Malware Analysis Report

2024-11-30 21:28

Sample ID 231227-xgvwwscfg2
Target b58179d2876272ed58a6e2d6c328be3c
SHA256 548a21178bd299e07a0b0bb0957decd17f937a37b8fe4fbc8125e360bb1f0679
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

548a21178bd299e07a0b0bb0957decd17f937a37b8fe4fbc8125e360bb1f0679

Threat Level: Known bad

The file b58179d2876272ed58a6e2d6c328be3c was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex payload

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-27 18:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-27 18:49

Reported

2024-01-07 23:35

Platform

win7-20231215-en

Max time kernel

150s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b58179d2876272ed58a6e2d6c328be3c.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A (11 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\F8IsRm\PresentationSettings.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Laukhy\BdeUISrv.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\PqYd\perfmon.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\45YHBUST\\KY2v5gP7\\BdeUISrv.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\F8IsRm\PresentationSettings.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Laukhy\BdeUISrv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\PqYd\perfmon.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (3 identical rows)
N/A N/A N/A N/A (61 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2644 N/A N/A C:\Windows\system32\PresentationSettings.exe (3 identical rows)
PID 1200 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\F8IsRm\PresentationSettings.exe (3 identical rows)
PID 1200 wrote to memory of 1856 N/A N/A C:\Windows\system32\BdeUISrv.exe (3 identical rows)
PID 1200 wrote to memory of 1952 N/A N/A C:\Users\Admin\AppData\Local\Laukhy\BdeUISrv.exe (3 identical rows)
PID 1200 wrote to memory of 2232 N/A N/A C:\Windows\system32\perfmon.exe (3 identical rows)
PID 1200 wrote to memory of 520 N/A N/A C:\Users\Admin\AppData\Local\PqYd\perfmon.exe (3 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b58179d2876272ed58a6e2d6c328be3c.dll,#1

C:\Windows\system32\PresentationSettings.exe

C:\Windows\system32\PresentationSettings.exe

C:\Users\Admin\AppData\Local\F8IsRm\PresentationSettings.exe

C:\Users\Admin\AppData\Local\F8IsRm\PresentationSettings.exe

C:\Windows\system32\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

C:\Users\Admin\AppData\Local\Laukhy\BdeUISrv.exe

C:\Users\Admin\AppData\Local\Laukhy\BdeUISrv.exe

C:\Windows\system32\perfmon.exe

C:\Windows\system32\perfmon.exe

C:\Users\Admin\AppData\Local\PqYd\perfmon.exe

C:\Users\Admin\AppData\Local\PqYd\perfmon.exe

Network

N/A

Files

\Users\Admin\AppData\Local\F8IsRm\PresentationSettings.exe

MD5 a6f8d318f6041334889481b472000081
SHA1 b8cf08ec17b30c8811f2514246fcdff62731dd58
SHA256 208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258
SHA512 60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

C:\Users\Admin\AppData\Local\F8IsRm\WINMM.dll

MD5 a374e0baaca309a272187b1400752737
SHA1 c6af97f19bd235da2a4687907b3d7290082dd4e4
SHA256 98fa73c46d415b5f63ed46630c1a47a8f918a2538f1f31cc3f0207838ae1678d
SHA512 de743446e77d49bda748f4c846f5a66febe351c1b9df7a8d75f1db641ab57b9326416a2cfb99f2efcbb138ca29f2ba2a26c355353112a0fdfcf069bda4ebfa2c

C:\Users\Admin\AppData\Local\Laukhy\WTSAPI32.dll

MD5 dfddf26ff8e86172b44a65e13d2421f3
SHA1 5af5799c2477fe59e555a401868aea3a779cac45
SHA256 472fa1ea4f9b2c9761eeb1cb33d5bd830cb96121d46e4d405598cdeb19291ee2
SHA512 c73a9d6904fc2f5232f9ea0a582618b8e324293ba081d3e647a594079e95d25afab7928840b19e246c78eb88a5bc5debd2ab5f858a3dd25abc0156010a637d91

C:\Users\Admin\AppData\Local\Laukhy\BdeUISrv.exe

MD5 1da6b19be5d4949c868a264bc5e74206
SHA1 d5ee86ba03a03ef8c93d93accafe40461084c839
SHA256 00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c
SHA512 9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

