Malware Analysis Report

2024-11-30 21:10

Sample ID 231230-gdknrafbgq
Target 103bce51e2fb20c197343aaf2d602bad
SHA256 b95c5ad1c557db07298ed44764a8ba2b022c508ccef0f1a4ff87bf813e3e2463
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

b95c5ad1c557db07298ed44764a8ba2b022c508ccef0f1a4ff87bf813e3e2463

Threat Level: Known bad

The file 103bce51e2fb20c197343aaf2d602bad was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-30 05:41

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-30 05:41
Reported 2023-12-31 01:39
Platform win7-20231215-en
Max time kernel 150s
Max time network 122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\103bce51e2fb20c197343aaf2d602bad.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\9XVqQw\\FVENOT~1.EXE" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\9iZz\SystemPropertiesAdvanced.exe | C:\Windows\system32\cmd.exe | N/A
File opened for modification | C:\Windows\system32\9iZz\SystemPropertiesAdvanced.exe | C:\Windows\system32\cmd.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1272 wrote to memory of 2908 | N/A | N/A | C:\Windows\system32\fvenotify.exe
PID 1272 wrote to memory of 2908 | N/A | N/A | C:\Windows\system32\fvenotify.exe
PID 1272 wrote to memory of 2908 | N/A | N/A | C:\Windows\system32\fvenotify.exe
PID 1272 wrote to memory of 2600 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 2600 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 2600 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 2560 | N/A | N/A | C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 1272 wrote to memory of 2560 | N/A | N/A | C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 1272 wrote to memory of 2560 | N/A | N/A | C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 1272 wrote to memory of 1976 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 1976 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 1976 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1272 wrote to memory of 2916 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 2916 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 2916 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 1800 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 1800 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 1800 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 1932 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 1932 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 1932 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 1660 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 1660 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 1660 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 2180 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 2180 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 2180 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 1048 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 1048 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 1048 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 1980 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 1980 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1272 wrote to memory of 1980 | N/A | N/A | C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\103bce51e2fb20c197343aaf2d602bad.dll,#1

C:\Windows\system32\fvenotify.exe

C:\Windows\system32\fvenotify.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\gYXR.cmd

C:\Windows\system32\SystemPropertiesAdvanced.exe

C:\Windows\system32\SystemPropertiesAdvanced.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\3VX9V0.cmd

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /F /TN "Xvwegxb" /TR "C:\Windows\system32\9iZz\SystemPropertiesAdvanced.exe" /SC minute /MO 60 /RL highest

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Xvwegxb"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Xvwegxb"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Xvwegxb"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Xvwegxb"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Xvwegxb"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Xvwegxb"

Network

N/A

Files

memory/2988-0-0x000007FEF7010000-0x000007FEF70B4000-memory.dmp

memory/2988-1-0x0000000000180000-0x0000000000187000-memory.dmp

memory/1272-3-0x0000000077646000-0x0000000077647000-memory.dmp

memory/1272-4-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

memory/1272-8-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/2988-7-0x000007FEF7010000-0x000007FEF70B4000-memory.dmp

memory/1272-6-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-9-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-10-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-13-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-14-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-12-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-11-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-18-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-19-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-17-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-16-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-15-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-23-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-22-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-21-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-20-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-29-0x0000000001DB0000-0x0000000001DB7000-memory.dmp

memory/1272-25-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-24-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-32-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-33-0x0000000077851000-0x0000000077852000-memory.dmp

memory/1272-34-0x00000000779B0000-0x00000000779B2000-memory.dmp

memory/1272-43-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/1272-48-0x0000000140000000-0x00000001400A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gYXR.cmd

MD5 d7540481ae2421846118efcfbab5b72a
SHA1 bf392f761c8883f78a60397d5e516d8d79b60fb2
SHA256 d371444fdeb4129d496c42cf9a67a4aa1622a2a5acbb4436004c83ecb4693a7d
SHA512 36fbceadb28c8d3051111697fc283aa2049248de22dafafbda051af45f2425a5695f915187105b51c0840830fdf538ed62925d2dbaf966b0eebf950d4d699444

