Malware Analysis Report

2024-11-30 21:29

Sample ID 240101-ewtchabdem
Target 3bde98475e14c43335fee53f75665d56
SHA256 f5ea651a5287874fc2f8eaa98420e32524d62b93f42ebbf148854f80d967add4
Tags: dridex botnet evasion payload trojan persistence
Score: 10/10

Table of Contents

Analysis Overview; MITRE ATT&CK (Enterprise Matrix V15); Analysis: static1 (Detonation Overview, Signatures); Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files); Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

SHA256

f5ea651a5287874fc2f8eaa98420e32524d62b93f42ebbf148854f80d967add4

Threat Level: Known bad (file 3bde98475e14c43335fee53f75665d56)

Malicious Activity Summary

dridex botnet evasion payload trojan persistence

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-01-01 04:17

Signatures

Unsigned PE: no indicator, process or target details recorded.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-01 04:17
Reported: 2024-01-06 02:47
Platform: win7-20231129-en
Max time kernel: 3s
Max time network: 121s

Read this run's signature list against its 3 s kernel time (116 s for the Windows 10 run in behavioral2): no persistence signature fired here, yet the Files list below still records a Startup-folder shortcut (Aqrvnhd.lnk) and copies of the side-loading pairs under AppData\Roaming.

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bde98475e14c43335fee53f75665d56.dll,#1

Signatures

Dridex (tags: botnet, dridex)

Dridex Shellcode (tags: botnet, payload): no indicator, process or target details recorded.

Checks whether UAC is enabled (tags: evasion, trojan)

Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Windows\system32\rundll32.exe

Suspicious behavior: EnumeratesProcesses

Three events, all from C:\Windows\system32\rundll32.exe; no indicator or target recorded.

Processes (each entry below appeared in the original listing as an image path followed by an identical command line; only rundll32.exe carries arguments)

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bde98475e14c43335fee53f75665d56.dll,#1
C:\Users\Admin\AppData\Local\schmv\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\fKrEZN\calc.exe
C:\Windows\system32\calc.exe
C:\Users\Admin\AppData\Local\FS1ry\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe

Each system binary runs once from System32 and once from a random-named directory under AppData\Local that also received a DLL or CPL (schmv\FVEWIZ.dll, fKrEZN\WINMM.dll, FS1ry\SYSDM.CPL in the Files list). That is the DLL side-loading layout the Dridex loader is known for, and it is consistent with the "Loads dropped DLL" and "Executes dropped EXE" signatures in the overview.

Network

None recorded.

Files (memory dumps and dropped files; a path listed more than once with different hashes was snapshotted more than once, and entries with and without the drive letter refer to the same file)

memory/836-0-0x0000000140000000-0x0000000140165000-memory.dmp

memory/836-1-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1372-4-0x0000000077186000-0x0000000077187000-memory.dmp

memory/1372-15-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-30-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-32-0x0000000002E60000-0x0000000002E67000-memory.dmp

memory/1372-41-0x00000000773F0000-0x00000000773F2000-memory.dmp

memory/1372-40-0x0000000077291000-0x0000000077292000-memory.dmp

memory/1372-50-0x0000000140000000-0x0000000140165000-memory.dmp

\Users\Admin\AppData\Local\schmv\FVEWIZ.dll

MD5 7d13527948dcd18e5ddbbffb1d53e73e
SHA1 3157ba50594022536836acd6a5e954f94eb25d6b
SHA256 8ebf9dea097a8cb0d9eebfe811093b66a382970e30a0311d27b1be5509c65a9a
SHA512 1828a547b6bb45f728a9fec7419cc989af54c8b9536c9ec8a8a5778d38b367bc49954aae48946e90da1f343fe2ff7bf29a3b03496522d34750ef5a22e9cf10f5

memory/2624-73-0x0000000140000000-0x0000000140166000-memory.dmp

memory/2624-71-0x0000000000100000-0x0000000000107000-memory.dmp

memory/2624-68-0x0000000140000000-0x0000000140166000-memory.dmp

C:\Users\Admin\AppData\Local\schmv\FVEWIZ.dll

MD5 419c1699b071d2047487f1f0a449ee0c
SHA1 50cf2675a8cb695d2f75dd6baafdb439dbc93456
SHA256 9ea7581c03516952d110c66a2c318465b32cfccb5d8e23fe91e993d67a9656eb
SHA512 f26412cfa569d3a90737d76baa1a632ff7dcdf80ef738f516eff357ec0e5e2271d30129ddc1a4b97d92c1096c1ccdd198ce622d93a0ab1550eca1aa3f9bfa12f

C:\Users\Admin\AppData\Local\schmv\BitLockerWizard.exe

MD5 2c284257e311ce094842f4aa427f1a87
SHA1 408317bd40c22a2eb0a1a6ea38da4eab8b9e9d80
SHA256 e77855af33e709eb6566b64832bafd33f3186406b08a863b0adcd1f01a4522f2
SHA512 83263a5aec6a59609a23850178c4ab6896bafc55d8b9a5df21f551d12d7769adea964b09ae49f3977ee33ecb8fdd3954a06634b171c5fda9b497f977628bd98b

C:\Users\Admin\AppData\Local\schmv\BitLockerWizard.exe

MD5 f362d86ddd66a65e2133b21182ae4026
SHA1 72e12659cc362a2af262b550e63b3bcff8ed4967
SHA256 f0b7f72866ae8b554611f57e72b51c61a698d23a8404eb15fd723fc69863553d
SHA512 be4ce65a896265d26047a0dd2b7d0d52a57c683b6e68937f759230348486da89928fbe3f6bda085f031dba1d39c960678b1083559dca7327e406fb6a5e33df99

\Users\Admin\AppData\Local\schmv\BitLockerWizard.exe

MD5 1937408fe42688f553a55af1406e2d24
SHA1 9ebed436746e042201ad35802a46463996534a5f
SHA256 25baf98d01e78a467c603784ccc0721bbed2f805ff33a91407f9dba1b39dfd70
SHA512 44dd741dd4326f29792ec43251fa9f9efb0666d950931f79b5d7ca669cea3d20d7b9bb177f7a2d0e716c05fc5da146bb4a3731e9bf42519d56c59319e5132ad3

memory/1372-59-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-55-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-39-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-31-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-29-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-28-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-27-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-26-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-25-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-24-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-23-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-22-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-21-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-20-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-19-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-18-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-17-0x0000000140000000-0x0000000140165000-memory.dmp

C:\Users\Admin\AppData\Local\fKrEZN\calc.exe

MD5 23bc3ef6125285306658ae83eea2801a
SHA1 e8ba4abee6906e8f14078b5c26695aa69d662521
SHA256 a9e426de146b3a82e15fb8d258f9de3ff67aa4d5504fec5e535b87b00630db1e
SHA512 36b89f3db390c9f3739327f3b5ba5932f35aa66ac866ae0a1949f57777ed09b59d82a175bee62ace0eb15591a5d16105b3d1259fdec94720d97dfef9cb1cd70a

memory/1060-92-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1060-97-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1060-95-0x0000000000190000-0x0000000000197000-memory.dmp

\Users\Admin\AppData\Local\fKrEZN\WINMM.dll

MD5 7c9549dc890d36138b36272ca53adcb9
SHA1 1ba7cd6cc47d2b4145887811541551fb0f83d249
SHA256 559ea36c82590faa6a0a9b130e2745b43af79d71873f4a760f72a7a4cd024475
SHA512 d74d8a034f5d46af64e5eab8a0b16cc5bc3791d45dad0ec7c4e5e3f7cae2f13c496efeaceabc6b96261607575b1394c36b18ea7bd1579395c25ca1ee5a283fb0

C:\Users\Admin\AppData\Local\fKrEZN\calc.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These are the hashes of a zero-byte file: the snapshot caught calc.exe while it was still empty. Do not use them as indicators; the other snapshots of the same path above and below carry the real content hashes.)

C:\Users\Admin\AppData\Local\fKrEZN\WINMM.dll

MD5 a386cb57e4196748fa55421bfce7dadd
SHA1 2b5babda1e5275a6828f84208a1a331359aa993c
SHA256 18cca07409ac6091a920e57a889546acb47dc0d653c9c681bfb71646339fe07f
SHA512 a589738a1023e68661ec6750f9e7f4b840e90498cb2253f7036dad83612fa3faf60cda5cc196925e56302cb5a2d466016871df467f774ac9f48e71edd20f39d3

\Users\Admin\AppData\Local\fKrEZN\calc.exe

MD5 52fba9fdcbda1aed9ff58eeb0a44314d
SHA1 3bde97a3715b9758e5cb0cea73b60bd1268d8601
SHA256 4a986d0164ec778fbe45cae68b30ee8262d59022b9110e1883f642b1a246bdc2
SHA512 fc75544759de2e466d68908a2a97f48ae35c04c2c7be93bbb33abdc2b4e9574668ddaa22c5c02cdfc1bfb072ac28a225f1af6b6d9fabae6bf11d2e57c1b755a0

memory/1372-16-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-14-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-13-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-12-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-11-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-10-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-9-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-8-0x0000000140000000-0x0000000140165000-memory.dmp

memory/836-7-0x0000000140000000-0x0000000140165000-memory.dmp

memory/1372-5-0x0000000002E80000-0x0000000002E81000-memory.dmp

\Users\Admin\AppData\Local\FS1ry\SystemPropertiesComputerName.exe

MD5 3442c9353291d10148f50dd7c4d50bb5
SHA1 e10e1e80783c7b6ef6c7eb8614ba3d427d43400f
SHA256 be08e473a905bae470e86e78ce2c7f84b521ab1fbce06ac4b0611a369e75917d
SHA512 cc307891a62e917d0d721d2e62d62b41c982f5786a24c39fa12a97cf35f23d03389bf89decdd004f29d49a9ae2c937c7b19b3fecb6bd21a4bba04a72cbc01096

\Users\Admin\AppData\Local\FS1ry\SYSDM.CPL

MD5 b0c6dea91187b39f5270749b001d9242
SHA1 5f563bb74124ffddcbcc247e006368ac50f8fd2e
SHA256 701c7587b71da55a0808d8608a5d5ba50be637fc98e08951614c3b7f795a8d09
SHA512 160e388f16bf11868ed917f689ca730599e4300ce4e479ea2979add3246cc555885c4bd2d9968b0759594617329f78fd564eacbc4e9e34a9c96d9d124778a1c6

memory/1692-120-0x0000000140000000-0x0000000140166000-memory.dmp

C:\Users\Admin\AppData\Local\FS1ry\SYSDM.CPL

MD5 5f175afb20a45691d4a9b154abfd2c21
SHA1 7ef9b09f9392623c60119989ee97720ff687c21d
SHA256 f551bd1c3374c7264ab5ef5b38284530bcdcbebaa2d14e3101e890313e44ca1c
SHA512 1bb031d39a66c93322519f7fbeab324b32b6174ad93a2625d1b0514c189a45e7bced11a245e0432256c9b2d01d9c3feb141b19b115259f00d0ab9cd6dbfd75bf

\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\0FOpkt9N1P\SystemPropertiesComputerName.exe

MD5 be1be27c8e713ad62d40841c2f445b3d
SHA1 d02c0e98c19993e232605e99cd905c493c6e50ca
SHA256 5ff78e23d75d47681db07e7a2139201b030d42d4119e32d1fe95261d94f979c8
SHA512 f1f30eef24744e99017bf9359b8b1882388170153b10a7676ec1653e84e46c9112fcd1208c91b39fc4819b6a7869422a920d623b993457fa18f4f6a5f19719d1

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\0FOpkt9N1P\SystemPropertiesComputerName.exe

MD5 04ae8061c1ddefcf78b4ada8467a00b1
SHA1 151d915fbef21cedcfcaea05aa1ef2bec0aae732
SHA256 fc672497472caab5f82252b67fd361959776bd0ede44c28a3e5ea4a5bd26f1f5
SHA512 ee19fe58366da401c4b3084149f546141ffb9d2916299d62d917c7364f29122a7be28be8975ebdf1d55b0c271f3e1a1bdbaf67ca515368fe9d6c2798dd43af50

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

MD5 94db66db5cba9cbb1d7d19fdcc4c2db7
SHA1 8b6236a7172e11acd35819f897a1508bc729fed7
SHA256 769182fff73c31fdd9481bc6d66ee87aba59fb3579e9decd1984ccc409725f2c
SHA512 611824ea9be775bc4b70db3b05ac08ce2f1330de436ecb78b5ed648d5ab2af2dbb0b9bfec5dc01fe0e244c4cc9e49174dc1e4b08a78706262bbbe8258d7a8972

memory/1372-139-0x0000000077186000-0x0000000077187000-memory.dmp

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\76RVLVYY\oTXc3\FVEWIZ.dll

MD5 985c98c608c0645557b4d54565c5fdc4
SHA1 8fc029f0b21b2e72412e0f28156fae7d3ea03751
SHA256 cf7a553dd807bf5b0b6fc457472a348d7836a40e848b64a265e12d12ddb6fe7b
SHA512 da2d6f4da39b55fc59c149d170125a88d1a56d93055857c324fee3c1b1612566c60fc35abc5aae338bf8c105f8083e9a22400564268c418a5056ca4f995cc19b

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\WGKxYFIp2\WINMM.dll

MD5 4c6df402a6ceb980cb85fa3fe823df9c
SHA1 89db36a399c29d10a0bb95e7ff69c0318beb4d38
SHA256 0857cdd68a2de2f9905264633df7e277701f5aa456ec349164e6e9e9be6f8c08
SHA512 74a10e8c9236ddb5c50f1dbc957dcccfe7124a8c62714bbcc6b6f2dee94808cc8ef4b7f70132f03bde184d7122be04421b1e26da38cf78726c28213d1c579d97

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-01 04:17
Reported: 2024-01-06 02:46
Platform: win10v2004-20231215-en
Max time kernel: 116s
Max time network: 155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bde98475e14c43335fee53f75665d56.dll,#1

Signatures

Dridex (tags: botnet, dridex)

Dridex Shellcode (tags: botnet, payload): no indicator, process or target details recorded.

Adds Run key to start application (tag: persistence)

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\ePLj7WkNXJ\\SystemPropertiesRemote.exe"
Process: not recorded

The Run value points at a copy of SystemPropertiesRemote.exe under AppData\Roaming; the Files list records a dropped SYSDM.CPL in that same directory (C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ePLj7WkNXJ\SYSDM.CPL), so the persistence entry relaunches the side-loading pair at each logon.

Checks whether UAC is enabled (tags: evasion, trojan)

Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Processes: C:\Windows\system32\rundll32.exe; C:\Users\Admin\AppData\Local\cPgaJ9f\SystemPropertiesComputerName.exe; C:\Users\Admin\AppData\Local\77aSs\SystemPropertiesRemote.exe; C:\Users\Admin\AppData\Local\4qi385\quickassist.exe

Note that the EnableLUA query is issued by the AppData copies of the three system binaries and not by the System32 copies launched alongside them.

Suspicious behavior: EnumeratesProcesses

Four events from C:\Windows\system32\rundll32.exe and 60 further events with no process, indicator or target recorded.

Suspicious use of AdjustPrivilegeToken

Token: SeShutdownPrivilege (2 events)
Token: SeCreatePagefilePrivilege (2 events)
No process or target recorded.

Suspicious use of FindShellTrayWindow

Two events; no indicator, process or target recorded.

Suspicious use of WriteProcessMemory

Source PID  Target PID  Target image (2 write events each)
3304        2140        C:\Windows\system32\SystemPropertiesComputerName.exe
3304        4592        C:\Users\Admin\AppData\Local\cPgaJ9f\SystemPropertiesComputerName.exe
3304        3560        C:\Windows\system32\SystemPropertiesRemote.exe
3304        460         C:\Users\Admin\AppData\Local\77aSs\SystemPropertiesRemote.exe
3304        1436        C:\Windows\system32\quickassist.exe
3304        3960        C:\Users\Admin\AppData\Local\4qi385\quickassist.exe

All writes come from PID 3304, and every launched binary, System32 copy and AppData copy alike, is written to. PID 3304 is not among the spawned images in the Processes list; the memory dumps under Files show it holding the same 0x0000000140000000-0x0000000140165000 region that was first dumped from PID 3828, so the process driving the side-loading chain is one that received that image rather than the one that first held it.

Uses Task Scheduler COM API (tag: persistence): no indicator, process or target details recorded.

Processes (each entry below appeared in the original listing as an image path followed by an identical command line; only rundll32.exe carries arguments)

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bde98475e14c43335fee53f75665d56.dll,#1
C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\cPgaJ9f\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\77aSs\SystemPropertiesRemote.exe
C:\Windows\system32\quickassist.exe
C:\Users\Admin\AppData\Local\4qi385\quickassist.exe
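Both process trees in this report show the same construction: a signed Windows binary launched from System32 and again from a random-named directory under AppData\Local where a DLL or CPL bearing a dependency's name was dropped beside it, plus (in behavioral2) a Run value pointing at a further copy under AppData\Roaming. The Python below is an added example, not part of the sandbox report, that turns that layout into a check an analyst can run over process and file paths exported from any EDR: it learns the set of system-binary names from the trace itself, flags copies of those binaries running outside the system directories with a loadable module beside them, and tests a Run-key value for the same name reuse. The input lists are constructed from a selection of this report's Processes, Files and Run-key entries; SYSTEM_DIRS and the extension set are this example's own assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Process image paths constructed from the behavioral1 and behavioral2 process
# trees in this report (sample input, not live EDR telemetry).
PROCESS_PATHS = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Users\Admin\AppData\Local\schmv\BitLockerWizard.exe",
    r"C:\Windows\system32\BitLockerWizard.exe",
    r"C:\Users\Admin\AppData\Local\fKrEZN\calc.exe",
    r"C:\Windows\system32\calc.exe",
    r"C:\Windows\system32\SystemPropertiesComputerName.exe",
    r"C:\Users\Admin\AppData\Local\cPgaJ9f\SystemPropertiesComputerName.exe",
    r"C:\Windows\system32\SystemPropertiesRemote.exe",
    r"C:\Users\Admin\AppData\Local\77aSs\SystemPropertiesRemote.exe",
    r"C:\Windows\system32\quickassist.exe",
    r"C:\Users\Admin\AppData\Local\4qi385\quickassist.exe",
]

# Dropped-file paths constructed from the Files sections of the same two runs.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\schmv\FVEWIZ.dll",
    r"C:\Users\Admin\AppData\Local\schmv\BitLockerWizard.exe",
    r"C:\Users\Admin\AppData\Local\fKrEZN\WINMM.dll",
    r"C:\Users\Admin\AppData\Local\fKrEZN\calc.exe",
    r"C:\Users\Admin\AppData\Local\cPgaJ9f\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\cPgaJ9f\SystemPropertiesComputerName.exe",
    r"C:\Users\Admin\AppData\Local\77aSs\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\77aSs\SystemPropertiesRemote.exe",
    r"C:\Users\Admin\AppData\Local\4qi385\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\4qi385\quickassist.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ePLj7WkNXJ\SYSDM.CPL",
]

# Run-key value data from the behavioral2 "Adds Run key" signature (constructed copy).
RUN_KEY_VALUE = r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ePLj7WkNXJ\SystemPropertiesRemote.exe"'

# Assumptions of this example: where "legitimate" system binaries live and which
# extensions count as a side-loadable module.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
LOADABLE_EXT = {".dll", ".cpl", ".ocx"}


def _norm(path) -> str:
    """Case-folded, backslash-normalised form of a Windows path."""
    return str(PureWindowsPath(path)).lower()


def in_system_dir(path) -> bool:
    return any(_norm(path).startswith(d + "\\") for d in SYSTEM_DIRS)


def system_binary_names(process_paths):
    """File names of every image launched from a Windows system directory."""
    return {PureWindowsPath(p).name.lower() for p in process_paths if in_system_dir(p)}


def find_sideload_candidates(process_paths, dropped_files):
    """Map directory -> {"exe": ..., "modules": [...]} for every process image that
    shares its name with a system binary seen in the trace, runs from outside the
    system directories, and has a loadable module dropped beside it."""
    names = system_binary_names(process_paths)
    modules_by_dir = defaultdict(list)
    for f in dropped_files:
        p = PureWindowsPath(f)
        if p.suffix.lower() in LOADABLE_EXT:
            modules_by_dir[_norm(p.parent)].append(p.name)
    findings = {}
    for proc in process_paths:
        p = PureWindowsPath(proc)
        if in_system_dir(proc) or p.name.lower() not in names:
            continue
        modules = modules_by_dir.get(_norm(p.parent), [])
        if modules:
            findings[str(p.parent)] = {"exe": p.name, "modules": sorted(modules)}
    return findings


def autorun_reuses_system_binary(value_data: str, names) -> bool:
    """True when a Run-key value launches a file that carries a system binary's name
    but lives outside the system directories. Accepts the doubled backslashes the
    sandbox prints in registry data as well as plain paths."""
    target = value_data.strip().strip('"').replace("\\\\", "\\")
    return PureWindowsPath(target).name.lower() in names and not in_system_dir(target)


if __name__ == "__main__":
    for directory, hit in find_sideload_candidates(PROCESS_PATHS, DROPPED_FILES).items():
        print(f"{directory}: {hit['exe']} beside {', '.join(hit['modules'])}")
    print("Run key reuses a system binary name:",
          autorun_reuses_system_binary(RUN_KEY_VALUE, system_binary_names(PROCESS_PATHS)))
```

On a live host the next step for each flagged directory is to hash the copied EXE against its System32 original and check the Authenticode signature of the module beside it; neither step is shown here because the report carries only hashes of the dropped files, not the originals.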

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
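The table above contains five TLS sessions to tse1.mm.bing.net:443 and otherwise only UDP queries to 8.8.8.8:53, nearly all of them reverse (in-addr.arpa) lookups, which encode an IPv4 address with its octets reversed. The Python below is an added example, not part of the report, that parses rows in this table's layout, recovers the addresses behind the PTR names, and cross-references them against the TCP destinations so the analyst can see which reverse-resolved addresses had a visible session in the trace (204.79.197.200 does) and which still need attribution from other evidence. NETWORK_ROWS is a constructed subset of the table; nothing here classifies the addresses themselves.

```python
import ipaddress
from collections import Counter

# Rows copied from the behavioral2 Network table (constructed sample input, not a
# live capture); the bing.net rows are kept so the forward/PTR/TCP split is visible.
NETWORK_ROWS = """\
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
"""


def ptr_to_ip(name: str):
    """Turn an IPv4 reverse-DNS name (octets reversed, .in-addr.arpa suffix) back
    into the address it refers to; None if the name is not a well-formed PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_network_rows(text: str):
    """Split the table into reverse-resolved IPs, forward-resolved names and TCP
    sessions keyed by (destination, server name), each with an event count."""
    ptr_ips, forward, sessions = Counter(), Counter(), Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip headers and blank lines
            continue
        _country, dest, name, proto = parts
        if proto == "udp" and dest.endswith(":53"):
            ip = ptr_to_ip(name)
            if ip:
                ptr_ips[ip] += 1
            else:
                forward[name.lower()] += 1
        elif proto == "tcp":
            sessions[(dest, name.lower())] += 1
    return ptr_ips, forward, sessions


def triage(text: str) -> dict:
    """Cross-reference: which reverse-resolved addresses also had a visible TCP
    session in the trace, and which did not."""
    ptr_ips, forward, sessions = parse_network_rows(text)
    connected = {dest.rsplit(":", 1)[0] for dest, _ in sessions}
    return {
        "ptr_ips": dict(ptr_ips),
        "forward": dict(forward),
        "sessions": dict(sessions),
        "ptr_with_session": sorted(ip for ip in ptr_ips if ip in connected),
        "ptr_without_session": sorted(ip for ip in ptr_ips if ip not in connected),
    }


if __name__ == "__main__":
    for key, value in triage(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

The addresses in ptr_without_session are the ones to look up against the organisation's own block lists and passive DNS; the report itself records no session to any of them, and no connection other than the bing.net ones appears in either run.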

Files

memory/3828-1-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3828-0-0x0000018C39DA0000-0x0000018C39DA7000-memory.dmp

memory/3304-4-0x0000000002760000-0x0000000002761000-memory.dmp

memory/3304-6-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-10-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-17-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-24-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-30-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-31-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-32-0x0000000002740000-0x0000000002747000-memory.dmp

memory/3304-29-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-39-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-40-0x00007FFB70240000-0x00007FFB70250000-memory.dmp

memory/3304-28-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-27-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-26-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-49-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-51-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-25-0x0000000140000000-0x0000000140165000-memory.dmp

C:\Users\Admin\AppData\Local\cPgaJ9f\SystemPropertiesComputerName.exe

MD5 618e9398b1448072e3b2b8656bc47d5b
SHA1 a027aa406c10116bab6974ad724e9a10bef8bdf0
SHA256 1caf017abb647a5148d8b5cce396e163f16dd8fe5414ba4c54e38eb5a197e4f5
SHA512 7f87d3bac33be13968e2412260f3a206510a18a46bcedb03ec43c4efb628a27a079eb3ff4817bfde92cca706e2f64587051ff7a1d0381113e2248d7ab61e1e20

C:\Users\Admin\AppData\Local\cPgaJ9f\SYSDM.CPL

MD5 7e289a19c7da9385409335462ee22f57
SHA1 79ee9a01545ffb6b46112fb946435d2d48e6ea4e
SHA256 63aa97f972b8c85c1752d371cf93e8225c8809a75b2f61c05871d312ae6c4fd6
SHA512 9d7474d123b7a6492842b04989816d06287a1f7188c822546e64c66c9afe49e3bd2c9349f92a4ea16fd6c80f34c0d338fde4d3dbc681822a2a8567393f0ae7b1

memory/4592-61-0x00000134A5AE0000-0x00000134A5AE7000-memory.dmp

C:\Users\Admin\AppData\Local\cPgaJ9f\SYSDM.CPL

MD5 c14fe11878d81025a50ef667f039453f
SHA1 a9bf68f393af6f22c3cd56064a03ef8e9d861ce8
SHA256 a3df0bdbd561da98161c2f9a6550f67503d066b045f200c9b812510a92fcf0f7
SHA512 f6f6e6d6db59051a4dda1503fc1e5310c90493e60db7db3ab4dcc10beabbae22076de20507f06959550182e81e2a37e735e560309e9a0c361e17443c7523bb2b

memory/4592-66-0x0000000140000000-0x0000000140166000-memory.dmp

C:\Users\Admin\AppData\Local\cPgaJ9f\SystemPropertiesComputerName.exe

MD5 5d8949297ad42ee1157524894a4a5eb1
SHA1 ccb53d4e5f9d6db98eeaf079ec8323578106475e
SHA256 49e5392e30c9c3c3e6c1c63f5da7a6b843cd23fe2ffc657b4c1ce1b321fe6167
SHA512 b8c3f22f048d5a5b4ba94c8e32262ab20f692a16e630b306c8a0557dcfbd32dd11c25726d606beeeef24eb2fe5db4a034ab7eac362969754351cb05ea0c22b12

memory/4592-60-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3304-23-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-22-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-21-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-20-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-19-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-18-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-16-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-15-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-14-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-13-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-12-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-11-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3828-9-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-8-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3304-7-0x00007FFB6EC4A000-0x00007FFB6EC4B000-memory.dmp

C:\Users\Admin\AppData\Local\77aSs\SystemPropertiesRemote.exe

MD5 8536e90bcaef78af556a71c3310244c9
SHA1 24324c5e839609ba276e06a67e27abfef9e4936a
SHA256 350f328402040e8b3dcdce71331d5b941c08e3a7cff060e5f14c4cd2b5028922
SHA512 719b8c436b0721ddc566f34652899b31aa27a133c326541f9a4d612c6814125d960fc30b095bc2d7c854d53f55cd9279c2c9a78775e59dd7572ef5284621d58f

C:\Users\Admin\AppData\Local\77aSs\SYSDM.CPL

MD5 8220e24a4d9c6199b99bd38310839817
SHA1 5dee5b472ce70fc8317c89e412e9660a81034e75
SHA256 21d5ae44b9294615e8befb8b6acdcc7e08884d1093bbb53b1a8e231649d82aad
SHA512 7bb101806ddeac561c978206098b31fde156686e3533eeb9113bf24bc061db7c45ab322b4a12d6ca45463c3d5dc4a741417fb25bc77bc6ee64f852cca60b4a93

C:\Users\Admin\AppData\Local\77aSs\SYSDM.CPL

MD5 5f175afb20a45691d4a9b154abfd2c21
SHA1 7ef9b09f9392623c60119989ee97720ff687c21d
SHA256 f551bd1c3374c7264ab5ef5b38284530bcdcbebaa2d14e3101e890313e44ca1c
SHA512 1bb031d39a66c93322519f7fbeab324b32b6174ad93a2625d1b0514c189a45e7bced11a245e0432256c9b2d01d9c3feb141b19b115259f00d0ab9cd6dbfd75bf

memory/460-78-0x000002360D4F0000-0x000002360D4F7000-memory.dmp

memory/460-83-0x0000000140000000-0x0000000140166000-memory.dmp

C:\Users\Admin\AppData\Local\77aSs\SystemPropertiesRemote.exe

MD5 cdce1ee7f316f249a3c20cc7a0197da9
SHA1 dadb23af07827758005ec0235ac1573ffcea0da6
SHA256 7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932
SHA512 f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

C:\Users\Admin\AppData\Local\4qi385\quickassist.exe

MD5 dea3f86e93707867ed687aadcca4d4fd
SHA1 9a23453c2d62f4787e9876a817caee4e29e41c32
SHA256 61e6b9a824ae1f35187941b6427c912a0e5c13cbac3b448327a2fe08619a7bce
SHA512 ed2648603ff5cc4625491b8008799fffdb8276ce2f26ee4824aba1b29fac85a1903ab32f7664cc63de1105b0772886555e3908ec64c67c2cb30d75a69e00702c

C:\Users\Admin\AppData\Local\4qi385\UxTheme.dll

MD5 02c7252d139da762c7a084bef8bafe1a
SHA1 236798f0592c0360802de7ef51e3363745fd1bcb
SHA256 b7681def407e7a996aa43057fa403f7c7f53cc0c9f07ee4ebd0253565e581702
SHA512 3658d71d56de3f0255ffaa05ed87c6ddfa32f1b4e025718f2087b44a20e4ad368e1be9050354a26048699708cfce14f08544fd4eff23f03a396ee3f1b2993d66

memory/3960-94-0x00000142EBB40000-0x00000142EBB47000-memory.dmp

memory/3960-100-0x0000000140000000-0x0000000140166000-memory.dmp

C:\Users\Admin\AppData\Local\4qi385\quickassist.exe

MD5 e98f31fa90c2d8bcd9ccb7b1059c51ac
SHA1 896a11e82015db4caf1246c0ebfb756debf3feb3
SHA256 d8ddd3ccf16c62d3854fabced0aa326a5fb4180ddd13db2640821a448ee784c7
SHA512 3b726a539140a7aaf3adc121c26e6f2135d589be83a6b668185a4f48df3e3c1839cabe541a2bcccfb2c8f32f16494b07cbf81163046d7003a0481370f13c2f5a

C:\Users\Admin\AppData\Local\4qi385\UxTheme.dll

MD5 b1d733def65a23d0059e67a17120b51f
SHA1 c6c5befc49143ee20cbb839c6103d1569676c7e8
SHA256 88b3be4d617dfac670149f5b4b08212b2a1ec08e03d65607726bb5ffc100f90c
SHA512 67a3d29366719e5c03453e2e8cc12835f8f118ddff959bfbae6be6232f256041fc3c114467d6649e4b3f20ba3f1b56c8bc649259ed54d14cd9db061001325dc8

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

MD5 a4dbec6160ec21beb8d2981bdb7af5f4
SHA1 970c1e34132b3c61dbd37fd7745854a2251e7b24
SHA256 0cba14f3005b0e9486a3874e1b151a815dd91a4d2ac0f12a66b5180752137f42
SHA512 101511e8302a12e98e9ddfb991cc9a1936a5fda766ae5fe2729061cd58af91b14f2d76c696e493c85e62c5bbb5d928262bc30ec1d8ebdf3881c7144af19cf796

C:\Users\Admin\AppData\Roaming\Microsoft\Office\5dewJw\SYSDM.CPL

MD5 70a533cf98f011ac29b44f9981af1b56
SHA1 8aba403f76277ccfc11a09eb2b691eb97bb528a5
SHA256 731bcc7c1b4c07d1bb597f99b737e7eecaf5a0de3b06a88a702e6037651816cf
SHA512 aa865c301fca768ff6bc1f5c7e942ca7b805ca7388cda70f50fc6fd52622fd428e7f5619cf69344c2aefb08447fa164ea805bba2505d2de519e51a837ce6755a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ePLj7WkNXJ\SYSDM.CPL

MD5 f61b3ca17980346d95b87dbd7ac0106b
SHA1 f576eb453026c1fbbd3dbc75113d0eb38073ac85
SHA256 999f293fea5f55c7206dd7de7bd276a2f3e280185558d09dac11d9e614566b9d
SHA512 e457216a0b24b60cacaf905262d873670311313e6876648580cbaf6659089c5a624e6379eadd287a99adf6344354b9efcab39d4ae4ec5c7912497a61cf5fc9a5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\rJFsKsq\UxTheme.dll

MD5 9b4bcee2730846587720a51c6eaaad37
SHA1 6863ba7ea97f5d9cc656aab65602a65c156df503
SHA256 a2d7bc00fa15f126ed56713a7da4dbd6fc87a5ed6258ddd28a193040ca558427
SHA512 4ce20f4eae4aade4d8dd341c029458ba859fdf4058904ab08c924ebac5434ca3a348e9dfff763cf69d380bac7c8b33410706f624952571570a915cc6c4723d21