Malware Analysis Report

2024-11-30 21:28

Sample ID 231226-sznhbaegc5
Target 793df85f287f06c4764a229b404e0a7f
SHA256 823691284d6b7786dee73b7315b3cd146eac4160d5f7fca663cab821b66698fa
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

823691284d6b7786dee73b7315b3cd146eac4160d5f7fca663cab821b66698fa

Threat Level: Known bad

The file 793df85f287f06c4764a229b404e0a7f was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex payload

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-26 15:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 15:33

Reported

2024-01-06 18:43

Platform

win7-20231215-en

Max time kernel

147s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\793df85f287f06c4764a229b404e0a7f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\G7CnuWd3\dwm.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\oHgkEac\rrinstaller.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\bkZce\msra.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\2xYHR\\rrinstaller.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\G7CnuWd3\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\oHgkEac\rrinstaller.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\bkZce\msra.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\G7CnuWd3\dwm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\G7CnuWd3\dwm.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2836 N/A N/A C:\Windows\system32\dwm.exe
PID 1200 wrote to memory of 2836 N/A N/A C:\Windows\system32\dwm.exe
PID 1200 wrote to memory of 2836 N/A N/A C:\Windows\system32\dwm.exe
PID 1200 wrote to memory of 2672 N/A N/A C:\Users\Admin\AppData\Local\G7CnuWd3\dwm.exe
PID 1200 wrote to memory of 2672 N/A N/A C:\Users\Admin\AppData\Local\G7CnuWd3\dwm.exe
PID 1200 wrote to memory of 2672 N/A N/A C:\Users\Admin\AppData\Local\G7CnuWd3\dwm.exe
PID 1200 wrote to memory of 3028 N/A N/A C:\Windows\system32\rrinstaller.exe
PID 1200 wrote to memory of 3028 N/A N/A C:\Windows\system32\rrinstaller.exe
PID 1200 wrote to memory of 3028 N/A N/A C:\Windows\system32\rrinstaller.exe
PID 1200 wrote to memory of 2372 N/A N/A C:\Users\Admin\AppData\Local\oHgkEac\rrinstaller.exe
PID 1200 wrote to memory of 2372 N/A N/A C:\Users\Admin\AppData\Local\oHgkEac\rrinstaller.exe
PID 1200 wrote to memory of 2372 N/A N/A C:\Users\Admin\AppData\Local\oHgkEac\rrinstaller.exe
PID 1200 wrote to memory of 2964 N/A N/A C:\Windows\system32\msra.exe
PID 1200 wrote to memory of 2964 N/A N/A C:\Windows\system32\msra.exe
PID 1200 wrote to memory of 2964 N/A N/A C:\Windows\system32\msra.exe
PID 1200 wrote to memory of 2960 N/A N/A C:\Users\Admin\AppData\Local\bkZce\msra.exe
PID 1200 wrote to memory of 2960 N/A N/A C:\Users\Admin\AppData\Local\bkZce\msra.exe
PID 1200 wrote to memory of 2960 N/A N/A C:\Users\Admin\AppData\Local\bkZce\msra.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\793df85f287f06c4764a229b404e0a7f.dll,#1

C:\Users\Admin\AppData\Local\G7CnuWd3\dwm.exe

C:\Users\Admin\AppData\Local\G7CnuWd3\dwm.exe

C:\Windows\system32\dwm.exe

C:\Windows\system32\dwm.exe

C:\Users\Admin\AppData\Local\oHgkEac\rrinstaller.exe

C:\Users\Admin\AppData\Local\oHgkEac\rrinstaller.exe

C:\Windows\system32\rrinstaller.exe

C:\Windows\system32\rrinstaller.exe

C:\Users\Admin\AppData\Local\bkZce\msra.exe

C:\Users\Admin\AppData\Local\bkZce\msra.exe

C:\Windows\system32\msra.exe

C:\Windows\system32\msra.exe

Network

N/A

Files

memory/1572-1-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1572-0-0x000007FEF6FF0000-0x000007FEF7095000-memory.dmp

memory/1200-3-0x0000000077786000-0x0000000077787000-memory.dmp

memory/1200-11-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-14-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-15-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-24-0x0000000077B20000-0x0000000077B22000-memory.dmp

memory/1200-23-0x0000000077AF0000-0x0000000077AF2000-memory.dmp

memory/1200-22-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-13-0x0000000002610000-0x0000000002617000-memory.dmp

memory/1200-12-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-10-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-8-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-9-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-7-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-6-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-4-0x0000000002630000-0x0000000002631000-memory.dmp

memory/1200-35-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-33-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1572-36-0x000007FEF6FF0000-0x000007FEF7095000-memory.dmp

memory/2672-52-0x0000000000180000-0x0000000000187000-memory.dmp

memory/2672-54-0x000007FEF70A0000-0x000007FEF7146000-memory.dmp

memory/2672-50-0x000007FEF70A0000-0x000007FEF7146000-memory.dmp

C:\Users\Admin\AppData\Local\G7CnuWd3\UxTheme.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\G7CnuWd3\dwm.exe

