Malware Analysis Report

2024-11-30 21:47

Sample ID 231231-bnfjwscgcl
Target 22b200fd33138460f6e97a83894c11e4
SHA256 bdfe1c709973c63c6529bbf3acc2dca09aeba233611b1a3e58cbc337dd7f0e77
Tags
dridex botnet evasion payload trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 22b200fd33138460f6e97a83894c11e4 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan

Dridex

Dridex Shellcode

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 01:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 01:17

Reported

2024-01-01 18:15

Platform

win7-20231215-en

Max time kernel

8s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\22b200fd33138460f6e97a83894c11e4.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\22b200fd33138460f6e97a83894c11e4.dll,#1

C:\Windows\system32\osk.exe

C:\Windows\system32\osk.exe

C:\Users\Admin\AppData\Local\4T4A\osk.exe

C:\Users\Admin\AppData\Local\4T4A\osk.exe

C:\Windows\system32\xpsrchvw.exe

C:\Windows\system32\xpsrchvw.exe

C:\Users\Admin\AppData\Local\VJj8S3Ok\xpsrchvw.exe

C:\Users\Admin\AppData\Local\VJj8S3Ok\xpsrchvw.exe

C:\Windows\system32\p2phost.exe

C:\Windows\system32\p2phost.exe

C:\Users\Admin\AppData\Local\l5VHKow9\p2phost.exe

C:\Users\Admin\AppData\Local\l5VHKow9\p2phost.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\4T4A\osk.exe

MD5 cbbaf202fbf1b2933fe2e757e4999acb
SHA1 e8bf1f6ee44a5e344e3707b48001b7583f5b0e75
SHA256 89bf6ace53974e3a014dac5105d88c0723e7ccab24acf7bd148cd182fc73a97b
SHA512 b30b1c5849f60f9d17e1e4ed7c341ba4b7a83ddca8720bd7cc7baa1fa6daf77d09ed68c938eac070170cd1b57d95f3813c5a374d4f66d647c7e54415609ac125

C:\Users\Admin\AppData\Local\4T4A\WMsgAPI.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\4T4A\osk.exe

MD5 f7e568949ac4a72e9d0b038617c8035f
SHA1 f9bc41107838fc40dadf10f01388825c24fda806
SHA256 d90121bc7dbc21669ee872b2758620e323c99fc566ae65aaa4264379cd532bf6
SHA512 4cea4950f15b00130bc70f0221711253897a63285fdc48cbc1b030dffa988e481b0642b04ff75e284908dbdfcdac2f51ea14e9b396c3ebff1d9e749186b7401c

\Users\Admin\AppData\Local\4T4A\WMsgAPI.dll

MD5 fa20d775b9d6aa59fb52cbaabbc1f43a
SHA1 72246446728adc113dc0eaff14b307bd3c163296
SHA256 c6b583f10dd4d0e9bfa3a1cc8845d5275af2fcab26f99397cdea8924f6969679
SHA512 4482042cce08fdc6d7c6c94a23bfe719e69a16f0d5fa3302ddeae9b7f30eb9093254a92b3cb0bfd3fb350b3cc6df14527279168e7a9251d0afd050d9d5c78f23

memory/1532-107-0x0000000000100000-0x0000000000107000-memory.dmp

C:\Users\Admin\AppData\Local\4T4A\osk.exe

MD5 1648421a1a4c2d08d2096de85c7f1d8a
SHA1 47b71bafe3f54aa163f87cb40d290bb88d2fd0d4
SHA256 4cb1a0e1e84b152736b4f5791b296f6526b85e93fdec473e8f63a2dc3f31d097
SHA512 46945dabe49543d2673f417a3dee868a62b7479e1073d80f58fbacf0d5f8ad237973b191350a2b59171d2120f54439d8883bbcf2fdda2d29b6045d9a09e77b1c

