Malware Analysis Report

2024-11-15 08:50

Sample ID 240124-rdv5lacbgj
Target 726f982410725cb34272e9e44b3c0310
SHA256 1af3b38b228078c0c78e70ef3bf82e55635240069d5f982819899db2bf5d9972
Tags
dridex botnet evasion payload persistence trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

1af3b38b228078c0c78e70ef3bf82e55635240069d5f982819899db2bf5d9972

Threat Level: Known bad

The file 726f982410725cb34272e9e44b3c0310 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-24 14:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-24 14:05

Reported

2024-01-24 14:07

Platform

win7-20231215-en

Max time kernel

150s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\726f982410725cb34272e9e44b3c0310.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\vXpgWYYf\p2phost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\j70Vbi1\StikyNot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\3ZPNdgpT\WFS.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\ZsMGn9qpQs2\\StikyNot.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\vXpgWYYf\p2phost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\j70Vbi1\StikyNot.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3ZPNdgpT\WFS.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 2620 N/A N/A C:\Windows\system32\p2phost.exe
PID 1208 wrote to memory of 2620 N/A N/A C:\Windows\system32\p2phost.exe
PID 1208 wrote to memory of 2620 N/A N/A C:\Windows\system32\p2phost.exe
PID 1208 wrote to memory of 3060 N/A N/A C:\Users\Admin\AppData\Local\vXpgWYYf\p2phost.exe
PID 1208 wrote to memory of 3060 N/A N/A C:\Users\Admin\AppData\Local\vXpgWYYf\p2phost.exe
PID 1208 wrote to memory of 3060 N/A N/A C:\Users\Admin\AppData\Local\vXpgWYYf\p2phost.exe
PID 1208 wrote to memory of 1636 N/A N/A C:\Windows\system32\StikyNot.exe
PID 1208 wrote to memory of 1636 N/A N/A C:\Windows\system32\StikyNot.exe
PID 1208 wrote to memory of 1636 N/A N/A C:\Windows\system32\StikyNot.exe
PID 1208 wrote to memory of 1092 N/A N/A C:\Users\Admin\AppData\Local\j70Vbi1\StikyNot.exe
PID 1208 wrote to memory of 1092 N/A N/A C:\Users\Admin\AppData\Local\j70Vbi1\StikyNot.exe
PID 1208 wrote to memory of 1092 N/A N/A C:\Users\Admin\AppData\Local\j70Vbi1\StikyNot.exe
PID 1208 wrote to memory of 2932 N/A N/A C:\Windows\system32\WFS.exe
PID 1208 wrote to memory of 2932 N/A N/A C:\Windows\system32\WFS.exe
PID 1208 wrote to memory of 2932 N/A N/A C:\Windows\system32\WFS.exe
PID 1208 wrote to memory of 2956 N/A N/A C:\Users\Admin\AppData\Local\3ZPNdgpT\WFS.exe
PID 1208 wrote to memory of 2956 N/A N/A C:\Users\Admin\AppData\Local\3ZPNdgpT\WFS.exe
PID 1208 wrote to memory of 2956 N/A N/A C:\Users\Admin\AppData\Local\3ZPNdgpT\WFS.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\726f982410725cb34272e9e44b3c0310.dll,#1

C:\Windows\system32\p2phost.exe

C:\Users\Admin\AppData\Local\vXpgWYYf\p2phost.exe

C:\Windows\system32\StikyNot.exe

C:\Users\Admin\AppData\Local\j70Vbi1\StikyNot.exe

C:\Windows\system32\WFS.exe

C:\Users\Admin\AppData\Local\3ZPNdgpT\WFS.exe

Network

N/A

Files

\Users\Admin\AppData\Local\vXpgWYYf\p2phost.exe

MD5 0dbd420477352b278dfdc24f4672b79c
SHA1 df446f25be33ac60371557717073249a64e04bb2
SHA256 1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345
SHA512 84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

C:\Users\Admin\AppData\Local\vXpgWYYf\P2PCOLLAB.dll

MD5 c4a9023a87e0bd135e4f37fcd1742d4c
SHA1 e41a01500c2811f145781cba7be9eb3546fa77d3
SHA256 e8c4003f0fc23e8515493136840d9be36c81b35a71bc647b0d0b5c256f948475
SHA512 001d2175b10f1b9f91508d90f14eba9ea4375e57ed649bbeda6873d96daaa794918607449694d60ee7628b5670ef9fc9bbb56e485d6f72f156939478bc4a6966

memory/3060-76-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3060-79-0x0000000000100000-0x0000000000107000-memory.dmp

memory/3060-84-0x0000000140000000-0x00000001401F8000-memory.dmp

\Users\Admin\AppData\Local\j70Vbi1\StikyNot.exe

MD5 b22cb67919ebad88b0e8bb9cda446010
SHA1 423a794d26d96d9f812d76d75fa89bffdc07d468
SHA256 2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128
SHA512 f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

