Malware Analysis Report

2024-11-15 08:50

Sample ID 240121-tg9hhaeaap
Target 6d6d6e2d25e5004f0487405fdb25a600
SHA256 6c28f1dd1c3bbf1187846af408ba671bf0fb28984469e666b284d4f4b1c3a823
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6c28f1dd1c3bbf1187846af408ba671bf0fb28984469e666b284d4f4b1c3a823

Threat Level: Known bad

The file 6d6d6e2d25e5004f0487405fdb25a600 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-21 16:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-21 16:02

Reported

2024-01-21 16:05

Platform

win7-20231215-en

Max time kernel

150s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d6d6e2d25e5004f0487405fdb25a600.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\hAkyUKUK\SystemPropertiesDataExecutionPrevention.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\y8jTT\tcmsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\BHKZxD0\osk.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\2AOpVFzcLX\\tcmsetup.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\hAkyUKUK\SystemPropertiesDataExecutionPrevention.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\y8jTT\tcmsetup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\BHKZxD0\osk.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 2620 N/A N/A C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 1188 wrote to memory of 2620 N/A N/A C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 1188 wrote to memory of 2620 N/A N/A C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 1188 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\hAkyUKUK\SystemPropertiesDataExecutionPrevention.exe
PID 1188 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\hAkyUKUK\SystemPropertiesDataExecutionPrevention.exe
PID 1188 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\hAkyUKUK\SystemPropertiesDataExecutionPrevention.exe
PID 1188 wrote to memory of 2028 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1188 wrote to memory of 2028 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1188 wrote to memory of 2028 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1188 wrote to memory of 1588 N/A N/A C:\Users\Admin\AppData\Local\y8jTT\tcmsetup.exe
PID 1188 wrote to memory of 1588 N/A N/A C:\Users\Admin\AppData\Local\y8jTT\tcmsetup.exe
PID 1188 wrote to memory of 1588 N/A N/A C:\Users\Admin\AppData\Local\y8jTT\tcmsetup.exe
PID 1188 wrote to memory of 2816 N/A N/A C:\Windows\system32\osk.exe
PID 1188 wrote to memory of 2816 N/A N/A C:\Windows\system32\osk.exe
PID 1188 wrote to memory of 2816 N/A N/A C:\Windows\system32\osk.exe
PID 1188 wrote to memory of 2920 N/A N/A C:\Users\Admin\AppData\Local\BHKZxD0\osk.exe
PID 1188 wrote to memory of 2920 N/A N/A C:\Users\Admin\AppData\Local\BHKZxD0\osk.exe
PID 1188 wrote to memory of 2920 N/A N/A C:\Users\Admin\AppData\Local\BHKZxD0\osk.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d6d6e2d25e5004f0487405fdb25a600.dll,#1

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\hAkyUKUK\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\hAkyUKUK\SystemPropertiesDataExecutionPrevention.exe

C:\Windows\system32\tcmsetup.exe

C:\Windows\system32\tcmsetup.exe

C:\Users\Admin\AppData\Local\y8jTT\tcmsetup.exe

C:\Users\Admin\AppData\Local\y8jTT\tcmsetup.exe

C:\Windows\system32\osk.exe

C:\Windows\system32\osk.exe

C:\Users\Admin\AppData\Local\BHKZxD0\osk.exe

C:\Users\Admin\AppData\Local\BHKZxD0\osk.exe

Network

N/A

Files

\Users\Admin\AppData\Local\hAkyUKUK\SystemPropertiesDataExecutionPrevention.exe

MD5 e43ff7785fac643093b3b16a9300e133
SHA1 a30688e84c0b0a22669148fe87680b34fcca2fba
SHA256 c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b
SHA512 61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

C:\Users\Admin\AppData\Local\hAkyUKUK\SYSDM.CPL

MD5 c2643eae06ac9cc0fda13c796c36131e
SHA1 51316ed272064e37e459f20a8c8a2f6add3412b2
SHA256 bfaeec6613997bcf82e41077fa1d02a934cd361e1d168ad1e7d9a50b9ae96d97
SHA512 b81551be9ca442da82e2ddf901f03a2033eb90343a58756ce95bb89d32ca939e233b2ccffa9ca41ec22648a0039c09897ea662f3c69b0a71ddf9106dc439d984

