Malware Analysis Report

2024-11-30 21:29

Sample ID 231231-ejl3naebbk
Target 273114cbb08b140722dca5515d2c00f5
SHA256 bc04a31d7992ac28acf117baa81b425dc1f77430c0f00e4654a63b5e4d9641b6
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bc04a31d7992ac28acf117baa81b425dc1f77430c0f00e4654a63b5e4d9641b6

Threat Level: Known bad

The file 273114cbb08b140722dca5515d2c00f5 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 03:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 03:58

Reported

2024-01-02 03:55

Platform

win7-20231215-en

Max time kernel

150s

Max time network

127s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\273114cbb08b140722dca5515d2c00f5.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\hkjkFIKF\osk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FYI\UI0Detect.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\O8PI9a\rekeywiz.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\GL3OE5~1\\UI0DET~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\hkjkFIKF\osk.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\FYI\UI0Detect.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\O8PI9a\rekeywiz.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1240 wrote to memory of 1652 N/A N/A C:\Windows\system32\osk.exe
PID 1240 wrote to memory of 1652 N/A N/A C:\Windows\system32\osk.exe
PID 1240 wrote to memory of 1652 N/A N/A C:\Windows\system32\osk.exe
PID 1240 wrote to memory of 344 N/A N/A C:\Users\Admin\AppData\Local\hkjkFIKF\osk.exe
PID 1240 wrote to memory of 344 N/A N/A C:\Users\Admin\AppData\Local\hkjkFIKF\osk.exe
PID 1240 wrote to memory of 344 N/A N/A C:\Users\Admin\AppData\Local\hkjkFIKF\osk.exe
PID 1240 wrote to memory of 2740 N/A N/A C:\Windows\system32\UI0Detect.exe
PID 1240 wrote to memory of 2740 N/A N/A C:\Windows\system32\UI0Detect.exe
PID 1240 wrote to memory of 2740 N/A N/A C:\Windows\system32\UI0Detect.exe
PID 1240 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\FYI\UI0Detect.exe
PID 1240 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\FYI\UI0Detect.exe
PID 1240 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\FYI\UI0Detect.exe
PID 1240 wrote to memory of 2492 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1240 wrote to memory of 2492 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1240 wrote to memory of 2492 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1240 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\O8PI9a\rekeywiz.exe
PID 1240 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\O8PI9a\rekeywiz.exe
PID 1240 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\O8PI9a\rekeywiz.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\273114cbb08b140722dca5515d2c00f5.dll

C:\Windows\system32\osk.exe

C:\Windows\system32\osk.exe

C:\Users\Admin\AppData\Local\hkjkFIKF\osk.exe

C:\Users\Admin\AppData\Local\hkjkFIKF\osk.exe

C:\Windows\system32\UI0Detect.exe

C:\Windows\system32\UI0Detect.exe

C:\Users\Admin\AppData\Local\FYI\UI0Detect.exe

C:\Users\Admin\AppData\Local\FYI\UI0Detect.exe

C:\Windows\system32\rekeywiz.exe

C:\Windows\system32\rekeywiz.exe

C:\Users\Admin\AppData\Local\O8PI9a\rekeywiz.exe

C:\Users\Admin\AppData\Local\O8PI9a\rekeywiz.exe

Network

N/A

Files

\Users\Admin\AppData\Local\hkjkFIKF\OLEACC.dll

MD5 c061ac514472ae897cdb8c7c108ce188
SHA1 421c387fe77d931d9dc16f64d2cd071a9beb32fc
SHA256 c8703b32ac7823f6f86d854dd196c548cc1f0abe62becbc63341c151ec13a789
SHA512 4da26cf5422f8df87f4a9dc89869ee0f946708286da16fb2fb7ef7315a2529a8bb3d808339304101833feaacd14b7e45a70e4b4fe14f9bfd754c97cbc52d41ec

C:\Users\Admin\AppData\Local\hkjkFIKF\osk.exe

MD5 b918311a8e59fb8ccf613a110024deba
SHA1 a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b
SHA256 e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353
SHA512 e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

C:\Users\Admin\AppData\Local\FYI\VERSION.dll

MD5 c5ed2d6d59b0623978a07cadc91ca72d
SHA1 de46ee6eb1a9d81133d0b46b270d4326aa815467
SHA256 8ed3349d634b81acabb15661563e685d87446f9d78211f8d54a9c0cda4a7ac8e
SHA512 1a4010964a5c07c297af361e6ca73128526b3236d5e5db63f448fee98a1dcf74f622dc66e4b8d4d3816ceca8513a8988c3aee35e4d157fc93d6efb9545a6afc8

C:\Users\Admin\AppData\Local\FYI\UI0Detect.exe

MD5 3cbdec8d06b9968aba702eba076364a1
SHA1 6e0fcaccadbdb5e3293aa3523ec1006d92191c58
SHA256 b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b
SHA512 a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

\Users\Admin\AppData\Local\O8PI9a\rekeywiz.exe

MD5 767c75767b00ccfd41a547bb7b2adfff
SHA1 91890853a5476def402910e6507417d400c0d3cb
SHA256 bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395
SHA512 f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

C:\Users\Admin\AppData\Local\O8PI9a\slc.dll

MD5 cfa3257523844f78a6f031dfbdf9e2e8
SHA1 091921fc010cc8840e216b926f95408c18152938
SHA256 f3206fc7474533850e5114c3c648b6d1d1b6c25990467023a6d4b6455b1397c6
SHA512 39ec61d2000624b3d92240458a06268bc96e50370caf50c241c18dcd14dc1b4e723f0a420a0a148240897795b7f4675e458c5b6855fcefbce094cda0fe3f9191