C:\Users\Admin\AppData\Local\j70Vbi1\slc.dll

MD5 389e5f672ae14f4c6348ac833459fb9d
SHA1 885b2702fe55cc21923c89c0c311cccb4d2087f5
SHA256 c7563823eba650b99aa97a7b02e80f936b47c13edfed7206578d6224807a8333
SHA512 ce730bf4f1fe46ff414e17cf0439850468b65440cdad4eb946ae83461965c90ff753401df57bbdb0836b1e1ac4870f7a6a5c4526f9956c8073b1c96b3f6016f7

memory/1092-99-0x0000000000290000-0x0000000000297000-memory.dmp

memory/1092-104-0x0000000140000000-0x00000001401F8000-memory.dmp

\Users\Admin\AppData\Local\3ZPNdgpT\WFS.exe

MD5 a943d670747778c7597987a4b5b9a679
SHA1 c48b760ff9762205386563b93e8884352645ef40
SHA256 1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610
SHA512 3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

C:\Users\Admin\AppData\Local\3ZPNdgpT\credui.dll

MD5 f700863ff7b9e5dffcbb473d5004aa7c
SHA1 67df03da729316ca71b93d29f76f61b7e760e864
SHA256 ee13b7d68a2029c48cd4bd59c42e0b1a612a98148c4b8b962b39f283d986396c
SHA512 574c758b2e9e9c207afc40151467b97585d0485ffcacc547e385b931294b469f25c4e113eeb4891c860a96486a017170f6609cc092fb9deea6cf82063af8d60c

\Users\Admin\AppData\Local\3ZPNdgpT\credui.dll

MD5 3465d3ca47eceb7b6f894678f79f7d22
SHA1 3225e7c426e038443ec99aaa518ebc8425a16567
SHA256 b0d42e7b78e85b58bd43732117c5aefe975f375b244d95000c39f125f7300395
SHA512 ac452a22160ea7277a0261c094bdde995398ccaf44d6899d48e1e8a99c1c1915393a8d974155ac477b7ff57698eb1741cb62208b376b34ce90f339c1b32a176d

memory/2956-116-0x0000000000120000-0x0000000000127000-memory.dmp

memory/1208-138-0x0000000077996000-0x0000000077997000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 0da2e7a17ddc3c8a8596faf645c14088
SHA1 2e5c209e004404140b4a4747e0c032a83d5ac441
SHA256 00857d0bdc9550e97e53164f61297ba154b76f14781bced8aabc2b28549fdb6b
SHA512 393c0f39b1149b67a5cc01628b013a16b779803966ad5453424147fd421d1743b9aa5634313a3ae9c5589b21aec75b035854e59fc2fd551a967b7edad76860aa

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-24 14:05

Reported

2024-01-24 14:08

Platform

win10v2004-20231215-en

Max time kernel

157s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\726f982410725cb34272e9e44b3c0310.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\AnOGccnwbF\\wscript.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Lon\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\QiLahXPh\wscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\2E7\dxgiadaptercache.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3408 wrote to memory of 4912 N/A N/A C:\Windows\system32\dwm.exe
PID 3408 wrote to memory of 4912 N/A N/A C:\Windows\system32\dwm.exe
PID 3408 wrote to memory of 2260 N/A N/A C:\Users\Admin\AppData\Local\Lon\dwm.exe
PID 3408 wrote to memory of 2260 N/A N/A C:\Users\Admin\AppData\Local\Lon\dwm.exe
PID 3408 wrote to memory of 4672 N/A N/A C:\Windows\system32\wscript.exe
PID 3408 wrote to memory of 4672 N/A N/A C:\Windows\system32\wscript.exe
PID 3408 wrote to memory of 2468 N/A N/A C:\Users\Admin\AppData\Local\QiLahXPh\wscript.exe
PID 3408 wrote to memory of 2468 N/A N/A C:\Users\Admin\AppData\Local\QiLahXPh\wscript.exe
PID 3408 wrote to memory of 3476 N/A N/A C:\Windows\system32\dxgiadaptercache.exe
PID 3408 wrote to memory of 3476 N/A N/A C:\Windows\system32\dxgiadaptercache.exe
PID 3408 wrote to memory of 4396 N/A N/A C:\Users\Admin\AppData\Local\2E7\dxgiadaptercache.exe
PID 3408 wrote to memory of 4396 N/A N/A C:\Users\Admin\AppData\Local\2E7\dxgiadaptercache.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\726f982410725cb34272e9e44b3c0310.dll,#1