\Users\Admin\AppData\Local\y8jTT\tcmsetup.exe

MD5 0b08315da0da7f9f472fbab510bfe7b8
SHA1 33ba48fd980216becc532466a5ff8476bec0b31c
SHA256 e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7
SHA512 c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

C:\Users\Admin\AppData\Local\y8jTT\TAPI32.dll

MD5 f5aaf822675f3ff5565f64ebac272d39
SHA1 c687794391440629118bfa9e3d16f51e9c9510f8
SHA256 fd61a51c15cbf35e632938333ac5e1f3c472bb7760e6645ad1e9a5fdf586e111
SHA512 be7541443ef8841103000470f21121ef83f59b3e639fa36e4f9fba898b5644a5b55a91c831d195f4aad8b069739a52707876314f41d2a1bbc92554c9b9ec7f14

\Users\Admin\AppData\Local\BHKZxD0\osk.exe

MD5 b5ccc580308ea920c8c0e31d17f21b23
SHA1 0d760edb7f98c92a96ee84870f160ca282863763
SHA256 49bd64d5d22fe03b6fcdb6651c97e99e77c86d1bfc338f51879bb6b5cd597781
SHA512 18f6065b985197f0c3764da8f22ae9f56d589c1b83f447a2b0bbb6287c43059d7d534b90a7ce660e8a5a36e1a8a2a0cfe6f944b4b384e14901d6b66461ccf272

\Users\Admin\AppData\Local\BHKZxD0\dwmapi.dll

MD5 62a31f0c69e4e51ba92f9ce221491ba5
SHA1 1fc006d6fe2cb3b510e25c7ff7e0619061fb2ae8
SHA256 ddf59b686325b020bf449b76cbd93f716854c3075f239f2cb37ef9400c7e9566
SHA512 d579914db5e53b527172bac4b67705eac8af1364a0f553929d8a607d498a9baf07794fd4966b96b46b9942bffa3d45dfc2ada9317642422be42b13d26a7c91f8

C:\Users\Admin\AppData\Local\BHKZxD0\osk.exe

MD5 b918311a8e59fb8ccf613a110024deba
SHA1 a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b
SHA256 e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353
SHA512 e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 4226746aea5e60126dc602df3d4a0de4
SHA1 b296a138183d36798e6b6bac886f43bbd7e45bf8
SHA256 76e13d0cf8e2d2e699532d880ab6862794248a51b818a56700fac621f02d50a7
SHA512 3a858b5796626a82e506f257403234c7205522855ce085f2b463bb4b5bea39d215b4b2ec5cb5947065175e6266bf6cf8c2aaf079a99bcec6f0162e17a8d2ca67

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-21 16:02

Reported

2024-01-21 16:05

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d6d6e2d25e5004f0487405fdb25a600.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\553\\DWWIN.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\kQjfp\msra.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\MNL7M7zBh\DWWIN.EXE N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\JjoqkoObI\RdpSa.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3540 wrote to memory of 2884 N/A N/A C:\Windows\system32\msra.exe
PID 3540 wrote to memory of 2884 N/A N/A C:\Windows\system32\msra.exe
PID 3540 wrote to memory of 3324 N/A N/A C:\Users\Admin\AppData\Local\kQjfp\msra.exe
PID 3540 wrote to memory of 3324 N/A N/A C:\Users\Admin\AppData\Local\kQjfp\msra.exe
PID 3540 wrote to memory of 3352 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 3540 wrote to memory of 3352 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 3540 wrote to memory of 3456 N/A N/A C:\Users\Admin\AppData\Local\MNL7M7zBh\DWWIN.EXE
PID 3540 wrote to memory of 3456 N/A N/A C:\Users\Admin\AppData\Local\MNL7M7zBh\DWWIN.EXE
PID 3540 wrote to memory of 4620 N/A N/A C:\Windows\system32\RdpSa.exe
PID 3540 wrote to memory of 4620 N/A N/A C:\Windows\system32\RdpSa.exe
PID 3540 wrote to memory of 3956 N/A N/A C:\Users\Admin\AppData\Local\JjoqkoObI\RdpSa.exe
PID 3540 wrote to memory of 3956 N/A N/A C:\Users\Admin\AppData\Local\JjoqkoObI\RdpSa.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d6d6e2d25e5004f0487405fdb25a600.dll,#1