MD5 f162d5f5e845b9dc352dd1bad8cef1bc
SHA1 35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2
SHA256 8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7
SHA512 7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

memory/1200-57-0x0000000077786000-0x0000000077787000-memory.dmp

memory/2372-68-0x000007FEF6690000-0x000007FEF6737000-memory.dmp

memory/2372-65-0x000007FEF6690000-0x000007FEF6737000-memory.dmp

memory/2960-80-0x000007FEF6B10000-0x000007FEF6BB6000-memory.dmp

memory/2960-83-0x000007FEF6B10000-0x000007FEF6BB6000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk

MD5 9a7ad57cee1e096d2b68e401e62b8ebf
SHA1 b0734ecc786fb058c67415851356c3d0aef6aca1
SHA256 6906623398c46e205ba58a552fd9875a1ccd39c44b4314c10d056c1842017600
SHA512 2bad3a2761d3a817e6279e0116db54d561acd9969be169602fe75832f9cbb48c8edc617f63996bc03a172b111edd1a904452f39f4c9c8cda972b752771bd42ff

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\T0pXOE\UxTheme.dll

MD5 5f6c31f53f65a1fdb86734c3f9ee7840
SHA1 a8c5aeb8b426258e84fb7b4bd181f85db18405ae
SHA256 75744da9a671242b908e36a14db2b512b454f506e6eee9e77da3bec1e7225f7d
SHA512 a1713364329e883b9a62409ce721ce7fbc929814e196c8eb18a3bf121cf2eea83d875869d1c8702ef7f9888e4f11659201132554d0101ecf6d0d89592025d242

C:\Users\Admin\AppData\Roaming\Microsoft\2xYHR\MFPlat.DLL

MD5 b534ddbf1e179b81850ddc36674a766c
SHA1 9cbb409970c10468d338937d8a8e85dbd69b48e8
SHA256 15e232aa5f26fe7ff3ec901f1ce86f8d42e1cab7b455bcb542c16029db6e9cae
SHA512 8d1e304e6d11509b34f40ab23a8ce2ea4391b5c177388c938cd6e99d22036c80a515cdea95755997cfbacf443b9e1f6bf0b81eec7b7581aee316348a79c32ced

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\cTd70\NDFAPI.DLL

MD5 192f752bbdcb5e33312abe8fd40eb318
SHA1 efaccfee37c0fa32a1b45b156ad4e65a33bab91e
SHA256 d616010470e5a7f7633e4f505709437b4d672312c57ab1724f3339bbc5acc727
SHA512 0ed59a18735e566cc458b3c3dd27d07fa62d1ec55f67ea3e9f8779ac0ce7373da046ed4dc7b4420d33ec6e810b317f56317b8ba4861825221a2b4ed54cfc9f0e

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 15:33

Reported

2024-01-06 18:44

Platform

win10v2004-20231215-en

Max time kernel

71s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\793df85f287f06c4764a229b404e0a7f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\j1ywryR\\printfilterpipelinesvc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\f9B\osk.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\nHTTOPH\slui.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\TTcSUIg\printfilterpipelinesvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3560 wrote to memory of 872 N/A N/A C:\Windows\system32\slui.exe
PID 3560 wrote to memory of 872 N/A N/A C:\Windows\system32\slui.exe
PID 3560 wrote to memory of 1176 N/A N/A C:\Users\Admin\AppData\Local\nHTTOPH\slui.exe
PID 3560 wrote to memory of 1176 N/A N/A C:\Users\Admin\AppData\Local\nHTTOPH\slui.exe
PID 3560 wrote to memory of 3484 N/A N/A C:\Windows\system32\printfilterpipelinesvc.exe
PID 3560 wrote to memory of 3484 N/A N/A C:\Windows\system32\printfilterpipelinesvc.exe
PID 3560 wrote to memory of 3648 N/A N/A C:\Users\Admin\AppData\Local\TTcSUIg\printfilterpipelinesvc.exe
PID 3560 wrote to memory of 3648 N/A N/A C:\Users\Admin\AppData\Local\TTcSUIg\printfilterpipelinesvc.exe
PID 3560 wrote to memory of 2224 N/A N/A C:\Windows\system32\osk.exe
PID 3560 wrote to memory of 2224 N/A N/A C:\Windows\system32\osk.exe
PID 3560 wrote to memory of 4432 N/A N/A C:\Users\Admin\AppData\Local\f9B\osk.exe
PID 3560 wrote to memory of 4432 N/A N/A C:\Users\Admin\AppData\Local\f9B\osk.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\793df85f287f06c4764a229b404e0a7f.dll,#1

