Malware Analysis Report

2024-11-30 21:16

Sample ID 231230-p8yg4adcaj
Target 194af32adc20c2bef3623169a2afef69
SHA256 d71f5fe8f927f07d9e298ea32336ed854624b1e728ef56721f63046885784192
Tags
dridex botnet evasion payload persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

d71f5fe8f927f07d9e298ea32336ed854624b1e728ef56721f63046885784192

Threat Level: Known bad

The file 194af32adc20c2bef3623169a2afef69 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 13:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 13:00

Reported

2023-12-31 22:37

Platform

win7-20231215-en

Max time kernel

182s

Max time network

42s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\194af32adc20c2bef3623169a2afef69.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\xqyEmZPgy\tcmsetup.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\ruHzimQ\shrpubw.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\TFP\BdeUISrv.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NATIVE~1\\G1QJSS~1\\shrpubw.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\xqyEmZPgy\tcmsetup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ruHzimQ\shrpubw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\TFP\BdeUISrv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 2540 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1188 wrote to memory of 2540 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1188 wrote to memory of 2540 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1188 wrote to memory of 1980 N/A N/A C:\Users\Admin\AppData\Local\xqyEmZPgy\tcmsetup.exe
PID 1188 wrote to memory of 1980 N/A N/A C:\Users\Admin\AppData\Local\xqyEmZPgy\tcmsetup.exe
PID 1188 wrote to memory of 1980 N/A N/A C:\Users\Admin\AppData\Local\xqyEmZPgy\tcmsetup.exe
PID 1188 wrote to memory of 3040 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1188 wrote to memory of 3040 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1188 wrote to memory of 3040 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1188 wrote to memory of 1664 N/A N/A C:\Users\Admin\AppData\Local\ruHzimQ\shrpubw.exe
PID 1188 wrote to memory of 1664 N/A N/A C:\Users\Admin\AppData\Local\ruHzimQ\shrpubw.exe
PID 1188 wrote to memory of 1664 N/A N/A C:\Users\Admin\AppData\Local\ruHzimQ\shrpubw.exe
PID 1188 wrote to memory of 1484 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 1188 wrote to memory of 1484 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 1188 wrote to memory of 1484 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 1188 wrote to memory of 1180 N/A N/A C:\Users\Admin\AppData\Local\TFP\BdeUISrv.exe
PID 1188 wrote to memory of 1180 N/A N/A C:\Users\Admin\AppData\Local\TFP\BdeUISrv.exe
PID 1188 wrote to memory of 1180 N/A N/A C:\Users\Admin\AppData\Local\TFP\BdeUISrv.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\194af32adc20c2bef3623169a2afef69.dll,#1

C:\Windows\system32\tcmsetup.exe

C:\Windows\system32\tcmsetup.exe

C:\Users\Admin\AppData\Local\xqyEmZPgy\tcmsetup.exe

C:\Users\Admin\AppData\Local\xqyEmZPgy\tcmsetup.exe

C:\Windows\system32\shrpubw.exe

C:\Windows\system32\shrpubw.exe

C:\Users\Admin\AppData\Local\ruHzimQ\shrpubw.exe

C:\Users\Admin\AppData\Local\ruHzimQ\shrpubw.exe

C:\Windows\system32\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

C:\Users\Admin\AppData\Local\TFP\BdeUISrv.exe

C:\Users\Admin\AppData\Local\TFP\BdeUISrv.exe

Network

N/A

Files

memory/2828-1-0x0000000140000000-0x000000014016C000-memory.dmp

memory/2828-0-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1188-4-0x0000000077116000-0x0000000077117000-memory.dmp

memory/1188-5-0x0000000002220000-0x0000000002221000-memory.dmp

memory/1188-12-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-11-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-10-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-9-0x0000000140000000-0x000000014016C000-memory.dmp

memory/2828-8-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-7-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-13-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-14-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-15-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-17-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-16-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-18-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-19-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-21-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-20-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-23-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-22-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-24-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-25-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-27-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-26-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-29-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-28-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-30-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-32-0x0000000002200000-0x0000000002207000-memory.dmp

memory/1188-31-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-40-0x0000000077321000-0x0000000077322000-memory.dmp

memory/1188-39-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-41-0x0000000077480000-0x0000000077482000-memory.dmp

memory/1188-50-0x0000000140000000-0x000000014016C000-memory.dmp

memory/1188-56-0x0000000140000000-0x000000014016C000-memory.dmp

C:\Users\Admin\AppData\Local\xqyEmZPgy\TAPI32.dll

MD5 789ec449c4b70a3560f69fe32b8bbc22
SHA1 e1fc18cd45337f19f847fb5a68ebba644cb88eb6
SHA256 8d99691f61a5affb25384d0330c499330e287ae70c6fce5c9e0b771196b08be2
SHA512 6952c22b9cac8d08ede2d132081dbc5e4b8249f7f150d47f2f1b2abe8c529f9bf8ab352469e52aafbd8656a854db8c4860dffbdec0ecc21e95acecde8b80886f

