Malware Analysis Report

2024-11-15 08:50

Sample ID 240123-3j77wscgg3
Target 70d94e86e118a27adfe3f75b8db4134c
SHA256 814d959ae1800dc9c90f630f8f204a2f36fca00c3c4fe9c460b399f957e499f6
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

814d959ae1800dc9c90f630f8f204a2f36fca00c3c4fe9c460b399f957e499f6

Threat Level: Known bad

The file 70d94e86e118a27adfe3f75b8db4134c was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-23 23:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-23 23:33

Reported

2024-01-23 23:36

Platform

win7-20231215-en

Max time kernel

150s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d94e86e118a27adfe3f75b8db4134c.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\yXZXbms\rdpshell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\XLa3BNRX\mfpmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\I9STuLf\Netplwiz.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\qeXUgmb\\mfpmp.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\yXZXbms\rdpshell.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\XLa3BNRX\mfpmp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\I9STuLf\Netplwiz.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1388 wrote to memory of 792 N/A N/A C:\Windows\system32\rdpshell.exe
PID 1388 wrote to memory of 792 N/A N/A C:\Windows\system32\rdpshell.exe
PID 1388 wrote to memory of 792 N/A N/A C:\Windows\system32\rdpshell.exe
PID 1388 wrote to memory of 1224 N/A N/A C:\Users\Admin\AppData\Local\yXZXbms\rdpshell.exe
PID 1388 wrote to memory of 1224 N/A N/A C:\Users\Admin\AppData\Local\yXZXbms\rdpshell.exe
PID 1388 wrote to memory of 1224 N/A N/A C:\Users\Admin\AppData\Local\yXZXbms\rdpshell.exe
PID 1388 wrote to memory of 2872 N/A N/A C:\Windows\system32\mfpmp.exe
PID 1388 wrote to memory of 2872 N/A N/A C:\Windows\system32\mfpmp.exe
PID 1388 wrote to memory of 2872 N/A N/A C:\Windows\system32\mfpmp.exe
PID 1388 wrote to memory of 2908 N/A N/A C:\Users\Admin\AppData\Local\XLa3BNRX\mfpmp.exe
PID 1388 wrote to memory of 2908 N/A N/A C:\Users\Admin\AppData\Local\XLa3BNRX\mfpmp.exe
PID 1388 wrote to memory of 2908 N/A N/A C:\Users\Admin\AppData\Local\XLa3BNRX\mfpmp.exe
PID 1388 wrote to memory of 1648 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1388 wrote to memory of 1648 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1388 wrote to memory of 1648 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1388 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\I9STuLf\Netplwiz.exe
PID 1388 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\I9STuLf\Netplwiz.exe
PID 1388 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\I9STuLf\Netplwiz.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d94e86e118a27adfe3f75b8db4134c.dll,#1

C:\Windows\system32\rdpshell.exe

C:\Windows\system32\rdpshell.exe

C:\Users\Admin\AppData\Local\yXZXbms\rdpshell.exe

C:\Users\Admin\AppData\Local\yXZXbms\rdpshell.exe

C:\Windows\system32\mfpmp.exe

C:\Windows\system32\mfpmp.exe

C:\Users\Admin\AppData\Local\XLa3BNRX\mfpmp.exe

C:\Users\Admin\AppData\Local\XLa3BNRX\mfpmp.exe

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\Netplwiz.exe

C:\Users\Admin\AppData\Local\I9STuLf\Netplwiz.exe

C:\Users\Admin\AppData\Local\I9STuLf\Netplwiz.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\yXZXbms\rdpshell.exe

MD5 a62dfcea3a58ba8fcf32f831f018fe3f
SHA1 75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b
SHA256 f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e
SHA512 9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

C:\Users\Admin\AppData\Local\yXZXbms\WTSAPI32.dll

MD5 5bab47ee8ba19cb9aee89f27c744d362
SHA1 5f7689ae6e4320c3e71cefb235764499912f7336
SHA256 f77206b2b83c746e17e2115d57dabb5ba7d9a0ea61d811aa2e43dc1e9d44eb5c
SHA512 5c782d0fe67918a43d35eb04d3fcd362edbd3a0337ff45d65c2bd5c409d6cf5d793843be386d2c08014640d97e0c73ff81445b63a8a0952fe76a4aed9f805526

memory/1224-85-0x0000000000310000-0x0000000000317000-memory.dmp

C:\Users\Admin\AppData\Local\XLa3BNRX\mfpmp.exe

MD5 2d8600b94de72a9d771cbb56b9f9c331
SHA1 a0e2ac409159546183aa45875497844c4adb5aac
SHA256 7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185
SHA512 3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

