Malware Analysis Report

2024-11-30 21:29

Sample ID 240103-r4yneahdb8
Target 4679898201806dc6de8e98d5fe539ed2.exe
SHA256 b60b7a922e6e0e011f495a1be04333582f76e52ddabefa0b020ed51a0d263cde
Tags: dridex, botnet, evasion, payload, persistence, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

b60b7a922e6e0e011f495a1be04333582f76e52ddabefa0b020ed51a0d263cde

Threat Level: Known bad

The file 4679898201806dc6de8e98d5fe539ed2.exe was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-03 14:45

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-03 14:45

Reported

2024-01-03 14:48

Platform

win7-20231215-en

Max time kernel

151s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4679898201806dc6de8e98d5fe539ed2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\2vlMaL\\rdpinit.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\jcLVdf\fveprompt.exe | C:\Windows\system32\cmd.exe | N/A
File opened for modification | C:\Windows\system32\jcLVdf\fveprompt.exe | C:\Windows\system32\cmd.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1220 wrote to memory of 2528 | N/A | N/A | C:\Windows\system32\rdpinit.exe
PID 1220 wrote to memory of 2528 | N/A | N/A | C:\Windows\system32\rdpinit.exe
PID 1220 wrote to memory of 2528 | N/A | N/A | C:\Windows\system32\rdpinit.exe
PID 1220 wrote to memory of 2580 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1220 wrote to memory of 2580 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1220 wrote to memory of 2580 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1220 wrote to memory of 340 | N/A | N/A | C:\Windows\system32\fveprompt.exe
PID 1220 wrote to memory of 340 | N/A | N/A | C:\Windows\system32\fveprompt.exe
PID 1220 wrote to memory of 340 | N/A | N/A | C:\Windows\system32\fveprompt.exe
PID 1220 wrote to memory of 1788 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1220 wrote to memory of 1788 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1220 wrote to memory of 1788 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1220 wrote to memory of 1612 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 1612 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 1612 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 1700 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 1700 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 1700 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 564 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 564 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 564 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 2712 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 2712 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 2712 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 1956 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 1956 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 1956 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 2552 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 2552 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 2552 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 808 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 808 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 1220 wrote to memory of 808 | N/A | N/A | C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4679898201806dc6de8e98d5fe539ed2.dll,#1

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\s4y.cmd

C:\Windows\system32\rdpinit.exe

C:\Windows\system32\rdpinit.exe

C:\Windows\system32\fveprompt.exe

C:\Windows\system32\fveprompt.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\qMGx51.cmd

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /F /TN "Zkuqeumlixikgi" /TR "C:\Windows\system32\jcLVdf\fveprompt.exe" /SC minute /MO 60 /RL highest

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Zkuqeumlixikgi"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Zkuqeumlixikgi"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Zkuqeumlixikgi"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Zkuqeumlixikgi"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Zkuqeumlixikgi"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Zkuqeumlixikgi"

Network

N/A

Files

memory/1260-2-0x0000000000510000-0x0000000000517000-memory.dmp

memory/1260-0-0x000007FEF7020000-0x000007FEF70C1000-memory.dmp

memory/1220-3-0x00000000778B6000-0x00000000778B7000-memory.dmp

memory/1220-4-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

memory/1220-13-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-20-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-23-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-22-0x0000000002AC0000-0x0000000002AC7000-memory.dmp

memory/1220-21-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-30-0x00000000779C1000-0x00000000779C2000-memory.dmp

memory/1220-31-0x0000000077B20000-0x0000000077B22000-memory.dmp

memory/1220-29-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-19-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-18-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-17-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-16-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-15-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-14-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-40-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-12-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-11-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-10-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-9-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-8-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1260-7-0x000007FEF7020000-0x000007FEF70C1000-memory.dmp

memory/1220-44-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1220-6-0x0000000140000000-0x00000001400A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hD28EF7.tmp

