Malware Analysis Report

2024-11-30 21:26

Sample ID 231226-h9vdhabgbp
Target 5c73ce8acd26a01655041010b2d4ff6a
SHA256 03691ec0a206c672022cbf25d02a4b0ab1f67bd6acf5782de498977d88e41474
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

03691ec0a206c672022cbf25d02a4b0ab1f67bd6acf5782de498977d88e41474

Threat Level: Known bad

The file 5c73ce8acd26a01655041010b2d4ff6a was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Dridex payload

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-26 07:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 07:26

Reported

2023-12-27 12:06

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c73ce8acd26a01655041010b2d4ff6a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\TWcSZI\mfpmp.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\N1yJU0zy\perfmon.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\wDHs08JC\rdpinit.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\YCL\\perfmon.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\TWcSZI\mfpmp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\N1yJU0zy\perfmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\wDHs08JC\rdpinit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1384 wrote to memory of 2600 N/A N/A C:\Windows\system32\mfpmp.exe
PID 1384 wrote to memory of 2600 N/A N/A C:\Windows\system32\mfpmp.exe
PID 1384 wrote to memory of 2600 N/A N/A C:\Windows\system32\mfpmp.exe
PID 1384 wrote to memory of 2512 N/A N/A C:\Users\Admin\AppData\Local\TWcSZI\mfpmp.exe
PID 1384 wrote to memory of 2512 N/A N/A C:\Users\Admin\AppData\Local\TWcSZI\mfpmp.exe
PID 1384 wrote to memory of 2512 N/A N/A C:\Users\Admin\AppData\Local\TWcSZI\mfpmp.exe
PID 1384 wrote to memory of 568 N/A N/A C:\Windows\system32\perfmon.exe
PID 1384 wrote to memory of 568 N/A N/A C:\Windows\system32\perfmon.exe
PID 1384 wrote to memory of 568 N/A N/A C:\Windows\system32\perfmon.exe
PID 1384 wrote to memory of 1784 N/A N/A C:\Users\Admin\AppData\Local\N1yJU0zy\perfmon.exe
PID 1384 wrote to memory of 1784 N/A N/A C:\Users\Admin\AppData\Local\N1yJU0zy\perfmon.exe
PID 1384 wrote to memory of 1784 N/A N/A C:\Users\Admin\AppData\Local\N1yJU0zy\perfmon.exe
PID 1384 wrote to memory of 1864 N/A N/A C:\Windows\system32\wermgr.exe
PID 1384 wrote to memory of 1864 N/A N/A C:\Windows\system32\wermgr.exe
PID 1384 wrote to memory of 1864 N/A N/A C:\Windows\system32\wermgr.exe
PID 1384 wrote to memory of 2028 N/A N/A C:\Users\Admin\AppData\Local\nVSMvE\wermgr.exe
PID 1384 wrote to memory of 2028 N/A N/A C:\Users\Admin\AppData\Local\nVSMvE\wermgr.exe
PID 1384 wrote to memory of 2028 N/A N/A C:\Users\Admin\AppData\Local\nVSMvE\wermgr.exe
PID 1384 wrote to memory of 1912 N/A N/A C:\Windows\system32\rdpinit.exe
PID 1384 wrote to memory of 1912 N/A N/A C:\Windows\system32\rdpinit.exe
PID 1384 wrote to memory of 1912 N/A N/A C:\Windows\system32\rdpinit.exe
PID 1384 wrote to memory of 1900 N/A N/A C:\Users\Admin\AppData\Local\wDHs08JC\rdpinit.exe
PID 1384 wrote to memory of 1900 N/A N/A C:\Users\Admin\AppData\Local\wDHs08JC\rdpinit.exe
PID 1384 wrote to memory of 1900 N/A N/A C:\Users\Admin\AppData\Local\wDHs08JC\rdpinit.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c73ce8acd26a01655041010b2d4ff6a.dll,#1

C:\Windows\system32\mfpmp.exe

C:\Windows\system32\mfpmp.exe

C:\Users\Admin\AppData\Local\TWcSZI\mfpmp.exe

C:\Users\Admin\AppData\Local\TWcSZI\mfpmp.exe

C:\Windows\system32\perfmon.exe

C:\Windows\system32\perfmon.exe

C:\Users\Admin\AppData\Local\N1yJU0zy\perfmon.exe

C:\Users\Admin\AppData\Local\N1yJU0zy\perfmon.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Users\Admin\AppData\Local\nVSMvE\wermgr.exe

C:\Users\Admin\AppData\Local\nVSMvE\wermgr.exe

C:\Windows\system32\rdpinit.exe

C:\Windows\system32\rdpinit.exe

C:\Users\Admin\AppData\Local\wDHs08JC\rdpinit.exe

C:\Users\Admin\AppData\Local\wDHs08JC\rdpinit.exe

Network

N/A

Files

\Users\Admin\AppData\Local\TWcSZI\mfpmp.exe

MD5 2d8600b94de72a9d771cbb56b9f9c331
SHA1 a0e2ac409159546183aa45875497844c4adb5aac
SHA256 7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185
SHA512 3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

