Malware Analysis Report

2024-11-30 21:35

Sample ID 240104-yvlqtaabcr
Target 1f757ecf4a083364ad33710c0020ba16.exe
SHA256 d94814b7b97e9e0955a9c3e04b7eb9de7246902dd6a3f203806a9715b4e6436e
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256 d94814b7b97e9e0955a9c3e04b7eb9de7246902dd6a3f203806a9715b4e6436e

Threat Level: Known bad

The file 1f757ecf4a083364ad33710c0020ba16.exe was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Drops startup file

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-04 20:06

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-04 20:06

Reported

2024-01-04 20:11

Platform

win7-20231215-en

Max time kernel

150s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f757ecf4a083364ad33710c0020ba16.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\3g7\lpksetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\vnH\TpmInit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\tpyE\SndVol.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\BOZ3TZ~1\\TpmInit.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3g7\lpksetup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\vnH\TpmInit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\tpyE\SndVol.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 2404 N/A N/A C:\Windows\system32\lpksetup.exe
PID 1228 wrote to memory of 2404 N/A N/A C:\Windows\system32\lpksetup.exe
PID 1228 wrote to memory of 2404 N/A N/A C:\Windows\system32\lpksetup.exe
PID 1228 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\3g7\lpksetup.exe
PID 1228 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\3g7\lpksetup.exe
PID 1228 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\3g7\lpksetup.exe
PID 1228 wrote to memory of 564 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1228 wrote to memory of 564 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1228 wrote to memory of 564 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1228 wrote to memory of 1488 N/A N/A C:\Users\Admin\AppData\Local\vnH\TpmInit.exe
PID 1228 wrote to memory of 1488 N/A N/A C:\Users\Admin\AppData\Local\vnH\TpmInit.exe
PID 1228 wrote to memory of 1488 N/A N/A C:\Users\Admin\AppData\Local\vnH\TpmInit.exe
PID 1228 wrote to memory of 1820 N/A N/A C:\Windows\system32\SndVol.exe
PID 1228 wrote to memory of 1820 N/A N/A C:\Windows\system32\SndVol.exe
PID 1228 wrote to memory of 1820 N/A N/A C:\Windows\system32\SndVol.exe
PID 1228 wrote to memory of 2920 N/A N/A C:\Users\Admin\AppData\Local\tpyE\SndVol.exe
PID 1228 wrote to memory of 2920 N/A N/A C:\Users\Admin\AppData\Local\tpyE\SndVol.exe
PID 1228 wrote to memory of 2920 N/A N/A C:\Users\Admin\AppData\Local\tpyE\SndVol.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f757ecf4a083364ad33710c0020ba16.dll,#1

C:\Windows\system32\lpksetup.exe

C:\Windows\system32\lpksetup.exe

C:\Users\Admin\AppData\Local\3g7\lpksetup.exe

C:\Users\Admin\AppData\Local\3g7\lpksetup.exe

C:\Windows\system32\TpmInit.exe

C:\Windows\system32\TpmInit.exe

C:\Users\Admin\AppData\Local\vnH\TpmInit.exe

C:\Users\Admin\AppData\Local\vnH\TpmInit.exe

C:\Windows\system32\SndVol.exe

C:\Windows\system32\SndVol.exe

C:\Users\Admin\AppData\Local\tpyE\SndVol.exe

C:\Users\Admin\AppData\Local\tpyE\SndVol.exe

Network

N/A

Files


\Users\Admin\AppData\Local\3g7\lpksetup.exe

MD5 50d28f3f8b7c17056520c80a29efe17c
SHA1 1b1e62be0a0bdc9aec2e91842c35381297d8f01e
SHA256 71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f
SHA512 92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

C:\Users\Admin\AppData\Local\3g7\slc.dll

MD5 620f8a65682987b5423eb19d4b7da9bc
SHA1 980ddc87872c3e4d14cf4a39b023f090fff33611
SHA256 2ab840fb0c48a5fea26274a6620dcae44f4dba6aeebf81c28c9e701c530d9903
SHA512 e37e4ac6fbad1ec210f4f0f46c1fde679658cde81b10f65ed0a481b719594a41faf0489337adfb86ca9690385d3036e10d8acbf67d05248e29f536e4d25e58cf


