Malware Analysis Report

2024-11-30 21:28

Sample ID 240109-ayhasshaar
Target 4cdfba23e9edd2ec094f5c1c1933c1e8
SHA256 0acdcb4d26e6dc04f61c2af8d4ba675b34feb38520663171fc9b4b56035093d4
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 4cdfba23e9edd2ec094f5c1c1933c1e8 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex payload

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-01-09 00:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-01-09 00:37
Reported 2024-01-09 00:39
Platform win7-20231215-en
Max time kernel 150s
Max time network 121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4cdfba23e9edd2ec094f5c1c1933c1e8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
(11 detection rows; Description, Indicator, Process and Target all N/A)

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Gcc484j8\msdtc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\3lKg\rdpshell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\CuA1Wmri\FXSCOVER.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\Collab\\FW8qF\\rdpshell.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Gcc484j8\msdtc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3lKg\rdpshell.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\CuA1Wmri\FXSCOVER.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further rows; Description, Indicator, Process and Target all N/A)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1268 wrote to memory of 2704 N/A N/A C:\Windows\system32\msdtc.exe
PID 1268 wrote to memory of 2704 N/A N/A C:\Windows\system32\msdtc.exe
PID 1268 wrote to memory of 2704 N/A N/A C:\Windows\system32\msdtc.exe
PID 1268 wrote to memory of 2588 N/A N/A C:\Users\Admin\AppData\Local\Gcc484j8\msdtc.exe
PID 1268 wrote to memory of 2588 N/A N/A C:\Users\Admin\AppData\Local\Gcc484j8\msdtc.exe
PID 1268 wrote to memory of 2588 N/A N/A C:\Users\Admin\AppData\Local\Gcc484j8\msdtc.exe
PID 1268 wrote to memory of 1124 N/A N/A C:\Windows\system32\rdpshell.exe
PID 1268 wrote to memory of 1124 N/A N/A C:\Windows\system32\rdpshell.exe
PID 1268 wrote to memory of 1124 N/A N/A C:\Windows\system32\rdpshell.exe
PID 1268 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\3lKg\rdpshell.exe
PID 1268 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\3lKg\rdpshell.exe
PID 1268 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\3lKg\rdpshell.exe
PID 1268 wrote to memory of 1212 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1268 wrote to memory of 1212 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1268 wrote to memory of 1212 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1268 wrote to memory of 1292 N/A N/A C:\Users\Admin\AppData\Local\CuA1Wmri\FXSCOVER.exe
PID 1268 wrote to memory of 1292 N/A N/A C:\Users\Admin\AppData\Local\CuA1Wmri\FXSCOVER.exe
PID 1268 wrote to memory of 1292 N/A N/A C:\Users\Admin\AppData\Local\CuA1Wmri\FXSCOVER.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4cdfba23e9edd2ec094f5c1c1933c1e8.dll,#1

C:\Windows\system32\msdtc.exe

C:\Windows\system32\msdtc.exe

C:\Users\Admin\AppData\Local\Gcc484j8\msdtc.exe

C:\Users\Admin\AppData\Local\Gcc484j8\msdtc.exe

C:\Windows\system32\rdpshell.exe

C:\Windows\system32\rdpshell.exe

C:\Users\Admin\AppData\Local\3lKg\rdpshell.exe

C:\Users\Admin\AppData\Local\3lKg\rdpshell.exe

C:\Windows\system32\FXSCOVER.exe

C:\Windows\system32\FXSCOVER.exe

C:\Users\Admin\AppData\Local\CuA1Wmri\FXSCOVER.exe

C:\Users\Admin\AppData\Local\CuA1Wmri\FXSCOVER.exe

Network

N/A

Files

memory/2676-0-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/2676-1-0x00000000000A0000-0x00000000000A7000-memory.dmp

memory/1268-3-0x00000000779D6000-0x00000000779D7000-memory.dmp

memory/1268-4-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1268-7-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/1268-12-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/1268-14-0x00000000029F0000-0x00000000029F7000-memory.dmp

memory/1268-13-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/1268-11-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/1268-10-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/1268-9-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/1268-8-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/1268-6-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/1268-22-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/1268-24-0x0000000077C70000-0x0000000077C72000-memory.dmp

memory/1268-23-0x0000000077C40000-0x0000000077C42000-memory.dmp

memory/1268-34-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/1268-33-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/2676-42-0x0000000140000000-0x00000001400AA000-memory.dmp

