Malware Analysis Report

2024-11-13 16:42

Sample ID 240126-mzhzyadcej
Target 772b68bf3048024e686be386fbfe5083
SHA256 7c62dc19058fca240cc5e8942a240f7691e6066aa3d59a51185ac3209e8f1409
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7c62dc19058fca240cc5e8942a240f7691e6066aa3d59a51185ac3209e8f1409

Threat Level: Known bad

The file 772b68bf3048024e686be386fbfe5083 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-26 10:54

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 10:54

Reported

2024-01-26 10:56

Platform

win7-20231215-en

Max time kernel

149s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\772b68bf3048024e686be386fbfe5083.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\bCGsop\\mfpmp.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\X31h\tabcal.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\system32\X31h\tabcal.exe C:\Windows\system32\cmd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1212 wrote to memory of 320 N/A N/A C:\Windows\system32\mfpmp.exe
PID 1212 wrote to memory of 320 N/A N/A C:\Windows\system32\mfpmp.exe
PID 1212 wrote to memory of 320 N/A N/A C:\Windows\system32\mfpmp.exe
PID 1212 wrote to memory of 2616 N/A N/A C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 2616 N/A N/A C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 2616 N/A N/A C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 2340 N/A N/A C:\Windows\system32\tabcal.exe
PID 1212 wrote to memory of 2340 N/A N/A C:\Windows\system32\tabcal.exe
PID 1212 wrote to memory of 2340 N/A N/A C:\Windows\system32\tabcal.exe
PID 1212 wrote to memory of 2724 N/A N/A C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 2724 N/A N/A C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 2724 N/A N/A C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 2564 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 2564 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 2564 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 2004 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 2004 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 2004 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 1612 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 1612 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 1612 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 2336 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 2336 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 2336 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 540 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 540 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 540 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 1892 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 1892 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 1892 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 2460 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 2460 N/A N/A C:\Windows\system32\schtasks.exe
PID 1212 wrote to memory of 2460 N/A N/A C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\772b68bf3048024e686be386fbfe5083.dll,#1

C:\Windows\system32\mfpmp.exe

C:\Windows\system32\mfpmp.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\wzEO.cmd

C:\Windows\system32\tabcal.exe

C:\Windows\system32\tabcal.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\b7DyU.cmd

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /F /TN "Ajfbjcebwom" /TR "C:\Windows\system32\X31h\tabcal.exe" /SC minute /MO 60 /RL highest

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Ajfbjcebwom"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\wzEO.cmd

C:\Users\Admin\AppData\Local\Temp\FFQ455A.tmp

C:\Users\Admin\AppData\Local\Temp\b7DyU.cmd

C:\Users\Admin\AppData\Local\Temp\4O66D16.tmp

\Users\Admin\AppData\Roaming\bCGsop\mfpmp.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Bsfvntd.lnk


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 10:54

Reported

2024-01-26 10:56

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\772b68bf3048024e686be386fbfe5083.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\s0mBf\\WerFault.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\KzwGYeZ\FXSCOVER.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\system32\KzwGYeZ\FXSCOVER.exe C:\Windows\system32\cmd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3436 wrote to memory of 4136 N/A N/A C:\Windows\system32\WerFault.exe
PID 3436 wrote to memory of 4136 N/A N/A C:\Windows\system32\WerFault.exe
PID 3436 wrote to memory of 1268 N/A N/A C:\Windows\system32\cmd.exe
PID 3436 wrote to memory of 1268 N/A N/A C:\Windows\system32\cmd.exe
PID 3436 wrote to memory of 2140 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 3436 wrote to memory of 2140 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 3436 wrote to memory of 4768 N/A N/A C:\Windows\system32\cmd.exe
PID 3436 wrote to memory of 4768 N/A N/A C:\Windows\system32\cmd.exe
PID 3436 wrote to memory of 3892 N/A N/A C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 3892 N/A N/A C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 4348 N/A N/A C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 4348 N/A N/A C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 1404 N/A N/A C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 1404 N/A N/A C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 1636 N/A N/A C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 1636 N/A N/A C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 3632 N/A N/A C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 3632 N/A N/A C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 1364 N/A N/A C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 1364 N/A N/A C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 1124 N/A N/A C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 1124 N/A N/A C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\772b68bf3048024e686be386fbfe5083.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\ngA.cmd

C:\Windows\system32\FXSCOVER.exe

C:\Windows\system32\FXSCOVER.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\PSg.cmd

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /F /TN "Kjaztdntfug" /TR "C:\Windows\system32\KzwGYeZ\FXSCOVER.exe" /SC minute /MO 60 /RL highest

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"

Network

Country Destination Domain Proto
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\ngA.cmd

C:\Users\Admin\AppData\Local\Temp\88925.tmp

C:\Users\Admin\AppData\Local\Temp\PSg.cmd

C:\Users\Admin\AppData\Local\Temp\qnB45D.tmp

C:\Users\Admin\AppData\Roaming\s0mBf\WerFault.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tgnmvdx.lnk