C:\Users\Admin\AppData\Local\nHTTOPH\slui.exe

C:\Users\Admin\AppData\Local\nHTTOPH\slui.exe

C:\Windows\system32\slui.exe

C:\Windows\system32\slui.exe

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Users\Admin\AppData\Local\TTcSUIg\printfilterpipelinesvc.exe

C:\Users\Admin\AppData\Local\TTcSUIg\printfilterpipelinesvc.exe

C:\Users\Admin\AppData\Local\f9B\osk.exe

C:\Users\Admin\AppData\Local\f9B\osk.exe

C:\Windows\system32\osk.exe

C:\Windows\system32\osk.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3992-0-0x000002397A610000-0x000002397A617000-memory.dmp

memory/3992-1-0x00007FFBDE320000-0x00007FFBDE3C5000-memory.dmp

memory/3560-4-0x00007FFBEB9FA000-0x00007FFBEB9FB000-memory.dmp

memory/3560-3-0x0000000007B10000-0x0000000007B11000-memory.dmp

memory/3560-7-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3560-8-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3560-9-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3560-10-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3560-11-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3560-6-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3560-12-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3560-15-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3560-24-0x00007FFBEC3F0000-0x00007FFBEC400000-memory.dmp

memory/3560-23-0x00007FFBEC400000-0x00007FFBEC410000-memory.dmp

memory/3560-22-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3560-33-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3560-14-0x0000000007AF0000-0x0000000007AF7000-memory.dmp

memory/3560-13-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3992-36-0x00007FFBDE320000-0x00007FFBDE3C5000-memory.dmp

memory/1176-45-0x0000028BAA850000-0x0000028BAA857000-memory.dmp

memory/1176-48-0x00007FFBDD720000-0x00007FFBDD7C6000-memory.dmp

memory/1176-43-0x00007FFBDD720000-0x00007FFBDD7C6000-memory.dmp

C:\Users\Admin\AppData\Local\nHTTOPH\WTSAPI32.dll

MD5 288d72978838193b8aa0ddeb45d163d6
SHA1 ff1b81e3e358aaed9b73e586a1bbb2b3d8ec8651
SHA256 ca50d1eb34df25fb899fe747c4ace4423c4da79bee82cdd5b813a6bb504a8f11
SHA512 de492cc2853fd977c2756ae8f4c30f2cd6060f50657070ac4cf99de9ae5711c0e12d6a392fd623fd5ff80c4d5daf69528bc74c9fc45dedd666dbc8648780ec22

C:\Users\Admin\AppData\Local\nHTTOPH\WTSAPI32.dll

MD5 3979dd404e02cd194f81b74f78d85245
SHA1 7c0d381c5104fbff83a33ca00f2c785c073de9a3
SHA256 dd495154b1cb39a729ae8907aca4eb63e67455c31ac72a80db6adfe823799743
SHA512 582f9bfef8a172bbd312db29d5decee9bfaa032e9d1889e267e99fde2769f6e4a1aed67d861ffac8e7dbf7a2dfb9c3ad4b1eb888a8f2ad584fe121820ba936d6

C:\Users\Admin\AppData\Local\nHTTOPH\slui.exe

MD5 89e3292a3338df70574e1a8415659204
SHA1 7233c59a227a40fe9ef6f74ea9b03d5545420dfd
SHA256 7ae0532fc112967677baaf64272ddaa467c9004c5d0d9980b82b43143bb16afc
SHA512 86b3224d7a0035d812266754c5977d698f5f1a538d0961afaa6edc20569d2de0a2b0d84889dc347bdefd65bdd8fb602673311c7889a12df10dfed24677d4097a

C:\Users\Admin\AppData\Local\TTcSUIg\XmlLite.dll

MD5 ce92fb27287b8d8da3b53825faebe282
SHA1 b0b3a97dcfecb6a25ad52cfca9a9f8708eaa3a76
SHA256 94a90a4eb25abcbbac0c023c3736473b5a29df02f1a702ca86d037b5ca244312
SHA512 27f0d045d02c93cc1ebc5e5ab22716fa48d02d00f02445b3e215c980e01ef1d688cbbd732924113fdb691ec076fefa0ee8f5124b4164544168397b6129a8f215

memory/3648-64-0x00007FFBDD720000-0x00007FFBDD7C6000-memory.dmp

C:\Users\Admin\AppData\Local\TTcSUIg\printfilterpipelinesvc.exe

MD5 e8c60c1cea5fe66669a567f2928da865
SHA1 130273dd1a9c632a10d9cee2864175361293f020
SHA256 3676a513ee82bafc02efd24f96178b6e9385947021fe46f0526f61acbd20b15d
SHA512 2f3ebcf552e41b0740bcfa9643461d0f866ac92132ccc6cbf900fdee8da189466ef17f7c2da039baed8713ec569c16d17e03465bca0b2a5e5e5378537d7210d3