\Users\Admin\AppData\Local\Gcc484j8\msdtc.exe

MD5 de0ece52236cfa3ed2dbfc03f28253a8
SHA1 84bbd2495c1809fcd19b535d41114e4fb101466c
SHA256 2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3
SHA512 69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

C:\Users\Admin\AppData\Local\Gcc484j8\VERSION.dll

MD5 25f805609c924aa76767968ad908ffcb
SHA1 191c36a856126af5946e9de9cea3a7cca9d8a961
SHA256 384e3ceb6e99ca5fd18c7acad5e19854eb15dfeee39eddef8635d2b65be15901
SHA512 334526e7f8b539fc079c1a8fc2b75ad0639f9149eb55651cbda11a2f7be30f9f1de8fe7882aca33d5f906c3a38b8fb17b68ad3b5282c1fa4339fb0f97656328d

memory/2588-50-0x0000000001AA0000-0x0000000001AA7000-memory.dmp

memory/2588-51-0x0000000140000000-0x00000001400AB000-memory.dmp

memory/2588-55-0x0000000140000000-0x00000001400AB000-memory.dmp

\Users\Admin\AppData\Local\3lKg\rdpshell.exe

MD5 a62dfcea3a58ba8fcf32f831f018fe3f
SHA1 75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b
SHA256 f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e
SHA512 9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

\Users\Admin\AppData\Local\3lKg\WINSTA.dll

MD5 551c56a5dd44632dba1058d26deb2fce
SHA1 f160c54abfeb843c44d85abd9d7eb88519d1c104
SHA256 6603627b822e6cddf2cb9cd264d26ebc46790f4ca90c6806e06a4b3c1be6a14d
SHA512 c72c753caf8cd7f1c9be2cd4776be3175704acbdecb0494cd9734d84fab04f12a1d419954ac1ba985b03ba863a7a946c94b5bfe572eef8c4134e0221f3499160

memory/1268-67-0x00000000779D6000-0x00000000779D7000-memory.dmp

memory/1772-68-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/1772-70-0x0000000000080000-0x0000000000087000-memory.dmp

memory/1772-73-0x0000000140000000-0x00000001400AC000-memory.dmp

\Users\Admin\AppData\Local\CuA1Wmri\FXSCOVER.exe

MD5 5e2c61be8e093dbfe7fc37585be42869
SHA1 ed46cda4ece3ef187b0cf29ca843a6c6735af6c0
SHA256 3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121
SHA512 90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

C:\Users\Admin\AppData\Local\CuA1Wmri\MFC42u.dll

MD5 4848c690c04d7d1cbdaf49d36b413966
SHA1 2efa6b0a68fb5a209e59d54eaccbd30d4eebf1d1
SHA256 1e6d4986d910e4bbd06ebe5e8840f8377a66a3cd247878cb0a24368c0cf2b4ba
SHA512 f40869abbd1ec169f1ce42ad2ad9963a04c5cd062ec2328a8a4b87902e232b28284eba9e4ad9f3b3cbc2f17cabc709b7b2ac2b409799dcc5cdc113be67df0e0b

memory/1292-86-0x0000000140000000-0x00000001400B1000-memory.dmp

memory/1292-85-0x00000000001F0000-0x00000000001F7000-memory.dmp

memory/1292-90-0x0000000140000000-0x00000001400B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

MD5 ed800f045f1dfd781cca6dadb7028b1e
SHA1 13d1c9961cbb9184d6deb704eab39ba88208aa67
SHA256 c47b085973f4582083fcc262d85265d61d6d027654c62e1d82cba79dc127c03e
SHA512 7f5f0844331f0c9b8adfae8ba312f051cc541e4d62756ddd060712a9bd178a07e8ee8d1d68c93c03e3d7708f3dba239b7a4a21981be03db08afd77c08219e9e4