C:\Windows\system32\dwm.exe

C:\Users\Admin\AppData\Local\Lon\dwm.exe

C:\Windows\system32\wscript.exe

C:\Users\Admin\AppData\Local\QiLahXPh\wscript.exe

C:\Windows\system32\dxgiadaptercache.exe

C:\Users\Admin\AppData\Local\2E7\dxgiadaptercache.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 9.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Lon\dwm.exe

MD5 5c27608411832c5b39ba04e33d53536c
SHA1 f92f8b7439ce1de4c297046ed1d3ff9f20bc97af
SHA256 0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565
SHA512 1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

C:\Users\Admin\AppData\Local\Lon\dxgi.dll

MD5 ba5bc234bab1074284c75a7a5061abd2
SHA1 42b69a8a48846a96dae731d35d572d91b50f5349
SHA256 bf931d98854caaa34f32ad71bb0b5426f960f9dc92f13d985acafe63d7c32d71
SHA512 3ee9598562262df8a422f0e5c264a70e6ccf72abc4ec436549b3acdced811ac73cf128a8dbb7abe8d8fdca0d3c46a6c044575d78d961da7c51f4eb2e570fb3d6

memory/2260-72-0x000001D73DDA0000-0x000001D73DDA7000-memory.dmp

memory/2260-73-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/2260-76-0x0000000140000000-0x00000001401F8000-memory.dmp

C:\Users\Admin\AppData\Local\QiLahXPh\wscript.exe

MD5 a47cbe969ea935bdd3ab568bb126bc80
SHA1 15f2facfd05daf46d2c63912916bf2887cebd98a
SHA256 34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100
SHA512 f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

C:\Users\Admin\AppData\Local\QiLahXPh\VERSION.dll

MD5 cdd945637df738d5e01f46dadc42150f
SHA1 a2653caf9defd9c4ac10abcba29497e53c017548
SHA256 5e8b2944c60588abf9dafd922207ec9d1affd026bbd90b56fdb257b95456071c
SHA512 2debce4a16eda445949d2f38f1aa760b983d8a3a341c22fbdc5da4a1e66a22b3a948dac5eb27d7739cf57c5bd9956bc7aebccbb17baa74279793198030ee6fa0

memory/2468-86-0x0000011DACED0000-0x0000011DACED7000-memory.dmp

memory/2468-91-0x0000000140000000-0x00000001401F8000-memory.dmp

C:\Users\Admin\AppData\Local\2E7\dxgiadaptercache.exe

MD5 e62f89130b7253f7780a862ed9aff294
SHA1 b031e64a36e93f95f2061be5b0383069efac2070
SHA256 4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5
SHA512 05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

C:\Users\Admin\AppData\Local\2E7\dxgi.dll

MD5 16c98692c5084c130b1e879d2a897d9d
SHA1 251f0fc95f148648d70765dd56015b0448f35ed6
SHA256 1004e2a96c12a2e36ff82b030e9e52e29709be8711692036b73ec68485393468
SHA512 4ba9fabd865fdef392ccd655c94178e094fd3214d960b116f59203f27718380aa15a7eb1c536a8644b2a2fd14da15d08569c3f14952eca700894f6c81a41c1f0

memory/4396-104-0x000001F450900000-0x000001F450907000-memory.dmp

memory/4396-109-0x0000000140000000-0x00000001401F8000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 19cbd2347125c2aebda1917c9e9203ef
SHA1 57653a3ea430e99adc834f056101e9d0211af67c
SHA256 e2cd6d8174ba1e4ebe1ca5d2e880ee9e309c62f78f7ec99b765011d380f0d5ee
SHA512 cad13580d54aa26ec8cecb3a46b01c948eba5f9719cb604faf15f0038757414849e269279797d1e73d3b4114d7fd14c90f15be281d8bfd76bb34f2a1226d0f6d