemreset.exe

MD5 84bf40f223b9e98c7f860600f1c065c2
SHA1 c1b7c0ce7ea3a1509da2ae2207e209a01b7ad52c
SHA256 70b6911340a24de99bb371a1e4eea5fcd1e1eed6efafac3fbd9db2560e64a918
SHA512 794757b1ae5055b1e752be8c0e79165fdab8b70568fefb024538a765341f54f0c26f21c92eafae515cd20731338426960f6b89f3836bf2a6763143ea66992ff8

C:\Users\Admin\AppData\Local\6bw\ReAgent.dll

MD5 5454ef9b44e37d9d99844796ecc24e4d
SHA1 a38bd79b3248008563dc58d8fe3ce11e86dc0157
SHA256 430eb867bed91fcfad5509d3faa6ccb86979eb21f5acb4de46f0415048e39160
SHA512 c789b29abeb94f51d43d06220b02afa684bb8e0fe070bb6adf85efe3522465f6911e9a19c0388ead5e6f41ed34a9de50bb8ecfc00e527c00126a14e7e41b21a6

memory/1380-78-0x000001373EBA0000-0x000001373EBA7000-memory.dmp

C:\Users\Admin\AppData\Local\6bw\ReAgent.dll

MD5 33391ba6dd8c5d11111e514c2a0ac62e
SHA1 d0814e977ffe4606822c52db145c800c5abbe914
SHA256 97ed1db9d2ba822add67cb791b167f50b406cada786d1580189640b330eef0d7
SHA512 6f84e3f8a5f8ebdd3ced07d7ef9f750d5e08899087e833cdc28098a36e595e1c04bb0f804bcdbe732e7f630e5af554ef63d144dc34dc1452a99c6ba58299136b

memory/1380-84-0x0000000140000000-0x0000000140167000-memory.dmp

C:\Users\Admin\AppData\Local\6bw\systemreset.exe

MD5 007142dce05a58bda84fcc27e0c624a2
SHA1 2e9c96ea5ecc69ed52cf6da851cb38d752cdc40c
SHA256 f91427b1414fddb2a699804317f7addee027f47186852bf1df23ecaaafe1df9c
SHA512 7d392186917f1e058c771454c88bacb9dec6c42f92be697596ca9c1c0a83b8375d79c009467715f7ede1ac9a04c3bc46d323fecb58e6fb5c1af4c59caf28eee2

C:\Users\Admin\AppData\Local\vwt\FXSCOVER.exe

MD5 6d8858f0818676f141f5bcaf122afcce
SHA1 371daa8c91de3e0fda1602f3e1b812f8abb44cb0
SHA256 beb2faed46b0b810d0ea8d0821eb08133a4d3bd3431f016a289a25780ec7aa8a
SHA512 15f194e09cd734f2838c87c72a5280502c6293e5da11155a4e49f82bf60ba15982dbd6bb36cf1da2b3b057eb4b33c06fa29bba3e704a1934f73d38797c409874

C:\Users\Admin\AppData\Local\vwt\MFC42u.dll

MD5 dc3f0925637489c956a7066a20d4a64a
SHA1 727ccd82ce0847adc744e5e53a599c56ca28249a
SHA256 877850a6e01df118e50a9714114b3b3606f7cfea4969f8e8553b33fd3f55b282
SHA512 087e37800e12004740ef7c5c419c9b86072469f59d6ce75064b03f52bc04c8885db4c247af138dbb3a0db25521f901c876a1b94ac754f3d83540be253609aaa7

C:\Users\Admin\AppData\Local\vwt\MFC42u.dll

MD5 625d8f5abe5cd125a4ce7cfd589fdea0
SHA1 2ee0cf06bd5c2fc5869eeb5e7ff3c55655963baa
SHA256 c98f6d45dac4db29b464a5ea9fc6d2149da426d62c7a1c92ac33b7c55a1b04ad
SHA512 6fb42c1165f69cacf3cd9e49565c7ee4b711ef304887ee4861a9ce438c4c6e9e61de0e9aa3384783b9a7f423f675cb0295d6bfa427355ba988a01bab6759f9c1

memory/2312-101-0x0000000140000000-0x000000014016D000-memory.dmp

memory/2312-96-0x0000000140000000-0x000000014016D000-memory.dmp

C:\Users\Admin\AppData\Local\vwt\FXSCOVER.exe

MD5 b8bd808f3921dcba3aefa4f3d4422b41
SHA1 2d758db395f94513c9d8ac8e7329fc12395f272e
SHA256 76d7336fd97d98bc6229ab4c7e58efeff06410ecee3f25cd8f8d1a752f42a7b1
SHA512 e37a3c842a82599f4ba11da2275629538373f23020a50ce6d2641ba72ecb5fcf53f4e3cad9156d19e53a479240bcb285fa47ae127330398288fabbeb9836b9b8

memory/2312-95-0x000002BC85520000-0x000002BC85527000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Enpllr.lnk

MD5 69259dafa3c12e68a47518e0c5fd436e
SHA1 c280a184d500e8edfaa8aa6048ac7e8fea19760d
SHA256 dc682eadc6cda36865ce4ed89521e33ab039ad55960832c0d2b71234ccce176b
SHA512 0077fc9948c796ec741a6d451d1166dedc079b25345ade427169371a0d524ef7cbdfd7d1cf2603f7e604f559f54491c7c12b76be8bb74c5fa8e94e3d900a1516

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-2398549320-3657759451-817663969-1000\C3OFBs\SYSDM.CPL

MD5 85c693722c93cd243b3478a9c52c5d2f
SHA1 ef667ba0bfe3dfdb05832fb48b480671e7a28103
SHA256 9381163af383ba7686fbf9cf0223059ed0c54080084fea192a340534427fe093
SHA512 29273de9248b5eb6557d6e3dc7fd4a672539907f464332edd89b9153f677cd3a819eeb205b0da46f85b5e3b3da2c1cf2e0c7403175175d6b1962145361ce7965

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\lgD8nLG\ReAgent.dll

MD5 884461bd084812090210f00f47359c4b
SHA1 236a2d9bd96a96ae2eba008a1a289fffcbe9f73d
SHA256 7da4206716e01d12fbe0217a8d7e2db11d78f044f4c392ddc356a6483abf5024
SHA512 9aee83ea3bee14c727fdea9a20c2706563ecf3dd1c439b0f2da4959356357729f4287a49b973186ad6264cad71449a6b99c8896e66e474dee0a537e3cd8a40cd

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\wB39\MFC42u.dll

MD5 585bb7925e1ff17281c7519ac4987261
SHA1 3431aaca19d1e628745041740c3480d9498aa013
SHA256 cfb51ab6597ac44fc411a3ffadb67e2ad8e8a0741e1832ad9ddbbc9550b4a27f
SHA512 6ad406a8f60a0a7bd2aa2b198149a0758d170fe99c869c523a79394e3672db3a457908467fdbc8c4f9b8db3383bd5e39ff6dd3777f9398405e13681bc3064d0b
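The dump names and the WriteProcessMemory rows in behavioral2 are enough to locate the loader without opening a single dump. The region 0x140000000 to 0x140166000 (0x166000 bytes at the default 64-bit image base) is captured from PID 2696 and from PID 3492; PID 3492 is the process that writes into every side-loading host (per the Target column, 2468, 2212 and 432 are the System32 originals and 2960, 1380 and 2312 the AppData\Local copies), and the three copies each carry an image-base region of their own afterwards (0x167000 or 0x16D000 bytes). behavioral1 shows the same shared region in PIDs 2168 and 1204. The Python below is an added example (editor's code, not the sandbox's) that parses those artifact names into per-PID regions and folds the write rows into an injection graph; DUMPS is a constructed subset of this page's behavioral2 Files list.

```python
"""Memory-dump and cross-process-write triage for this report.

Added example (editor's code, not sandbox output). Dump names follow the
'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' form used in the Files lists;
DUMPS is a constructed subset of the behavioral2 list and WPM_ROWS are rows from that
run's 'Suspicious use of WriteProcessMemory' table (the first two are a duplicate pair).
"""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
WPM_ROW = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)")
X64_DEFAULT_IMAGE_BASE = 0x140000000  # MSVC linker default for 64-bit executables

DUMPS = [
    "memory/2696-1-0x0000012578790000-0x0000012578797000-memory.dmp",
    "memory/2696-0-0x0000000140000000-0x0000000140166000-memory.dmp",
    "memory/3492-4-0x0000000008160000-0x0000000008161000-memory.dmp",
    "memory/2696-7-0x0000000140000000-0x0000000140166000-memory.dmp",
    "memory/3492-8-0x00007FF8D923A000-0x00007FF8D923B000-memory.dmp",
    "memory/3492-9-0x0000000140000000-0x0000000140166000-memory.dmp",
    "memory/3492-6-0x0000000140000000-0x0000000140166000-memory.dmp",
    "memory/3492-10-0x0000000140000000-0x0000000140166000-memory.dmp",
    "memory/3492-32-0x0000000002760000-0x0000000002767000-memory.dmp",
    "memory/2960-62-0x000001CA61A80000-0x000001CA61A87000-memory.dmp",
    "memory/2960-67-0x0000000140000000-0x0000000140167000-memory.dmp",
    "memory/1380-78-0x000001373EBA0000-0x000001373EBA7000-memory.dmp",
    "memory/1380-84-0x0000000140000000-0x0000000140167000-memory.dmp",
    "memory/2312-101-0x0000000140000000-0x000000014016D000-memory.dmp",
    "memory/2312-95-0x000002BC85520000-0x000002BC85527000-memory.dmp",
]
WPM_ROWS = [
    r"PID 3492 wrote to memory of 2468 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe",
    r"PID 3492 wrote to memory of 2468 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe",
    r"PID 3492 wrote to memory of 2960 N/A N/A C:\Users\Admin\AppData\Local\9UF\SystemPropertiesPerformance.exe",
    r"PID 3492 wrote to memory of 2212 N/A N/A C:\Windows\system32\systemreset.exe",
    r"PID 3492 wrote to memory of 1380 N/A N/A C:\Users\Admin\AppData\Local\6bw\systemreset.exe",
    r"PID 3492 wrote to memory of 432 N/A N/A C:\Windows\system32\FXSCOVER.exe",
    r"PID 3492 wrote to memory of 2312 N/A N/A C:\Users\Admin\AppData\Local\vwt\FXSCOVER.exe",
]


def parse_dump(name):
    """Split one artifact name into pid, sequence number and [start, end) addresses."""
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a dump artifact name: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def regions_by_pid(dump_names):
    """{pid: {(start, end): times dumped}}. The sandbox captures the same region
    repeatedly during a run, so the count is capture activity, not distinct memory."""
    out = defaultdict(lambda: defaultdict(int))
    for d in map(parse_dump, dump_names):
        out[d["pid"]][(d["start"], d["end"])] += 1
    return out


def shared_image_regions(dump_names):
    """Regions at the default image base that are present in more than one PID."""
    holders = defaultdict(set)
    for pid, regions in regions_by_pid(dump_names).items():
        for region in regions:
            if region[0] == X64_DEFAULT_IMAGE_BASE:
                holders[region].add(pid)
    return {r: sorted(p) for r, p in holders.items() if len(p) > 1}


def injection_edges(rows):
    """{writer pid: [target pids]} from 'PID a wrote to memory of b' rows, duplicates folded."""
    edges = defaultdict(set)
    for row in rows:
        m = WPM_ROW.match(row)
        if m:
            edges[int(m["src"])].add(int(m["dst"]))
    return {s: sorted(t) for s, t in edges.items()}


def staging_processes(dump_names, rows):
    """Writers that themselves hold an image-base region: the stage that seeds the hosts."""
    per_pid = regions_by_pid(dump_names)
    return sorted(pid for pid in injection_edges(rows)
                  if any(start == X64_DEFAULT_IMAGE_BASE for start, _ in per_pid.get(pid, {})))


if __name__ == "__main__":
    for (start, end), pids in shared_image_regions(DUMPS).items():
        print(f"{start:#x}-{end:#x} ({end - start:#x} bytes) in PIDs {pids}")
    print("injection edges:", injection_edges(WPM_ROWS))
    print("staging process(es):", staging_processes(DUMPS, WPM_ROWS))
```

Run against the full behavioral1 list the same functions single out PIDs 2168 and 1204 for the 0x166000-byte region; that run recorded no WriteProcessMemory rows (kernel time was only 5 s), so `staging_processes` returns nothing there, which is a limit of the data rather than evidence of a different technique.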