Malware Analysis Report

2024-11-30 21:32

Sample ID 240105-q146cadbar
Target 43d5c550f2017e02401eb826dd04f724
SHA256 2cd1d3e309f32976b3d48b44f2c367c5ae338dec589efddcc94232166fa433c3
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 43d5c550f2017e02401eb826dd04f724 was found to be: Known bad.

Malicious Activity Summary

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-01-05 13:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-05 13:44

Reported

2024-01-05 13:47

Platform

win7-20231215-en

Max time kernel

150s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\43d5c550f2017e02401eb826dd04f724.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\no3f\WFS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TF6zGj\FXSCOVER.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\o6v4\Utilman.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\l482\\FXSCOVER.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\no3f\WFS.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\TF6zGj\FXSCOVER.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\o6v4\Utilman.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1284 wrote to memory of 2624 N/A N/A C:\Windows\system32\WFS.exe
PID 1284 wrote to memory of 2624 N/A N/A C:\Windows\system32\WFS.exe
PID 1284 wrote to memory of 2624 N/A N/A C:\Windows\system32\WFS.exe
PID 1284 wrote to memory of 2524 N/A N/A C:\Users\Admin\AppData\Local\no3f\WFS.exe
PID 1284 wrote to memory of 2524 N/A N/A C:\Users\Admin\AppData\Local\no3f\WFS.exe
PID 1284 wrote to memory of 2524 N/A N/A C:\Users\Admin\AppData\Local\no3f\WFS.exe
PID 1284 wrote to memory of 1924 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1284 wrote to memory of 1924 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1284 wrote to memory of 1924 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1284 wrote to memory of 652 N/A N/A C:\Users\Admin\AppData\Local\TF6zGj\FXSCOVER.exe
PID 1284 wrote to memory of 652 N/A N/A C:\Users\Admin\AppData\Local\TF6zGj\FXSCOVER.exe
PID 1284 wrote to memory of 652 N/A N/A C:\Users\Admin\AppData\Local\TF6zGj\FXSCOVER.exe
PID 1284 wrote to memory of 2976 N/A N/A C:\Windows\system32\Utilman.exe
PID 1284 wrote to memory of 2976 N/A N/A C:\Windows\system32\Utilman.exe
PID 1284 wrote to memory of 2976 N/A N/A C:\Windows\system32\Utilman.exe
PID 1284 wrote to memory of 2164 N/A N/A C:\Users\Admin\AppData\Local\o6v4\Utilman.exe
PID 1284 wrote to memory of 2164 N/A N/A C:\Users\Admin\AppData\Local\o6v4\Utilman.exe
PID 1284 wrote to memory of 2164 N/A N/A C:\Users\Admin\AppData\Local\o6v4\Utilman.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\43d5c550f2017e02401eb826dd04f724.dll,#1

C:\Windows\system32\WFS.exe

C:\Users\Admin\AppData\Local\no3f\WFS.exe

C:\Windows\system32\FXSCOVER.exe

C:\Users\Admin\AppData\Local\TF6zGj\FXSCOVER.exe

C:\Windows\system32\Utilman.exe

C:\Users\Admin\AppData\Local\o6v4\Utilman.exe

Network

N/A

Files

\Users\Admin\AppData\Local\no3f\WFS.exe

MD5 a943d670747778c7597987a4b5b9a679
SHA1 c48b760ff9762205386563b93e8884352645ef40
SHA256 1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610
SHA512 3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

C:\Users\Admin\AppData\Local\no3f\MFC42u.dll

MD5 afb2dacf19f374ec3afaafe93ea1feba
SHA1 6dc7b81a583d8f11dbabfedc6245826d162d82d0
SHA256 5664b191819dd10b28850ffbacd54c8af01ba5eb391c603e687942ea2861372e
SHA512 32a4112aabb3ba6f327f41086473753f7d623aeec4628009c4ca55b65c9a2bae2928f0b4bbecff0ec6a413352aa1c979a0564048b5033d3716935082923b1fc0

\Users\Admin\AppData\Local\TF6zGj\FXSCOVER.exe

MD5 5e2c61be8e093dbfe7fc37585be42869
SHA1 ed46cda4ece3ef187b0cf29ca843a6c6735af6c0
SHA256 3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121
SHA512 90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

C:\Users\Admin\AppData\Local\TF6zGj\MFC42u.dll

MD5 65155402f11db6a4f5f9fb4a011de622
SHA1 25ac2b4177ae4eeb69fea7ad7382cc9a6ffce5d9
SHA256 e1346aabe7d18fd62a98ed0a52081739feced485ad34b70c1d6e4438b916a4ff
SHA512 309d457d4d551d17a0a88f99e25bc1e392464d942e0815fcf8f5f2046b478d26b8c6d639f920fa8dfe66935b27b9153e7132d270e0f567c9c409b9ac2d888a50