\Users\Admin\AppData\Local\O8PI9a\slc.dll

MD5 9fbd89bc2ae2c373cd8eda369592bf77
SHA1 ba12161e1c104efa96e5311b15d0c47ca640c88f
SHA256 ec1e5cd455396ffe4e67fcbb3a1ce84554b5027f1839622ee030285d72243f16
SHA512 c4e8e63b38cc91ea3d07f07950fe457c01f60e358a402489d06f4bb400f6fd4dc3b89e76d7ebcf3cb33a656081040b9fa57eb9ac65600426eda5c5939ab25a84

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 068b8cdc13b0b471766ba3603c9b9ccf
SHA1 c1a6f8ab2430b5eca6bce1159a42d4e3b51c3988
SHA256 ee0fa52308aa7e64ccb6bac42ddf1afb47a1358e20e46fa15177f20cfc2d5387
SHA512 995a756cde6e539073fab555185899e909393e28f92a5a5cbe8bfee5ee88dfa6db39ca273e55fb73f2e551e98a9af9283c6fda81ba814ea12fb0ab02242507f9

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 03:58

Reported

2024-01-02 03:55

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

155s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\273114cbb08b140722dca5515d2c00f5.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\uKYcp2XXfA\\sppsvc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Of6\ie4uinit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\WLot\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\bgbP3\phoneactivate.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3352 wrote to memory of 2368 N/A N/A C:\Windows\system32\ie4uinit.exe
PID 3352 wrote to memory of 2368 N/A N/A C:\Windows\system32\ie4uinit.exe
PID 3352 wrote to memory of 4548 N/A N/A C:\Users\Admin\AppData\Local\Of6\ie4uinit.exe
PID 3352 wrote to memory of 4548 N/A N/A C:\Users\Admin\AppData\Local\Of6\ie4uinit.exe
PID 3352 wrote to memory of 4940 N/A N/A C:\Users\Admin\AppData\Local\WLot\sppsvc.exe
PID 3352 wrote to memory of 4940 N/A N/A C:\Users\Admin\AppData\Local\WLot\sppsvc.exe
PID 3352 wrote to memory of 3664 N/A N/A C:\Windows\system32\phoneactivate.exe
PID 3352 wrote to memory of 3664 N/A N/A C:\Windows\system32\phoneactivate.exe
PID 3352 wrote to memory of 3136 N/A N/A C:\Users\Admin\AppData\Local\bgbP3\phoneactivate.exe
PID 3352 wrote to memory of 3136 N/A N/A C:\Users\Admin\AppData\Local\bgbP3\phoneactivate.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\273114cbb08b140722dca5515d2c00f5.dll

C:\Windows\system32\ie4uinit.exe

C:\Windows\system32\ie4uinit.exe

C:\Users\Admin\AppData\Local\Of6\ie4uinit.exe

C:\Users\Admin\AppData\Local\Of6\ie4uinit.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\WLot\sppsvc.exe

C:\Users\Admin\AppData\Local\WLot\sppsvc.exe

C:\Windows\system32\phoneactivate.exe

C:\Windows\system32\phoneactivate.exe

C:\Users\Admin\AppData\Local\bgbP3\phoneactivate.exe

C:\Users\Admin\AppData\Local\bgbP3\phoneactivate.exe

Network

Files

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

MD5 c7b7ce074d30cfc2d53f18209580b96e
SHA1 bfa587bef74e8d329bd134f442b672e3016759b8
SHA256 1301a829c558c5403e9433651ca1018dafb041e5ea162f32a5620ef34c1f09f4
SHA512 b1dd556710e4621c3d9855738969ec52fc1cd60f87086658406c528886bb61df36cc7e27a82b03faad50c52a47964044f65f57fd0e78efbb07dc4179cebd5cdb

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\87fawzpPP\VERSION.dll

MD5 dfa751dc1e615179103ccadf568b0dbe
SHA1 eae3d694868629a1323b28d66b1d71ff92c90afd
SHA256 0e3ab2171fed46969a0c6240da01e888e06edd5f883e7232cb16c2a885c6fe4c
SHA512 19f89b4aa47167b063b01058a24c4156e8fcd5a563a1063185a515c9711aeaf2b5dc0cedd2d75fc3f7d7396f0b4695022a6e600dcbb4e372d17a55c0c73139c6

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\uKYcp2XXfA\XmlLite.dll

MD5 e5a8e8a9af47d5c4f5bf97eea56c6dc8
SHA1 97745b68e1b9bc54f83ff9edc769d888a4d8f37c
SHA256 3f7e084470ee53aa555a3f94f3255c3d3c4d78b0745b8c802cf55e4ae545023f
SHA512 af9bb2742a4654a50bf6b5c2efc08ed4adaf9e1bdc2f8e29d5dd64e5e7eb915e18f2ac28e26caf8cb205b35c05c18a8afdc1684f6320bba28f8d753d95203f49

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\ufYCjpQF\SLC.dll

MD5 12e3b286235e9248759772b69dc85660
SHA1 42d39811f67ec41ca76ee6661741969fdac51944
SHA256 4c0098625650273a43a7384bdc349ec46d9b53f52bd645e898bafe701151076d
SHA512 c0f2d2f68055a8425a7a946f4f7471168e92960ea13afc53c5be6376dea3dcbed6b0c83a8b8bfd9516f4c2200ef262d8002aaadbcdc550560409a942c573e970