C:\Users\Admin\AppData\Local\XLa3BNRX\MFPlat.DLL

MD5 adc27ed190805f426a47276e6eb0860c
SHA1 dc76857edce83d98a0134c7c7b5dd229e9393396
SHA256 bb6fd2aaa03affc185a1eef0852b766b4b070624251587da955e7e10cf44992e
SHA512 bbd9c050f3d607b48f30b63ba666b2daa66452fe5f3e09219d5609d61c0ee9b1fab0cd023918092c28c2b9f0dd5e3c50aa6b0e14fc229bbfa598ca5da9577733

\Users\Admin\AppData\Local\I9STuLf\Netplwiz.exe

MD5 e43ec3c800d4c0716613392e81fba1d9
SHA1 37de6a235e978ecf3bb0fc2c864016c5b0134348
SHA256 636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c
SHA512 176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

C:\Users\Admin\AppData\Local\I9STuLf\NETPLWIZ.dll

MD5 8b4ba01cdf461baa5ca482bf14764ba3
SHA1 6dca238f72a1746b8d200e4288c79a5188af0c16
SHA256 67b8a717482394a88562c9d1b4d716b97847f6e48d293d03c556f5e8e3b42914
SHA512 8a727b66a716a52ddbd5f4e76c81d8a6ccfef79b1ca30b619e128c75decd6fbf45f25d7c925a364d335275f40b160b1df64896ca309be0103f8fe604d03a6793

memory/1388-140-0x0000000077656000-0x0000000077657000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 e39f8b28f846139d2278941c9fdb6e38
SHA1 54e132ca6d3aee5badb0b3679225d941b84dbd61
SHA256 e0a10d6d2ec3d922fa4a2a1725d80d581d35e0ba95e9db0232ddeaa080b6e229
SHA512 42ff14eae0411e1cd4e2e42a7b0ec1730a8a1a0590a551055352793fd8527ecd6fa101395aa8ebddd132c6888ae1761d4dd41cf858e4e075a18cf5b011970801

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\AlBs0LYBY\WTSAPI32.dll

MD5 a42d3eb85cf075abfbe414b34c8dfe07
SHA1 4460646fc55d8649bc2988cb0508c430a4a354c3
SHA256 12826290bb2c318c338b2aca289749d6a74330cb2585334912ce7b4c32c89b16
SHA512 0fb6767fa7786c53f1425f331e90a2cf521e03a9e6a128a88c004a2a29a3b59accbf0d001db5bdf070618b4f9f72e9a961c76a5c7c89b21382b994498cab6a54

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-23 23:33

Reported

2024-01-23 23:36

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d94e86e118a27adfe3f75b8db4134c.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\UhFAo1NN\\dxgiadaptercache.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\dObU8T\dialer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\1kYp\dxgiadaptercache.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ZeCnj7u\AgentService.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3304 wrote to memory of 4332 N/A N/A C:\Windows\system32\dialer.exe
PID 3304 wrote to memory of 4332 N/A N/A C:\Windows\system32\dialer.exe
PID 3304 wrote to memory of 1192 N/A N/A C:\Users\Admin\AppData\Local\dObU8T\dialer.exe
PID 3304 wrote to memory of 1192 N/A N/A C:\Users\Admin\AppData\Local\dObU8T\dialer.exe
PID 3304 wrote to memory of 3932 N/A N/A C:\Windows\system32\dxgiadaptercache.exe
PID 3304 wrote to memory of 3932 N/A N/A C:\Windows\system32\dxgiadaptercache.exe
PID 3304 wrote to memory of 2168 N/A N/A C:\Users\Admin\AppData\Local\1kYp\dxgiadaptercache.exe
PID 3304 wrote to memory of 2168 N/A N/A C:\Users\Admin\AppData\Local\1kYp\dxgiadaptercache.exe
PID 3304 wrote to memory of 1852 N/A N/A C:\Windows\system32\AgentService.exe
PID 3304 wrote to memory of 1852 N/A N/A C:\Windows\system32\AgentService.exe
PID 3304 wrote to memory of 5044 N/A N/A C:\Users\Admin\AppData\Local\ZeCnj7u\AgentService.exe
PID 3304 wrote to memory of 5044 N/A N/A C:\Users\Admin\AppData\Local\ZeCnj7u\AgentService.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d94e86e118a27adfe3f75b8db4134c.dll,#1

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Users\Admin\AppData\Local\dObU8T\dialer.exe

C:\Users\Admin\AppData\Local\dObU8T\dialer.exe

C:\Windows\system32\dxgiadaptercache.exe

C:\Windows\system32\dxgiadaptercache.exe

C:\Users\Admin\AppData\Local\1kYp\dxgiadaptercache.exe

C:\Users\Admin\AppData\Local\1kYp\dxgiadaptercache.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Users\Admin\AppData\Local\ZeCnj7u\AgentService.exe

