Analysis Overview
SHA256
111f54973451fe3eeb32f033532386ce223afad2191c38669adb800ad4d7c197
Threat Level: Known bad
The file 2d2b4747c5304fd9be220c55c9b76d91 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 07:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 07:21
Reported
2024-01-02 13:03
Platform
win7-20231215-en
Max time kernel
181s
Max time network
19s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\jjGwJE1i\SystemPropertiesPerformance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\RbXwj\consent.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\62li4\DWWIN.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\jjGwJE1i\SystemPropertiesPerformance.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\RbXwj\consent.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\62li4\DWWIN.EXE | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1603059206-2004189698-4139800220-1000\\DQu\\consent.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\jjGwJE1i\SystemPropertiesPerformance.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\RbXwj\consent.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\62li4\DWWIN.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
(61 further process-enumeration events were reported with no description, indicator, process or target recorded)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d2b4747c5304fd9be220c55c9b76d91.dll,#1
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\jjGwJE1i\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\jjGwJE1i\SystemPropertiesPerformance.exe
C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
C:\Users\Admin\AppData\Local\RbXwj\consent.exe
C:\Users\Admin\AppData\Local\RbXwj\consent.exe
C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
C:\Users\Admin\AppData\Local\62li4\DWWIN.EXE
C:\Users\Admin\AppData\Local\62li4\DWWIN.EXE
Network
Files
memory/2916-0-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/2916-1-0x0000000000190000-0x0000000000197000-memory.dmp
memory/1264-4-0x0000000077536000-0x0000000077537000-memory.dmp
memory/1264-10-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-17-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-25-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-33-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-39-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-40-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-45-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-48-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-55-0x0000000002A80000-0x0000000002A87000-memory.dmp
memory/1264-47-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-57-0x0000000077741000-0x0000000077742000-memory.dmp
memory/1264-56-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-46-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-58-0x00000000778A0000-0x00000000778A2000-memory.dmp
memory/1264-44-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-43-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-42-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-67-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-41-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-37-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-73-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-38-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-36-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-35-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-34-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-32-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-31-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-30-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-29-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-28-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-27-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-26-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-24-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-23-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-22-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-21-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-20-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-19-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-18-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-16-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-15-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-14-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-13-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-12-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-11-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-9-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/2916-8-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-7-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1264-5-0x0000000002AA0000-0x0000000002AA1000-memory.dmp
memory/292-105-0x0000000001B40000-0x0000000001B47000-memory.dmp
memory/2932-126-0x0000000000180000-0x0000000000187000-memory.dmp
memory/1264-154-0x0000000077536000-0x0000000077537000-memory.dmp
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\IWo9c\SYSDM.CPL
| MD5 | c151a9e1a8b6320f06c2e87abab341dd |
| SHA1 | 55f648f9d0499fe4d92a0e8087bfb9a9f16ee82a |
| SHA256 | 18ed5f1daf58c0b84204fbb940441a22fa05628c5bcd86e4f8bd456f0726ad06 |
| SHA512 | 03630ca7efc3cb85ac507df7f3b83d3b920cdec8aefcbf8652c7da2220e43bfb7dd8c211340372e38d848d3830b0d1afb5dff90556953000ecb5b9fe4e77681c |
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1603059206-2004189698-4139800220-1000\DQu\WINSTA.dll
| MD5 | f38e5f714d7c44d9dd27e0eaf544a07a |
| SHA1 | 52555cc0046d3600c8c1b725960b1cfd128e7f80 |
| SHA256 | 4ce8dd45593d1cf601af4eaf188c30d0d15c0e69be0b487184681b32e9e86e88 |
| SHA512 | 2977f3e63a131a72a6cf318e83efee05b47111862bc5bffd9c12a19a64968e42cbdb109a5cac92edce39d90ad2368324a483404291c8eaf7656d188a02268c0a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\1fkYTk\wer.dll
| MD5 | c7a181f7c23f48ef8e63e66ac70d016c |
| SHA1 | ae30610ad7d06df7ed68b8d75ac03ef24b9c25fe |
| SHA256 | 3ca92c23a673cb6cf69086369fc1cca75df68aeb655251afb19a31a8afc2f1ec |
| SHA512 | dd58ccb8af4fb7874a1e52def4f695e41390d303d0ada317650b1bd5a3cbae12f86c513b02ae6ab81d1c708d372bf56ae0e632455b50db42fb7bcf32d5c6e067 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 07:21
Reported
2024-01-02 13:03
Platform
win10v2004-20231215-en
Max time kernel
158s
Max time network
177s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\wRx7DoG\MoUsoCoreWorker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\r0xXjaFZ\BdeUISrv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\sAOitd\Netplwiz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\wRx7DoG\MoUsoCoreWorker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\r0xXjaFZ\BdeUISrv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\sAOitd\Netplwiz.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\Ts2r6i4\\BdeUISrv.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\wRx7DoG\MoUsoCoreWorker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\r0xXjaFZ\BdeUISrv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\sAOitd\Netplwiz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
(60 further process-enumeration events were reported with no description, indicator, process or target recorded)
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3588 wrote to memory of 4544 | N/A | N/A | C:\Windows\system32\MoUsoCoreWorker.exe |
| PID 3588 wrote to memory of 4544 | N/A | N/A | C:\Windows\system32\MoUsoCoreWorker.exe |
| PID 3588 wrote to memory of 4316 | N/A | N/A | C:\Users\Admin\AppData\Local\wRx7DoG\MoUsoCoreWorker.exe |
| PID 3588 wrote to memory of 4316 | N/A | N/A | C:\Users\Admin\AppData\Local\wRx7DoG\MoUsoCoreWorker.exe |
| PID 3588 wrote to memory of 3976 | N/A | N/A | C:\Windows\system32\BdeUISrv.exe |
| PID 3588 wrote to memory of 3976 | N/A | N/A | C:\Windows\system32\BdeUISrv.exe |
| PID 3588 wrote to memory of 3332 | N/A | N/A | C:\Users\Admin\AppData\Local\r0xXjaFZ\BdeUISrv.exe |
| PID 3588 wrote to memory of 3332 | N/A | N/A | C:\Users\Admin\AppData\Local\r0xXjaFZ\BdeUISrv.exe |
| PID 3588 wrote to memory of 212 | N/A | N/A | C:\Windows\system32\Netplwiz.exe |
| PID 3588 wrote to memory of 212 | N/A | N/A | C:\Windows\system32\Netplwiz.exe |
| PID 3588 wrote to memory of 1760 | N/A | N/A | C:\Users\Admin\AppData\Local\sAOitd\Netplwiz.exe |
| PID 3588 wrote to memory of 1760 | N/A | N/A | C:\Users\Admin\AppData\Local\sAOitd\Netplwiz.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d2b4747c5304fd9be220c55c9b76d91.dll,#1
C:\Windows\system32\MoUsoCoreWorker.exe
C:\Windows\system32\MoUsoCoreWorker.exe
C:\Users\Admin\AppData\Local\wRx7DoG\MoUsoCoreWorker.exe
C:\Users\Admin\AppData\Local\wRx7DoG\MoUsoCoreWorker.exe
C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
C:\Users\Admin\AppData\Local\r0xXjaFZ\BdeUISrv.exe
C:\Users\Admin\AppData\Local\r0xXjaFZ\BdeUISrv.exe
C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
C:\Users\Admin\AppData\Local\sAOitd\Netplwiz.exe
C:\Users\Admin\AppData\Local\sAOitd\Netplwiz.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/3240-0-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3240-2-0x000002389D870000-0x000002389D877000-memory.dmp
memory/3240-1-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-5-0x0000000002790000-0x0000000002791000-memory.dmp
memory/3588-7-0x00007FFC0502A000-0x00007FFC0502B000-memory.dmp
memory/3588-8-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3240-9-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-10-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-11-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-12-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-13-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-14-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-16-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-15-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-17-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-18-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-19-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-20-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-21-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-22-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-23-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-24-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-25-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-26-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-27-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-28-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-29-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-31-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-32-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-30-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-33-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-35-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-34-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-37-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-38-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-36-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-39-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-40-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-41-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-42-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-43-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-44-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-45-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-46-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-47-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-48-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-50-0x0000000002680000-0x0000000002687000-memory.dmp
memory/3588-49-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-57-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-58-0x00007FFC05C00000-0x00007FFC05C10000-memory.dmp
memory/3588-67-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3588-69-0x0000000140000000-0x00000001401C9000-memory.dmp
C:\Users\Admin\AppData\Local\wRx7DoG\MoUsoCoreWorker.exe
| MD5 | 47c6b45ff22b73caf40bb29392386ce3 |
| SHA1 | 7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9 |
| SHA256 | cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0 |
| SHA512 | c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331 |
C:\Users\Admin\AppData\Local\wRx7DoG\XmlLite.dll
| MD5 | 2c7b54e23b01cd448dd8cf00814f4891 |
| SHA1 | 85c80f8d7248ff4da415e6b39b1eb69e547e8df1 |
| SHA256 | ceaccfd9c1aa55fbbca3bc8ef279191c77146ab848789fbc85427bbf005f8d65 |
| SHA512 | 96cfb586cb57b2c25cbe4dcb58215e9a2d3f13ad0e45556bb965353de223404832351886ecdc8a543af25194585449f467bc6bb614bdba9d3e76d9bb6d0f7a37 |
memory/4316-78-0x0000000140000000-0x00000001401CA000-memory.dmp
memory/4316-80-0x0000000140000000-0x00000001401CA000-memory.dmp
memory/4316-79-0x00000237951E0000-0x00000237951E7000-memory.dmp
memory/4316-85-0x0000000140000000-0x00000001401CA000-memory.dmp
C:\Users\Admin\AppData\Local\r0xXjaFZ\BdeUISrv.exe
| MD5 | 8595075667ff2c9a9f9e2eebc62d8f53 |
| SHA1 | c48b54e571f05d4e21d015bb3926c2129f19191a |
| SHA256 | 20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db |
| SHA512 | 080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88 |
C:\Users\Admin\AppData\Local\r0xXjaFZ\WTSAPI32.dll
| MD5 | 3771e2dc32d1fee4a103afe930297e20 |
| SHA1 | 20f814527e49fd3d557ada6994ebda3149510549 |
| SHA256 | 40a4d97dd6b5d8599a25ce9de37b31eddd958f776be46c3dc1d68f06883dff69 |
| SHA512 | 28abaaa116f91b19807b6758534811f0ed270d5c8c39ded9100f9618c932c68a8b571d831b0890d26ff736508218ac23702c07e4c7a5fda76432854e098baefd |
memory/3332-97-0x0000000140000000-0x00000001401CA000-memory.dmp
memory/3332-99-0x000002052FC20000-0x000002052FC27000-memory.dmp
memory/3332-104-0x0000000140000000-0x00000001401CA000-memory.dmp
C:\Users\Admin\AppData\Local\sAOitd\Netplwiz.exe
| MD5 | 520a7b7065dcb406d7eca847b81fd4ec |
| SHA1 | d1b3b046a456630f65d482ff856c71dfd2f335c8 |
| SHA256 | 8323b44b6e69f02356a5ab0d03a4fc87b953edcbd85c2b6281bf92bc0a3b224d |
| SHA512 | 7aea2810f38d1640d4aa87efbbe20783fe7b8e7f588864a3a384a37c91108d906abd89b235672608c98c46ed76db2b0039462098a1064ebe4108ec37b6087914 |
C:\Users\Admin\AppData\Local\sAOitd\NETPLWIZ.dll
| MD5 | 2e27c986169699b7cb0981916b66235d |
| SHA1 | 3c2dc4178c9c90ef47849db36ed1b1266f8d6f1b |
| SHA256 | 37007a300106e2ea7e995f57e280cd168db331225ee28df551526f42a3c28fd3 |
| SHA512 | 41e33f3e7aefa5f7c766cb2b6d2c6cb0de15725d8df9d78cfb8026aa5bda13721be2f405735edb3a8b36521d4dfd817bd00eb2cd8259f7a83ed4f74df92830c0 |
memory/1760-118-0x0000019D63210000-0x0000019D63217000-memory.dmp
memory/1760-115-0x0000000140000000-0x00000001401CA000-memory.dmp
memory/1760-125-0x0000000140000000-0x00000001401CA000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| MD5 | 883468e475f784f43aae645ae31ca580 |
| SHA1 | 2febdde2236320c7213631f6fd08dc17a0f4e4cd |
| SHA256 | 4f8e8403b4ae1f2322f21ff1929785a7392af396750afbd8e44b6c507a70ef1d |
| SHA512 | a55007108a2a7b2a233ed515ad7f538bb274e41f5ae17045748e95dbec548eddfdf0e269ff40d535448dd0ec4fafe4b533a96ba340ae337a9b3b64bf24c5324f |
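Hunting note. The pattern that repeats across both detonations is the one worth turning into a detection: rundll32 loads the sample DLL, a copy of a system32 binary (SystemPropertiesPerformance.exe, consent.exe, DWWIN.EXE on Windows 7; MoUsoCoreWorker.exe, BdeUISrv.exe, Netplwiz.exe on Windows 10) is executed from a random directory under AppData\Local with a DLL bearing a system DLL's name dropped beside it (XmlLite.dll, WTSAPI32.dll, NETPLWIZ.dll), and a Run value or Startup .lnk points back into the user profile. The report records the loads for the Windows 10 run only, and no command lines for the copied binaries, so the checks below work from image paths and registry writes alone. The Python below is an added example, not part of the sandbox report or of any vendor tooling: it assumes Sysmon-style process-create, image-load and registry-set events already parsed into dicts (the event shape, the `analyze` function and the `SYSTEM_BINARIES` allow-list are assumptions), and the sample events are constructed from the paths and Run values listed above.

```python
import ntpath
import re
from dataclasses import dataclass

# Basenames of the Windows binaries this sample copied out of system32 (taken
# from the process lists in the report). Assumption: a production rule would
# use the full set of signed system32 executables; this is the report's subset.
SYSTEM_BINARIES = {
    "systempropertiesperformance.exe", "consent.exe", "dwwin.exe",
    "mousocoreworker.exe", "bdeuisrv.exe", "netplwiz.exe",
}
# User-writable profile locations; also matches 8.3 short forms such as MICROS~1.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
# Where these binaries legitimately live.
SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\[^\\]+$", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str      # "masquerade", "sideload" or "persistence"
    subject: str   # pid, or the Run value name
    detail: str


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def analyze(events):
    """Three checks over a list of event dicts (constructed, Sysmon-like shape):
    masquerade   - a system32 binary name executed from outside system32
    sideload     - that binary loading a DLL from its own user-writable directory
    persistence  - a Run value whose data points into the user profile
    """
    findings = []
    procs = {}  # pid -> image path, so image loads can be tied to their process
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = ev["image"]
            name = ntpath.basename(ev["image"]).lower()
            if name in SYSTEM_BINARIES and not SYSTEM_DIR.match(ev["image"]):
                findings.append(Finding("masquerade", str(ev["pid"]),
                                        f"{name} executed from {_dir(ev['image'])}"))
        elif ev["type"] == "imageload":
            image = procs.get(ev["pid"], "")
            same_dir = _dir(ev["dll"]) == _dir(image)
            if (same_dir and USER_WRITABLE.match(image)
                    and ntpath.basename(image).lower() in SYSTEM_BINARIES):
                findings.append(Finding("sideload", str(ev["pid"]),
                                        f"{ntpath.basename(ev['dll'])} loaded from the binary's own directory"))
        elif ev["type"] == "registry":
            key = ev["key"].lower()
            # The report logs the data quoted with doubled backslashes; normalise it.
            target = ev["data"].strip('"').replace("\\\\", "\\")
            if "\\currentversion\\run\\" in key and USER_WRITABLE.match(target):
                findings.append(Finding("persistence", ntpath.basename(ev["key"]),
                                        f"Run value points to {target}"))
    return findings


# Constructed sample events, using the paths and Run values from the report.
SAMPLE_EVENTS = [
    # The genuine MoUsoCoreWorker.exe spawned first (pid 4544): must not fire.
    {"type": "process", "pid": 4544, "image": r"C:\Windows\system32\MoUsoCoreWorker.exe"},
    {"type": "imageload", "pid": 4544, "dll": r"C:\Windows\system32\XmlLite.dll"},
    # The copy under AppData\Local (pid 4316) and the DLL dropped beside it.
    {"type": "process", "pid": 4316, "image": r"C:\Users\Admin\AppData\Local\wRx7DoG\MoUsoCoreWorker.exe"},
    {"type": "imageload", "pid": 4316, "dll": r"C:\Users\Admin\AppData\Local\wRx7DoG\XmlLite.dll"},
    {"type": "process", "pid": 3332, "image": r"C:\Users\Admin\AppData\Local\r0xXjaFZ\BdeUISrv.exe"},
    {"type": "imageload", "pid": 3332, "dll": r"C:\Users\Admin\AppData\Local\r0xXjaFZ\WTSAPI32.dll"},
    # Run values from the Windows 7 and Windows 10 runs, as the report prints them.
    {"type": "registry",
     "key": r"\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj",
     "data": r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1603059206-2004189698-4139800220-1000\\DQu\\consent.exe"'},
    {"type": "registry",
     "key": r"\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj",
     "data": r'"C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\Ts2r6i4\\BdeUISrv.exe"'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

The masquerade check alone is noisy on hosts where users legitimately copy tools around; the sideload correlation (system binary name plus a same-directory DLL load from a user-writable path) is the high-confidence signal, and the persistence check ties it to what survives a reboot. Run the real thing against Sysmon event IDs 1, 7 and 13, and extend `SYSTEM_BINARIES` to the full signed contents of system32 rather than the six names this sample happened to abuse.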