C:\Windows\system32\msra.exe

C:\Windows\system32\msra.exe

C:\Users\Admin\AppData\Local\kQjfp\msra.exe

C:\Users\Admin\AppData\Local\kQjfp\msra.exe

C:\Windows\system32\DWWIN.EXE

C:\Windows\system32\DWWIN.EXE

C:\Users\Admin\AppData\Local\MNL7M7zBh\DWWIN.EXE

C:\Users\Admin\AppData\Local\MNL7M7zBh\DWWIN.EXE

C:\Windows\system32\RdpSa.exe

C:\Windows\system32\RdpSa.exe

C:\Users\Admin\AppData\Local\JjoqkoObI\RdpSa.exe

C:\Users\Admin\AppData\Local\JjoqkoObI\RdpSa.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\kQjfp\msra.exe

MD5 dcda3b7b8eb0bfbccb54b4d6a6844ad6
SHA1 316a2925e451f739f45e31bc233a95f91bf775fa
SHA256 011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae
SHA512 18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

C:\Users\Admin\AppData\Local\kQjfp\UxTheme.dll

MD5 2fba5de7ba6b557726088ea7c8c84781
SHA1 77a388982aab793366cb89fa261c26f93b9d7ede
SHA256 a365bb94cb6595eb832995201a3ae9882c24d44d7a47fb40bcce6202698a1105
SHA512 da4454b10968f1d99cc1d279742b79ea276bbba1a01d21e4533baa84fa51f28713c978a32a1076498093883afbdac4eec4726ec485f3f495931bbf3814ffc66f

C:\Users\Admin\AppData\Local\MNL7M7zBh\DWWIN.EXE

MD5 444cc4d3422a0fdd45c1b78070026c60
SHA1 97162ff341fff1ec54b827ec02f8b86fd2d41a97
SHA256 4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0
SHA512 21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

C:\Users\Admin\AppData\Local\MNL7M7zBh\VERSION.dll

MD5 66ca5a0eaf9e1bf0a134f662fa2ce506
SHA1 20d8862053be86331311621939d4e6e8cb862eae
SHA256 7090ac75b5724e680cfacd55fc25c64ac72024d7579225259fce7160c12e2004
SHA512 c92a306c9e7ca9ba12f01e3c1f58ac6017323c2daa81a6f3c1fb5cf651f691adeb6b3fbc791bed27d1e2a12ac0bbe17a0f3a3e02889be166599372d526098330

C:\Users\Admin\AppData\Local\JjoqkoObI\RdpSa.exe

MD5 5992f5b5d0b296b83877da15b54dd1b4
SHA1 0d87be8d4b7aeada4b55d1d05c0539df892f8f82
SHA256 32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c
SHA512 4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

C:\Users\Admin\AppData\Local\JjoqkoObI\WINSTA.dll

MD5 eec26e04b45dad57fafcb27ac62eeecf
SHA1 68029a8151014499ab334cca7d926f6ab49b3b03
SHA256 8304782d65bfa7ffe4845d0b3aac4483e80a7d0b6e973952a7156b343f1baea2
SHA512 bc47d142f704926fa5f5979434f99a31f647e1f51b31dbfbc04f05d08b5c822a75b3cba8eee7873f809458a9fefa486225175d8afbd8f7976296ce80af142451

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 b126b6c783d8f6e63c8b79d221394148
SHA1 5009faaf3de959c8a367f29924d34cb576ea4189
SHA256 e44c5ac9655e84335d276050144819f118ea74f05428966148e9cc0a83896859
SHA512 38f60923e0a0546ac1bc047a955c137d071ae5db5e752e82fc7b37eea9d560857e4de0d02a5b2dffd90320cb38e7ac69ea51d4540cdeeac1454a9c9fcf8585c0