C:\Users\Admin\AppData\Local\Temp\FZdD421.tmp

MD5 0406ab4bb4a4f44d0c712e09a1fcece7
SHA1 44311ec84b9084c0c1d882ac42eb11983e2eb934
SHA256 eebd48f2e4ca9ff741df6757b15c58bf67e670fe550cb5157932c35f00894571
SHA512 604ca681c258f753a219507077239344f2ddaef6dd2bfca4f6b59c63d91f2e8c6c2d0fc07ef78e725664552d14303ffcd7d62d1f4d80af469fb7977cf796da63

memory/1272-60-0x0000000077646000-0x0000000077647000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3VX9V0.cmd

MD5 fdeffd1559628b6fd88dfb8f0360847a
SHA1 0abd2d1c7aaafb54af65a683c3ada02bf07ee3c8
SHA256 91cf1179038c0a3f0c47cb892b4433751836c26079ed5f1faed3f1c98251f10d
SHA512 4eb6c0868858eb0d1e5433662c5fc602fca8c3cf5f2a2878177d4a8066df9daaa18c0f9bf618efdb44030ae4efd602daeab881605e1475f713676015aae3d266

C:\Users\Admin\AppData\Local\Temp\i9OFC5A.tmp

MD5 ae3134bbe770cdcc58dee8e6731ffb2c
SHA1 a79678d9454ed8ca39cc8169437bb63af930720d
SHA256 c01eca80c1963f8b6b88a9d7ec4cb8d1ec409aac5fa648681edd6127fca9d599
SHA512 a9ca4af595aa80b4c357acf2b24e88cec85757f6317d1400e916ff8873f1c0ce7c21077f1ea65955bd09ddadef76b5a54718f19feab1c54ec1a221a0fa5d8edb

C:\Users\Admin\AppData\Roaming\9XVqQw\fvenotify.exe

MD5 e61d644998e07c02f0999388808ac109
SHA1 183130ad81ff4c7997582a484e759bf7769592d6
SHA256 15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa
SHA512 310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zqonzshwxyr.lnk

MD5 e732d05275c99c4b992ed3075a68ab7f
SHA1 73cb560ab7e0d054c4fd74b5068288ba1eacdf35
SHA256 1a2c30f9e9158882c55b4c09e066f9ecd761c5bc4f6fc0064bb0220e54dfab8b
SHA512 c9bc39591a1ce4b25f9e50d52016db457bf8ed571675892fe329a151f0dc5c2184979f907f30525f441be3fa0ed1c121bf7a7ebc5cbda16f34a60ccf156d8002

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-30 05:41
Reported 2023-12-31 01:39
Platform win10v2004-20231215-en
Max time kernel 95s
Max time network 154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\103bce51e2fb20c197343aaf2d602bad.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fidpgamyc = "C:\\Users\\Admin\\AppData\\Roaming\\SEPnxr\\INFDEF~1.EXE" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\j1lW\rdpclip.exe | C:\Windows\system32\cmd.exe | N/A
File created | C:\Windows\system32\j1lW\rdpclip.exe | C:\Windows\system32\cmd.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3368 wrote to memory of 1708 | N/A | N/A | C:\Windows\system32\InfDefaultInstall.exe
PID 3368 wrote to memory of 1708 | N/A | N/A | C:\Windows\system32\InfDefaultInstall.exe
PID 3368 wrote to memory of 3408 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 3368 wrote to memory of 3408 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 3368 wrote to memory of 4268 | N/A | N/A | C:\Windows\system32\rdpclip.exe
PID 3368 wrote to memory of 4268 | N/A | N/A | C:\Windows\system32\rdpclip.exe
PID 3368 wrote to memory of 2496 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 3368 wrote to memory of 2496 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 3368 wrote to memory of 4280 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 3368 wrote to memory of 4280 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 3368 wrote to memory of 4960 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 3368 wrote to memory of 4960 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 3368 wrote to memory of 4276 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 3368 wrote to memory of 4276 | N/A | N/A | C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\103bce51e2fb20c197343aaf2d602bad.dll,#1

C:\Windows\system32\InfDefaultInstall.exe

C:\Windows\system32\InfDefaultInstall.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\1B5dA6.cmd

C:\Windows\system32\rdpclip.exe

C:\Windows\system32\rdpclip.exe

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /F /TN "Zrgvsavwkfmqvw" /TR "C:\Windows\system32\j1lW\rdpclip.exe" /SC minute /MO 60 /RL highest

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\3u0eJ4K.cmd

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Zrgvsavwkfmqvw"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Zrgvsavwkfmqvw"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Zrgvsavwkfmqvw"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Zrgvsavwkfmqvw"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Zrgvsavwkfmqvw"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp

Files

memory/2664-0-0x00007FFEDD9A0000-0x00007FFEDDA44000-memory.dmp

memory/2664-2-0x000001D254950000-0x000001D254957000-memory.dmp

memory/3368-9-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-16-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-20-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-25-0x0000000008480000-0x0000000008487000-memory.dmp

memory/3368-26-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-24-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-32-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-23-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-33-0x00007FFEEBC40000-0x00007FFEEBC50000-memory.dmp

memory/3368-22-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-21-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-19-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-18-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-17-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-15-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-14-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-13-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-12-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-11-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-10-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-8-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/2664-7-0x00007FFEDD9A0000-0x00007FFEDDA44000-memory.dmp

memory/3368-6-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-4-0x00007FFEEA7EA000-0x00007FFEEA7EB000-memory.dmp

memory/3368-3-0x00000000084A0000-0x00000000084A1000-memory.dmp

memory/3368-44-0x0000000140000000-0x00000001400A4000-memory.dmp

memory/3368-42-0x0000000140000000-0x00000001400A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yCF66.tmp

MD5 f334ebabd6a0e8f6f81f7f6ed13ef79f
SHA1 425508769b7eef519fd82cf31ff5297ba7300f89
SHA256 d4748a6fa7d5fb6c0273201fb88e7e328c64f40480ab9014c9527ad0420ca087
SHA512 2a1ed48c74190b20d2bc6e4b6a21c62ab96353309f7645b129463f156642a8d2025838dae2fb5769cef666328fe62aaffd554792d26a9378d6916fc0ed477398

C:\Users\Admin\AppData\Local\Temp\1B5dA6.cmd

MD5 798d5b21e509d76a43f1d445da71a59d
SHA1 ed9759e4727a589d36bf988225ada1352c516198
SHA256 5c602ccc14c66078fdaa36ba3aeb5018b649cdf37f7908042fe8e18354104f4d
SHA512 7eb3d745342843291d1cd1e88e9c8c35043da742778eb0d7b0c0e3611e80f9725b5a269d10c682eed5228076235b50e26a20ec71a5f3fed2c6166717932ae4e7

C:\Users\Admin\AppData\Local\Temp\GFEC4.tmp

MD5 6b2f4f3166714d6bdce2dc9d0d60b417
SHA1 0dbbd154452bc639c52470adc9de24d15e3ab52f
SHA256 a7e7303e2d3728c3d1616377465d077b2c90d8497d0254792e1427057f274e6c
SHA512 331dad5f3d952b66c06c990461ee3d9b034fd764bb7fe74ec021416d30e78c902bd9a38882d2f504ab3232db634507b0a117536c719eadd250c9a4d9595732da

C:\Users\Admin\AppData\Local\Temp\3u0eJ4K.cmd

MD5 e003287dbc5a7376be05e17bfd3d9739
SHA1 401392cfc152864aa9809c7f061c4f6c52375b49
SHA256 45144fcf322873ee08ea34bcb960b95bfd0e74192bdaf52ea7ac46c4575360da
SHA512 799da28eba9445c5e612e015d030191313cbc53d672286de79a084864c61605acd83ce6d0a8c16b6400d500446e4d20b69d99d1673bdccdb2826fb773a49e149

C:\Users\Admin\AppData\Roaming\SEPnxr\InfDefaultInstall.exe

MD5 ee18876c1e5de583de7547075975120e
SHA1 f7fcb3d77da74deee25de9296a7c7335916504e3
SHA256 e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d
SHA512 08bc4d28b8f528582c58175a74871dd33ac97955c3709c991779fc34b5ba4b2ba6ff40476d9f59345b61b0153fd932b0ea539431a67ff5012cb2ac8ab392f73c

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fidpgamyc.lnk

MD5 7f62e8f2fe5bf2e4036e5c802177e04d
SHA1 7e61d9d85e22edc7edea0674793d1010dccfb764
SHA256 1e022468c07556af20dd846ae86315f624f0b010cea970fdc20cd8e5806a9bb5
SHA512 2a37ef2ce4e6f025293f4b1c116c14f9fa76d2f7bf69ac5f63bdc326ebda77ddf221ddbb099657c525d258c17aa06d19ce9e55964eac70bcaf1792e8873e7f3f