C:\Users\Admin\AppData\Local\xqyEmZPgy\tcmsetup.exe

MD5 0b08315da0da7f9f472fbab510bfe7b8
SHA1 33ba48fd980216becc532466a5ff8476bec0b31c
SHA256 e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7
SHA512 c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

memory/1980-68-0x0000000140000000-0x000000014016E000-memory.dmp

memory/1980-71-0x0000000000310000-0x0000000000317000-memory.dmp

memory/1980-74-0x0000000140000000-0x000000014016E000-memory.dmp

memory/1188-79-0x0000000077116000-0x0000000077117000-memory.dmp

C:\Users\Admin\AppData\Local\ruHzimQ\shrpubw.exe

MD5 29e6d0016611c8f948db5ea71372f76c
SHA1 01d007a01020370709cd6580717f9ace049647e8
SHA256 53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930
SHA512 300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

C:\Users\Admin\AppData\Local\ruHzimQ\MFC42u.dll

MD5 22a73c97a91909eece802b67cdf8d093
SHA1 a866fa2c53100768b5e60b9a5d8ae68d1e81c6de
SHA256 b80332e47886f8e177562589baf756849bf43af9f30849411a1b6ee5aca50576
SHA512 8e0b7531593a0afbc7ade7405f95a4d01823f970eace8a102db8ec70b22e1c43c14f055145a4247b6c4db6ddeb5851407a64407485aae5cce1a804a3b1c64ed7

memory/1664-87-0x0000000140000000-0x0000000140173000-memory.dmp

memory/1664-89-0x00000000000F0000-0x00000000000F7000-memory.dmp

memory/1664-93-0x0000000140000000-0x0000000140173000-memory.dmp

C:\Users\Admin\AppData\Local\TFP\BdeUISrv.exe

MD5 1da6b19be5d4949c868a264bc5e74206
SHA1 d5ee86ba03a03ef8c93d93accafe40461084c839
SHA256 00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c
SHA512 9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

memory/1180-106-0x0000000000270000-0x0000000000277000-memory.dmp

memory/1180-105-0x0000000140000000-0x000000014016D000-memory.dmp

\Users\Admin\AppData\Local\TFP\WTSAPI32.dll

MD5 277a637ca292ee8f6ca56bd8d943500b
SHA1 77fd7d0039c5cdef0648138ced5ecdd9266a8d6c
SHA256 09687bf46ab0a3fc636f884b9b35db1b6ea32ae1e64efe197f6bcd445bb2fcda
SHA512 2d7dcd92f6c75cc7e21bc195f93387a2c855a81d6ee72b97902005962e902873f0b4eb26bf6cebc164bfb6d10dacd6d25283d69b1071f4b53b6da192cf23b3f6

memory/1180-111-0x0000000140000000-0x000000014016D000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

MD5 850f6172ac7e5e6e28cae9e69e54fa85
SHA1 34f68fcba66dbb3ab09791e977ef148be8b08070
SHA256 4398e54e7b5b397fbf52f65849c55216b4cffde1e3f9cc88e7eb50863e02e2b2
SHA512 4b8337087153775845e9aff4377074fffd4489c981205800c6e2da52d59e86eacf73ffc313525ce7813915c7daef263ab36c2d4d8ead7015c2e5891a20166182

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 13:00

Reported

2023-12-31 22:36

Platform

win10v2004-20231215-en

Max time kernel

129s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\194af32adc20c2bef3623169a2afef69.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\iI\\Taskmgr.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\FKUYt\tabcal.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\GSx3\Taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\eSCks\RecoveryDrive.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3572 wrote to memory of 4824 N/A N/A C:\Windows\system32\tabcal.exe
PID 3572 wrote to memory of 4824 N/A N/A C:\Windows\system32\tabcal.exe
PID 3572 wrote to memory of 4540 N/A N/A C:\Users\Admin\AppData\Local\FKUYt\tabcal.exe
PID 3572 wrote to memory of 4540 N/A N/A C:\Users\Admin\AppData\Local\FKUYt\tabcal.exe
PID 3572 wrote to memory of 2404 N/A N/A C:\Windows\system32\Taskmgr.exe
PID 3572 wrote to memory of 2404 N/A N/A C:\Windows\system32\Taskmgr.exe
PID 3572 wrote to memory of 1792 N/A N/A C:\Users\Admin\AppData\Local\GSx3\Taskmgr.exe
PID 3572 wrote to memory of 1792 N/A N/A C:\Users\Admin\AppData\Local\GSx3\Taskmgr.exe
PID 3572 wrote to memory of 3864 N/A N/A C:\Windows\system32\RecoveryDrive.exe
PID 3572 wrote to memory of 3864 N/A N/A C:\Windows\system32\RecoveryDrive.exe
PID 3572 wrote to memory of 2956 N/A N/A C:\Users\Admin\AppData\Local\eSCks\RecoveryDrive.exe
PID 3572 wrote to memory of 2956 N/A N/A C:\Users\Admin\AppData\Local\eSCks\RecoveryDrive.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\194af32adc20c2bef3623169a2afef69.dll,#1

