Malware Analysis Report

2024-11-30 21:19

Sample ID: 231230-d5ed9sffb5
Target: 0d20166db5e8ca60f69590194a57f9bb
SHA256: 3a64b40ea958fda7e9390275345e90aefe7f3cfe9712088e962caf1104fefe2e
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 3a64b40ea958fda7e9390275345e90aefe7f3cfe9712088e962caf1104fefe2e

Threat Level: Known bad

The file 0d20166db5e8ca60f69590194a57f9bb was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Dridex payload

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-30 03:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-30 03:35

Reported: 2023-12-31 15:54

Platform: win7-20231215-en

Max time kernel: 148s

Max time network: 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d20166db5e8ca60f69590194a57f9bb.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\pmAq\SystemPropertiesComputerName.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\bgGXRnmeW\fveprompt.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\OIEM1U\FXSCOVER.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\sys\\qScapd2v\\FVEPRO~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\pmAq\SystemPropertiesComputerName.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\bgGXRnmeW\fveprompt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\OIEM1U\FXSCOVER.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\pmAq\SystemPropertiesComputerName.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\pmAq\SystemPropertiesComputerName.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 2524 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 1196 wrote to memory of 2524 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 1196 wrote to memory of 2524 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 1196 wrote to memory of 2652 N/A N/A C:\Users\Admin\AppData\Local\pmAq\SystemPropertiesComputerName.exe
PID 1196 wrote to memory of 2652 N/A N/A C:\Users\Admin\AppData\Local\pmAq\SystemPropertiesComputerName.exe
PID 1196 wrote to memory of 2652 N/A N/A C:\Users\Admin\AppData\Local\pmAq\SystemPropertiesComputerName.exe
PID 1196 wrote to memory of 3056 N/A N/A C:\Windows\system32\fveprompt.exe
PID 1196 wrote to memory of 3056 N/A N/A C:\Windows\system32\fveprompt.exe
PID 1196 wrote to memory of 3056 N/A N/A C:\Windows\system32\fveprompt.exe
PID 1196 wrote to memory of 1852 N/A N/A C:\Users\Admin\AppData\Local\bgGXRnmeW\fveprompt.exe
PID 1196 wrote to memory of 1852 N/A N/A C:\Users\Admin\AppData\Local\bgGXRnmeW\fveprompt.exe
PID 1196 wrote to memory of 1852 N/A N/A C:\Users\Admin\AppData\Local\bgGXRnmeW\fveprompt.exe
PID 1196 wrote to memory of 2300 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1196 wrote to memory of 2300 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1196 wrote to memory of 2300 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1196 wrote to memory of 1684 N/A N/A C:\Users\Admin\AppData\Local\OIEM1U\FXSCOVER.exe
PID 1196 wrote to memory of 1684 N/A N/A C:\Users\Admin\AppData\Local\OIEM1U\FXSCOVER.exe
PID 1196 wrote to memory of 1684 N/A N/A C:\Users\Admin\AppData\Local\OIEM1U\FXSCOVER.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d20166db5e8ca60f69590194a57f9bb.dll,#1

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\pmAq\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\pmAq\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\bgGXRnmeW\fveprompt.exe

C:\Users\Admin\AppData\Local\bgGXRnmeW\fveprompt.exe

C:\Windows\system32\fveprompt.exe

C:\Windows\system32\fveprompt.exe

C:\Windows\system32\FXSCOVER.exe

C:\Windows\system32\FXSCOVER.exe

C:\Users\Admin\AppData\Local\OIEM1U\FXSCOVER.exe

C:\Users\Admin\AppData\Local\OIEM1U\FXSCOVER.exe

Network

N/A

Files

memory/1812-1-0x0000000000190000-0x0000000000197000-memory.dmp

memory/1812-0-0x000007FEF7150000-0x000007FEF71F7000-memory.dmp

memory/1196-3-0x0000000077836000-0x0000000077837000-memory.dmp

memory/1196-4-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1196-14-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/1196-13-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/1196-12-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/1196-17-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/1196-26-0x0000000077BD0000-0x0000000077BD2000-memory.dmp

memory/1196-25-0x0000000077BA0000-0x0000000077BA2000-memory.dmp

memory/1196-24-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/1196-16-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/1196-36-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/1196-35-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/1196-15-0x0000000002D70000-0x0000000002D77000-memory.dmp

memory/1196-11-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/1196-10-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/1196-9-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/1196-8-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/1196-7-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/1196-6-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/1812-44-0x000007FEF7150000-0x000007FEF71F7000-memory.dmp