C:\Users\Admin\AppData\Local\ZeCnj7u\AgentService.exe

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\dObU8T\TAPI32.dll

MD5 18ff33271362fa7aeeccac00ed472cda
SHA1 3a9067b8fa660e86e411161fac7ef2664d9e09d0
SHA256 d7882a450813586315ffa892fc43914680882406abc5718a9a0ad3a20849f111
SHA512 27dc999ca1adf7ef93c4f73778a6f7195e8d09abee8dc63115c5f8b34cb1d901d5a5113bc7aea34efc5c7373f009523d1ee4c64adeb5f9ed2994cfa00565d45e

C:\Users\Admin\AppData\Local\dObU8T\dialer.exe

MD5 b2626bdcf079c6516fc016ac5646df93
SHA1 838268205bd97d62a31094d53643c356ea7848a6
SHA256 e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb
SHA512 615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

memory/1192-76-0x0000000140000000-0x0000000140222000-memory.dmp

memory/1192-78-0x00000169513F0000-0x00000169513F7000-memory.dmp

memory/1192-82-0x0000000140000000-0x0000000140222000-memory.dmp

C:\Users\Admin\AppData\Local\dObU8T\TAPI32.dll

MD5 b09301c0687735309662d8fbd07b52d4
SHA1 e36035771c0466cfb084f41fdab27a22182c7ac7
SHA256 b7d15b24a1019e3afb95b9202bed18400942141d3584780f83a4ef9d21ce9d44
SHA512 e935b022b6799fa0cad7af0e1ab975c2d86528f2a4b768049b71646d200f009a802138776a2299d1c3fb67553b6036c2075c3096786bc6b4dcd33e5061065418

C:\Users\Admin\AppData\Local\1kYp\dxgi.dll

MD5 390f005f3c3837f40b0c36ad5c11c9af
SHA1 f701d9368afb0d9f53e20a394e03d1d8f7fcf41c
SHA256 3cf15b7971db2d84174df43dfab63cc25ccf2729e320be98fffca3474fe99dbc
SHA512 cf108decfca258499181106f40d05ef83cb115e7babcd2f53805cce9963f8055fa52231332d6fa1f952150be20e3a5745fa3443b5cc734d10b9fe5e6d164eee5

C:\Users\Admin\AppData\Local\1kYp\dxgi.dll

MD5 aa043d56d9f02fd33dc69aa642ea0050
SHA1 cf04dcce34df71970be898678a8b13b8a87ee42f
SHA256 059ebca03641f9907e8b872d2fcae4e01ca7d98b883889701a4248cce682910d
SHA512 01352b3a860cb702ede03e00825e2392dc0606014bf70a24b4cbaa34874496ac896dbe6d1367ab1abc6a164a2ccdb06a449075f1fed2d30a5ae0ab0b6f05a5cd

memory/2168-94-0x0000029B368B0000-0x0000029B368B7000-memory.dmp

memory/2168-95-0x0000000140000000-0x0000000140221000-memory.dmp

C:\Users\Admin\AppData\Local\1kYp\dxgi.dll

MD5 64130f620a69efaa52755c54beb53300
SHA1 1f571c422e322317bfb419c97fb05317893f1126
SHA256 8a22f9562b4d7e5a8170a6d6a1fc3fe0566f523c030d066704430c97c66ec910
SHA512 f7509cf580d1ac337b5f6af528115071e1ff8da8dd4e2e77a6a695a3229ef41c90b7e5a748feae0465ef6173790e7f6659bb621d14769b630994b85a0e192526

C:\Users\Admin\AppData\Local\1kYp\dxgiadaptercache.exe

MD5 5af3821df5f10b3e9427ddee30de9ee8
SHA1 8b0084a20a4b279baedcd92900743dc0e0f1d291
SHA256 2c54b5c8c327244a503a25edc30ab4411e2f0d9ed3f25af325bc17dd3f055068
SHA512 1844b96eec4b356d5c526cb32a5d23a3eca4231b688e9cb9343d39c939b9fd9cf163fb554d6ccda0314b312aefd302b3d0cc96719f79816e52fa59bbb168eb08

C:\Users\Admin\AppData\Local\1kYp\dxgiadaptercache.exe

MD5 ee91e5bb1a037013b1e51ada11e6b523
SHA1 b790ac32f6ac13eaaf0950e104fc7be270d03fd6
SHA256 857882938b2cca6054d0dcd026c7f4f98bec05f7e58aab15341bf44b48e9cf6b
SHA512 8a69f123f3dbfed490a473eff3a0fea107e1ee2ac0f83d6710854e7e652ad6e5a218a70bb3cee705ce30b05c945dcdbaeef301cb263dd5760e46a218bc88ae22

