Malware Analysis Report

2024-11-30 21:27

Sample ID 240108-v4snyafcb3
Target 4c0c037a083e2b1f6b5fcb9c68263c5a
SHA256 7c710407ba8ed2c0d2f970a81715d7982ddd44ad0838bfefdca8119350325bc4
Tags
dridex botnet evasion payload persistence trojan
score
10/10


Analysis Overview

score
10/10

SHA256

7c710407ba8ed2c0d2f970a81715d7982ddd44ad0838bfefdca8119350325bc4

Threat Level: Known bad

The file 4c0c037a083e2b1f6b5fcb9c68263c5a was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Dridex payload

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported

2024-01-08 17:32

Signatures

Unsigned PE

Description Indicator Process Target
(1 hit, no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-08 17:32

Reported

2024-01-08 17:36

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0c037a083e2b1f6b5fcb9c68263c5a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
(1 hit, no indicator details recorded)

Dridex payload

botnet payload
Description Indicator Process Target
(12 hits, no indicator details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\eXrfX9h\lpksetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\S2fswzF\eudcedit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Yzx\msra.exe N/A
(4 further hits with no details recorded)

Each of the three loading processes is a copy of a system32 binary running from a user-writable directory that also holds a DLL named like one of that binary's imports (dpx.dll, MFC42u.dll and UxTheme.dll in the Files section below), so the dropped DLL is resolved ahead of the legitimate one: DLL search-order hijacking of the renamed copy.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\Rz\\eudcedit.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\eXrfX9h\lpksetup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\S2fswzF\eudcedit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Yzx\msra.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further hits with no details recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 2836 (3 writes) N/A N/A C:\Windows\system32\lpksetup.exe
PID 1260 wrote to memory of 2564 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\eXrfX9h\lpksetup.exe
PID 1260 wrote to memory of 1924 (3 writes) N/A N/A C:\Windows\system32\eudcedit.exe
PID 1260 wrote to memory of 580 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\S2fswzF\eudcedit.exe
PID 1260 wrote to memory of 876 (3 writes) N/A N/A C:\Windows\system32\msra.exe
PID 1260 wrote to memory of 1280 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Yzx\msra.exe

For each binary the writes go first to the genuine copy in system32 and then to the copy under AppData\Local. The writing process, PID 1260, is neither rundll32.exe (the sample DLL is mapped in PID 1744, see the Files section) nor one of the spawned copies (2564, 580 and 1280 have their own dumps). It holds a 0xD5000-byte image at 0x140000000, the same size as the DLL mapped in 1744, which is consistent with the payload having been injected into an already-running process that then stages the copies.

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0c037a083e2b1f6b5fcb9c68263c5a.dll,#1

C:\Windows\system32\lpksetup.exe

C:\Windows\system32\lpksetup.exe

C:\Users\Admin\AppData\Local\eXrfX9h\lpksetup.exe

C:\Users\Admin\AppData\Local\eXrfX9h\lpksetup.exe

C:\Windows\system32\eudcedit.exe

C:\Windows\system32\eudcedit.exe

C:\Users\Admin\AppData\Local\S2fswzF\eudcedit.exe

C:\Users\Admin\AppData\Local\S2fswzF\eudcedit.exe

C:\Windows\system32\msra.exe

C:\Windows\system32\msra.exe

C:\Users\Admin\AppData\Local\Yzx\msra.exe

C:\Users\Admin\AppData\Local\Yzx\msra.exe

Network

No network traffic was captured in this run (122 s network window); no command-and-control contact was observed.

Files

memory/1744-0-0x0000000000090000-0x0000000000097000-memory.dmp

memory/1744-1-0x000007FEF6F30000-0x000007FEF7005000-memory.dmp

memory/1260-3-0x0000000077776000-0x0000000077777000-memory.dmp

memory/1260-4-0x0000000002A60000-0x0000000002A61000-memory.dmp

memory/1260-7-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/1260-9-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/1260-11-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/1260-17-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/1260-15-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/1260-19-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/1260-20-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/1260-18-0x0000000002A30000-0x0000000002A37000-memory.dmp

memory/1260-16-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/1260-14-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/1260-13-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/1260-12-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/1260-10-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/1260-29-0x0000000077A10000-0x0000000077A12000-memory.dmp

memory/1260-28-0x00000000779E0000-0x00000000779E2000-memory.dmp

memory/1260-27-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/1260-8-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/1260-39-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/1260-38-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/1260-6-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/1744-47-0x000007FEF6F30000-0x000007FEF7005000-memory.dmp

\Users\Admin\AppData\Local\eXrfX9h\lpksetup.exe

MD5 50d28f3f8b7c17056520c80a29efe17c
SHA1 1b1e62be0a0bdc9aec2e91842c35381297d8f01e
SHA256 71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f
SHA512 92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

C:\Users\Admin\AppData\Local\eXrfX9h\dpx.dll

MD5 5438071d60e18dfe111c9d28a63808c1
SHA1 d23443513f642f4f366630fa996b5e533c2f89fc
SHA256 f5cf69d368c6dce7c2749ca2dc61c0552b3207b10cb4c09fbcb0d439921d3f68
SHA512 16a80f566425e06240bde3357073c86312fcd51e44255f9bef4937e2ef901b4540ed5fa60897926e7589bb12ef1843311003a8362b332a423749a3bebecff441

memory/2564-55-0x000007FEF7010000-0x000007FEF70E6000-memory.dmp

memory/2564-57-0x0000000000070000-0x0000000000077000-memory.dmp

memory/2564-60-0x000007FEF7010000-0x000007FEF70E6000-memory.dmp

C:\Users\Admin\AppData\Local\S2fswzF\MFC42u.dll

MD5 58738fab0d89de1495bc4ec4669eba8d
SHA1 a309c59d5cda4ce7a12db3a680b0d527a932e3ef
SHA256 532608c4b0a41f5b6db0ee68d339350488ea567864016fd47e91064a813d3154
SHA512 faf0fa4c0eb53e925f039a74cc99e2918425db8698191309feba5e9bb8245f356fd5ba4fbff3170b7a5b497345a1de390cec7194b9c1069a61cc8dd7bec43e6a

memory/580-74-0x000007FEF6980000-0x000007FEF6A5C000-memory.dmp

memory/580-77-0x000007FEF6980000-0x000007FEF6A5C000-memory.dmp

memory/580-73-0x00000000000E0000-0x00000000000E7000-memory.dmp

memory/1260-72-0x0000000077776000-0x0000000077777000-memory.dmp

C:\Users\Admin\AppData\Local\S2fswzF\eudcedit.exe

MD5 35e397d6ca8407b86d8a7972f0c90711
SHA1 6b39830003906ef82442522d22b80460c03f6082
SHA256 1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde
SHA512 71b0c4ac120e5841308b0c19718bdc28366b0d79c8177091328ef5421392b9ee5e4758816ffb8c0977f178e1b33ed064f64781eaf7d6952878dc8aea402f035e

C:\Users\Admin\AppData\Local\S2fswzF\eudcedit.exe (same path written a second time with different content; both hashes are indicators)

MD5 8d85860dc6869af0a6fdc597d9f4cfa9
SHA1 3c205dcbab36f99f2816f0ade9a73389e6b73399
SHA256 449ffa9cc3687349ff7a3b89447c7b9ef7bcf2d00ed66fb7a2f262dd65835b59
SHA512 55850657a72fe089db8e9c0c9eb3a453f8f70308ff06cb15cdae140dd10edb6d2a4c10769a30139a2b3ea228ce878fe1f84166c4b5efaf62231d5db19720b68d

\Users\Admin\AppData\Local\Yzx\msra.exe

MD5 e79df53bad587e24b3cf965a5746c7b6
SHA1 87a97ec159a3fc1db211f3c2c62e4d60810e7a70
SHA256 4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d
SHA512 9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

C:\Users\Admin\AppData\Local\Yzx\UxTheme.dll

MD5 3be8370cf527df271804f15608f44904
SHA1 c4ea3c42b5f5cb321f8df1548139bc50f2fc76c7
SHA256 f7776723e6722f0e6816dc44466a7c3697e19a3b0ad29abf6c658f888dcf5d61
SHA512 96469ae47032587e069f84a52ec5f47415a6edb6b8f27e0941cb0ba40f2c7de696590a97a23683fd9285f6731177d80c9f2f850ba804e7189cc38b118fb5e29f

memory/1280-92-0x000007FEF6980000-0x000007FEF6A56000-memory.dmp

memory/1280-91-0x0000000000170000-0x0000000000177000-memory.dmp

memory/1280-96-0x000007FEF6980000-0x000007FEF6A56000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

MD5 d902737ebe651cad773c8935bd8b6958
SHA1 e8f07bc4ed4693fd38513a0999e0d5f3f14bbdf7
SHA256 c4debce91e45169e456433cde9421136a88e53c16b01ff662d666868fd6821a8
SHA512 b3ac2d93164ca15ddc5534fa160d4c16e318e1b90e592996afbec187040c9497263814a3fd613538e6350d30d83ae58259c86fa3ed1dfa0e122122c544655816

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Rz\MFC42u.dll

MD5 ff0d35abd92f50ac9e5d7ecd2b0c863c
SHA1 56b05020f47d0fdfa37465ab059e54e62ffae133
SHA256 ffbdba4e41f10c845a7a20e60142a53dd9becc575efc0ebf31e920e79f3eb13e
SHA512 995ab3d2e4ad5f0a03a8d58e21d38d45945e243347e0e9c94eaad975fda092a4b67b8d50c1551252c795898511435e960f295a58bbbf65533a0105c1dc8b5dff

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-08 17:32

Reported

2024-01-08 17:35

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0c037a083e2b1f6b5fcb9c68263c5a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
(1 hit, no indicator details recorded)

Dridex payload

botnet payload
Description Indicator Process Target
(10 hits, no indicator details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\uN\\ddodiag.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\kpkq2\rdpinput.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\hc7\ddodiag.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\aio1e4\InfDefaultInstall.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further hits with no details recorded)

Suspicious use of UnmapMainImage

Description Indicator Process Target
(1 hit, no indicator details recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3516 wrote to memory of 1136 (2 writes) N/A N/A C:\Windows\system32\rdpinput.exe
PID 3516 wrote to memory of 2080 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\kpkq2\rdpinput.exe
PID 3516 wrote to memory of 4468 (2 writes) N/A N/A C:\Windows\system32\ddodiag.exe
PID 3516 wrote to memory of 4576 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\hc7\ddodiag.exe
PID 3516 wrote to memory of 1524 (2 writes) N/A N/A C:\Windows\system32\InfDefaultInstall.exe
PID 3516 wrote to memory of 4856 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\aio1e4\InfDefaultInstall.exe

As in the Windows 7 run, the genuine system32 binary is written first and its AppData\Local copy second. PID 3516 is not rundll32.exe (the sample DLL is mapped in PID 444, see the Files section) and not one of the copies (2080, 4576 and 4856 have their own dumps); it holds a 0xD5000-byte image at 0x140000000, the same size as the DLL in 444, again consistent with injection into a pre-existing process that stages the copies.

Uses Task Scheduler COM API

persistence
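
The two runs show the same staging sequence: rundll32.exe loads the sample DLL by ordinal (#1), the payload ends up in a separate process (PID 1260 on Windows 7, 3516 on Windows 10) that spawns a genuine system32 binary and then a same-named copy from a random directory under AppData\Local, and persistence is written to a Run key pointing into the user profile. The detection logic below is added here as an example and is not part of the sandbox output. It evaluates those three observations over Sysmon-style ProcessCreate and RegistryValueSet records. The event dictionaries are constructed from the behavioral2 tables: PIDs, paths and the Run key are the report's, the field names follow Sysmon, the ParentProcessId of the copies is assumed to be 3516 because that is the PID writing into them, and the last event is a constructed benign control. The six-name SYSTEM32_BINARIES set is an assumption standing in for a real inventory of C:\Windows\System32.

```python
"""Detection logic for the loader chain reported above, evaluated over
Sysmon-style events constructed from the report (example code added for
this page, not sandbox output)."""
import ntpath
import re
from collections import defaultdict

# Assumption: stands in for an inventory of C:\Windows\System32\*.exe.
# Limited here to the six binaries the sample copied.
SYSTEM32_BINARIES = {
    "lpksetup.exe", "eudcedit.exe", "msra.exe",
    "rdpinput.exe", "ddodiag.exe", "infdefaultinstall.exe",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
RUNDLL32_ORDINAL = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>.+?\.dll),#\d+", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


def norm(path):
    return path.strip('"').lower()


def masquerading_system_binary(image):
    """True when a file named like a System32 binary runs from outside a system dir."""
    directory, name = ntpath.split(norm(image))
    return name in SYSTEM32_BINARIES and directory not in SYSTEM_DIRS


def check_process(ev, spawned_by_parent):
    """Stateless checks plus one stateful pairing: a parent that already ran the
    genuine System32 binary now runs a same-named copy from the user profile."""
    alerts = []
    image = norm(ev["Image"])
    directory, name = ntpath.split(image)
    m = RUNDLL32_ORDINAL.match(ev.get("CommandLine", ""))
    if name == "rundll32.exe" and m and USER_PROFILE.match(norm(m.group("dll"))):
        alerts.append(("medium", "rundll32 loading a user-profile DLL by ordinal", ev["CommandLine"]))
    if masquerading_system_binary(image) and USER_PROFILE.match(image):
        alerts.append(("high", "System32 binary copied into the user profile and executed", ev["Image"]))
        if name in spawned_by_parent[ev.get("ParentProcessId")]:
            alerts.append(("high", "same parent ran the genuine binary first (staging)", ev["Image"]))
    if directory in SYSTEM_DIRS and name in SYSTEM32_BINARIES:
        spawned_by_parent[ev.get("ParentProcessId")].add(name)
    return alerts


def check_registry(ev):
    """Run key whose data points into the user profile (persistence)."""
    if RUN_KEY.search(ev["TargetObject"]) and USER_PROFILE.match(norm(ev["Details"])):
        return [("high", "Run key pointing into the user profile", ev["TargetObject"])]
    return []


def run_detection(events):
    spawned = defaultdict(set)  # ParentProcessId -> System32 basenames it ran
    alerts = []
    for ev in events:
        if ev["EventType"] == "ProcessCreate":
            alerts.extend(check_process(ev, spawned))
        elif ev["EventType"] == "RegistryValueSet":
            alerts.extend(check_registry(ev))
    return alerts


LOADER = r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0c037a083e2b1f6b5fcb9c68263c5a.dll,#1"
SAMPLE_EVENTS = [  # constructed from the behavioral2 tables; Sysmon field names
    {"EventType": "ProcessCreate", "ProcessId": 444, "ParentProcessId": None,
     "Image": r"C:\Windows\system32\rundll32.exe", "CommandLine": LOADER},
    {"EventType": "ProcessCreate", "ProcessId": 1136, "ParentProcessId": 3516,  # assumed parent
     "Image": r"C:\Windows\system32\rdpinput.exe", "CommandLine": r"C:\Windows\system32\rdpinput.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 2080, "ParentProcessId": 3516,
     "Image": r"C:\Users\Admin\AppData\Local\kpkq2\rdpinput.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\kpkq2\rdpinput.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 4468, "ParentProcessId": 3516,
     "Image": r"C:\Windows\system32\ddodiag.exe", "CommandLine": r"C:\Windows\system32\ddodiag.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 4576, "ParentProcessId": 3516,
     "Image": r"C:\Users\Admin\AppData\Local\hc7\ddodiag.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\hc7\ddodiag.exe"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu",
     "Details": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\uN\ddodiag.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 900, "ParentProcessId": 700,  # constructed benign control
     "Image": r"C:\Windows\system32\rdpinput.exe", "CommandLine": r"C:\Windows\system32\rdpinput.exe"},
]

if __name__ == "__main__":
    for severity, reason, detail in run_detection(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}: {detail}")
```

The genuine system32 launches on their own produce no alert (a legitimate launch of rdpinput.exe from svchost is the control case); they only feed the parent table, so the second, user-profile launch of the same name by the same parent is what raises the staging alert. The EnableLUA query the report lists is deliberately not a rule: it is a common benign read and adds nothing once the copy-and-run pattern fires.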

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0c037a083e2b1f6b5fcb9c68263c5a.dll,#1

C:\Windows\system32\rdpinput.exe

C:\Windows\system32\rdpinput.exe

C:\Users\Admin\AppData\Local\kpkq2\rdpinput.exe

C:\Users\Admin\AppData\Local\kpkq2\rdpinput.exe

C:\Windows\system32\ddodiag.exe

C:\Windows\system32\ddodiag.exe

C:\Users\Admin\AppData\Local\hc7\ddodiag.exe

C:\Users\Admin\AppData\Local\hc7\ddodiag.exe

C:\Windows\system32\InfDefaultInstall.exe

C:\Windows\system32\InfDefaultInstall.exe

C:\Users\Admin\AppData\Local\aio1e4\InfDefaultInstall.exe

C:\Users\Admin\AppData\Local\aio1e4\InfDefaultInstall.exe

Network

No traffic attributable to the sample was captured: the PTR lookups, the tse1.mm.bing.net connections and the single port-80 connection below are consistent with Windows 10 background activity in the sandbox, and no command-and-control contact was observed within the 156 s network window.

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 48.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 96.17.178.176:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 210.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

memory/444-0-0x0000017B74970000-0x0000017B74977000-memory.dmp

memory/444-1-0x00007FFF439D0000-0x00007FFF43AA5000-memory.dmp

memory/3516-3-0x0000000002190000-0x0000000002191000-memory.dmp

memory/3516-5-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/3516-7-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/3516-6-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/3516-8-0x00007FFF50C0A000-0x00007FFF50C0B000-memory.dmp

memory/3516-9-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/3516-16-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/3516-17-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/3516-20-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/3516-19-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/3516-29-0x00007FFF51F70000-0x00007FFF51F80000-memory.dmp

memory/3516-28-0x00007FFF51F80000-0x00007FFF51F90000-memory.dmp

memory/3516-27-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/3516-38-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/3516-18-0x0000000002140000-0x0000000002147000-memory.dmp

memory/3516-15-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/3516-14-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/3516-13-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/3516-12-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/3516-11-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/3516-10-0x0000000140000000-0x00000001400D5000-memory.dmp

memory/444-41-0x00007FFF439D0000-0x00007FFF43AA5000-memory.dmp

C:\Users\Admin\AppData\Local\kpkq2\rdpinput.exe

MD5 bd99eeca92869f9a3084d689f335c734
SHA1 a2839f6038ea50a4456cd5c2a3ea003e7b77688c
SHA256 39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143
SHA512 355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

C:\Users\Admin\AppData\Local\kpkq2\WINSTA.dll

MD5 4ecbe568f4f96a6da5e34bc640539d0d
SHA1 0f5ef876cd6e87a0f8dae8dd075b906b9bbc149f
SHA256 b1488b322cbe57ca2926f061302c0b25653f2d770c60185449453bf7f009494c
SHA512 ecd819114c152fe91fad7ca228ed5c23d6e3d6ff44ddf2958c30b1374ae8e9be346e6ad651d45e4a57a8c0e3ff48f5a06859d5ef6070c30891e1fc598f88ad63

memory/2080-48-0x00007FFF43270000-0x00007FFF43347000-memory.dmp

memory/2080-49-0x0000016D7F2D0000-0x0000016D7F2D7000-memory.dmp

memory/2080-52-0x00007FFF43270000-0x00007FFF43347000-memory.dmp

C:\Users\Admin\AppData\Local\hc7\ddodiag.exe

MD5 85feee634a6aee90f0108e26d3d9bc1f
SHA1 a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2
SHA256 99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6
SHA512 b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

C:\Users\Admin\AppData\Local\hc7\XmlLite.dll

MD5 3f3f4fc5be2b3824bc421dfa4a56e160
SHA1 104953960a38d66b582942f6b6275d5128e2b3d8
SHA256 18c6e5809501c47ca214b4031663fee8c79248e21a17d1e65f3ea3eba748024b
SHA512 7339df868d9a7ede4cd9a0c1dacb02975ef0d2dd3e2ef6084f0577f5f17aaf2537b34ff6f61b913b2bfd6dc9628885ccd494a4877689e685e5eac0cdbd358abc

memory/4576-63-0x00007FFF34650000-0x00007FFF34726000-memory.dmp

memory/4576-64-0x000001BEF6930000-0x000001BEF6937000-memory.dmp

memory/4576-68-0x00007FFF34650000-0x00007FFF34726000-memory.dmp

C:\Users\Admin\AppData\Local\aio1e4\InfDefaultInstall.exe

MD5 ee18876c1e5de583de7547075975120e
SHA1 f7fcb3d77da74deee25de9296a7c7335916504e3
SHA256 e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d
SHA512 08bc4d28b8f528582c58175a74871dd33ac97955c3709c991779fc34b5ba4b2ba6ff40476d9f59345b61b0153fd932b0ea539431a67ff5012cb2ac8ab392f73c

C:\Users\Admin\AppData\Local\aio1e4\newdev.dll

MD5 6ad69c7ca79e446e4529a845914ca5ac
SHA1 7df9ef87ad7b445746af26d7d50e6af03a1261e2
SHA256 585cb20dbc88c0b2a8a3c9740c1f69c4976168c07dcdb543a1da2cccab0073c2
SHA512 e7698779c5b9991581ecd55750cfaf4d6289d8226eab15f6f724e39545d0496619eec2a2a0bd31d0931d36f02bb3be1d4dfbcf7c49ef36196b5c95975a40b7c2

memory/4856-80-0x000001D3DB420000-0x000001D3DB427000-memory.dmp

memory/4856-84-0x00007FFF34650000-0x00007FFF34726000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk

MD5 648aa7db6539946d79e3c2947f907d9e
SHA1 91123048d74c2293c8df73262ac6fb7fd2e5dc6d
SHA256 5fbd0651525ef798ed811de6e32c26aa78a6fe822bca102ae7d29598ab5bb2b0
SHA512 6e99ef0b9cc5657446fb949a3ace62cda1f897ed7b945419c435083ef1f0a7ecb34f518d5584e27721f0542344fee9c32c3af2e7ee2889df412db81041967701
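
Each dropped directory in the two Files sections pairs a copied system32 binary with a DLL carrying the name of one of that binary's imports (dpx.dll for lpksetup.exe, MFC42u.dll for eudcedit.exe, UxTheme.dll for msra.exe, WINSTA.dll for rdpinput.exe, XmlLite.dll for ddodiag.exe, newdev.dll for InfDefaultInstall.exe), so the renamed copy resolves that import from its own directory instead of system32. The script below, an added example rather than sandbox output, turns the Files sections of both runs into hunt artefacts: the side-load pairs, the one path written twice with different content, the DLL dropped with no matching EXE in the list, the Startup-folder .lnk files and a flat SHA-256 list. The path and hash lines are transcribed from the report; the six-name SYSTEM32_BINARIES set is an assumption standing in for a real System32 inventory.

```python
"""Turn the Files sections of behavioral1 and behavioral2 into hunt artefacts.
Example code added for this page; REPORT_FILES is transcribed from the report,
the pairing logic is not part of the sandbox output."""
import ntpath
from collections import defaultdict

# Assumption: stands in for an inventory of C:\Windows\System32\*.exe.
# Limited here to the six binaries the sample copied (Processes sections).
SYSTEM32_BINARIES = {
    "lpksetup.exe", "eudcedit.exe", "msra.exe",
    "rdpinput.exe", "ddodiag.exe", "infdefaultinstall.exe",
}

# "<path> <sha256>" per line, as printed above; the sandbox omits the drive on some paths.
REPORT_FILES = r"""
\Users\Admin\AppData\Local\eXrfX9h\lpksetup.exe 71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f
C:\Users\Admin\AppData\Local\eXrfX9h\dpx.dll f5cf69d368c6dce7c2749ca2dc61c0552b3207b10cb4c09fbcb0d439921d3f68
C:\Users\Admin\AppData\Local\S2fswzF\MFC42u.dll 532608c4b0a41f5b6db0ee68d339350488ea567864016fd47e91064a813d3154
C:\Users\Admin\AppData\Local\S2fswzF\eudcedit.exe 1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde
C:\Users\Admin\AppData\Local\S2fswzF\eudcedit.exe 449ffa9cc3687349ff7a3b89447c7b9ef7bcf2d00ed66fb7a2f262dd65835b59
\Users\Admin\AppData\Local\Yzx\msra.exe 4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d
C:\Users\Admin\AppData\Local\Yzx\UxTheme.dll f7776723e6722f0e6816dc44466a7c3697e19a3b0ad29abf6c658f888dcf5d61
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk c4debce91e45169e456433cde9421136a88e53c16b01ff662d666868fd6821a8
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Rz\MFC42u.dll ffbdba4e41f10c845a7a20e60142a53dd9becc575efc0ebf31e920e79f3eb13e
C:\Users\Admin\AppData\Local\kpkq2\rdpinput.exe 39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143
C:\Users\Admin\AppData\Local\kpkq2\WINSTA.dll b1488b322cbe57ca2926f061302c0b25653f2d770c60185449453bf7f009494c
C:\Users\Admin\AppData\Local\hc7\ddodiag.exe 99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6
C:\Users\Admin\AppData\Local\hc7\XmlLite.dll 18c6e5809501c47ca214b4031663fee8c79248e21a17d1e65f3ea3eba748024b
C:\Users\Admin\AppData\Local\aio1e4\InfDefaultInstall.exe e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d
C:\Users\Admin\AppData\Local\aio1e4\newdev.dll 585cb20dbc88c0b2a8a3c9740c1f69c4976168c07dcdb543a1da2cccab0073c2
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk 5fbd0651525ef798ed811de6e32c26aa78a6fe822bca102ae7d29598ab5bb2b0
"""
DROPPED_FILES = [tuple(line.split()) for line in REPORT_FILES.strip().splitlines()]


def normalize(path):
    """Restore the drive letter the report drops and lower-case for matching."""
    if path.startswith("\\"):
        path = "C:" + path
    return path.lower()


def by_directory(files):
    """Group (basename, sha256) entries under their normalized directory."""
    dirs = defaultdict(list)
    for path, sha256 in files:
        head, tail = ntpath.split(normalize(path))
        dirs[head].append((tail, sha256))
    return dirs


def sideload_pairs(files):
    """Directories holding a copied System32 EXE next to a DLL: the DLL is named
    like one of the EXE's imports, so the copy loads it from its own directory
    before system32 (DLL search-order hijacking)."""
    pairs = []
    for directory, entries in sorted(by_directory(files).items()):
        names = {name for name, _ in entries}
        for exe in sorted(n for n in names if n in SYSTEM32_BINARIES):
            for dll in sorted(n for n in names if n.endswith(".dll")):
                pairs.append({"dir": directory, "exe": exe, "dll": dll})
    return pairs


def orphan_dlls(files):
    """DLLs with no copied EXE beside them in the list. Here that is
    Roaming\\Microsoft\\Protect\\Rz\\MFC42u.dll: the Run key points at an
    eudcedit.exe in that directory which the Files list never shows."""
    return sorted(
        ntpath.join(directory, name)
        for directory, entries in by_directory(files).items()
        for name, _ in entries
        if name.endswith(".dll") and not any(e in SYSTEM32_BINARIES for e, _ in entries)
    )


def rewritten_files(files):
    """Paths listed with more than one hash (a second write with new content)."""
    seen = defaultdict(set)
    for path, sha256 in files:
        seen[normalize(path)].add(sha256)
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def startup_links(files):
    """Startup-folder shortcuts: a second persistence path beside the Run key."""
    return sorted(normalize(p) for p, _ in files if p.lower().endswith(".lnk"))


def sha256_iocs(files):
    return sorted({sha256 for _, sha256 in files})


if __name__ == "__main__":
    for p in sideload_pairs(DROPPED_FILES):
        print(f"{p['dir']}: {p['exe']} side-loads {p['dll']}")
    print("rewritten:", rewritten_files(DROPPED_FILES))
    print("orphan DLLs:", orphan_dlls(DROPPED_FILES))
    print("startup shortcuts:", startup_links(DROPPED_FILES))
    print(len(sha256_iocs(DROPPED_FILES)), "unique SHA-256 IOCs")
```

The functions return plain lists and dicts so the output can be fed to a SIEM lookup or an IOC export; the side-load pairs are the durable hunt signal, since the random directory names change per infection while the EXE/DLL name pairing does not.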