C:\Windows\system32\tabcal.exe

C:\Windows\system32\tabcal.exe

C:\Windows\system32\Taskmgr.exe

C:\Windows\system32\Taskmgr.exe

C:\Users\Admin\AppData\Local\GSx3\Taskmgr.exe

C:\Users\Admin\AppData\Local\GSx3\Taskmgr.exe

C:\Users\Admin\AppData\Local\FKUYt\tabcal.exe

C:\Users\Admin\AppData\Local\FKUYt\tabcal.exe

C:\Windows\system32\RecoveryDrive.exe

C:\Windows\system32\RecoveryDrive.exe

C:\Users\Admin\AppData\Local\eSCks\RecoveryDrive.exe

C:\Users\Admin\AppData\Local\eSCks\RecoveryDrive.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
GB 96.17.178.211:80 tcp

Files

memory/3804-1-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3804-0-0x000001DA9EEE0000-0x000001DA9EEE7000-memory.dmp

memory/3572-4-0x00000000027A0000-0x00000000027A1000-memory.dmp

memory/3572-9-0x00007FF9B35BA000-0x00007FF9B35BB000-memory.dmp

memory/3572-14-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-16-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-17-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-22-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-26-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-29-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-31-0x0000000000A70000-0x0000000000A77000-memory.dmp

memory/3572-32-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-30-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-28-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-27-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-25-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-24-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-39-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-23-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-21-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-20-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-19-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-49-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-51-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-43-0x00007FF9B5300000-0x00007FF9B5310000-memory.dmp

memory/3572-18-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-15-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-13-0x0000000140000000-0x000000014016C000-memory.dmp

memory/4540-60-0x000002B097B70000-0x000002B097B77000-memory.dmp

memory/4540-61-0x0000000140000000-0x000000014016D000-memory.dmp

memory/4540-66-0x0000000140000000-0x000000014016D000-memory.dmp

memory/1792-77-0x0000000140000000-0x000000014016E000-memory.dmp

memory/1792-78-0x00000227A50E0000-0x00000227A50E7000-memory.dmp

memory/1792-83-0x0000000140000000-0x000000014016E000-memory.dmp

memory/3572-12-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-10-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-11-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-8-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3804-7-0x0000000140000000-0x000000014016C000-memory.dmp

memory/3572-6-0x0000000140000000-0x000000014016C000-memory.dmp

memory/2956-94-0x000002375EFF0000-0x000002375EFF7000-memory.dmp

memory/2956-100-0x0000000140000000-0x000000014016D000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk

MD5 c8a1a2362704518acea8aa3429c98bd8
SHA1 726162ec8bc7106cc3d1e3946b164d325cd57ab5
SHA256 27a5ad0a3d6b23df19175fa73c78e07cea28f56522c6fe610a6c9f81f6903e67
SHA512 42b4720c19cc6c76c1e0920ef835e3aec7e0188bfd895ee2dbc7313e4a1fa159ab52ba2145f65c1570b007cf6f826f3d201f9f094ac8b82c2988221be39d88db

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\uSGooXA\HID.DLL

MD5 127d997a612d016f64e03002a00f7213
SHA1 4de851a4adc7a577458becc32a95b9a6fc44c032
SHA256 00f26654c60389bffb56a45d1c5166b014ed1647a2e1ab7b6d3bf69f2bac1d93
SHA512 6a4c3fa0e9dae418bc1fd7da09f2effc7463df973a1d90c53adcd24973c1a98516ef34ba2ac0eae5a32a8147b8bf5644cbb915c9ee05ae9626d142c175ee0b74

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\iI\DUser.dll

MD5 8ca144e725dd55a8d84356063601e495
SHA1 f8caea6612de2ccaf96af3e6bef9b00a1cc8544a
SHA256 35366dbcc73d80f27a7ec26aa51edcdbbbf3661e2dd0f816d2cb01a6f56b5c9a
SHA512 7a7280d58480fba66ec8eb470792802f956a4648b4f8e99c226f0168fed90eefd36fd9852849654e255b92edf63b1caf4c671869543954ec6c94195e0847658b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\3K\ReAgent.dll

MD5 3fbb3b9f0e329176dab69cd4ef3ae854
SHA1 47f76397bd216ed53baa71d134b46bc1704b4d3a
SHA256 e2c56c02ef93a2c3f6e148ae404c8e87d7c652df5426964a7c1c173dbcff35a1
SHA512 ae0fa4ee0810348806643295859af3d271182da446f46ca88e917f9692ad5d9addafd158a226dd6a8c663c4ab0b1195ad02ad6003d1fc581afe42dec05b4dc3d