C:\Users\Admin\AppData\Local\PqYd\credui.dll

MD5 b5b53f6f2e83da449e738f5e0a14b2a6
SHA1 0b86737b7749aa16acee4ab28388e9714aa4a26b
SHA256 ba46c1dcd22547b0ee95709baf3ee666702667e42fd88802ee9ac7000efb77e6
SHA512 818687946db791d6ab688d92940333fc57f019efce6bf563607f7ce47edb40843ee19386f03ee421079bc3682bfa4307b4a680d73f74cd8561a6775e7cb657ba

C:\Users\Admin\AppData\Local\PqYd\perfmon.exe

MD5 809ff2ed63658306c9c6bc35035fabf0
SHA1 a330408bd60698806af0b2bde6fbc68c7254ea98
SHA256 d6d1bed58178bd0c84f7ff41f24dc3ee42e02f4b0c00df0dd10ef1eff909d2d3
SHA512 bbd02279bc55185913948f02c13e3d6403e858a36a614e55d0163926783de7847a5fae212d452716cf4cd2b859dee8cfe8987c2f239b358b34dc2f1dc0ef4d43

\Users\Admin\AppData\Local\PqYd\perfmon.exe

MD5 3eb98cff1c242167df5fdbc6441ce3c5
SHA1 730b27a1c92e8df1e60db5a6fc69ea1b24f68a69
SHA256 6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081
SHA512 f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

MD5 0e3eaa63cc756a9437a6ca1e3369081f
SHA1 5021607dc7f31276cc450bcb088eba682dfb497e
SHA256 afdf49d671203de0bd4a62261e52886db6ff62b7e35269bb3a50b114747d6040
SHA512 3ca59f82eae75310f7bd349d0b52b69b5a5f8ee2b970e7b410322ced5616b51b7254932dc71cc8cd407a8525efd47c8de7a808369d3362ebae1735dd1919174e

C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\NdxIX\credui.dll

MD5 10c036a17a79a1cb4e7b2e70f4d055e3
SHA1 bc6d1de5d1596ddf06529e2419759d92bfb96705
SHA256 e4c401d68c4d800c9e3892fdbf1e7149ffbfe9aa88720e2d86f0c016cf575e98
SHA512 ffdd7a611f117781faa6974725523adef4797a01d01bb45ebd10c99d98ae2d00106c6a21822e645c95cce61728db71186b921a0396d5ef18be751bc2b8be2aac

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-27 18:49

Reported

2024-01-07 23:35

Platform

win10v2004-20231215-en

Max time kernel

101s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b58179d2876272ed58a6e2d6c328be3c.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A (10 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\0REF\\PresentationHost.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\wbLN30r\wextract.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3KZi\mblctr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\aNh\PresentationHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (4 identical rows)
N/A N/A N/A N/A (60 identical rows)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3468 wrote to memory of 4920 N/A N/A C:\Windows\system32\mblctr.exe (2 identical rows)
PID 3468 wrote to memory of 4704 N/A N/A C:\Users\Admin\AppData\Local\3KZi\mblctr.exe (2 identical rows)
PID 3468 wrote to memory of 3028 N/A N/A C:\Windows\system32\PresentationHost.exe (2 identical rows)
PID 3468 wrote to memory of 2316 N/A N/A C:\Users\Admin\AppData\Local\aNh\PresentationHost.exe (2 identical rows)
PID 3468 wrote to memory of 2608 N/A N/A C:\Windows\system32\wextract.exe (2 identical rows)
PID 3468 wrote to memory of 1104 N/A N/A C:\Users\Admin\AppData\Local\wbLN30r\wextract.exe (2 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b58179d2876272ed58a6e2d6c328be3c.dll,#1

C:\Windows\system32\mblctr.exe

C:\Windows\system32\mblctr.exe

C:\Users\Admin\AppData\Local\3KZi\mblctr.exe

C:\Users\Admin\AppData\Local\3KZi\mblctr.exe

C:\Windows\system32\PresentationHost.exe

C:\Windows\system32\PresentationHost.exe

C:\Users\Admin\AppData\Local\aNh\PresentationHost.exe

C:\Users\Admin\AppData\Local\aNh\PresentationHost.exe

C:\Users\Admin\AppData\Local\wbLN30r\wextract.exe

C:\Users\Admin\AppData\Local\wbLN30r\wextract.exe

C:\Windows\system32\wextract.exe

C:\Windows\system32\wextract.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\3KZi\WTSAPI32.dll

