Malware Analysis Report

2024-11-30 21:38

Sample ID 240104-yx1mrabac3
Target 0ecd6fbf320e70c4a34a5c3ec82a418c.exe
SHA256 cdb5e75841cdd400ef88879799480357211372e7ea884fcb228efc941cec8b58
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

cdb5e75841cdd400ef88879799480357211372e7ea884fcb228efc941cec8b58

Threat Level: Known bad

The file 0ecd6fbf320e70c4a34a5c3ec82a418c.exe was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-04 20:10

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-04 20:10

Reported

2024-01-04 20:16

Platform

win7-20231215-en

Max time kernel

151s

Max time network

131s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0ecd6fbf320e70c4a34a5c3ec82a418c.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uOAV\BitLockerWizardElev.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\K1Iec5F\EhStorAuthn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\C10L6\dpapimig.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\hVK5\\EHSTOR~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\uOAV\BitLockerWizardElev.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\K1Iec5F\EhStorAuthn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\C10L6\dpapimig.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 2616 N/A N/A C:\Windows\system32\BitLockerWizardElev.exe
PID 1376 wrote to memory of 2168 N/A N/A C:\Users\Admin\AppData\Local\uOAV\BitLockerWizardElev.exe
PID 1376 wrote to memory of 336 N/A N/A C:\Windows\system32\EhStorAuthn.exe
PID 1376 wrote to memory of 696 N/A N/A C:\Users\Admin\AppData\Local\K1Iec5F\EhStorAuthn.exe
PID 1376 wrote to memory of 2764 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1376 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\C10L6\dpapimig.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0ecd6fbf320e70c4a34a5c3ec82a418c.dll

C:\Windows\system32\BitLockerWizardElev.exe

C:\Windows\system32\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\uOAV\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\uOAV\BitLockerWizardElev.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\K1Iec5F\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\K1Iec5F\EhStorAuthn.exe

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\C10L6\dpapimig.exe

C:\Users\Admin\AppData\Local\C10L6\dpapimig.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\uOAV\BitLockerWizardElev.exe

\Users\Admin\AppData\Local\uOAV\FVEWIZ.dll

C:\Users\Admin\AppData\Local\uOAV\FVEWIZ.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\papwAL\BitLockerWizardElev.exe

\Users\Admin\AppData\Local\K1Iec5F\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\K1Iec5F\EhStorAuthn.exe

\Users\Admin\AppData\Local\K1Iec5F\WTSAPI32.dll

C:\Users\Admin\AppData\Local\K1Iec5F\WTSAPI32.dll

C:\Users\Admin\AppData\Local\K1Iec5F\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\C10L6\DUI70.dll

C:\Users\Admin\AppData\Local\C10L6\dpapimig.exe

\Users\Admin\AppData\Local\C10L6\DUI70.dll

C:\Users\Admin\AppData\Local\C10L6\dpapimig.exe

\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\j2Rp2jVc\dpapimig.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\papwAL\FVEWIZ.dll

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\hVK5\WTSAPI32.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\j2Rp2jVc\DUI70.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-04 20:10

Reported

2024-01-04 20:14

Platform

win10v2004-20231215-en

Max time kernel

3s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0ecd6fbf320e70c4a34a5c3ec82a418c.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0ecd6fbf320e70c4a34a5c3ec82a418c.dll

C:\Users\Admin\AppData\Local\DnH2aDC\tcmsetup.exe

C:\Users\Admin\AppData\Local\DnH2aDC\tcmsetup.exe

C:\Windows\system32\lpksetup.exe

C:\Windows\system32\lpksetup.exe

C:\Windows\system32\tcmsetup.exe

C:\Windows\system32\tcmsetup.exe

C:\Users\Admin\AppData\Local\OlCCLu\lpksetup.exe

C:\Users\Admin\AppData\Local\OlCCLu\lpksetup.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\dZdH\sppsvc.exe

C:\Users\Admin\AppData\Local\dZdH\sppsvc.exe

Network

Files

C:\Users\Admin\AppData\Local\DnH2aDC\TAPI32.dll

C:\Users\Admin\AppData\Local\DnH2aDC\TAPI32.dll

C:\Users\Admin\AppData\Local\DnH2aDC\tcmsetup.exe

C:\Users\Admin\AppData\Local\OlCCLu\lpksetup.exe

C:\Users\Admin\AppData\Local\dZdH\sppsvc.exe

C:\Users\Admin\AppData\Local\dZdH\XmlLite.dll

C:\Users\Admin\AppData\Local\dZdH\sppsvc.exe

C:\Users\Admin\AppData\Local\dZdH\XmlLite.dll

C:\Users\Admin\AppData\Local\OlCCLu\dpx.dll

C:\Users\Admin\AppData\Local\OlCCLu\dpx.dll

C:\Users\Admin\AppData\Local\OlCCLu\lpksetup.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Khm\TAPI32.dll

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\8vp9Dpn\dpx.dll

C:\Users\Admin\AppData\Roaming\Adobe\onM\XmlLite.dll