\Users\Admin\AppData\Local\VJj8S3Ok\xpsrchvw.exe

MD5 083367dd86f7a27e42e6be0946ea9473
SHA1 361c55205d32c43fcb58b68128cc56d60ec387f7
SHA256 cc0f3d91931d77961c5c11a0e4a6a00634ac37ae1cdae6b90e1432d92a2147b0
SHA512 84801ab539891588154debb83e4e2c7100c0fdb283b4d136e5e7d8f09c0e0d77ce7eb64612e78677611af673ec9dc460ab47ddd644bbb62ab1ea71b9141ab915

C:\Users\Admin\AppData\Local\VJj8S3Ok\WINMM.dll

MD5 4ef8ef8f41871a9c0489b003e72b124a
SHA1 fcd51a2d15366c64c0d9767de0870c2d7a6a8661
SHA256 2e23baeb51d62aa8e7aa02153666e010a8b5faae1c095d063b711df82d484f94
SHA512 ae7e535114fad7936ef54674e26ede56a33af59cffe86452c3caa22c8fc5c8f73be15f4788b1948564d187ea78b8e16ac7f018b74b0d2b5ce25e64945cca2804

\Users\Admin\AppData\Local\VJj8S3Ok\WINMM.dll

MD5 f01ab61fe1631276d828bc947dafce40
SHA1 ecf463b5fafac9d42f8366c0fc3713a55a8f1e95
SHA256 7f329604c41bfaa95725a6a429ab08930cda336ba20b6f0c590999c30d9deeb9
SHA512 69836f9208eb449c06f8d90b2ed45adcd52f3a23065d7af8f39559c4442273fe7ec7513a4620a9963c6f1c066cfe26d54b0ed3763fd2654a03cfcadb7cbef25c

memory/1372-131-0x0000000001B50000-0x0000000001B57000-memory.dmp

C:\Users\Admin\AppData\Local\VJj8S3Ok\xpsrchvw.exe

MD5 01590e08d0ef7645601146b6ada7217d
SHA1 31c154626a6df8b177eb1d7e4849f25e7bbd7fdc
SHA256 1815c24f0e545e0cd9d9c2d23a6cd00ba7fd87c08472911747ebfd89a6576458
SHA512 4367d2028cce8d59c6ba8c2df6045a0d0c3b7b889a7749e55b9be36346742316d90951552f316187ff64a43985ffb86a25d3b304faa60c918c9c75a1a3579c98

C:\Users\Admin\AppData\Local\VJj8S3Ok\xpsrchvw.exe

MD5 e8d7434c7be81f2df6ca6026f642ed0b
SHA1 223078014ba5dc170e7c2133ca796e8b02f3fd07
SHA256 9eca0ea757c17b5f8cfc2e29cefce881f20b75c0e95a6576c5c60fbce0e0fc6e
SHA512 e48eb42cd2710dd64afd41e9f79af91b69acf3214a5da88ffa00ae4217e126f18ebf291c5c42b347c688ae640e6c85c9c084e7ed8d91ee501227aa3ded7ae831

\Users\Admin\AppData\Local\l5VHKow9\p2phost.exe

MD5 9bcca34518fcf378338ffb192c5a0e34
SHA1 6520196e53c1767518000e3c37e1f155062ddff3
SHA256 ccb852783cf1b97379cf177ee793b5e98ebae73ab3959cd4736f5e18e0e5f249
SHA512 0a4ed7866072565cd1b82d37481bcf3dab9dfbedc752b0656ac76ca1fd23d93205de8615e4945551f84b8bc2e957d3e9a185b68524221b7fbe2014eda5368d9f

\Users\Admin\AppData\Local\l5VHKow9\P2PCOLLAB.dll

MD5 1e6ad5a8ec9f7dcc813e568b70ac1d4a
SHA1 4b1b3d42339d0c1a49a5ee4d09a2b1b15d5bcba8
SHA256 ecf522380401e54cd4a6c3e07f6ca880cb0be3f456fd24ecfe562d59e2671dab
SHA512 2bf79ed62ce196b4f367edbf08c01515629c293a3fc2471ea604e5426af3cf9b283fdd9674f0c4910418b51e11b9c58beb99a3e49872d91e5ca1ac54fd099ba9