memory/3648-61-0x000001FC35230000-0x000001FC35237000-memory.dmp

C:\Users\Admin\AppData\Local\TTcSUIg\printfilterpipelinesvc.exe

MD5 331a40eabaa5870e316b401bd81c4861
SHA1 ddff65771ca30142172c0d91d5bfff4eb1b12b73
SHA256 105099819555ed87ef3dab70a2eaf2cb61076f453266cec57ffccb8f4c00df88
SHA512 29992dbf10f327d77865af5e6ebbe66b937a5b4ad04c68cafbf4e6adbd6c6532c8a82ac7e638d97c1f053353a7c8a6d7e379f389af15443c94a1e8f9b16be5f8

C:\Users\Admin\AppData\Local\f9B\WINMM.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4432-75-0x00007FFBDD610000-0x00007FFBDD6B7000-memory.dmp

memory/4432-80-0x00007FFBDD610000-0x00007FFBDD6B7000-memory.dmp

memory/4432-77-0x000001FC5E3E0000-0x000001FC5E3E7000-memory.dmp

C:\Users\Admin\AppData\Local\f9B\WINMM.dll

MD5 0a6c9d0583ea2a2bbe2d8df974e13d3d
SHA1 dd0d9b7ed6b8e833e3c0317402f82d0fe21fffee
SHA256 a0a852c7d1fcd00cc2710d09f1f5afaf51efa5a69f1795faacb9c805b367abc3
SHA512 da22a9c5fa741242855fbd582b2dd091908f82fcd2ef885b2cad3c00f0d0dabcd3c468e2ad2479d13c89de53bf13280e988e396fbc9482af115e53c339d3b975

C:\Users\Admin\AppData\Local\f9B\osk.exe

MD5 c6a35c5c01187c39859b84e884de47ef
SHA1 6fef730762b70ea398eb7ff5358690fb94f73bd8
SHA256 a0c4f535e7cda3451e3639fb2c3b4b586dcb686f67f03475619d22fd38c7f7bc
SHA512 dbf7d088d8aa52e5a459d37f1ccccdd00e31b7bd1b15806681e79cad3c11e7b66fbe339dec9c0ab6fb1c111bc58213413ebc8b8f093f90f2e1e971e0fded8127

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iydemppuyghrhln.lnk

MD5 df07bad1a5f4389192fc09ee163b160e
SHA1 b619c2ff5ceafeb9402c3dc369d43b63c866fd41
SHA256 0ab1123bcfa5a76d20a3eca57d1cd7911d0fa66800e87931f93247809468103f
SHA512 2c48b6c47de94ac4a023d10a8ee1e826dfdb38e121596303150a67bea66e1a8d282de4382b2f11a07efa6a66c3a5548908c0f6d2eab19bbd08ebab875391c361

C:\Users\Admin\AppData\Roaming\Sun\4xsoJ4o\WTSAPI32.dll

MD5 bca074a7366a91b631507914afcac0c1
SHA1 d15420166ea0070adb76b254deac7e50188b12a3
SHA256 0e11ca1228cbc474d5f0fd149fd3615d7caeadc4421cd478bb281716958e5a72
SHA512 ff9c141437aa1cd6a7176b2943ae1a134be32d5711eb03aee64cad8650b013c0c54895b4de3cb1229fa8bf2b940caac2fabca9e90d99c86075dc57adaecc5094

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\j1ywryR\XmlLite.dll

MD5 4ce79158c633aedd6b20602785fd9efc
SHA1 fe7c1477b9654d12a1d1f4575604a5471f5812e6
SHA256 9c2ea2e54f50a4c3cc08d6d6ddb864e61290b0d8cfd7753d79ce5907dbbcf5a4
SHA512 28b2e6e042cb83a1e472dece258689f840eee9ae23648ca6954f819953824cb4c7220bb1a9cfaaec862f8e8cb1ecd14687a063d4f96356c5e8565a6c7cd9e184

C:\Users\Admin\AppData\Roaming\Sun\VML6Xp\WINMM.dll

MD5 6e81fa44ba1b79c29a1f1e2e6af6faaf
SHA1 993d4e84074a54b99a356eb3224eceb7e0b7e0f6
SHA256 5f96961bd625f1511372ddb3b20380f3d9085fe9765d088b10c730ace5ee01e6
SHA512 ebd94dce5c34630905ed744e7b75af2c1d934241e86717069f5b66e900906082b500f5cb494e60d5126785c569db2475e7a7732846f3b0dd1dde024643783c25