Malware Analysis Report

2024-11-30 21:26

Sample ID 231222-s8ab2sdfb9
Target e06bc9c34016a67b0d3a56913db15515
SHA256 9defa598e8384355655dd2fcba9e94f1bfbb4fc1d14d4f43cef7ce3173cc8736
Tags dridex botnet evasion payload persistence trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 9defa598e8384355655dd2fcba9e94f1bfbb4fc1d14d4f43cef7ce3173cc8736

Threat Level: Known bad

The file e06bc9c34016a67b0d3a56913db15515 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Drops startup file

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-22 15:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-22 15:47

Reported 2023-12-24 04:42

Platform win7-20231129-en

Max time kernel 149s

Max time network 118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e06bc9c34016a67b0d3a56913db15515.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\pcHqTgC5\shrpubw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\cQ1Qu7zw\tcmsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\QlG\perfmon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{85F2D219-4DA8-41B0-8F71-51D9FDB705AC}\\yX\\tcmsetup.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\pcHqTgC5\shrpubw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\cQ1Qu7zw\tcmsetup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\QlG\perfmon.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1352 wrote to memory of 2492 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1352 wrote to memory of 2492 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1352 wrote to memory of 2492 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1352 wrote to memory of 2532 N/A N/A C:\Users\Admin\AppData\Local\pcHqTgC5\shrpubw.exe
PID 1352 wrote to memory of 2532 N/A N/A C:\Users\Admin\AppData\Local\pcHqTgC5\shrpubw.exe
PID 1352 wrote to memory of 2532 N/A N/A C:\Users\Admin\AppData\Local\pcHqTgC5\shrpubw.exe
PID 1352 wrote to memory of 2772 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1352 wrote to memory of 2772 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1352 wrote to memory of 2772 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1352 wrote to memory of 2520 N/A N/A C:\Users\Admin\AppData\Local\cQ1Qu7zw\tcmsetup.exe
PID 1352 wrote to memory of 2520 N/A N/A C:\Users\Admin\AppData\Local\cQ1Qu7zw\tcmsetup.exe
PID 1352 wrote to memory of 2520 N/A N/A C:\Users\Admin\AppData\Local\cQ1Qu7zw\tcmsetup.exe
PID 1352 wrote to memory of 2172 N/A N/A C:\Windows\system32\perfmon.exe
PID 1352 wrote to memory of 2172 N/A N/A C:\Windows\system32\perfmon.exe
PID 1352 wrote to memory of 2172 N/A N/A C:\Windows\system32\perfmon.exe
PID 1352 wrote to memory of 1864 N/A N/A C:\Users\Admin\AppData\Local\QlG\perfmon.exe
PID 1352 wrote to memory of 1864 N/A N/A C:\Users\Admin\AppData\Local\QlG\perfmon.exe
PID 1352 wrote to memory of 1864 N/A N/A C:\Users\Admin\AppData\Local\QlG\perfmon.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e06bc9c34016a67b0d3a56913db15515.dll,#1

C:\Windows\system32\shrpubw.exe

C:\Users\Admin\AppData\Local\pcHqTgC5\shrpubw.exe

C:\Users\Admin\AppData\Local\cQ1Qu7zw\tcmsetup.exe

C:\Windows\system32\tcmsetup.exe

C:\Users\Admin\AppData\Local\QlG\perfmon.exe

C:\Windows\system32\perfmon.exe

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Rhm\MFC42u.dll

MD5 4c31a16a7973693fb4e5873c36c77216
SHA1 5bbef481a1dda8817bd720a5c3727d0ed5894870
SHA256 4066d341d072c4b11c2fea12fe4f828b375631223db790647794e84fe114ee6c
SHA512 1acec6fde95eea48d2bb84f2de0cddb13fba5df69961257cff38233a5dc18cdd050381069e2a7e395b95a24d7fca87fd2794bcd9ab8a81be4f56811c8e3bd529

C:\Users\Admin\AppData\Roaming\Identities\{85F2D219-4DA8-41B0-8F71-51D9FDB705AC}\yX\TAPI32.dll

MD5 9a8b33a16eece2090094f7f06c7f3def
SHA1 94a7c772e20a502c2a28ac4ca14c344ff5b1b404
SHA256 f550b841b79dbda3025134baf8df84ee452c21527a44ef4e5b48ba07ae2c5b14
SHA512 eb670ea68a5ce9d0ec94aa55e2bd81a8f56f5e79d6b904939d33b1e4aff1851d71befdc4c718194c5b0d7fb7a7cb3e93128a026f1033870bb644f0d50f38ecf3