C:\Users\Admin\AppData\Local\l5VHKow9\P2PCOLLAB.dll

MD5 74c57350e39baee3e31975149f6f392b
SHA1 0f613c8d4d620633a14e02a9651214430272c490
SHA256 5475d5828245c71a61f066e627dfd92c0193259b0de8193389b2d4b8d2f97516
SHA512 e582be9cc44a0c3af3c91544223d19cc09a272ff58bea49724b931a01818d27343bd2cbd577f34f9c7b0e021b5952d1d861b717ffd7ddc5508437df0445195ba

C:\Users\Admin\AppData\Local\l5VHKow9\p2phost.exe

MD5 318ecc4995f322b1154dc5bb790ed8d9
SHA1 a0b825952e82786ed314784d41e75f7da2f74abd
SHA256 8ed7e0f1616f41820f34a9228eb3c6ea7f49fa06a2b86de23213300fb9ad3185
SHA512 ebe58d7fb6dd969c0a25092b15d5cd33a805f3b046da43652a49bec14501bf54e7d90f6106e76398e3631e383676a8712e7d841cd7ebf681ed762ebdf04c07d1

C:\Users\Admin\AppData\Local\l5VHKow9\p2phost.exe

MD5 01ef80a59cc4b9a0a832469b2304e593
SHA1 ef06440cc44a2dbf6dc1dcd7acd37b9a67ebd9a0
SHA256 26f9ab76ea736ca7a3ed432163017f094b7fe35d99fb9bb1f42e512f4df2469b
SHA512 ac7ff2ae296104c8c582536bbaf8c6b8a0261e8eb999db6512a235d3bbb05f20d244002c7ed7ea9e8611222226a7eb627b5269796e72df6c9be86557d7eb5356

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\ZFwWO7XPcRQ\p2phost.exe

MD5 4eb43925fe1fb3e943aca3fef86b00c6
SHA1 df0e96f4666a62e44f4eb2e410ece5ff63334068
SHA256 0643e75d4d44971d5d54c3680140f2b0415e984f1869151f46d158f73ff188bd
SHA512 7fc5c59c62bf08547884695f7aef21aa43082120fc9ebe4c12d96e795db1dc492dbce878057e8293cb338be5a0bf0a5fb739493d28db10e096f4be4d1a072872

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

MD5 110afdbd8c5ab606766e4a4d645a0860
SHA1 c01309af115d3d0e2fe87844187f37db12a04151
SHA256 749b23228f695ea20ad06f92d2cbac545ded06167ad9c1dbc5e154b178403f09
SHA512 173ce0d0e95776358a4ae678a59159787b0930523de480928443925e0395a4cc752f98148d1fa024c655364c61550e4535ee8f72b25756966a7ba48add496618

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\3joFc\WMsgAPI.dll

MD5 9dcdcd19ddf38f7400b7beb3b2560e20
SHA1 2129d0d24d56d41f6d19737e806f1716ae9c3a5e
SHA256 c2836d93de108ec19e26112468f7c3ea580679c56139502279ea56d4c5e3f4ba
SHA512 f8acb1261cd56d92b44b49b53271c8d8472f0959e43c02dbcf7b2cf7acd05a8f929205e0014d3705c29f44a00ae04b6ce0e515c0999988681ab9903f9c71332d

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\kEbejuc\WINMM.dll

MD5 d6adbba17ac8e2df96e0267ab12dc007
SHA1 b800f8cd7a5b10b9af5c052e38b42ba5ad7aa4c4
SHA256 018999f71f723041e226b976048a3ad6770965fe0a6e370af61446f013c19ca0
SHA512 9b7b54304df92465a4a09173c4c07b3b4a5d7a79b1fb90377e5f14f7003debe2061a3da5cd63901a0a9adce683449635ad92c249f2d0cc12e5aeb66fe3f724a2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\ZFwWO7XPcRQ\P2PCOLLAB.dll