\Users\Admin\AppData\Local\pmAq\SystemPropertiesComputerName.exe

MD5 bd889683916aa93e84e1a75802918acf
SHA1 5ee66571359178613a4256a7470c2c3e6dd93cfa
SHA256 0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf
SHA512 9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

C:\Users\Admin\AppData\Local\pmAq\SYSDM.CPL

MD5 6e3ee235d68bd9ced4d6a7fb8cadb67e
SHA1 b2d003eef110b11119fb0929871f6b0c3b91c7d5
SHA256 a08f2a11dc6b70ab5ed42ea5bf3ec6351a02c21a2729ec147dde840def493dec
SHA512 f9de0a7f9adb88defc4f099b42bfbcab81e463e1c11e8fa0f2da9fed814fab13d7704106eff78744d683e18c08a0ee017373892806139f7d97d052b5d8bbb7f9

\Users\Admin\AppData\Local\pmAq\SYSDM.CPL

MD5 8e947006a1471ae86ab19f355d4ca855
SHA1 28debaec8dbe26ed133d61501c9a7c4162c65619
SHA256 0f9ca6d119fb59c4a1c697c194061cc7df046ab38a6c2eb7075c347d6cf9b368
SHA512 2327f6222d19054e042fa1f1ab499be57c8e1f130287b9010fcae7b580ac1012241a7f5684a31f0ff5ce94bf6e00ca34b9c7bb41553c21dc8b6255a67208ff57

memory/2652-57-0x000007FEF7C90000-0x000007FEF7D38000-memory.dmp

memory/2652-54-0x0000000000280000-0x0000000000287000-memory.dmp

memory/2652-52-0x000007FEF7C90000-0x000007FEF7D38000-memory.dmp

memory/1852-71-0x0000000000180000-0x0000000000187000-memory.dmp

memory/1852-73-0x000007FEF7C90000-0x000007FEF7D38000-memory.dmp

memory/1196-82-0x0000000077836000-0x0000000077837000-memory.dmp

\Users\Admin\AppData\Local\OIEM1U\MFC42u.dll

MD5 7f7821cce3ac529908e54ec8f76bd3b4
SHA1 ed0b24dc9908bbb34672895200989e56449a1dac
SHA256 bc9f0f6bea48681011ab6baf05e2a5a496d151bd4944f96009f72445dc115dde
SHA512 545617664e720e6d2976338760b0535bae82312ad0b2cb4f62bff09045c02aea2b59ed7da95c9d80ead1802511f90be9f5943d2265d55e4e509c09632b683d92

memory/1684-94-0x000007FEF7C90000-0x000007FEF7D3E000-memory.dmp

memory/1684-91-0x0000000000320000-0x0000000000327000-memory.dmp

memory/1684-90-0x000007FEF7C90000-0x000007FEF7D3E000-memory.dmp

C:\Users\Admin\AppData\Local\OIEM1U\MFC42u.dll

MD5 e94ad6b9f059d11e42d7704c16c2066a
SHA1 cdeed6965d7a8f8fc5f919c175daa665464acf5e
SHA256 82fd5667552f4130f1832ef88e144e993f9ea567930a87f2675191bee2564729
SHA512 844c6ae3d0581c87391cc63f3dc73ffa9028aa5fe1e00d5b00f5e110c929d7e11f74260ffaefb350c94d4ea6a30f1542ae00111c28807851d1c8808c6c65d978

C:\Users\Admin\AppData\Local\OIEM1U\FXSCOVER.exe

MD5 5e2c61be8e093dbfe7fc37585be42869
SHA1 ed46cda4ece3ef187b0cf29ca843a6c6735af6c0
SHA256 3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121
SHA512 90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

C:\Users\Admin\AppData\Local\OIEM1U\FXSCOVER.exe

MD5 f7f154b7947bb0aa45343c1c224e0dc4
SHA1 917517eafe15b90d47ab4c2c2df99ff8a457ccc6
SHA256 629a08f6ba746b8d166053ac94c9fa6177584a24f7073a103de706d9ccbbed24
SHA512 ce26077864d352444a999f9c92cf32e88c66f248eae1386dc870997477f76e7fc52f7d73c96ddc44bfe22d737c58b0fd92c1dd34b4f143b022e7c4129c7f54b3

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

MD5 3b0152002a4c1e595499c7e45ee51ffa
SHA1 0bb3b60595d12d81eb9538059c55c7cfee61f20f
SHA256 900759c82b4677b49f1e9d3c54d0064518a65f950393b7a1fcc11d494dfcc351
SHA512 5f3d9538137eb6e3df3172b0f0c0274adc06e664a0511ba22a22a5003e448bc2998f70c6189426daa12c8dde6c49213a9d6618170a616039c30f6e60ce06c749