\Users\Admin\AppData\Local\o6v4\Utilman.exe

MD5 32c5ee55eadfc071e57851e26ac98477
SHA1 8f8d0aee344e152424143da49ce2c7badabb8f9d
SHA256 7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea
SHA512 e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

C:\Users\Admin\AppData\Local\o6v4\DUI70.dll

MD5 3d255eed73b928c67263601eeb22649b
SHA1 9bdc9af04289f0a6e3801718584a2fbf122859f1
SHA256 3d44675464287692a4ad7d2cee4d811c242083eae7703dfdf782a88b7ca77096
SHA512 199400a65e183f004b990a264dc82d03ee51fd987f657d8792e1beb1e322ca87b20ae42f7a0a800b349327e10c327457614f72050dbbef45518d04336bc34637

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 360e268a7c3cd734ecfb062d8558f687
SHA1 3493c8e39d32d75c46c9869931f85b353133ac60
SHA256 3a28fe0b400970c995798b7f2ac8cd2dd983a3779de8eb38f8bb7a1afa7ac69d
SHA512 02ae4c0ee7826353125775d962900f7dceda693def060aff7525a0287010441dbe885421f28d521ba626d3d9da211a11973cb9d96adffa9b70c0500350e2bcfe

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-05 13:44

Reported

2024-01-05 13:48

Platform

win10v2004-20231215-en

Max time kernel

202s

Max time network

213s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\43d5c550f2017e02401eb826dd04f724.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\lMTs5sUsiR\\SystemPropertiesPerformance.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\SvHKOSL\systemreset.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\V5K\SystemPropertiesPerformance.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\mrHR\ddodiag.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3400 wrote to memory of 2932 N/A N/A C:\Windows\system32\systemreset.exe
PID 3400 wrote to memory of 2932 N/A N/A C:\Windows\system32\systemreset.exe
PID 3400 wrote to memory of 1676 N/A N/A C:\Users\Admin\AppData\Local\SvHKOSL\systemreset.exe
PID 3400 wrote to memory of 1676 N/A N/A C:\Users\Admin\AppData\Local\SvHKOSL\systemreset.exe
PID 3400 wrote to memory of 4584 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 3400 wrote to memory of 4584 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 3400 wrote to memory of 3024 N/A N/A C:\Users\Admin\AppData\Local\V5K\SystemPropertiesPerformance.exe
PID 3400 wrote to memory of 3024 N/A N/A C:\Users\Admin\AppData\Local\V5K\SystemPropertiesPerformance.exe
PID 3400 wrote to memory of 476 N/A N/A C:\Windows\system32\ddodiag.exe
PID 3400 wrote to memory of 476 N/A N/A C:\Windows\system32\ddodiag.exe
PID 3400 wrote to memory of 4924 N/A N/A C:\Users\Admin\AppData\Local\mrHR\ddodiag.exe
PID 3400 wrote to memory of 4924 N/A N/A C:\Users\Admin\AppData\Local\mrHR\ddodiag.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\43d5c550f2017e02401eb826dd04f724.dll,#1

C:\Windows\system32\systemreset.exe

C:\Users\Admin\AppData\Local\SvHKOSL\systemreset.exe

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\V5K\SystemPropertiesPerformance.exe

C:\Windows\system32\ddodiag.exe

C:\Users\Admin\AppData\Local\mrHR\ddodiag.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\SvHKOSL\ReAgent.dll

MD5 2b7382edb180e8f2dc6d04fdcd538130
SHA1 6505b69c26641de120a9fca4585b8c7ebeffcfc3
SHA256 cbb99cb18b023dab849ffdc1db839fb49da60182a331308826680cabacbfb96b
SHA512 30776cf4599dd3e204aa74b5093e4e49e7dd8b20c457b6d48bbad858b32a3a897458241c1defa18aac13aa0ce39046bbcb5d5d1ddb1e9e0978accc342bf7dfa7

C:\Users\Admin\AppData\Local\SvHKOSL\systemreset.exe

MD5 b1ed7ad3ff840f5bc252fa64127d7948
SHA1 af4217417f1b0ba06bd80eb3ac3bfbac8ff204f9
SHA256 94df0bca41f34cb154095b56bcde2f8f4c2c77a2d0919eb940b4e9f0250b744c
SHA512 b7a41f15b6c26158f615d70e7f1da353a503441e01568741f1f130714d77b8e5a4de78a55dc27eec756f9f312217d95d9041e3c28523ccc1da0d1805599dedfb