MD5 0075a860458385fe2d4a731aa362b518
SHA1 06e7cdc3d4e35234212cac5a391c461271bf0f4e
SHA256 32de26a2f976310dc63670cb374f5d7eca17e489bce0293e4439320abf3271cf
SHA512 9639ba33f3b3ec7dc1610b460cb1b740a12a9e5a45c49090c3979dc7f38a798a912b72853b8569134bfcb965bba08a481b1198c0291dc7cbce2256282360f25c

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 01:17

Reported

2024-01-01 18:15

Platform

win10v2004-20231215-en

Max time kernel

26s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\22b200fd33138460f6e97a83894c11e4.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\22b200fd33138460f6e97a83894c11e4.dll,#1

C:\Windows\system32\Magnify.exe

C:\Windows\system32\Magnify.exe

C:\Users\Admin\AppData\Local\FsZCMH\Magnify.exe

C:\Users\Admin\AppData\Local\FsZCMH\Magnify.exe

C:\Windows\system32\MusNotificationUx.exe

C:\Windows\system32\MusNotificationUx.exe

C:\Users\Admin\AppData\Local\DhcG3Ad\MusNotificationUx.exe

C:\Users\Admin\AppData\Local\DhcG3Ad\MusNotificationUx.exe

C:\Windows\system32\Narrator.exe

C:\Windows\system32\Narrator.exe

C:\Windows\system32\sigverif.exe

C:\Windows\system32\sigverif.exe

C:\Users\Admin\AppData\Local\SsILNfZ\Narrator.exe

C:\Users\Admin\AppData\Local\SsILNfZ\Narrator.exe

C:\Users\Admin\AppData\Local\q3Z6GedT\sigverif.exe

C:\Users\Admin\AppData\Local\q3Z6GedT\sigverif.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 53.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 183.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 56.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 55.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\FsZCMH\OLEACC.dll

MD5 156da998bd801189b83966f192719696
SHA1 ab357c84e45410c1e32d47a3204af13b81006cc0
SHA256 cdccf2e3735397bed3a174a3b3226af8b7d0cba94ec7df88467689c87f2e6ec2
SHA512 8f767acfb6ec6295a85e0e14c09c1054b6a7f5470a54844a22f93bf1eed8dd9bee30deb12d84bc35b9e66fb67666c79cf71b69b2e29ed64cf32bfae37f4e51fd

memory/996-100-0x000001EA98200000-0x000001EA98207000-memory.dmp

C:\Users\Admin\AppData\Local\FsZCMH\OLEACC.dll

MD5 56ea2f9fca2be0c99022ec2a83ab604e
SHA1 2134f9c3ad7d2b1fcfb20d8ce12342a73c9f1801
SHA256 d7bf51e71e721abfcb408dfba5b5eee2d11a790ccbfe495aaef9449a0d1454dc
SHA512 f276a175302702e02cbf9c2f535c63d3034db68994cee02bc2327aef7793e1e618da376ae9dca25398f4d3b403378e5eb73225e7cc501ee2bc247cc6196509a3

C:\Users\Admin\AppData\Local\FsZCMH\Magnify.exe

MD5 ac5117faa36caa3f71dd0574b117477a
SHA1 85fab77fe234788d706239693b446fbe44d3b9a2
SHA256 3798d9a19f82173b0e9e0b45ad059e7a17e03c7240c126e84cb0d1609a4375c9
SHA512 69e24ad2bf03564d3b279ea213cf8893870303600c78f822ff538867abdea9c76805759505b030a6f6f81fd53354ca2d35e916ab1523a9b6698526b19a9d8fe4

C:\Users\Admin\AppData\Local\FsZCMH\Magnify.exe

MD5 f018299c386965c0192b369421f9b877
SHA1 9d58ef48bb04c913d4c64d69324e9589285f5762
SHA256 d0e5efc4b69e8efac61f59b975d58f4a72537663129b17846bb7d0c6d090203a
SHA512 1780df6c704ab3c0950efe9d78461020d8ef0d39ad799c0b2f3c090c0c0d8f573599ac30d4c70c2e19c3efe9f18b64b65b525bf83b8fc8cf4548b4c144a9888c