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\UvV9u9j\SYSDM.CPL

MD5 b98273862923d6590a918370275dae3a
SHA1 7e9754b6fc6e8fc0e0481fbb4fd2e44dc8746745
SHA256 b3737feed1cd3e6a7bb028014207fc20518819bac87084feb5cb2dea478ca236
SHA512 ba4f91689726f28395ab2682e280e4507169fcdb5c649164a92aacfafa3367ef75cb6be2b958a2c97d504ee3445a97f15efcc3643bcac43774c95faddd690401

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\qScapd2v\slc.dll

MD5 fa325bf6388024270f8ae1b88592c7b8
SHA1 ae40629120b10c9c7694523d1bfe7788f55ee5c9
SHA256 041b8475fb85800ad8bdc24a480e4782a0035fee31460d75c57e78e45a96a6da
SHA512 077d338d5d3fdafe727aab3d50eaea2b5d9c160ef33c3320500758c3d4f9d1c897971fb333eba7826f6bc03664f730ea2fd8546a526f61183e9820b7a736ac44

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-30 03:35

Reported: 2023-12-31 15:54

Platform: win10v2004-20231215-en

Max time kernel: 151s

Max time network: 157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d20166db5e8ca60f69590194a57f9bb.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fidpgamyc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\qCtQQL4\\phoneactivate.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\X7DNSxk2\phoneactivate.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3IfRK5D\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\UU1nmsN\shrpubw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3368 wrote to memory of 2508 N/A N/A C:\Windows\system32\shrpubw.exe
PID 3368 wrote to memory of 2508 N/A N/A C:\Windows\system32\shrpubw.exe
PID 3368 wrote to memory of 1844 N/A N/A C:\Users\Admin\AppData\Local\UU1nmsN\shrpubw.exe
PID 3368 wrote to memory of 1844 N/A N/A C:\Users\Admin\AppData\Local\UU1nmsN\shrpubw.exe
PID 3368 wrote to memory of 2052 N/A N/A C:\Windows\system32\phoneactivate.exe
PID 3368 wrote to memory of 2052 N/A N/A C:\Windows\system32\phoneactivate.exe
PID 3368 wrote to memory of 4104 N/A N/A C:\Users\Admin\AppData\Local\X7DNSxk2\phoneactivate.exe
PID 3368 wrote to memory of 4104 N/A N/A C:\Users\Admin\AppData\Local\X7DNSxk2\phoneactivate.exe
PID 3368 wrote to memory of 2028 N/A N/A C:\Windows\system32\MoUsoCoreWorker.exe
PID 3368 wrote to memory of 2028 N/A N/A C:\Windows\system32\MoUsoCoreWorker.exe
PID 3368 wrote to memory of 4288 N/A N/A C:\Users\Admin\AppData\Local\3IfRK5D\MoUsoCoreWorker.exe
PID 3368 wrote to memory of 4288 N/A N/A C:\Users\Admin\AppData\Local\3IfRK5D\MoUsoCoreWorker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d20166db5e8ca60f69590194a57f9bb.dll,#1

C:\Windows\system32\shrpubw.exe

C:\Windows\system32\shrpubw.exe

C:\Users\Admin\AppData\Local\UU1nmsN\shrpubw.exe

C:\Users\Admin\AppData\Local\UU1nmsN\shrpubw.exe

C:\Windows\system32\phoneactivate.exe

C:\Windows\system32\phoneactivate.exe

C:\Users\Admin\AppData\Local\X7DNSxk2\phoneactivate.exe

C:\Users\Admin\AppData\Local\X7DNSxk2\phoneactivate.exe

C:\Windows\system32\MoUsoCoreWorker.exe

C:\Windows\system32\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\3IfRK5D\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\3IfRK5D\MoUsoCoreWorker.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

memory/3904-0-0x00007FFEDD9A0000-0x00007FFEDDA47000-memory.dmp

memory/3904-1-0x0000021E4CBC0000-0x0000021E4CBC7000-memory.dmp

memory/3368-3-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/3368-5-0x00007FFEEA7EA000-0x00007FFEEA7EB000-memory.dmp

memory/3368-6-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/3368-7-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/3368-8-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/3368-9-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/3368-11-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/3368-12-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/3368-14-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/3368-13-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/3368-10-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/3368-15-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/3368-17-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/3368-16-0x0000000000F20000-0x0000000000F27000-memory.dmp

