Malware Analysis Report

2024-11-30 21:45

Sample ID 231231-ra7dfshefp
Target 38f8f403c494cd304763615d922a67fb
SHA256 60df94d0fa102fe714906ec53efafa0308a79d6caf9e8688edc8525123a7b1e3
Tags: dridex, botnet, evasion, payload, persistence, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 60df94d0fa102fe714906ec53efafa0308a79d6caf9e8688edc8525123a7b1e3

Threat Level: Known bad

The file 38f8f403c494cd304763615d922a67fb was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Dridex payload

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

The Enterprise Matrix V15 mapping listed in the table of contents was not captured in this export; technique coverage has to be read off the signature names in the behavioral sections below.

Analysis: static1

Detonation Overview

Reported

2023-12-31 14:00

Signatures

Unsigned PE: 1 hit; no indicator detail exported. The submitted DLL carries no Authenticode signature.

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 14:00

Reported

2024-01-05 14:25

Platform

win7-20231129-en

Max time kernel

144s

Max time network

124s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\38f8f403c494cd304763615d922a67fb.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode (botnet, payload): 1 hit; no indicator detail exported.

Dridex payload (botnet, payload): 11 hits; no indicator detail exported.

Loads dropped DLL

7 hits. The three that record a loading process are all copies of Windows binaries that the sample placed under AppData\Local; the dropped DLL sitting next to each copy is listed under Files:

C:\Users\Admin\AppData\Local\CUST\isoburn.exe (with CUST\UxTheme.dll)
C:\Users\Admin\AppData\Local\AGLuh\DisplaySwitch.exe (with AGLuh\slc.dll)
C:\Users\Admin\AppData\Local\y6G5\spinstall.exe (with y6G5\VERSION.dll)

The remaining four hits have no process recorded.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\QBMIs\\DisplaySwitch.exe" N/A N/A

The Run value points at a DisplaySwitch.exe copy under SystemCertificates\My\CRLs\QBMIs. Only the companion QBMIs\slc.dll appears in the Files list; the executable the value launches was not captured in this export, so a hunt should key on the directory name and the value name rather than on a file hash.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\CUST\isoburn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\AGLuh\DisplaySwitch.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\y6G5\spinstall.exe N/A

Suspicious behavior: EnumeratesProcesses

64 hits: 3 in C:\Windows\system32\regsvr32.exe, 2 in C:\Users\Admin\AppData\Local\CUST\isoburn.exe, and 59 with no process recorded.

Suspicious use of WriteProcessMemory

Writer PID Target PID Target process Write events
1376 2444 C:\Windows\system32\isoburn.exe 3
1376 2464 C:\Users\Admin\AppData\Local\CUST\isoburn.exe 3
1376 3048 C:\Windows\system32\DisplaySwitch.exe 3
1376 2692 C:\Users\Admin\AppData\Local\AGLuh\DisplaySwitch.exe 3
1376 2820 C:\Windows\system32\spinstall.exe 3
1376 2648 C:\Users\Admin\AppData\Local\y6G5\spinstall.exe 3

All 18 writes come from one process, PID 1376, which has no command line of its own in the Processes list below. Under Files the sandbox attributes to it repeated dumps of an image mapped at 0x0000000140000000-0x00000001400D4000 (memory/1376-*), while the earliest dumps (memory/2176-0, memory/2176-1) come from a different PID, so the writes are made by a process the loader had already moved into rather than by the regsvr32.exe host directly. Each of the three Windows binaries is targeted twice: once as the System32 original and once as the copy under AppData\Local that goes on to load the dropped DLL (see Loads dropped DLL). Only the copies (PIDs 2464, 2692, 2648) have memory dumps in Files; the System32 originals (2444, 3048, 2820) have none.
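
The write events above are easier to reason about as a graph than as eighteen rows. The Python below is an editor's example, not output of the sandbox or part of this report: it rebuilds that graph from the exported rows, collapsing repeated writes per writer/target, reading off which PIDs have memory dumps in the Files section, and pairing each System32 original with the copy of the same basename. The rows and dump names are copied from this report; treating a same-named binary outside System32 as the side-loading host is the editor's assumption.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Rows constructed from the "Suspicious use of WriteProcessMemory" table above,
# one line per write event exactly as the sandbox exported them.
WPM_ROWS = """
PID 1376 wrote to memory of 2444 N/A N/A C:\\Windows\\system32\\isoburn.exe
PID 1376 wrote to memory of 2444 N/A N/A C:\\Windows\\system32\\isoburn.exe
PID 1376 wrote to memory of 2444 N/A N/A C:\\Windows\\system32\\isoburn.exe
PID 1376 wrote to memory of 2464 N/A N/A C:\\Users\\Admin\\AppData\\Local\\CUST\\isoburn.exe
PID 1376 wrote to memory of 2464 N/A N/A C:\\Users\\Admin\\AppData\\Local\\CUST\\isoburn.exe
PID 1376 wrote to memory of 2464 N/A N/A C:\\Users\\Admin\\AppData\\Local\\CUST\\isoburn.exe
PID 1376 wrote to memory of 3048 N/A N/A C:\\Windows\\system32\\DisplaySwitch.exe
PID 1376 wrote to memory of 3048 N/A N/A C:\\Windows\\system32\\DisplaySwitch.exe
PID 1376 wrote to memory of 3048 N/A N/A C:\\Windows\\system32\\DisplaySwitch.exe
PID 1376 wrote to memory of 2692 N/A N/A C:\\Users\\Admin\\AppData\\Local\\AGLuh\\DisplaySwitch.exe
PID 1376 wrote to memory of 2692 N/A N/A C:\\Users\\Admin\\AppData\\Local\\AGLuh\\DisplaySwitch.exe
PID 1376 wrote to memory of 2692 N/A N/A C:\\Users\\Admin\\AppData\\Local\\AGLuh\\DisplaySwitch.exe
PID 1376 wrote to memory of 2820 N/A N/A C:\\Windows\\system32\\spinstall.exe
PID 1376 wrote to memory of 2820 N/A N/A C:\\Windows\\system32\\spinstall.exe
PID 1376 wrote to memory of 2820 N/A N/A C:\\Windows\\system32\\spinstall.exe
PID 1376 wrote to memory of 2648 N/A N/A C:\\Users\\Admin\\AppData\\Local\\y6G5\\spinstall.exe
PID 1376 wrote to memory of 2648 N/A N/A C:\\Users\\Admin\\AppData\\Local\\y6G5\\spinstall.exe
PID 1376 wrote to memory of 2648 N/A N/A C:\\Users\\Admin\\AppData\\Local\\y6G5\\spinstall.exe
"""

# One dump name per PID, taken from the behavioral1 Files section; only the PID prefix is used.
DUMP_NAMES = [
    "memory/2176-0-0x000007FEF70F0000-0x000007FEF71C4000-memory.dmp",
    "memory/1376-17-0x0000000140000000-0x00000001400D4000-memory.dmp",
    "memory/2464-55-0x000007FEF7150000-0x000007FEF7225000-memory.dmp",
    "memory/2692-77-0x000007FEF6AC0000-0x000007FEF6B95000-memory.dmp",
    "memory/2648-92-0x00000000000E0000-0x00000000000E7000-memory.dmp",
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A N/A (\S.*)$")
DUMP_RE = re.compile(r"^memory/(\d+)-")


def parse_wpm(text):
    """Turn the exported rows into (writer_pid, target_pid, target_image) triples."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m[1]), int(m[2]), m[3]))
    return events


def dumped_pids(dump_names):
    """PIDs the sandbox dumped memory from, read off the memory/<pid>-<n>-... names."""
    pids = set()
    for name in dump_names:
        m = DUMP_RE.match(name)
        if m:
            pids.add(int(m[1]))
    return pids


def summarize_injection(events, dumps):
    """Collapse repeated write events into one record per (writer, target), note which
    targets the sandbox dumped, and pair each System32 original with the copy of the
    same basename living outside System32 (assumed to be the DLL side-loading host)."""
    writes = Counter((w, t) for w, t, _ in events)
    image = {(w, t): img for w, t, img in events}
    targets = []
    for (w, t), n in sorted(writes.items(), key=lambda kv: kv[0][1]):
        p = PureWindowsPath(image[(w, t)])
        targets.append({
            "writer": w,
            "target": t,
            "image": str(p),
            "basename": p.name.lower(),
            "writes": n,
            "in_system32": p.parent.as_posix().lower().endswith("/windows/system32"),
            "dumped": t in dumps,
        })
    pairs = defaultdict(dict)
    for rec in targets:
        pairs[rec["basename"]]["original" if rec["in_system32"] else "copy"] = rec["target"]
    writers = sorted({r["writer"] for r in targets})
    return {
        "writers": writers,
        # a writer with dumps of its own is where the injected image can be pulled from
        "writers_dumped": [w for w in writers if w in dumps],
        "targets": targets,
        "sideload_pairs": {k: v for k, v in pairs.items() if {"original", "copy"} <= set(v)},
    }


if __name__ == "__main__":
    summary = summarize_injection(parse_wpm(WPM_ROWS), dumped_pids(DUMP_NAMES))
    for rec in summary["targets"]:
        print(f"{rec['writer']} -> {rec['target']:<5} x{rec['writes']} "
              f"{'dumped' if rec['dumped'] else 'no dump':<8} {rec['image']}")
    print("side-load pairs:", summary["sideload_pairs"])
```

The same parser works on any export in this row format; the point of the `dumped` flag is that an analyst looking for the injected code should pull the copies' dumps (2464, 2692, 2648) and the writer's 0x0000000140000000 region, because the System32 originals were never dumped.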

Uses Task Scheduler COM API (persistence): no indicator detail exported.

Processes

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\38f8f403c494cd304763615d922a67fb.dll

Each Windows binary below is launched first from System32 and then as a copy in a per-sample directory under AppData\Local. The export prints every process path twice (image path and command line, which for these hosts is just the path); the duplicates are collapsed here.

C:\Windows\system32\isoburn.exe
C:\Users\Admin\AppData\Local\CUST\isoburn.exe
C:\Windows\system32\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\AGLuh\DisplaySwitch.exe
C:\Windows\system32\spinstall.exe
C:\Users\Admin\AppData\Local\y6G5\spinstall.exe

Network

No network activity was recorded in this run.

Files

Memory dumps (memory/<pid>-<n>-<start>-<end>-memory.dmp), grouped by region:

memory/2176-0, 2176-41: 0x000007FEF70F0000-0x000007FEF71C4000
memory/2176-1: 0x00000000002B0000-0x00000000002B7000
memory/1376-3: 0x00000000777B6000-0x00000000777B7000
memory/1376-4: 0x0000000002AA0000-0x0000000002AA1000
memory/1376-6 to 1376-19, 1376-27, 1376-38, 1376-40: 0x0000000140000000-0x00000001400D4000 (17 dumps of the same 0xD4000-byte region)
memory/1376-26: 0x0000000002A80000-0x0000000002A87000
memory/1376-28: 0x0000000077B20000-0x0000000077B22000
memory/1376-29: 0x0000000077B50000-0x0000000077B52000

\Users\Admin\AppData\Local\CUST\UxTheme.dll

MD5 50248e684c39232cd0591e1259effbe7
SHA1 72ad275a31e69ec2b760b9ca657c50d4e7467190
SHA256 144bafeefb96fcc5e9a5b91e1e5fbb06378c94383295dcb4d0fbd8dfc831f6dc
SHA512 aeab1658acaa4b97524fc4d1437cd937f0159403227785d52c09f8ed5c204f24954dc5f90fd0fdc3e0df059abe97fd01c8e3e62510a8bb68bd6db038a9b5dd98

memory/2464-55-0x000007FEF7150000-0x000007FEF7225000-memory.dmp

memory/2464-57-0x0000000000100000-0x0000000000107000-memory.dmp

memory/2464-60-0x000007FEF7150000-0x000007FEF7225000-memory.dmp

C:\Users\Admin\AppData\Local\CUST\isoburn.exe

MD5 f8051f06e1c4aa3f2efe4402af5919b1
SHA1 bbcf3711501dfb22b04b1a6f356d95a6d5998790
SHA256 50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a
SHA512 5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

C:\Users\Admin\AppData\Local\CUST\UxTheme.dll

MD5 feb6b432629f2cfe22505ad3f7c62ef0
SHA1 4ad8b7f2ff1475d1f70773619c0dd2536c30d147
SHA256 6afe2a2a0ad0d80d3c15606af40010ccc58d00f8118d3a21288ffad7607fea47
SHA512 8933ea54369146c18f435a719c8525334d5f0c061e649029f324fc190727bab945f60957fea0a2ba9a9d5b1854a06bd30ecd07624e3daefff94084956dbfd9a2

C:\Users\Admin\AppData\Local\AGLuh\DisplaySwitch.exe

MD5 3022e575cb03c376d8c6db479c2a8e2b
SHA1 9e3473dd1a6aca74f676038871ee326c311647b8
SHA256 4eaae0b8bf8400389de0f9f863c7d6174f7c6fb9b837b275b9f17e5ba4459285
SHA512 707371ea1d532b26515747304af7496bb0ef4a98fbba44eafe387f991b5823221c51b0c3c09baea2d2d196c6e1333972116a868e5e6a72bb5d73d967a4e37326

memory/2692-77-0x000007FEF6AC0000-0x000007FEF6B95000-memory.dmp

memory/2692-75-0x0000000000180000-0x0000000000187000-memory.dmp

memory/1376-74-0x00000000777B6000-0x00000000777B7000-memory.dmp

memory/2692-72-0x000007FEF6AC0000-0x000007FEF6B95000-memory.dmp

\Users\Admin\AppData\Local\AGLuh\slc.dll

MD5 fbaed2cca816e25e61de1a9ddfd9c205
SHA1 ff1de9a3ffb3e796c79939b33502434f37d770bf
SHA256 9b4f1eadd9b1f525f486f587b72ed319f3146c653a2ff7d64cf92e015ad51d97
SHA512 08f45acf4a2bf6c635f7f31c46ee168c15a65c830e969f5439b016f5c26eb21ea2856bd0ba4625157ebea2a88620682ed44d2deb6643a4231764bea3ccffe67f

C:\Users\Admin\AppData\Local\AGLuh\slc.dll

MD5 b183ba330074484594294168dc3e3f7c
SHA1 92f992a31eb45f47a764b7cc04ba767a9eccf554
SHA256 5853c01bcf74a5d079659acab8fad71509e8cc5349bdb368d8a707724e121a5e
SHA512 547c39c2a54aea6d6661413ab49d09f8b09a930bac872b65c408b22ad9a93cb0332282fbcfa627b45f32020585b37fc99b136b7394d25449a07135225d9f31ec

\Users\Admin\AppData\Local\AGLuh\DisplaySwitch.exe

MD5 00a8af9951e0475f880898587cb8dc9d
SHA1 86f7c2832adb08ac6f72659a262cb05339d73dd1
SHA256 4dc90332391bec21c16a0584093783ab3efdb1e8f3c8ccdc2492e6f6e9954131
SHA512 c2700b0890bc1e7c015de5f23067cbb84025a28a509ae2b391814375d97a7490689f7d3ad5410c1999b79b888592dc2b3212db8f8b4524af13e870c595484e73

C:\Users\Admin\AppData\Local\AGLuh\DisplaySwitch.exe

MD5 91dc004f6ac7ed5986f4068500f0cbbc
SHA1 a93b8662ff69301319fd2e0b770f135e3dddcb16
SHA256 140348291d2dff91be0ddb57b2efff572753ceb713c048753e67c3ec335d7883
SHA512 1efc2dcd91dd89ab8a4b6e0c05c4bea1ab5a43863cad1bb4656be03201eac523566a04af38b49cb3c54f1d6642ac07aefbcbe38f4f0c6d8be04a4d245e9bf4b6

\Users\Admin\AppData\Local\y6G5\spinstall.exe

MD5 337ad813cbf12ae44d92b3942a0b0f26
SHA1 6286367360e2dede3cceff1ca8332ffe47c2cdfd
SHA256 e3586c60c509eb97a522c611837ca908f3f6075d17e47b67af5b72a98df60515
SHA512 eb7d77f7ca8e78daa326c33cf702327aafa4d39e41e91ac57026331bdbee07f64cafa16f109e8bd2358c2228f57ccd2071c824b449e7a9d36e0a6b91078f681f

memory/2648-92-0x00000000000E0000-0x00000000000E7000-memory.dmp

memory/2648-94-0x000007FEF6AC0000-0x000007FEF6B95000-memory.dmp

\Users\Admin\AppData\Local\y6G5\VERSION.dll

MD5 178e42ce54404a2e334b04ad3eb7e495
SHA1 bb8ec96650ce5d40d9b8e315b759854308de34d8
SHA256 fd98fb27176cfc7ff946cb14d19abdd84f6f6d99141f871052b40993ec5e64c3
SHA512 41ddae55dad0493fa210347b71fd09199cd636b6603c1bc316db5871d5c2dffb4794d7e1f78a2d919fb10ff8af084dd8a841a67fe5ccbd7ee823e8129ae598b0

C:\Users\Admin\AppData\Local\y6G5\VERSION.dll

MD5 0a680b8854d1444fc6b84adc92796ea3
SHA1 44796311dfef6b1299cf20c826039ef96d1f96a1
SHA256 dd2bf1f6bcb5339fddbbf25a7b560a1ab7422f2e01a523d6ef94cd253867f683
SHA512 0ca41a613ca56fc62e6e222053790d2137c1d09ab57aa4b5c74cc3bda8c5db7be48f51ffd2ef71297b39ad8607a8ae1920f2b51a9b9710641289d878e306327b

C:\Users\Admin\AppData\Local\y6G5\spinstall.exe

MD5 d75d8b18ab57ebf060dc40ddeda83196
SHA1 626c510561ae8662c14a5b0ec0c51c29c0b5b769
SHA256 266f9a0cc86fef8a52a2443096a60976a3d05f958f89405de64196c4156f1aeb
SHA512 df4c4708e7de657a6d1773008a1778fbf7405a16bd8622549874a0647f7f36d1bbe375882ab716ca31e8481b414bc3b0f3cf90502db50c1854f0576bc43a2acc

C:\Users\Admin\AppData\Local\y6G5\spinstall.exe

MD5 53d2c0776e6a005fb5e82791850181fb
SHA1 14898bf52d4e5b789be4af96995b144bfb4039e4
SHA256 508cecd471b6ed3bea318744b2e7952ed2a68de303c2a4350e2ebc91fa52c49e
SHA512 27c6bb7e0e6cc867fb7424d64c0d977b9388ca73da6b3d197ce633ee65a3b7aaede3400c641d60b8a8c89281170ae3dd3c1436443a01db0a60e23043e1da09f6

\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\ZIwBy1N6wuL\spinstall.exe

MD5 b99369e32a53bba7194eb3127639022e
SHA1 91b871c330fbac870a7a55a9907f750f4cd6de18
SHA256 78ede9d0e06d43711f75e71ecc43415745edfc35d43e43e51626350497726eb9
SHA512 33e349278de65eecc6e7a25204fb050c893138c896e056379c1a875741a4889c2953ddca0fe01fc1f1a7bb53ca179664d68f9ec94bd016dc5b3f36d3e172b507

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

MD5 e90b35555813cf089261a04fa50ac51f
SHA1 d54af25407400f98f90d99268f898ec1ca2a29bd
SHA256 ada27f28f9c5b603e3e6aa2d8307cefe0cc03fb17d4e2f0c5e8517bf8447b122
SHA512 7297ed7bc676a65b336523389818390aa320dcdf3fa0766476863c14b12779e8bcdc5e2222f1cf0629a09fb92a5f83bce4b77501f3dc35f23685b868a9b98f51

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\OmTB9\UxTheme.dll

MD5 f8202aa272de4ac3f58679c78f445892
SHA1 00a36c2e9e26356fc7cc7e6a69e3980bfe806f3d
SHA256 53cf7ac7ef5442d265e35849487e89964cd33492133d07d5340238f2a153c077
SHA512 6804d4542d64e662357b593f961fda2e689d0925c963b999ac3793d8c41c089a120573e178da96d8391ef60b578d6b77ca94610108ab012d96214d0c842ca315

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\QBMIs\slc.dll

MD5 5e861e2d087dac8f23b2c8eac1bc26c9
SHA1 011b32062245e098274622f0bba785384dfad47c
SHA256 f71cf158ea837e07202f91d37f4e732980db743cc77bca70a626b3d9a0a77c32
SHA512 4915add0ee87b62839543ddb4c882d79fa7b18b27fd809e8dcf104e44dd7b1b093abec989601f291c3163bcd69debd4f8fe856b7a596bf3c86d19a6dffa9d0c1

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\ZIwBy1N6wuL\VERSION.dll

MD5 15ad0c727ad8fb6c7b02325c330639fd
SHA1 da616d22d06bed95a8325db7699427dac88b4515
SHA256 d4e13a528b52517485d900910ac07e7f8acafafc2b29f0504fb4686b571c5aea
SHA512 3316730e4d1fa33b580ca11bfa97aea694c36366b3d8a9e6f231a8c79b06ccb2209ff46fbcddd7f8ec2143e00165999d4fc0442c040054a8f5436fec3a091829

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 14:00

Reported

2024-01-05 14:37

Platform

win10v2004-20231215-en

Max time kernel

2s

Max time network

124s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\38f8f403c494cd304763615d922a67fb.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode (botnet, payload): 1 hit; no indicator detail exported.

Dridex payload (botnet, payload): 11 hits; no indicator detail exported.

Suspicious behavior: EnumeratesProcesses

4 hits, all in C:\Windows\system32\regsvr32.exe.

Processes

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\38f8f403c494cd304763615d922a67fb.dll

As in the Windows 7 run, each Windows binary is launched from System32 and then as a copy in a per-sample directory under AppData\Local (duplicate path/command-line lines collapsed):

C:\Windows\system32\msinfo32.exe
C:\Users\Admin\AppData\Local\eN0\msinfo32.exe
C:\Windows\system32\osk.exe
C:\Users\Admin\AppData\Local\erGfzyXY\osk.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\CDUkQ2\SystemPropertiesPerformance.exe

No Run key, UAC check, Loads dropped DLL or WriteProcessMemory signature fired in this run (Max time kernel is reported as 2s, against 144s for the Windows 7 run), yet the Files list below shows the same side-loading layout (eN0\SLC.dll, erGfzyXY\WINMM.dll, CDUkQ2\SYSDM.CPL) and a Startup-folder shortcut (Udjzqp.lnk). Treat the missing signatures as a gap in monitoring coverage, not as absence of the behaviour.

Network

Country Destination Domain Proto
US 20.231.121.79:80 - tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 96.17.178.205:80 - tcp
NL 52.142.223.178:80 - tcp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp

The only flows the sandbox could not label with a domain are the three plain-HTTP connections to 20.231.121.79, 96.17.178.205 and 52.142.223.178. The 14 PTR lookups and the tse1.mm.bing.net traffic are ordinary Windows 10 background activity and should not be promoted to indicators. The report does not attribute any of the three connections to the sample's processes, so they stay unconfirmed until the capture itself is inspected.
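
Separating background traffic from the rows that matter is mechanical, and worth scripting when the same sandbox produces many such tables. The Python below is an editor's example, not part of the report: it parses the table as exported, turns the PTR names back into the addresses that were looked up, and splits the rows into reverse lookups, known background traffic and unlabelled candidate connections. The allowlist (bing.net plus DNS to 8.8.8.8) is an assumption to be tuned to the sandbox image in use.

```python
import ipaddress
import re

# Rows constructed from the Network table above: country, ip:port, optional domain, protocol.
NETWORK_ROWS = """
US 20.231.121.79:80 tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 96.17.178.205:80 tcp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)

# Assumed allowlist of sandbox/OS background destinations; extend it for your own images.
BACKGROUND_SUFFIXES = (".bing.net",)
RESOLVERS = {"8.8.8.8"}


def parse_rows(text):
    """Parse the exported table into dicts with cc, ip, port, domain (or None) and proto."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def ptr_name_to_ip(name):
    """'59.128.231.4.in-addr.arpa' -> '4.231.128.59': PTR names carry the octets reversed."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def classify(rows):
    """Split rows into PTR lookups (as the addresses looked up), background traffic, and
    unlabelled candidate connections worth checking in the pcap."""
    result = {"ptr_lookups": [], "background": [], "candidates": []}
    for r in rows:
        dom = r["domain"]
        if dom and dom.endswith(".in-addr.arpa"):
            result["ptr_lookups"].append(ptr_name_to_ip(dom))
        elif (dom and dom.endswith(BACKGROUND_SUFFIXES)) or (r["ip"] in RESOLVERS and r["port"] == 53):
            result["background"].append(r)
        else:
            result["candidates"].append({
                "ip": r["ip"], "port": r["port"], "proto": r["proto"], "cc": r["cc"],
                "global": ipaddress.ip_address(r["ip"]).is_global,
            })
    # cross-check: a candidate that the host also reverse-resolved is worth a closer look
    looked_up = set(result["ptr_lookups"])
    for c in result["candidates"]:
        c["ptr_seen"] = c["ip"] in looked_up
    return result


if __name__ == "__main__":
    res = classify(parse_rows(NETWORK_ROWS))
    print(f"{len(res['ptr_lookups'])} PTR lookups, {len(res['background'])} background rows")
    for c in res["candidates"]:
        print("candidate:", c)
```

For this table none of the three candidates was also reverse-resolved, and all three are globally routable addresses; that is as far as the report's data goes, and whether any of them is the sample's own traffic is a question for the packet capture.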

Files

Memory dumps, grouped by region:

memory/1052-0: 0x0000000000E70000-0x0000000000E77000
memory/1052-1, 1052-41: 0x00007FFCDFA60000-0x00007FFCDFB34000
memory/3472-3: 0x0000000001FD0000-0x0000000001FD1000
memory/3472-4: 0x00007FFCEC36A000-0x00007FFCEC36B000
memory/3472-6 to 3472-17, 3472-19, 3472-20, 3472-27, 3472-38: 0x0000000140000000-0x00000001400D4000 (16 dumps of the same 0xD4000-byte region, the same size as in the Windows 7 run)
memory/3472-18: 0x0000000000690000-0x0000000000697000
memory/3472-28: 0x00007FFCEDFC0000-0x00007FFCEDFD0000
memory/3472-29: 0x00007FFCEDFB0000-0x00007FFCEDFC0000

C:\Users\Admin\AppData\Local\eN0\SLC.dll

MD5 50360e27993b94ffe446f98a877d5812
SHA1 d97d6182d2342048ccbb9d3ad28b10f251897908
SHA256 a3fbecae74012a87c8d9a5af7fde055f1eaed3c63dc066893a5a9dd36c267299
SHA512 5b4ac7ab75ca5d0cb288709d3a0736d0ca0a6d7af10df9ffa5a499f8c2abef57213f242ccc06edd86599fe7c620f8762be33f027d0a2ec90048b5b1a92572296

C:\Users\Admin\AppData\Local\eN0\msinfo32.exe

MD5 315fbb621e18406c97f9b42d19101ad9
SHA1 cc7babb43fd756b213ad3f3cfeb764ea566c76c3
SHA256 8ba26dfd1e6dc83c214f338e79a545ff8f4c2961ea21008105bb987c01d3524f
SHA512 7917f61ffcae7139f4b18aeb36f5705ad6668e1c8a70f805b02b989b767b44af2407e0dc6a15cb44220b80c8f1dc3ee5ea288fdf0d320d5ca91beb3c81d88ce7

C:\Users\Admin\AppData\Local\eN0\SLC.dll

MD5 8b9820436497c55d4245b347ce3ce5b0
SHA1 cb75c6c194f4903ae4b52acc33534a02998945d0
SHA256 d2fb79f2fffdb958b2f3e8237ca1b3521e96bbd7a774a7510a59bdc1978cfa85
SHA512 2e1ddf2f6f663ec8b1aedf7072984fd1cc0b80a261f41d8034c1f51dc8ad70af00d21dea32d6915b2698a737de972aa6a132d9528282dcc5a32147da3327822c

memory/3436-53-0x00007FFCDF520000-0x00007FFCDF5F5000-memory.dmp

C:\Users\Admin\AppData\Local\eN0\msinfo32.exe

MD5 ca23da6c81165df8e94309b517db7c8c
SHA1 fba57a166fc006779376d6ebd30925f2107a22ad
SHA256 a1be267e050d6ffc61e7f3616774066c45b92c6c7ff0b1c3a490e29825c7bb28
SHA512 019a589287e3d931fd9773954405ebc471e7207fe16aee4c837e92946ef450a7b6f8faf000f05785feddcca5c87f8ed2fdd8884668d89b142026bcc54d9e8b69

memory/3436-48-0x00007FFCDF520000-0x00007FFCDF5F5000-memory.dmp

memory/3436-49-0x0000010752420000-0x0000010752427000-memory.dmp

C:\Users\Admin\AppData\Local\erGfzyXY\osk.exe

MD5 522b865175d8df291df23707912d143d
SHA1 637bd73deea0aa18e9ef9386c3b90a00730bc5f6
SHA256 ac435a6e18551b969395c8d933f5f44855e096d2914aa9a2626204f0fc0dc818
SHA512 882c35b5e4aa8c35be0b95fabc5e7b1683e62f9589b7570dff5185be2d2f85a670e85f022289696cb76bb7a0c910fb42fbbf04ccc908929318553cdadc7ae17a

memory/2664-64-0x00007FFCD03F0000-0x00007FFCD04C6000-memory.dmp

memory/2664-66-0x0000024ACD230000-0x0000024ACD237000-memory.dmp

memory/2664-69-0x00007FFCD03F0000-0x00007FFCD04C6000-memory.dmp

C:\Users\Admin\AppData\Local\erGfzyXY\osk.exe

MD5 91f496111a7e36d085589dda454aaac7
SHA1 d7993e1b4f6259c6d7b6274b31eb3012d1b99610
SHA256 3d4c46036e276b70f05cdf2d7b928043d015859dde576dfc47b2950d33df9508
SHA512 ce52bc461b361671c1b92f4bea24b4fc4cd3afe6458be026fbebdde4c6e5a7c3d09bf497bdbd9c77946ea4f30d426b1d8f3d64cf611bef8eb90d676a92ca436a

C:\Users\Admin\AppData\Local\erGfzyXY\WINMM.dll

MD5 fb209fdab3dbc1d839cb812a5ee16342
SHA1 ea951984c6e52d71f5db34dc75921b26ad09ad87
SHA256 60a29b63f81576b97eb3afc720e3fd9056e8c76c8dd3bd85c03b556a17579d95
SHA512 9fe393e4691da91a10e7634cfe5ce6f27828c06e9f3bb042191c8d78c99598f023f168ce6baaff54cd023dd17ac4517f093fbb499a33cabfc960db1ed6fa0c3f

C:\Users\Admin\AppData\Local\erGfzyXY\WINMM.dll

MD5 cc23382e06151fb9ed7158d7c16830e6
SHA1 39b3a006765140dc301466b58933d0d5cd744b06
SHA256 56558ae29d54344c2003520fca21fa0ebc057b06f5dc1a660a4159d5c821c53f
SHA512 9576235eeaa495e310d1dd7052b72287fd62fc4b15a5efe34d6b439f30614ca54b7d5b3a96ca29b3fccc8425a791b926a103fdf825c90b13dfb1a6f211def9ed

C:\Users\Admin\AppData\Local\CDUkQ2\SYSDM.CPL

MD5 e6614ed210a60d417bbc43ddd716125b
SHA1 109831a2e2446a06e95442586ffa06ba3e33e6ce
SHA256 70855b6493e056aae4a7a4ae1d637fc9ab7df1637f5d7d44784a5c9131f483db
SHA512 e07e78dcdd93f959b5694a95e0364d918a0308f9ffa3e273d667b4c6829eff5f20a7e13fdd3444807d7a3dbd7198f54563cae6dc4e4dfa2a6d3417e8accdaf42

memory/1304-80-0x00007FFCDF430000-0x00007FFCDF505000-memory.dmp

memory/1304-82-0x000001D826900000-0x000001D826907000-memory.dmp

C:\Users\Admin\AppData\Local\CDUkQ2\SYSDM.CPL

MD5 ef33d8fa014b05f779d1db544b5fdee9
SHA1 7983267441c35de2bf139a804bd9fc8934534f2b
SHA256 e9bb22a44f0b696497707c5a2cc4e67634634d5620308bb9ab47d3776a5621dd
SHA512 6fc68de5b391954d840156cebe962e79cb1c0d84b3d748ef4841010bd7d059e4211513f055ce3c709c5983d61d674b2557f8541db7f79a5d82a68b5862ecb681

C:\Users\Admin\AppData\Local\CDUkQ2\SystemPropertiesPerformance.exe

MD5 2f365f49fbd94a283f0f442a3641287e
SHA1 eadf0dd6234f7853c8d4881b1de6106b8a016bd0
SHA256 c99136569f6b830b6fe2ea3f1c97f30a9af2f9f79238a0d3465508061aa791ef
SHA512 0431257dc2e7b7d277dec55ea4340effbea142c2270aef2e1f4f7bd3392a61fa11eea9d0db469c4df8904336f7a3e999e480b81c5986849a807595da9f558034

memory/1304-85-0x00007FFCDF430000-0x00007FFCDF505000-memory.dmp

C:\Users\Admin\AppData\Local\CDUkQ2\SystemPropertiesPerformance.exe

MD5 e4fbf7cab8669c7c9cef92205d2f2ffc
SHA1 adbfa782b7998720fa85678cc85863b961975e28
SHA256 b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30
SHA512 c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk

MD5 d62bc849c329198569c2baff623f7898
SHA1 c2f9c62a414578cad331b7a9db1fc478802b945c
SHA256 1764364ad38734487c2a711c67b7e7df33335ba2320a157da37606f4c05856df
SHA512 bffc7f4b82db09fde2b8229b5ddabc5170983a0addfd1058aff15c7c2ff2bfa2dc35386ec6ff6b91c15f6a8b7884dad6b412217bd1168f68b1e672801f2a97c3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\5w\SLC.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

These are the digests of empty input: the file existed but held zero bytes when the sandbox hashed it. They match every empty file and must not be used as indicators; the path is the only usable artifact here.

C:\Users\Admin\AppData\Roaming\Sun\MktQtVq\WINMM.dll

MD5 116d2f11aff132bef13d2505a872e8b8
SHA1 592e8ae23c3ed0e98819912f5756f21ab327d8d0
SHA256 9ae14fefbf5fb880ecb343e1e8bb9abd6a455fe8f654585a29870e793ce51373
SHA512 ae0afbb6c838ecbcea95cd05ac3c06134ebe3436dcc9fc4e84531fd5d3ceb96c1ed671fcfc50835541b6bef8969253183ff85ce0a9b1279176979231e19724c7
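
The Files sections of both runs show one layout over and over: a per-sample directory holding a copy of a Windows program next to a single module bearing a system DLL's name, plus a shortcut in the Startup folder. The Python below is an editor's example and not part of the report: it runs that heuristic over the dropped paths and MD5s from both runs, separates complete pairs from directories where only the module was captured, and flags files whose digest is that of zero bytes (computed, not pasted). Assumptions: the system drive is C: for paths exported without a drive, only .dll and .cpl count as loadable modules, and only directories under C:\Users are in scope.

```python
import hashlib
from collections import defaultdict
from pathlib import PureWindowsPath

# (path, md5) pairs constructed from the Files sections of both runs. Memory dumps are
# left out, and where the sandbox recorded several versions of one path only the last is kept.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\CUST\isoburn.exe", "f8051f06e1c4aa3f2efe4402af5919b1"),
    (r"C:\Users\Admin\AppData\Local\CUST\UxTheme.dll", "feb6b432629f2cfe22505ad3f7c62ef0"),
    (r"C:\Users\Admin\AppData\Local\AGLuh\DisplaySwitch.exe", "91dc004f6ac7ed5986f4068500f0cbbc"),
    (r"C:\Users\Admin\AppData\Local\AGLuh\slc.dll", "b183ba330074484594294168dc3e3f7c"),
    (r"C:\Users\Admin\AppData\Local\y6G5\spinstall.exe", "53d2c0776e6a005fb5e82791850181fb"),
    (r"C:\Users\Admin\AppData\Local\y6G5\VERSION.dll", "0a680b8854d1444fc6b84adc92796ea3"),
    (r"\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\ZIwBy1N6wuL\spinstall.exe", "b99369e32a53bba7194eb3127639022e"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\ZIwBy1N6wuL\VERSION.dll", "15ad0c727ad8fb6c7b02325c330639fd"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk", "e90b35555813cf089261a04fa50ac51f"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\OmTB9\UxTheme.dll", "f8202aa272de4ac3f58679c78f445892"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\QBMIs\slc.dll", "5e861e2d087dac8f23b2c8eac1bc26c9"),
    (r"C:\Users\Admin\AppData\Local\eN0\msinfo32.exe", "ca23da6c81165df8e94309b517db7c8c"),
    (r"C:\Users\Admin\AppData\Local\eN0\SLC.dll", "8b9820436497c55d4245b347ce3ce5b0"),
    (r"C:\Users\Admin\AppData\Local\erGfzyXY\osk.exe", "91f496111a7e36d085589dda454aaac7"),
    (r"C:\Users\Admin\AppData\Local\erGfzyXY\WINMM.dll", "cc23382e06151fb9ed7158d7c16830e6"),
    (r"C:\Users\Admin\AppData\Local\CDUkQ2\SystemPropertiesPerformance.exe", "e4fbf7cab8669c7c9cef92205d2f2ffc"),
    (r"C:\Users\Admin\AppData\Local\CDUkQ2\SYSDM.CPL", "ef33d8fa014b05f779d1db544b5fdee9"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk", "d62bc849c329198569c2baff623f7898"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\5w\SLC.dll", "d41d8cd98f00b204e9800998ecf8427e"),
    (r"C:\Users\Admin\AppData\Roaming\Sun\MktQtVq\WINMM.dll", "116d2f11aff132bef13d2505a872e8b8"),
]

LOADABLE = {".dll", ".cpl"}                # assumed module types a host resolves by name at load
EMPTY_MD5 = hashlib.md5(b"").hexdigest()   # digest of zero bytes, computed rather than pasted


def normalize(path):
    """Some exported paths omit the drive ('\\Users\\...'); restore it so both spellings of
    one directory share a bucket. Assumption: the system drive is C:."""
    p = PureWindowsPath(path)
    return p if p.drive else PureWindowsPath("C:" + str(p))


def by_directory(dropped):
    """Group (filename, md5) by lower-cased parent directory."""
    dirs = defaultdict(list)
    for path, md5 in dropped:
        p = normalize(path)
        dirs[str(p.parent).lower()].append((p.name, md5))
    return dirs


def sideload_candidates(dropped):
    """Under the user profile, find directories holding an .exe next to a loadable module
    (the side-loading layout) and directories holding only the module, where the host copy
    was not captured. Returns (pairs, orphans), both keyed by directory."""
    pairs, orphans = {}, {}
    for d, files in by_directory(dropped).items():
        if not d.startswith("c:\\users\\"):
            continue
        exes = sorted(n for n, _ in files if n.lower().endswith(".exe"))
        mods = sorted(n for n, _ in files if PureWindowsPath(n).suffix.lower() in LOADABLE)
        if not mods:
            continue
        (pairs if exes else orphans)[d] = {"exe": exes, "modules": mods}
    return pairs, orphans


def empty_files(dropped):
    """Files whose MD5 is the digest of zero bytes: created but empty when hashed."""
    return [path for path, md5 in dropped if md5 == EMPTY_MD5]


def startup_links(dropped):
    """Shortcuts in the per-user Startup folder (the export spells that path with 8.3 names)."""
    return [path for path, _ in dropped
            if path.lower().endswith(".lnk") and "\\startup\\" in path.lower()]


if __name__ == "__main__":
    pairs, orphans = sideload_candidates(DROPPED)
    for d, info in pairs.items():
        print("side-load pair:", d, info["exe"], info["modules"])
    for d, info in orphans.items():
        print("module only   :", d, info["modules"])
    print("empty files   :", empty_files(DROPPED))
    print("startup links :", startup_links(DROPPED))
```

The orphan list is the useful output for a hunt: the QBMIs directory that the Run key points at, the OmTB9 and 5w directories under the Start Menu, and Roaming\Sun\MktQtVq all hold a module without its host copy in this export, so a host-based search should match on those directory and module names rather than on the hashes of the executables, which were not captured there.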