\Users\Admin\AppData\Local\vnH\TpmInit.exe

MD5 8b5eb38e08a678afa129e23129ca1e6d
SHA1 a27d30bb04f9fabdb5c92d5150661a75c5c7bc42
SHA256 4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c
SHA512 a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

C:\Users\Admin\AppData\Local\vnH\Secur32.dll

MD5 33d4c038a4e72d77500d9fd0c38135f7
SHA1 95558e4e7ed4d56ef37c68f831adda408cdbd438
SHA256 a4c9819c8aef5dd035dfc37258291eca78db0244c7bbea9e8d21905b33bf2ea0
SHA512 833bc1236b74de5dbe463d4da087cd74d028112261af3396ba962390f08605df4bc7a715af03fab4ed168a5ec8415d7de8123eb491912cf86a84700574e0b862


\Users\Admin\AppData\Local\tpyE\SndVol.exe

MD5 c3489639ec8e181044f6c6bfd3d01ac9
SHA1 e057c90b675a6da19596b0ac458c25d7440b7869
SHA256 a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103
SHA512 63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

\Users\Admin\AppData\Local\tpyE\dwmapi.dll

MD5 6a860d28a9ed438ff3f5ebb78a4e8fe2
SHA1 3401760bd74a7b948df4742493a3290cc1635ccf
SHA256 b3dec0f0d9f8d6e3d3b47f769d1da5959ad1352d9f3b544af0f800fc1610fd84
SHA512 3f72a43ed346e2107c2355a584572c9f7ac8f5b545b22cbb16077e84b835891495fe01a5c9d844a6653b9e4d159e087b3ab2b987e8f1eaea29eac46356a6227b


C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 d7e1fde1109f76b49837e5ebc5c7eb61
SHA1 0f65e4eea570ef9c1495cfbeb9dc2d4ec0e1da03
SHA256 715fe4d1650f251cba7f0602c64eea7a1ff8b1ea4718b4dd741729b48dbbd013
SHA512 c3d47b90dd2b36618621364b47db8e06b0397e30760f77cc899a13c422c351e4abb7af0f3dacd84ebb2b65553e2077ee7f14d77049add721c5c0f13dbf826c87

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-04 20:06

Reported

2024-01-04 20:12

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f757ecf4a083364ad33710c0020ba16.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JNorZ N/A N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JNorZ\dwmapi.dll N/A N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JNorZ\SndVol.exe N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\JNorZ\\SndVol.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ikRI\msconfig.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\1UomU\SndVol.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\o4Py3w\mstsc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of FindShellTrayWindow


Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3332 wrote to memory of 3104 N/A N/A C:\Windows\system32\msconfig.exe
PID 3332 wrote to memory of 3104 N/A N/A C:\Windows\system32\msconfig.exe
PID 3332 wrote to memory of 5008 N/A N/A C:\Users\Admin\AppData\Local\ikRI\msconfig.exe
PID 3332 wrote to memory of 5008 N/A N/A C:\Users\Admin\AppData\Local\ikRI\msconfig.exe
PID 3332 wrote to memory of 3628 N/A N/A C:\Windows\system32\SndVol.exe
PID 3332 wrote to memory of 3628 N/A N/A C:\Windows\system32\SndVol.exe
PID 3332 wrote to memory of 1724 N/A N/A C:\Users\Admin\AppData\Local\1UomU\SndVol.exe
PID 3332 wrote to memory of 1724 N/A N/A C:\Users\Admin\AppData\Local\1UomU\SndVol.exe
PID 3332 wrote to memory of 4428 N/A N/A C:\Windows\system32\mstsc.exe
PID 3332 wrote to memory of 4428 N/A N/A C:\Windows\system32\mstsc.exe
PID 3332 wrote to memory of 2424 N/A N/A C:\Users\Admin\AppData\Local\o4Py3w\mstsc.exe
PID 3332 wrote to memory of 2424 N/A N/A C:\Users\Admin\AppData\Local\o4Py3w\mstsc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f757ecf4a083364ad33710c0020ba16.dll,#1