memory/3368-24-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/3368-25-0x00007FFEEBC40000-0x00007FFEEBC50000-memory.dmp

memory/3368-26-0x00007FFEEBC30000-0x00007FFEEBC40000-memory.dmp

memory/3368-35-0x0000000140000000-0x00000001400A7000-memory.dmp

memory/3904-38-0x00007FFEDD9A0000-0x00007FFEDDA47000-memory.dmp

C:\Users\Admin\AppData\Local\UU1nmsN\shrpubw.exe

MD5 9910d5c62428ec5f92b04abf9428eec9
SHA1 05f27d7515e8ae1fa3bc974ec65b864ec4c9ac8b
SHA256 6b84e6e55d8572d7edf0b6243d00abb651fcb0cddddac8461de5f9bb80035a2e
SHA512 01be043f7ff879a683e53962eec58456ba200d6787ea66581bb62669ae65d5e58a5577cdf23441165f7a535fce1dec933e3ad2465c72172b4a1488b24ce722cb

C:\Users\Admin\AppData\Local\UU1nmsN\srvcli.dll

MD5 52f739fc6ae85b726b7a06f2076a9a98
SHA1 1091d4d3825a5f707eb5b375c3247c143f2e0566
SHA256 638b3dcb4529f9f55571dacdee8416e61c94a85863d42a5cc48beee7b5dab0d3
SHA512 ab6bb402603ca50f9b5193db4d02db654fec15852acb97a05b7a8054fc003d7e7b9ab50624ffaa1b07436b8f3b61b3a557425f9d7daf30a778b5c76f0f88357a

memory/1844-46-0x00007FFEDCCB0000-0x00007FFEDCD58000-memory.dmp

memory/1844-45-0x000001B0E15C0000-0x000001B0E15C7000-memory.dmp

memory/1844-50-0x00007FFEDCCB0000-0x00007FFEDCD58000-memory.dmp

C:\Users\Admin\AppData\Local\X7DNSxk2\phoneactivate.exe

MD5 32c31f06e0b68f349f68afdd08e45f3d
SHA1 e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c
SHA256 cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017
SHA512 fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

C:\Users\Admin\AppData\Local\X7DNSxk2\DUI70.dll

MD5 4e111ffa3076992b9a87010d042a3033
SHA1 70da4e3f1eb8207ad9ffb6087901a567ed4c2a68
SHA256 144a9fcf4f7e26f11051f699a70b8da82781367e3b7d39cbd286c924344b4aa8
SHA512 fd14fd99d9003c9b190a46784b6d47d0a680d2013fa1521e7a8fb6b93056c010cfcb3cf70a7008efc5e4d76441587311cfc56c3a0ad1695fefce329cc5e3ec7c

memory/4104-62-0x000001B490CF0000-0x000001B490CF7000-memory.dmp

memory/4104-61-0x00007FFEDCCC0000-0x00007FFEDCDAD000-memory.dmp

memory/4104-66-0x00007FFEDCCC0000-0x00007FFEDCDAD000-memory.dmp

C:\Users\Admin\AppData\Local\3IfRK5D\MoUsoCoreWorker.exe

MD5 47c6b45ff22b73caf40bb29392386ce3
SHA1 7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9
SHA256 cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0
SHA512 c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

C:\Users\Admin\AppData\Local\3IfRK5D\XmlLite.dll

MD5 da65a5ff7e13af05a2f9f62ca338f9db
SHA1 45dc2b5fe17786be495dc65d7bc6055907579727
SHA256 1a081731a8967b6268c8304a0ed69d9d0da1502e23dfa91be321f076a2cdabee
SHA512 10c94e4c8f25c38fd6b8d8a5d467e49cb031098d8b60e15aba204adbe5b308a9a15d4573612e9a9d61af235944a1b4df52569b2bc3f1193181497f7b98915c55

memory/4288-77-0x00007FFECDEB0000-0x00007FFECDF58000-memory.dmp

memory/4288-78-0x0000021CD0970000-0x0000021CD0977000-memory.dmp

memory/4288-82-0x00007FFECDEB0000-0x00007FFECDF58000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Enpllr.lnk

MD5 4b5d1c4626375a0550869f13921b7751
SHA1 51e4a9e90b3e77cfc45415f68f28189aad2648df
SHA256 5047c7ccae24c59aac4a9840ca7f49e6ca4b5c5f0ce612aecc11031ab2145d35
SHA512 0b3a24717d0ff0d5db5278f4e63a9db5f53cb25631f85ac867ecc01939441e3eddce47bccba03d374e71dcced84b663b01dc9f75191b405881a7a17c0032f7a0