Analysis: behavioral2

Detonation Overview

Submitted 2024-01-09 00:37
Reported 2024-01-09 00:39
Platform win10v2004-20231222-en
Max time kernel 149s
Max time network 151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4cdfba23e9edd2ec094f5c1c1933c1e8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
(9 detection rows; Description, Indicator, Process and Target all N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\otyQCxdvGw\\sppsvc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\cnILK\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\5iLfO\DisplaySwitch.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\uCvUf\wbengine.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further rows; Description, Indicator, Process and Target all N/A)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 3476 N/A N/A C:\Windows\system32\Narrator.exe
PID 3492 wrote to memory of 3476 N/A N/A C:\Windows\system32\Narrator.exe
PID 3492 wrote to memory of 2440 N/A N/A C:\Windows\system32\wbengine.exe
PID 3492 wrote to memory of 2440 N/A N/A C:\Windows\system32\wbengine.exe
PID 3492 wrote to memory of 4728 N/A N/A C:\Users\Admin\AppData\Local\uCvUf\wbengine.exe
PID 3492 wrote to memory of 4728 N/A N/A C:\Users\Admin\AppData\Local\uCvUf\wbengine.exe
PID 3492 wrote to memory of 1268 N/A N/A C:\Users\Admin\AppData\Local\cnILK\sppsvc.exe
PID 3492 wrote to memory of 1268 N/A N/A C:\Users\Admin\AppData\Local\cnILK\sppsvc.exe
PID 3492 wrote to memory of 1800 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 3492 wrote to memory of 1800 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 3492 wrote to memory of 1436 N/A N/A C:\Users\Admin\AppData\Local\5iLfO\DisplaySwitch.exe
PID 3492 wrote to memory of 1436 N/A N/A C:\Users\Admin\AppData\Local\5iLfO\DisplaySwitch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4cdfba23e9edd2ec094f5c1c1933c1e8.dll,#1

C:\Windows\system32\Narrator.exe

C:\Windows\system32\Narrator.exe

C:\Users\Admin\AppData\Local\Z4iY\Narrator.exe

C:\Users\Admin\AppData\Local\Z4iY\Narrator.exe

C:\Windows\system32\wbengine.exe

C:\Windows\system32\wbengine.exe

C:\Users\Admin\AppData\Local\uCvUf\wbengine.exe

C:\Users\Admin\AppData\Local\uCvUf\wbengine.exe

C:\Users\Admin\AppData\Local\cnILK\sppsvc.exe

C:\Users\Admin\AppData\Local\cnILK\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\5iLfO\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\5iLfO\DisplaySwitch.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

memory/2392-0-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/2392-2-0x0000016CE7440000-0x0000016CE7447000-memory.dmp

memory/3492-8-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/3492-10-0x00007FFD1596A000-0x00007FFD1596B000-memory.dmp

memory/3492-12-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/3492-14-0x0000000007EC0000-0x0000000007EC7000-memory.dmp

memory/3492-24-0x00007FFD17490000-0x00007FFD174A0000-memory.dmp

memory/3492-33-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/3492-23-0x00007FFD174A0000-0x00007FFD174B0000-memory.dmp

memory/3492-22-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/3492-13-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/3492-11-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/3492-9-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/3492-7-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/3492-6-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/3492-5-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/3492-3-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

memory/2392-36-0x0000000140000000-0x00000001400AA000-memory.dmp

C:\Users\Admin\AppData\Local\Z4iY\Narrator.exe

MD5 d92defaa4d346278480d2780325d8d18
SHA1 6494d55b2e5064ffe8add579edfcd13c3e69fffe
SHA256 69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83
SHA512 b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

C:\Users\Admin\AppData\Local\uCvUf\SPP.dll

MD5 76530562fca837206f8ab2f43b2dc1d6
SHA1 c4e54aca8e0ee4226721b1ad827226f4ed951d42
SHA256 ad6a8e68059ecddcb1c05bb21583de4facc3ce872664c60b77a883c94913ca73
SHA512 551d10a213cdd320eada1c46a9d7e405a22cfb2b0fa821347641ce032b9a1132b0a1429715b8873053bbb88df53f032f9d6d81b9e87216652c34d7dfae92db5b

memory/4728-56-0x0000000140000000-0x00000001400AB000-memory.dmp

memory/4728-53-0x00000283F9D70000-0x00000283F9D77000-memory.dmp

memory/4728-51-0x0000000140000000-0x00000001400AB000-memory.dmp

C:\Users\Admin\AppData\Local\uCvUf\wbengine.exe

MD5 17270a354a66590953c4aac1cf54e507
SHA1 715babcc8e46b02ac498f4f06df7937904d9798d
SHA256 9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4
SHA512 6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

C:\Users\Admin\AppData\Local\cnILK\XmlLite.dll

MD5 7b09ee10ce53f33249ae021697020860
SHA1 a4a9f75ca0ae53a09655900bb55af7040d31290e
SHA256 ecb97f0fc0cef3cb01aa45d8f969dd94d87293ab31b2adac82ca75ea0c28c87a
SHA512 49e41216f704e6c7c992b783c521b664303d7005e3eea226d6b6d8ad7b656f2eecd06572738bc45e1ad7d732deb7bceacdb14634afc2b963a8fbbf51cb908b51