C:\Users\Admin\AppData\Local\DhcG3Ad\XmlLite.dll

MD5 a8e1cb6c7660874c181f733f3fcea15a
SHA1 374c60fca282e1f7f3be3a7467c3c3d274648657
SHA256 35fc667efbfa837fe95778a41dd99b25bafdb94dfddd6ad2e62061bb4caa6bd7
SHA512 4f2cfa36f94029b609abf34e6dd546da5103fbaaaf9481533bbe935cb9607fe069b1f86bff8c7de5707955308ecae1f40f4ab88874cb275334ee207045c407db

C:\Users\Admin\AppData\Local\DhcG3Ad\XmlLite.dll

MD5 381dea19d8b14bf7681496dbfdb2fec6
SHA1 b333f2e31c987016bc50c653fa4376fa753f6368
SHA256 43d2db46a8010d46eea13755f3df902d55208709ffe308897753a596b5d1d25b
SHA512 83de8db6d8686b6848f117dcaf18a776c8fd8973684ad911fee63e4363d93b1c2802e0f784f15b4e9b51fdee1e2ae47c9e1b76bab728ae12aab68738aea4925e

memory/4452-117-0x000001DEF2B10000-0x000001DEF2B17000-memory.dmp

C:\Users\Admin\AppData\Local\DhcG3Ad\MusNotificationUx.exe

MD5 5879a4eb696bf53dc80732fc19b9a436
SHA1 b926eeb81bdefffe10f3d2a230cabda076452366
SHA256 b1cce1df3febb185d54029e570adf7d78062fce936679a5a7b6eff60e966b6f7
SHA512 bf30880dc5ae4d9743469519140fcd9ab1ebb5e3cb3b0915bf5fd0b08ebf7d9e8b74926d4307278641aa61afee75405cf46db4dd68a1c22b44149cc4c864af09

C:\Users\Admin\AppData\Local\DhcG3Ad\MusNotificationUx.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2360-142-0x000001D8458B0000-0x000001D8458B7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

MD5 f8a8b1b5c6ea00a106bf588a59477d70
SHA1 76f9bd72cdb460f67ddc67271f80eb5456a8cc39
SHA256 654b39a77d153254cbbe28857359a9973b40d5f49a68678f846b14f9e3c35579
SHA512 c6ac8a147461c1077d5626babb34f881428fd022d8803a75c894add332463a177249fe9bdc7789e2e9f0680d54deaee42cb5ccf691b565b6303747a6ce16cdc6

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-983843758-932321429-1636175382-1000\3c08\OLEACC.dll

MD5 f40010eaf18fc13cf6649cad8b0d2a86
SHA1 2e8a55d244db710e8962cdc2667071bdd11dd4ef
SHA256 069520011e5df3413e362e70da6025308fcff7e5944bf451be63f5727e46a338
SHA512 39a08c53b775c28fe0be4abb70803a544b823da218a79c6b6cf365256d00951468f4b488985e166f0da2f6e04e7781c296834649fee5e3d8b71d256255f102a0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1rBGiGpaWL\XmlLite.dll

MD5 4156d18954b383a6dfbc7a56ab554375
SHA1 2643586fb75b633bfbfb7bcecd0f460d3e4b7e08
SHA256 634c0b9d1a06191e6e1341c395e39f5aa6365552b781cb1705be127f607ab7c1
SHA512 eb528164b80b598cf33271ab0ac34dacf62d56cfee208280689b078b98814de26eb90dabfdbf57d907303edf431953bd7a85f313131422a8a99dfce29111f473

C:\Users\Admin\AppData\Roaming\Mozilla\LUeieo\VERSION.dll

MD5 6a56f61a140bddaf228da5228944ac4b
SHA1 6f0c3a6689794c702451e43eb94b5798e9b4fa77
SHA256 81c9d846c474580e050c05b335981bb9d00f9fa7b7de63c5a973af90a1a760e8
SHA512 e9a74d4f6db963d960b8b16b86903728f8fede3d069bc45927020afd54f924dfb8ee4e290f80be7b2f7b0a5bf29834c88a789620a04cba6abd88ba0d2c009b54