C:\Users\Admin\AppData\Roaming\Identities\{85F2D219-4DA8-41B0-8F71-51D9FDB705AC}\yX\oHmj\credui.dll

MD5 de52fa31c439d86a2687b8254e816cbf
SHA1 6b0765a28aaf48ba54c80a68fa6c37043a847e6e
SHA256 d6a7e8fe85e67697f65271e6c19f3b77df0d7555bc44b3ec9319672bd4dcf021
SHA512 8a43704ef37a2a3018316531856101900abd40cbaaa36397a31ccefc34a02188d7b4ffbadc129a6739b05408ef236762af2845c88b81e60c0741f369176fde46

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-22 15:47

Reported 2023-12-24 04:42

Platform win10v2004-20231215-en

Max time kernel 35s

Max time network 157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e06bc9c34016a67b0d3a56913db15515.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wWGTTbGvc N/A N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wWGTTbGvc\VERSION.dll N/A N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wWGTTbGvc\unregmp2.exe N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\trxFE74dJ\\psr.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\SCrbFWM9\FileHistory.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\WbHcFlDX\psr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\RWqIx\unregmp2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3444 wrote to memory of 5096 N/A N/A C:\Windows\system32\FileHistory.exe
PID 3444 wrote to memory of 5096 N/A N/A C:\Windows\system32\FileHistory.exe
PID 3444 wrote to memory of 444 N/A N/A C:\Users\Admin\AppData\Local\SCrbFWM9\FileHistory.exe
PID 3444 wrote to memory of 444 N/A N/A C:\Users\Admin\AppData\Local\SCrbFWM9\FileHistory.exe
PID 3444 wrote to memory of 4192 N/A N/A C:\Windows\system32\psr.exe
PID 3444 wrote to memory of 4192 N/A N/A C:\Windows\system32\psr.exe
PID 3444 wrote to memory of 4832 N/A N/A C:\Users\Admin\AppData\Local\WbHcFlDX\psr.exe
PID 3444 wrote to memory of 4832 N/A N/A C:\Users\Admin\AppData\Local\WbHcFlDX\psr.exe
PID 3444 wrote to memory of 3732 N/A N/A C:\Windows\system32\unregmp2.exe
PID 3444 wrote to memory of 3732 N/A N/A C:\Windows\system32\unregmp2.exe
PID 3444 wrote to memory of 768 N/A N/A C:\Users\Admin\AppData\Local\RWqIx\unregmp2.exe
PID 3444 wrote to memory of 768 N/A N/A C:\Users\Admin\AppData\Local\RWqIx\unregmp2.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e06bc9c34016a67b0d3a56913db15515.dll,#1

C:\Windows\system32\FileHistory.exe

C:\Users\Admin\AppData\Local\SCrbFWM9\FileHistory.exe

C:\Windows\system32\psr.exe

C:\Users\Admin\AppData\Local\WbHcFlDX\psr.exe

C:\Windows\system32\unregmp2.exe

C:\Users\Admin\AppData\Local\RWqIx\unregmp2.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
IE 20.54.110.119:443 tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\SCrbFWM9\UxTheme.dll

MD5 c9152e5603808531454be9b35963dd79
SHA1 26d4c433162f3cca192a75abb71de22cff464c9e
SHA256 52204e278ed9947a7f418a4eec471320a09ad614c0edb0cadbce27178bff6a79
SHA512 ec6f4a85a7fc774318d505188d6ecb7a78fa608c1823375f5a51ad06929903ab2a06a8506d4ba92b373c187b623b19011f326b90dded7f9b11278c904ca0cad4

C:\Users\Admin\AppData\Local\SCrbFWM9\UxTheme.dll

MD5 c76b9a123bbf634dab6a70e52ee79a6b
SHA1 f321f6d0d6fe9bcb039dc53d4116606eb6797661
SHA256 538475c550db7be565756440b793f63c1a6c46b224db9c1f2f5e5cd84288f235
SHA512 bb20c9ef2acd46fe11a40954775e08de2e85554ce46969cccf0454ffb5c9a0964a92f1795272b95320460b790a295ba3d232b5506f2f98acf4cba625e447a14d