C:\Users\Admin\AppData\Local\cnILK\sppsvc.exe

MD5 d2848245128abf475c72a96c39acf5a4
SHA1 3083ea0b4fe7dfe6558588600aea2d9ad7925cba
SHA256 d321c5b9b3f4255608fa8bbb260e0c21c60e297f01ec6610f9e920ae02bfb841
SHA512 417b0ba11044eee640d5f021de616c2abec9e5ce1afa1445bc1b8fde252b383537cd0cbd755a216ca371ca76b7eb6115eb206434828025f6f342de2c4be8bb40

memory/1268-72-0x0000000140000000-0x00000001400AB000-memory.dmp

memory/1268-67-0x0000027855260000-0x0000027855267000-memory.dmp

C:\Users\Admin\AppData\Local\cnILK\sppsvc.exe

MD5 83baeecddb815022ac5efbbfa6def2a5
SHA1 499ed2c15734a8c55a3ec93bffbb0d5516b30ef1
SHA256 18d25b14b5134b1c37daa9b25302bc8f05c90cc446f560932cb3647c0a2755b2
SHA512 f8d54f2f32ebf9b4677b29e67bba96a26bec05ad540cd05e8967914403119439547be78eb5c56b041e15698dd8a01956d577d0baf21d3e49c586c4fe1dd45873

C:\Users\Admin\AppData\Local\5iLfO\DisplaySwitch.exe

MD5 b7bc664185bf2bbdc3397cd242f4331d
SHA1 dafc1b2e0a49ea6cba4f0124b2931c6b8dd423e0
SHA256 a301d55486d1ebcd93ac51aaf9e7a6eae6f2ee37ab28c23f1aa3cd7933acea03
SHA512 6336cb70e9a1446634a2b9816b8949aa176ef786f6c69e52f273a7d3ed642e1a60f7e40ea83957ce39bcc77044d172cf101336d5a051f6de597d228cad66b10a

memory/1436-83-0x0000000140000000-0x00000001400AC000-memory.dmp

C:\Users\Admin\AppData\Local\5iLfO\WINSTA.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1436-88-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/1436-85-0x000001E6378D0000-0x000001E6378D7000-memory.dmp

C:\Users\Admin\AppData\Local\5iLfO\WINSTA.dll

MD5 a8ad0100cb35d06f6cc7057cbe75ea35
SHA1 381c0f5009e81d3b8f5255d65e8133e5ce8166af
SHA256 4126521316b48849cb2f912c1d6699d226653e2503aaf2b77bcea95a3f771d76
SHA512 a36caf346c04b8ca4103207e980ccabbaf80e7d15ff2cba624ba972bc28cc2c99095813fd0aaa980b56feb1ae2da84953b7dca39724202bd892f6ed2ec6e4bcf

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

MD5 7fb9bfd50c0fab60d91a9ff8b40e19a4
SHA1 03ae408ab6d97f21205354b54981e334eedaacea
SHA256 0fa2dac1c10f99c6418e18211aaf3fdf8a1f3aa18877365f0fff44995ecaddf5
SHA512 cd32eaf947fd45ea7d260b4df6a6a2fea72e5a75000a109cfa6e84d580b6c05e7b5990fcfd212f40409238e235ffc9f9cd2f252914cafae65767a1480ebebd3f

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\otyQCxdvGw\XmlLite.dll

MD5 906ed4f1c15ea3e6cf8d3bc271ba5d07
SHA1 897965a6c69be2b105847ee4ab1ca5d704eb53a4
SHA256 c6ce1e919d846871e82fefd5a57f6a7af4a5e729ee1b9c0f67d4fd71807ef7e3
SHA512 c498880b98d3b4cbc67c0784a2b80426f937ce7f6160f460b01b69b3d2e6cb3e2545fd50ecfd3eefbf3df960e3489dfb2c1c536fad1d32f8e65e6b54925a0061

C:\Users\Admin\AppData\Roaming\Microsoft\awm\WINSTA.dll

MD5 f3fc01c6ad9d5fb00a1fdef8eab86949
SHA1 9a38ddc3ddb79527712a4a936ffc1d0e4defacac
SHA256 0841d28b6ba31fe850de3eaf45b631c2304ffa0b5d3e2ff6cdff61922aab7527
SHA512 69ccab6883223f83b680a697e5d0c04471d85c87e48a2054e9c95663c980a4bb5f14872d49daca21d665ad89d92a45d85b65e65c2dfdede55df84deeb9ea3924