C:\Windows\system32\msconfig.exe

C:\Windows\system32\msconfig.exe

C:\Users\Admin\AppData\Local\ikRI\msconfig.exe

C:\Users\Admin\AppData\Local\ikRI\msconfig.exe

C:\Windows\system32\SndVol.exe

C:\Windows\system32\SndVol.exe

C:\Users\Admin\AppData\Local\1UomU\SndVol.exe

C:\Users\Admin\AppData\Local\1UomU\SndVol.exe

C:\Windows\system32\mstsc.exe

C:\Windows\system32\mstsc.exe

C:\Users\Admin\AppData\Local\o4Py3w\mstsc.exe

C:\Users\Admin\AppData\Local\o4Py3w\mstsc.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 34.179.17.96.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 183.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 36.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 47.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 15.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files


C:\Users\Admin\AppData\Local\ikRI\VERSION.dll

MD5 05faabfdccb20564488acad29bfca71d
SHA1 e6dd6122a90868dbcdaaf70f12985e8559dbf26e
SHA256 58509e148108f2868dbdeed64563ff90eb214b6ecf45fff82f76e10e8abb8896
SHA512 4e58b4e2b330a269b2cb496aea6fc2dc7497d2b0dade9bca470207125f6c0cf5fc38d7c5b7c3c7b00f8cf3aee7fa33fed52af1574f38d6ca247da828d84c569c

C:\Users\Admin\AppData\Local\ikRI\msconfig.exe

MD5 39009536cafe30c6ef2501fe46c9df5e
SHA1 6ff7b4d30f31186de899665c704a105227704b72
SHA256 93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04
SHA512 95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

C:\Users\Admin\AppData\Local\ikRI\VERSION.dll

MD5 0c8e50b4d1bc4f7c23d99dcbf2509746
SHA1 8151890deebb6ac3d58b22dbd3e199b3629dfdc2
SHA256 912a00cb8c54cc723b38e60ac065b0e24030192e667295d697bae32895922b25
SHA512 9b85642ef99009f654a4e6c5931b707aa843776b40822765f15cc47f221f04275ee739d5bb88ff42ea88214c0787c826c3651515429c207428979e4b0b24f975


C:\Users\Admin\AppData\Local\1UomU\dwmapi.dll

MD5 a3dc2381dbc6e9b85de1bad84f7105c0
SHA1 25f6c9ba6f6746b4d1817cacb5043425dc62ecb4
SHA256 e6b9d28871145a1c15151b1a44818189c6ecfb16f54fa2cc87e85b1dbc53bfd5
SHA512 9135bb8f9991b61968f44775aa1e7e6370171eaccee027f9e6f87644257bb7e9e95007fdc5a85dc0d57ce2d747ebdb770c9b8ca3469ae6e0aa4458b7636662b5


C:\Users\Admin\AppData\Local\1UomU\dwmapi.dll

MD5 9c4001b928317f5b9475c2d23247c55c
SHA1 fd4daf14d577e6f618ec951ebeb1f20ec0037b3f
SHA256 05e5c6053191c51a41b15626a37ade5ccd9a5718d6e103840ca36ffd3b29c1df
SHA512 01d70e9677493d2c9f16542a292a8981ba850b8a642bd52173f6fff61e27056b5140c7b3fabd065a39cea3a705b7fec22d0c01e41283807b71e7fe8aadc02a22


C:\Users\Admin\AppData\Local\1UomU\SndVol.exe

MD5 c762f4f7dbb22c074f499328b8378850
SHA1 9b739f93815700f8b07103fb5df4d1bdcd35527f
SHA256 ff96a7882166aac361f95abbc41809e46d82047deff3e15d4d1e2f0190647456
SHA512 21e21894b750e5ca5227d0f00ae4d0309f9ff6fbb479678ac7ba8c76fd81a720fc094ac541e649db9afa560082a3a65d85ab871723622a4458afd3977c1ddbd2

C:\Users\Admin\AppData\Local\1UomU\SndVol.exe

MD5 fc9e41c12e398a684cddd75a47f54849
SHA1 1986d462d01a3908717c665916afca4dc8656a62
SHA256 7ccef572a6d7aa635e98fb3109370e96d894aeaf45f6b2b62c9ff00b245179aa
SHA512 1bc843c03251098840ef391d82433fb19af9288746993ae77aab5e8df52cd6f93a87aaa1f9ccbd58c273a74115849c05ea9589a1e9994cbe932a9af0bab7f058

