Malware Analysis Report

2024-11-30 21:31

Sample ID 231226-ekpvyacbd5
Target 5274829dfdbd08c8f993a4a31d3d6073
SHA256 14906c032956bed15a33083266a615ff7d5b24d84f0dbc36c3e245a3e46ac500
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

14906c032956bed15a33083266a615ff7d5b24d84f0dbc36c3e245a3e46ac500

Threat Level: Known bad

The file 5274829dfdbd08c8f993a4a31d3d6073 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex payload

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-26 04:00

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 04:00

Reported

2024-01-02 20:49

Platform

win7-20231215-en

Max time kernel

150s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5274829dfdbd08c8f993a4a31d3d6073.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\jqNlwmnd\spreview.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\fmf\Netplwiz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\XF0jjxz3\UI0Detect.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\WWsW\\Netplwiz.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\jqNlwmnd\spreview.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\fmf\Netplwiz.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\XF0jjxz3\UI0Detect.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 1920 N/A N/A C:\Windows\system32\spreview.exe
PID 1260 wrote to memory of 240 N/A N/A C:\Users\Admin\AppData\Local\jqNlwmnd\spreview.exe
PID 1260 wrote to memory of 2880 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1260 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\fmf\Netplwiz.exe
PID 1260 wrote to memory of 764 N/A N/A C:\Windows\system32\UI0Detect.exe
PID 1260 wrote to memory of 2500 N/A N/A C:\Users\Admin\AppData\Local\XF0jjxz3\UI0Detect.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5274829dfdbd08c8f993a4a31d3d6073.dll,#1

C:\Windows\system32\spreview.exe

C:\Users\Admin\AppData\Local\jqNlwmnd\spreview.exe

C:\Windows\system32\Netplwiz.exe

C:\Users\Admin\AppData\Local\fmf\Netplwiz.exe

C:\Windows\system32\UI0Detect.exe

C:\Users\Admin\AppData\Local\XF0jjxz3\UI0Detect.exe

Network

N/A

Files


\Users\Admin\AppData\Local\jqNlwmnd\spreview.exe

MD5 704cd4cac010e8e6d8de9b778ed17773
SHA1 81856abf70640f102b8b3defe2cf65669fe8e165
SHA256 4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208
SHA512 b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

C:\Users\Admin\AppData\Local\jqNlwmnd\sqmapi.dll

MD5 a3c4b642b1717ce1269efceb1de32bc5
SHA1 2967f669c0b4bea6f6a9b2df874342704bcfd85e
SHA256 808c7e5ff6617a3de6b0514f3ceb29a423e069775a780fc866351b2f49c974f2
SHA512 33be8b447a8329932bdfd2aac8f8032b6c23026ab30b2fa80dd3f86f7ea212ef4b22ab7d3d682b947ea0e1cd69d62984b7251405486af8e26906a2b50a4d03bb


\Users\Admin\AppData\Local\fmf\Netplwiz.exe

MD5 e43ec3c800d4c0716613392e81fba1d9
SHA1 37de6a235e978ecf3bb0fc2c864016c5b0134348
SHA256 636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c
SHA512 176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

C:\Users\Admin\AppData\Local\fmf\NETPLWIZ.dll

MD5 40526cf39374af30b67ac410be671c32
SHA1 dbe04af72e35989241302e4fcb6f371765cea751
SHA256 45b15ea44d53f3274732eece427605b65e535d0f3bc76cea04fc79f61570cfd7
SHA512 32ba9da0a044efef88b86bf03ada526d27fee1fcae64d8e8cdf6aa57e0c19ef0fbdb2a53774ca7abae43ac42beaf1e782772ed45c3896f0c430e0d481f4c7f68


\Users\Admin\AppData\Local\XF0jjxz3\UI0Detect.exe

MD5 3cbdec8d06b9968aba702eba076364a1
SHA1 6e0fcaccadbdb5e3293aa3523ec1006d92191c58
SHA256 b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b
SHA512 a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

C:\Users\Admin\AppData\Local\XF0jjxz3\WINSTA.dll

MD5 33b74ac6c89f99da4f8c4080618d7039
SHA1 54bf25a081b153d1aabe7b4965d34453653a5941
SHA256 bf48af4daf0d90a34172f0f78684d4899d1343f6cdfe475af65402fa46cf3c55
SHA512 ae8dfb515be28fab573780fe617735f78caf3b9e69d535221e22f5706469216cfe9543f8d88144ba115b405b5f6bf9096e1a5937e08ec10ae6e0a8b6231382a6


C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 bfc76b6e3c952b6c374fa63ada4e82bf
SHA1 d5d9ef3529797df35a3b172d7a87b8e6949e586b
SHA256 ce61a4cde43d90511820e848a33d6ed9aa0b8e9618f5a67d2352a9dccc9aeebb
SHA512 0615fbbf427dd83dab3fe8caff064039dd7c2cc5011c9720fe338c81284c1ed02a0131e60f0241213661683ff03f1d060916f61534bb001c2b1c38eccff47a42

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 04:00

Reported

2024-01-02 20:50

Platform

win10v2004-20231215-en

Max time kernel

156s

Max time network

163s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5274829dfdbd08c8f993a4a31d3d6073.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\1aVTZZ\\isoburn.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Gu6ss7HPb\CloudNotifications.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\DgD1mb6o\isoburn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\1jyVliA\ie4ushowIE.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow


Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3376 wrote to memory of 1372 N/A N/A C:\Windows\system32\CloudNotifications.exe
PID 3376 wrote to memory of 960 N/A N/A C:\Users\Admin\AppData\Local\Gu6ss7HPb\CloudNotifications.exe
PID 3376 wrote to memory of 1940 N/A N/A C:\Windows\system32\isoburn.exe
PID 3376 wrote to memory of 2152 N/A N/A C:\Users\Admin\AppData\Local\DgD1mb6o\isoburn.exe
PID 3376 wrote to memory of 2128 N/A N/A C:\Windows\system32\ie4ushowIE.exe
PID 3376 wrote to memory of 4452 N/A N/A C:\Users\Admin\AppData\Local\1jyVliA\ie4ushowIE.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5274829dfdbd08c8f993a4a31d3d6073.dll,#1

C:\Windows\system32\CloudNotifications.exe

C:\Users\Admin\AppData\Local\Gu6ss7HPb\CloudNotifications.exe

C:\Users\Admin\AppData\Local\DgD1mb6o\isoburn.exe

C:\Windows\system32\isoburn.exe

C:\Users\Admin\AppData\Local\1jyVliA\ie4ushowIE.exe

C:\Windows\system32\ie4ushowIE.exe

Network


Files


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\JXJlIeRBJ2M\VERSION.dll

MD5 57ed4c756cb9212cb27136094182653e
SHA1 5a745aedc9f4b654748180dc2d97d9c75b912566
SHA256 3c69f1a8f15659e303c9f7a966110cea9bb0c740225b9dded4e9ed5d897aaee9
SHA512 abca6fc9c87266c9e7bc91a8378f7da18c3ea4e935dad3562c261cbc97675b519ef28bbadeac0de56201a7cf41f1832842e1c973519fc50cf929ce9b4379fac5