MD5 f4eeec0112bc365193cb4019b4f3d238
SHA1 c45098235dca5f28f01d7ffd2a813e58e5a1e69a
SHA256 50e3d3aee9d1b9012eca82a82978f7a9d21d6295655074f97803b8dc8995edbd
SHA512 f3e6ec875119c35692b061e3bf1ad967628a9659df4227f7a3c76eb1d33f017a8d1fc2c74ab496c4f69e2f9a341c39f3633a15ec12427d4c6b33d7b36642c964

C:\Users\Admin\AppData\Local\Temp\s4y.cmd

MD5 0b826fbe44d039c6b97d42ffbc121d48
SHA1 90343d80ce903c78f0e2698344f9f35d2ddea00e
SHA256 18c2042013ecea1b83fb931a060331ec06db2ceb21876accccebe65ff1bac99e
SHA512 fe52b680183598d86275ca1bfe9b5d75d1062c88882f90c63bfcd8f505d98c27c0e52fa35092c2a70929e020c0728fda01dc76c2fd2dda20068345ad8d46bf70

memory/1220-57-0x00000000778B6000-0x00000000778B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qMGx51.cmd

MD5 84b918a772bc2737b2920f4ffff08a7a
SHA1 c90d61a019fcbb2b3685d07898bffe8ed492811e
SHA256 e971602225baa1cfae4005a3a02ad5b6468e59b1a8fa2aa6068f52666ba2d36f
SHA512 92efb63c22e4c873a5eab7c7129f88cc680a3967c3551dedb97bc6f617ceec32b02f49883e6e6db09abd5ee5356aa520568fe74b93535ba6c0d1af90518fd88f

C:\Users\Admin\AppData\Local\Temp\jwBB06.tmp

MD5 d89895707fb449449566ca0d2e5cb0bb
SHA1 45dd38db162d8f478494e55c3bcc2c487d3fd5c9
SHA256 647b4ec0fc0187fac0c8c7add137fb5929640cfedddfec1647d017858d791e60
SHA512 0f3546af0d88df04c1b8bbe655df38af1f680f0c9532bc3d8bb70e6e08aea339d3d4fed2cbd28b8dfcfeb11c8668e2e0b8a427ab522c1b91f58d94a3ff287dee

\Users\Admin\AppData\Roaming\2vlMaL\rdpinit.exe

MD5 664e12e0ea009cc98c2b578ff4983c62
SHA1 27b302c0108851ac6cc37e56590dd9074b09c3c9
SHA256 00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332
SHA512 f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Srfjajs.lnk

MD5 f9e3cc5d05c046a3438869f2f835b4f7
SHA1 159b84f2170f8c769a799e4f07d35fce6692054e
SHA256 7659f7029514e51cf6d59784d40bab1d94ad775602a1d4bce4068df9835a04d7
SHA512 2f0450b4a96abf18f94d26ba6ceefa9d63cf913f209a12807da34a1d367c0def153631fde94a868e86886f80c7001cfb2e59d5c9c552c9f750cdc62dd218cdea

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-03 14:45

Reported

2024-01-03 14:48

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4679898201806dc6de8e98d5fe539ed2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\9Amn\\RDPSAU~1.EXE" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3500 wrote to memory of 3472 | N/A | N/A | C:\Windows\system32\RdpSaUacHelper.exe
PID 3500 wrote to memory of 3472 | N/A | N/A | C:\Windows\system32\RdpSaUacHelper.exe
PID 3500 wrote to memory of 3656 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 3500 wrote to memory of 3656 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 3500 wrote to memory of 2084 | N/A | N/A | C:\Windows\system32\raserver.exe
PID 3500 wrote to memory of 2084 | N/A | N/A | C:\Windows\system32\raserver.exe
PID 3500 wrote to memory of 2156 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 3500 wrote to memory of 2156 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 3500 wrote to memory of 4772 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 3500 wrote to memory of 4772 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 3500 wrote to memory of 3168 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 3500 wrote to memory of 3168 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 3500 wrote to memory of 408 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 3500 wrote to memory of 408 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 3500 wrote to memory of 4316 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 3500 wrote to memory of 4316 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 3500 wrote to memory of 3416 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 3500 wrote to memory of 3416 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 3500 wrote to memory of 4472 | N/A | N/A | C:\Windows\system32\schtasks.exe
PID 3500 wrote to memory of 4472 | N/A | N/A | C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4679898201806dc6de8e98d5fe539ed2.dll,#1