C:\Users\Admin\AppData\Local\SvHKOSL\ReAgent.dll

MD5 fd92672032a5cd63d773b961b7a8dc31
SHA1 0c82a5f6f25fa03577ada0d53cd89f92f52d4b88
SHA256 adbd0f3796a738c5530270339e387a63ffeeaf25ea225ba396d425a2a99aff6e
SHA512 39574e0d5e97456bf7c3be18629c556e043f5908bc73f06cae05407ca98b445bd317a0cb4b6ef482c8919f057ab6cf5e91d0f1b0f09baaa048b6aa9c02cf7800

C:\Users\Admin\AppData\Local\SvHKOSL\ReAgent.dll

MD5 176def2a8c4dc7505fd96d0762f05cb3
SHA1 ceae0d31bd718c6fe1f96a1a04051817a45097be
SHA256 d6381f088d3cf0681caafb2e368c8e3519fbbfe7791ef48c4c01ded0f8558c2d
SHA512 e642b1a77af59936302ec719a4399fcc51db7495c55f6ccb036ab91472c19501b83508fcf18c24042e7104282d24dfbb40a3faae03b4fea9ee0cda88d22ac5af

C:\Users\Admin\AppData\Local\SvHKOSL\systemreset.exe

MD5 5dfc9c6cb23abe3052aae56a1b0d6e99
SHA1 adfc7fc50e627c690399af2bfd599e4d80b68c9d
SHA256 eccdc88b487d81959f922be4ca9fb6044cd687eb1be80d6588c8e8e886457d74
SHA512 d07eb12c57bc218ec2c7b26966795c5ca3f54a23a845ed5dc304b47ed3fd78b84933ac8063440d4f71bc431c0dd572de3044a61ff126c599cbefd7e5ecf91a8a

C:\Users\Admin\AppData\Local\V5K\SYSDM.CPL

MD5 f68c521b8935ce29ec12593f76b46d3e
SHA1 06f8ca2e267853fefe664832fb039fa1239cf5af
SHA256 ae36040747353ae413c7a0c83bc68402dd82ccd3bc676ba82890eb45fe4e5390
SHA512 0feddf568fb9ba31200638d729cf7f478abf15dd092619d9c077db1536a61331fbb1a8cc0e1e5e0d87493d74c85dfce1176bd2cf4b817fe20a1fdad94d55b8ce

C:\Users\Admin\AppData\Local\V5K\SystemPropertiesPerformance.exe

MD5 e4fbf7cab8669c7c9cef92205d2f2ffc
SHA1 adbfa782b7998720fa85678cc85863b961975e28
SHA256 b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30
SHA512 c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

C:\Users\Admin\AppData\Local\mrHR\XmlLite.dll

MD5 99c51283bb494342c6c94863b0873bdb
SHA1 8aa06dcfd3aa69d6b7344deedba1bea839e83ccf
SHA256 195d182f6c4397cfeb8e9b6ad3cbc52cbbd53bbbfd0ebffb9a8c507fabb79dbd
SHA512 9128bf86212d91112e0bfac0e22704f9aa55be1fae512dfe31c9953e1ce3d12709526f6e575affe8ae4964681dc2877b7fd597477749360fafeea8a4ba96454e

C:\Users\Admin\AppData\Local\mrHR\ddodiag.exe

MD5 85feee634a6aee90f0108e26d3d9bc1f
SHA1 a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2
SHA256 99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6
SHA512 b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

MD5 de013d2b7ce6cfa43bafee571bc9814c
SHA1 6cb5893560d779da8a44313d24c355a9cdc3beeb
SHA256 0d995b2feb271fc9535af6d0b54f11d376df7a80a5cca38be5ac1c3b9242c8ce
SHA512 a631af56a95b505ec1e6592996e89f5af9628818651b971de421f0c9b1a63ad969de2ed395f5f58b6ee9c49ed3d1efbf2a0e3ff7322b6edc39be0465489f3e45

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\DV\ReAgent.dll

MD5 a639964c49a3828af842c651f5e89b13
SHA1 0d6612d9709bd7aa6c1b5c9a10573a72f749996c
SHA256 c7aafd1eb07fdc508ac41871532c2807acf327507b997aa967be06b60f805f71
SHA512 24c76147fe876bcba4902841f646b9910892c3ffc2b47c892ed67dfc0d8c397c8c00c2974cd71336a43d0febce993856724ff2da53928ac0aab6f85b2dd33e46