C:\Users\Admin\AppData\Local\TWcSZI\MFPlat.DLL

MD5 269ad9f031e0c4e99d2e23c56de3d27a
SHA1 00fdfd4df643743e58daa755e61734bdf3b0b332
SHA256 1a9ee8e0308b959d4de8f935eb561ce0f6b597f66a377f6013236d6ef6c6e3e0
SHA512 df8dcab347cafaa72c16a04a04fbb01fc6b5e1af5d16d3b9ef33475a7c0237a02ca563c0faea1c93ef32eaaa9b35469b23f21ae6fb0dce00b804b5220ebe9998

\Users\Admin\AppData\Local\N1yJU0zy\perfmon.exe

MD5 3eb98cff1c242167df5fdbc6441ce3c5
SHA1 730b27a1c92e8df1e60db5a6fc69ea1b24f68a69
SHA256 6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081
SHA512 f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

C:\Users\Admin\AppData\Local\N1yJU0zy\Secur32.dll

MD5 6b40e5433a62f7cd745f59d375112868
SHA1 35f16f3a2dac0ed9fb226d4bab356dc567bda4fb
SHA256 a3946aa3282391dc534903acf7a54d4fb3a7f50758cf2383b991293067b75ca1
SHA512 ea23552c722028aedc2ec46194a7a0a2dbe5caaf5d648e509d7e7a09a1ddd9fa3905ff52d36f754747145c044e1aa50aee08c69e9ccbbddc22714ff5c8796838

C:\Users\Admin\AppData\Local\nVSMvE\wermgr.exe

MD5 41df7355a5a907e2c1d7804ec028965d
SHA1 453263d230c6317eb4a2eb3aceeec1bbcf5e153d
SHA256 207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861
SHA512 59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

C:\Users\Admin\AppData\Local\wDHs08JC\WTSAPI32.dll

MD5 a82d4d876b3a3c95a0032c10e493d18f
SHA1 761ae78c931caac30214df59ddf5189ead808e7f
SHA256 40c5c397b920d94a41e51b02d00c026f966b08e7148596c567318e1815651af2
SHA512 078c3902c90e78b96b936a6b520c41c0ed3c468395ce0c91f6dd1bdc40d920c7c4cf6dc92bcd7766ac14f590652fd71ef40d34f7dfbedcbc1033dab3a246024d

C:\Users\Admin\AppData\Local\wDHs08JC\rdpinit.exe

MD5 664e12e0ea009cc98c2b578ff4983c62
SHA1 27b302c0108851ac6cc37e56590dd9074b09c3c9
SHA256 00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332
SHA512 f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 d9e5b5a5773766bcba2c0bbd19dd0a69
SHA1 bbe07f1b81462453def556a5de30247cb034d6c3
SHA256 4c726263d9ebaebf2e1f3ac92489332f75cba263d8adf20539bf9140822160c5
SHA512 8455c9f674b0ca220fee424e0c6176a6c5ac4a5090c7b0ce19973916deda38acfa8cb452e4cb96436e1cc554330cf6ad303ba10285f140afaf70daec02b289e5

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 07:26

Reported

2023-12-27 12:04

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c73ce8acd26a01655041010b2d4ff6a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\XYI5FJ~1\\APPLIC~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\sWNt\rdpclip.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\gBDkrt3qY\ApplicationFrameHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\EmvH\psr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3512 wrote to memory of 3632 N/A N/A C:\Windows\system32\rdpclip.exe
PID 3512 wrote to memory of 3632 N/A N/A C:\Windows\system32\rdpclip.exe
PID 3512 wrote to memory of 2264 N/A N/A C:\Users\Admin\AppData\Local\sWNt\rdpclip.exe
PID 3512 wrote to memory of 2264 N/A N/A C:\Users\Admin\AppData\Local\sWNt\rdpclip.exe
PID 3512 wrote to memory of 636 N/A N/A C:\Windows\system32\ApplicationFrameHost.exe
PID 3512 wrote to memory of 636 N/A N/A C:\Windows\system32\ApplicationFrameHost.exe
PID 3512 wrote to memory of 2020 N/A N/A C:\Users\Admin\AppData\Local\gBDkrt3qY\ApplicationFrameHost.exe
PID 3512 wrote to memory of 2020 N/A N/A C:\Users\Admin\AppData\Local\gBDkrt3qY\ApplicationFrameHost.exe
PID 3512 wrote to memory of 752 N/A N/A C:\Windows\system32\psr.exe
PID 3512 wrote to memory of 752 N/A N/A C:\Windows\system32\psr.exe
PID 3512 wrote to memory of 4504 N/A N/A C:\Users\Admin\AppData\Local\EmvH\psr.exe
PID 3512 wrote to memory of 4504 N/A N/A C:\Users\Admin\AppData\Local\EmvH\psr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c73ce8acd26a01655041010b2d4ff6a.dll,#1

C:\Users\Admin\AppData\Local\sWNt\rdpclip.exe

C:\Users\Admin\AppData\Local\sWNt\rdpclip.exe

C:\Windows\system32\rdpclip.exe

C:\Windows\system32\rdpclip.exe

C:\Users\Admin\AppData\Local\gBDkrt3qY\ApplicationFrameHost.exe

C:\Users\Admin\AppData\Local\gBDkrt3qY\ApplicationFrameHost.exe

C:\Windows\system32\ApplicationFrameHost.exe

C:\Windows\system32\ApplicationFrameHost.exe

C:\Windows\system32\psr.exe

C:\Windows\system32\psr.exe

C:\Users\Admin\AppData\Local\EmvH\psr.exe

C:\Users\Admin\AppData\Local\EmvH\psr.exe

Network


Files