C:\Users\Admin\AppData\Local\o4Py3w\WINMM.dll

MD5 694c9b500366a20f08b7866c44f58d0b
SHA1 10070476f71e12ec5d48b8384f1fc14bdadcc15e
SHA256 a470b0273fb691a9e08fe58fa140915ce4b2dd2dc689e7372e8c90afe471061e
SHA512 6d545e6c848c2b931f1d5f4cff3b8612a458829b233ae4d0539e652bd19e368e8bee8bcc6efa6c1557942a711fae8a429ddd3eb5c7d3c51b9979da96dca7d187


C:\Users\Admin\AppData\Local\o4Py3w\WINMM.dll

MD5 921db23a6bdac192d00cd5cb5ac32e3b
SHA1 9e04248c767c2c44a078f2d1c0e5592ece561268
SHA256 5f5d406e07fb92364cb58e39c4ced6dace21e1f5426fdedbac38fca058c94b37
SHA512 59a1f4a9993b9f44eaa9215d84f1189f73bba772d82a38caee98c547afabc12113c45f8b0490ec7139c33c6f9655298dffb15632beb966d35e84312e2b653e80

C:\Users\Admin\AppData\Local\o4Py3w\mstsc.exe

MD5 8657ef73257a8a755b197d1ef089476a
SHA1 bf2698f9fe35f0edbfa8a4c23753ed9035713c62
SHA256 6c99be7dc9f13aac4a72cb99fed9abd966a59b27478fddcab67146f66b787b63
SHA512 49d815610daa895c08563f6829dff68ca823c3e45e9b4f95fd3050dc39af7a8e6d126dbc9f6325157a113789e3b0e2276687bd0f8e2a81b2ef4462775020751a


C:\Users\Admin\AppData\Local\o4Py3w\mstsc.exe

MD5 7c2557fc6fc9abdca241f8a1f942cdbe
SHA1 bfd3fae46a9855d4b2d7b95dcd4529dbeee4623c
SHA256 61816fa483152d12fa4c8ac538f0e78adf441844f134b28e8088c33803c2c124
SHA512 84766b6efcbb58ddcace8ee1e61e93040082d851cd4d4ba5e6ad714c315e3c18d700f835e66bd93a4088240be9502c89a143d8c7012d8086e54adda2622752e6

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

MD5 811d4acb01ebbe0cebd15a8619e72909
SHA1 72c7666ea12e9d3989265b55134964835af6dfc0
SHA256 cb49bf79fe81ccd205456d1f1230dbdd3b46f90bb76617cec5988b81a42309e9
SHA512 9b6626eb153a37f23656a29322adb8ae08401836282eec13c55f81d7f9994ba57f380bd05bfc7932d217ffcebfb993ff3f8c287db802d77a486813e36b338c9b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\daTf5\VERSION.dll

MD5 fcf1455c1a485f93bddb1dc92117496b
SHA1 527c20ffd076772b94898b861b01cf5005368984
SHA256 85d2eba6223af4da201308aeca7a421e4bda7712e46d4bdb91ec762f033e6e95
SHA512 9bc9a0b5f00879b13dc3f7ec1097e4d3fe15db3e5b78e173d7327dc9b8f4a2b7b9891eba0cc0a441b6a3db2d4ae14cce75a57cc06d70f1971d02061a00626df0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JNorZ\dwmapi.dll

MD5 1dbd930e28a81ca97764c860fe79753a
SHA1 dc107651cd5b65a0385ff3fb3fc507bc127bd01c
SHA256 67134a8ba5870d909ac87f26ed8b036e5c29c8554fb819ce2cc49eb106e70d7e
SHA512 9fc4683e9712feac9f45db0d8bfe9bb42ed395265674027a7682874082cbe5d70eccbc219542257d8887c464750a1ca29d094446024b0af5b6d0095bfd2048e0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WTgy\WINMM.dll

MD5 5b05d52a4dd938e4d9a9d5b0db73175f
SHA1 aac588c2189b2cac8c98f0fd537afebd2aa7b105
SHA256 a70ce2f3069af0228b2bd378ef8318d36dc7f90aafc05e6878eddc5b29f6fc1b
SHA512 46a229b14a848e8c0a9d5f4ac34b788b8d6f4c54026e040bab56c581e9d2818795afc0b5755d3855d2e55785a3b027ebe1cf5c4692d49bb3ea863ba9ca6edd14