C:\Windows\system32\RdpSaUacHelper.exe

C:\Windows\system32\RdpSaUacHelper.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\K8z.cmd

C:\Windows\system32\raserver.exe

C:\Windows\system32\raserver.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\XYL.cmd

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /F /TN "Ugwggfx" /TR "C:\Windows\system32\eV6tTjx\raserver.exe" /SC minute /MO 60 /RL highest

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ugwggfx"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ugwggfx"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ugwggfx"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ugwggfx"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ugwggfx"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
NL | 52.142.223.178:80 | N/A | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 193.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.73.50.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
GB | 96.17.178.209:80 | N/A | tcp

Files

memory/8-0-0x00007FFC82DF0000-0x00007FFC82E91000-memory.dmp

memory/8-2-0x0000014A0AA90000-0x0000014A0AA97000-memory.dmp

memory/3500-3-0x0000000007C20000-0x0000000007C21000-memory.dmp

memory/3500-5-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3500-8-0x00007FFC905EA000-0x00007FFC905EB000-memory.dmp

memory/3500-9-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3500-10-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3500-11-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3500-12-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3500-13-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3500-7-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/8-6-0x00007FFC82DF0000-0x00007FFC82E91000-memory.dmp

memory/3500-14-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3500-15-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3500-16-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3500-17-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3500-21-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3500-23-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3500-22-0x0000000006F30000-0x0000000006F37000-memory.dmp

memory/3500-20-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3500-19-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3500-18-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3500-29-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3500-30-0x00007FFC91240000-0x00007FFC91250000-memory.dmp

memory/3500-39-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3500-41-0x0000000140000000-0x00000001400A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\K8z.cmd

MD5 d29921e767474f4e223ee2fa9a6f2a0b
SHA1 db7212552803fc07f771cba3ce0ba572fe8bef39
SHA256 52146a577cebed6fd08d3bbf2d8d793a91dbd4ab3a910d8a194602af1e760a89
SHA512 418153578be80942cec5a4d3edaa086e047d4007040a99c315e7da85a1abf26022674037cde9f9ca9ce58abdf0cbccac46bd9c2787c8c5e104bc51a67bcba77a

C:\Users\Admin\AppData\Local\Temp\N0pA78A.tmp

MD5 644cd63411ca8218e218d932382b1bd8
SHA1 6d841b79197fda7209fe3838b6a6fb8abe4c9f0b
SHA256 d4f3cecca1aeb77668c2b63672e4fee50e2d8d886396aeee0eda226ff1514dfa
SHA512 8e80f3cbea1067753e45835e99448b6b4158734e8e7e26e74eb2d2cf0dbde3fa90a6730b99b7d3cd8dd0002e726c308a7ade78cb64a20baaba9fb555ec35f9cb

C:\Users\Admin\AppData\Roaming\9Amn\RdpSaUacHelper.exe

MD5 0d5b016ac7e7b6257c069e8bb40845de
SHA1 5282f30e90cbd1be8da95b73bc1b6a7d041e43c2
SHA256 6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067
SHA512 cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qoccyyzfzcu.lnk

MD5 9cd79a1602d3c15db9b3e07f0fe982d8
SHA1 c685bb34acaf0704bc0679a702239eee32a0438e
SHA256 31025f87cd8f37dad77d5994dda796deccbede42d4a286fdc0aad3737819d385
SHA512 9e64df2641db915bc2839f75b8ec84e06911608df7b80678a1941bbf81bb955e45a8c217648d9468fa8908f11d1ddf0bb34de47c089d3fd82afdacea3282d848