MD5 0738e97e5fdd3f52f01f229f0379dd8e
SHA1 1a05409d78f9fc065f04cbb5cf764dc7ce222dbd
SHA256 87619ee091b9652b71808b868fe105912906d543c1938663977572be8a8f6147
SHA512 b0896c6d52e1f86882996da9079cff314d8ee0e9052c3e764ed474cc5ce3b7531a8e2168f735b7f91edc6b3c078a75f519d54c2819fb54bfe63bb38ba3e92ad6

C:\Users\Admin\AppData\Local\3KZi\mblctr.exe

MD5 930d596101ee9f3b87abbdd29989121b
SHA1 b21eb401096a17015bee376be70e7af3547c88b4
SHA256 dbccf058c36d469f27717ed6c490057b90af0526757a38178c05a6783e07d85b
SHA512 1acb6a7c1d68d3daccb24ee50d9c34dec8914efb5aa3b32ffa1f80b150a1989aa04fbd559d6d5ded550729bccc2fda5f448d4a2d3e16eeec49d71d6c6cc88626

C:\Users\Admin\AppData\Local\3KZi\mblctr.exe

MD5 d3db14eabb2679e08020bcd0c96fa9f6
SHA1 578dca7aad29409634064579d269e61e1f07d9dd
SHA256 3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69
SHA512 14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

C:\Users\Admin\AppData\Local\aNh\PresentationHost.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\aNh\VERSION.dll

MD5 cb5bbe533697edaca80675751b8283b8
SHA1 e37a118b1b692e1a56723af5d8b33aca0cd8761f
SHA256 647aa7cd4068fb6d0786cd71b89ba0e92f3263cdc4f0e394c7610d9b93ca93cd
SHA512 ebeaf5d5541ddb11fb4831895f86a49102b34a122a52742dcf553bc6722bf7dfb2b2250b7c9e4b090a30d78204fb7eadbb4fc767df9b4c3e320ddf687026f14b

C:\Users\Admin\AppData\Local\aNh\PresentationHost.exe

MD5 ef27d65b92d89e8175e6751a57ed9d93
SHA1 7279b58e711b459434f047e9098f9131391c3778
SHA256 17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48
SHA512 40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

C:\Users\Admin\AppData\Local\wbLN30r\VERSION.dll

MD5 5499d2e8b8b677284a84b7c650f3b355
SHA1 300d90216f159ba7a21e4161021c38d5b0239cd5
SHA256 bea30891e6571a34add780e6eaa6f400b6dbfbc4734bcded6ce87874f1c595ea
SHA512 be441ee78eb6409277a6c70546750a8de7cf80f9e928b188d1d8f2b2578490e07cffb7d99d57bc14dd0dfa96ec28f017a17badce69d56544e9038ac3c975bf83

C:\Users\Admin\AppData\Local\wbLN30r\wextract.exe

MD5 56e501e3e49cfde55eb1caabe6913e45
SHA1 ab2399cbf17dbee7b302bea49e40d4cee7caea76
SHA256 fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0
SHA512 2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\0REF\VERSION.dll

MD5 2790ec15f43b14fbe11f5492ef72e9d4
SHA1 b0c1b94e92c8947acd954150715cad1d1e06356e
SHA256 4bc1f59f68f8d66883897327c21b60ced5c611f16ab74025082f6c52437e9bcf
SHA512 e2ae259f51bdf42831382f09f1500f9beca8a257ea0dc011cee42d87c9a21caab466358666ff12cae16ccb01d8f7203d3f7f46bfc94f23a64d5c74787f5a3386

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

MD5 d9483de389c6fa9750b2ac23d506666c
SHA1 823815134f80b386251eeecfe63c5b999699d03b
SHA256 133d72ed7c2c2f7cbc99a49ec320396db39fec4f0a73a839b14a4678f4b8a722
SHA512 79f76353e19c08b889062811bfb4eafc7c2dc4e90d0446403f24d48a88a0355528a0481ded9250cef851472b1148fbb54e8e902a0f8ca9c517935ca5410d02fc