C:\Users\Admin\AppData\Local\SCrbFWM9\FileHistory.exe

MD5 5af41fc5e4994b377c9883c0ba505380
SHA1 b1d7e37c20c4c0944f744ae6d9d44c32f87eee2d
SHA256 416466638ffd182b04a22208af4598f48d7e402932f7eaf84a7fda7644c286c1
SHA512 728adfdeba91eadaf6210cd054dce64c8d17025f6f55e511086c1f508529a25ecd2943a35f3a59c6548e1ba55d693644efd1f36c9e4c0c8445ad7538c3a8a11e

C:\Users\Admin\AppData\Local\SCrbFWM9\FileHistory.exe

MD5 c7c16c482b23fff3f45dbdc3bfd4c990
SHA1 cd4a240e23569edfc197abd1b5dac6c27317891e
SHA256 7563f2925de20cf66ca6bd308f2d4c50238965d2ff60dda164483601d49c7655
SHA512 4316693060cd663ea650dbea3309357e68b6963a30e637a0fb948e2b877f720ea2104d4cc987e891a626b37de1cb7e33e8478e3dfcf68badf9d54c50b76cabd7

C:\Users\Admin\AppData\Local\WbHcFlDX\XmlLite.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\WbHcFlDX\psr.exe

MD5 4535b8763ab2bfec6f3bd25884a3e6dc
SHA1 3de2f480b9264a982719c252fa72b13485a10e5d
SHA256 9db005d5330f09f6d7f9df1818017e3f4a06bce661b8d02bf2a8f1a415fe49a8
SHA512 53a2be72b582a0ea0246d609bffcc655fb7c93a2169e2058cfbd2a4179401a1202c4a59daa5356ebb6ac5dafee488b3837e6ccae2051d5d2d9a662bc5181a215

C:\Users\Admin\AppData\Local\WbHcFlDX\XmlLite.dll

MD5 4ab8f088085a132fe120809edaba76cf
SHA1 ce71f5a4e848543508078e82daa369392ce2db00
SHA256 a410be9fe7df49032b84b3e0cfb5f6f73f42983a481dfc98eee6c3aaffd6928f
SHA512 9766f2a96d277f9e794d4d43193a78a4bfa6a2150e12bacc97bafd4410861d68c9bcbd42006469b65fd3b85c42d474538caec9f6c683fc2c6e93fd7e2495b1ce

C:\Users\Admin\AppData\Local\WbHcFlDX\psr.exe

MD5 d550310aee9d62163fdc222bb78ff2c7
SHA1 038be4f23803a6ead9c1c19c4767f680e363743e
SHA256 5c4fd95c5b3864a3ecd2addf774948d0d84a65d60e7eb044f7590f287faf0101
SHA512 598276ece227cebc1ec4b84ec1069c2f019fb279221f531b92d41655bc2157d235bfb20465ba243ebaea51869e65c820474919c190dd6d434e015b3a2cec1b1a

C:\Users\Admin\AppData\Local\RWqIx\VERSION.dll

MD5 86530fcec58475907541563e349660c4
SHA1 ce0bf5ca0dcfaa0cdf85ab19b0613c8c299d9b1e
SHA256 abd60ca614536e6baafd32cdce866f436390cc518b4d930db596d7b5d9d9b18f
SHA512 7d6a06d441db099872d49df1c371aaac5079df73eadda93cdc445846c433d1c2bb91a6757cf05e583df401cb12ed7d651316fe5cef351fc126d197584f329a50

C:\Users\Admin\AppData\Local\RWqIx\VERSION.dll

MD5 7ce177cc2245fe154827a45e0a90cad4
SHA1 08bc4eced6f0caa1eba32841ade084bbc86586fe
SHA256 32600bc424fc355cb92144f52920e4e6634c37a178eb131a2a63ba13ef19696b
SHA512 e1b60ae726d3d920ebd04ded17de8d8b1ff912aac92d092ac4ffdc2dd7d424663f8e1515503b47cc559cbc742ef5cd06b442a1981314534f4662f442314f3081

C:\Users\Admin\AppData\Local\RWqIx\unregmp2.exe

MD5 47aede7b66c8a8bdc032e87c2780480b
SHA1 88bd0c1c94373a8de32c078f9d64d86c5bfc9902
SHA256 f1254505ef3248878e9b89df444e5645653b1ade0e419fbe933cbd049f840c4c
SHA512 65704c2989825c00a7478303cac4361ac0ddb428ef9944007371622e83c1cd5e2bff4cbf4e512f4bc592c45b46d5896f0ec660dbe686e08b41d0847cd585c9ef