C:\Users\Admin\AppData\Local\ZeCnj7u\VERSION.dll

MD5 17205ab6e5db08b01f15506d1f48e76b
SHA1 77c9cbeec9d517a591dc3ec56ed05227e97c7c88
SHA256 7aa6b4041bc8d801c34f8c099c6c6fde7bbecc88e22899cda581c7bdc3550157
SHA512 dd75545acacda8b4a8e74752aa570a623d0b3f0ad3ff6442bdb8e1cb902ae127856fb44f997be0d5beb4bf3f26d1019b3b639f6fc731bb5fc32c84471fbcdc8e

C:\Users\Admin\AppData\Local\ZeCnj7u\VERSION.dll

MD5 f19d189e42774c3b169fee6f15d7b8f5
SHA1 ca96c3870891f6bcfa68a148217ad9fb44f6363e
SHA256 2fe6bb5c93fdbe0d35df548cfad2cd5b31784368499b86b78104012c8deffea0
SHA512 1f3de62caea2506db659a23b5658ffc06e0958f662041307b281fb07854a14723e2b834a2d01165fc41c813d5e911c608670b46c7c1711f8f29d5fbe2aa6bd2b

C:\Users\Admin\AppData\Local\ZeCnj7u\AgentService.exe

MD5 2e900fe44836e7b4c659a5fd65fb8e6f
SHA1 72a3c7b6f7a1ec1652d1a440fa392f7e7493f12e
SHA256 1be17ef566d442bdb3df7786f21516e0b72f365f5e83e40dc931fc98332a768a
SHA512 ff4471aa35d7f88b59f41650e3e501aea7a3c84e8211af40f50526b6d3affc9911c7b490ad2ea587999f19003755faaf0aa4a3adb3668f9eda64570a03d44fc7

memory/5044-111-0x000001AE86FA0000-0x000001AE86FA7000-memory.dmp

C:\Users\Admin\AppData\Local\ZeCnj7u\AgentService.exe

MD5 b8c247cfbb54f2d783661d6861f2e9f4
SHA1 0c15398d26a63ffcdaccdc89f1326d019188d5a4
SHA256 d7ba62d489904737d8b453e03307fa29bc2386af085f9c87b57c89d5ff800bbf
SHA512 83f630c61f671e1ac5171590344255fb88a4fec8773379edf9baf0456971cca5a84173028e6c0506231e876c908ba835bfb09f98d1a484b71a0cc41f8cd10d5a

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk

MD5 0033d767b7d3a696616321de5a00ad6c
SHA1 0d38b29b91945e6841a013bd5fede12703924719
SHA256 5013c3b752f514decc35e7c5a19ec43a5cf62f09483e0369d9303ba96a6b8826
SHA512 80c8be8c23307fa919c33282ab726f8b7f7bc9f68a2e32ada65205ed9c3cdeee2a5ebb556524a4c2314c1f5602064756e93cdf6cb5e45979844eb26d716d86b8

C:\Users\Admin\AppData\Roaming\Microsoft\Vault\yLsw\TAPI32.dll

MD5 b05d3562ed4c1d95f54e558cbe271043
SHA1 4f470c9d0cac038993d1ddf70ad9f3246e71130f
SHA256 2c52b52d2dd338aba1ce422df13decac098da4b52004314d87035bec074cbc6d
SHA512 5f9fcd86dddb0a8df41dd6b751fefe480917cfa869b773fc8283810fc58ac265f4f5fdc802ea68638080b3780354095e4050527393eb008ca12acc44ba1bf92a

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\UhFAo1NN\dxgi.dll

MD5 68e9e31081046b6caea90f472e106df4
SHA1 e4dec62d59a4eb61a7aa1b4816b6276c2f9666d6
SHA256 c2793e2680ffc3206cb5f933aa96363aca2270dba4d2fad5a48164dac3e32dc4
SHA512 49be414f4ccd37c6a7a3a0295431666b87705168e984fedcbe7685b06fda9245f70e1677cd11fbfa3ba90ecac7e72fc14c9f6e27673b3980bce616833bcbfc58

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\LH1ssw\VERSION.dll

MD5 12eaa2702daa737186a435f027928272
SHA1 cf7b84dca4e43e05b94a85dec7a011798acb25c3
SHA256 a9291a10f6abd2e387985c8b0545fae726915dc0ec802344419d6a3784ef1e94
SHA512 9878b40abd6b15e55be24865474f64983b5a37bc59c0a4d6cf4551e97230163c7727507be53908808adf1857a7047777c69162db1bcc66bb2c76d2bca36332f9