Malware Analysis Report

2024-11-30 21:29

Sample ID 240101-yppkhsbeh2
Target 22fcf9040c27944c1d46cdcd9998ea24.exe
SHA256 d0716107ad0161ef0ad0627f82753053e722ed2ecff1498cad509ce16459069d
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d0716107ad0161ef0ad0627f82753053e722ed2ecff1498cad509ce16459069d

Threat Level: Known bad

The file 22fcf9040c27944c1d46cdcd9998ea24.exe was classified as known bad (Dridex, score 10/10). Despite the .exe name the sandbox ran it as a DLL (regsvr32 /s ...\22fcf9040c27944c1d46cdcd9998ea24.dll), and the static pass recorded only that the PE is unsigned; everything else below comes from the two detonations.

In both runs the sample's image at 0x140000000-0x140209000 is dumped first from one process (PID 1280 on Windows 7, PID 2188 on Windows 10) and then from a second (PID 1228, PID 3316), and that second process performs every WriteProcessMemory call and starts the child processes. It writes executables named after Windows system binaries into randomly named folders under AppData\Local (Windows 7: slui.exe, mfpmp.exe, Netplwiz.exe; Windows 10: wextract.exe, DmNotificationBroker.exe, MusNotificationUx.exe), places a DLL named after a library that binary loads beside each one (WINBRAND.dll, MFPlat.DLL, NETPLWIZ.dll; VERSION.dll, DUI70.dll, XmlLite.dll), and starts the System32 original followed by the copy. The "Loads dropped DLL" rows show each copy loading the DLL next to it. That is DLL search-order hijacking (side-loading): an executable run from a user-writable folder resolves the planted DLL before the one in System32, so the payload runs under a Microsoft file name.

Persistence is set three ways: a Run value under HKCU (Zqonzshwxyr, Hcbfaqn) whose target uses 8.3 short names and points at a further copy under AppData\Roaming\Adobe\FLASHP~1\...; a shortcut in the user's Startup folder (Ercyejwqgvsruoy.lnk, Gvhynkxuzozqjys.lnk); and a scheduled task created through the Task Scheduler COM API, for which the report records no task details. Each copied executable queries EnableLUA to learn whether UAC is on before continuing.

The Windows 7 run produced no network traffic in its 125 s window. The Windows 10 run made one direct TCP connection to 138.91.171.81:80 with no DNS query for a hostname (a candidate command-and-control address that the report does not attribute to a process), along with bing.net traffic and reverse (PTR) lookups of mostly Microsoft and CDN address space that are consistent with Windows 10 background activity; the final PTR query, 81.171.91.138.in-addr.arpa, is the reverse-lookup form of 138.91.171.81.

Several dropped files are listed twice under one path with different hashes (NpM1oFA\WINBRAND.dll, bjYurd\VERSION.dll, bjYurd\wextract.exe, tvsk\DUI70.dll, o11qEswZC\XmlLite.dll, o11qEswZC\MusNotificationUx.exe), meaning two writes to the same path were captured; when using the hashes as indicators, include every listed value rather than only the first.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-01 19:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-01 19:57

Reported

2024-01-01 20:07

Platform

win7-20231215-en

Max time kernel

150s

Max time network

125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\22fcf9040c27944c1d46cdcd9998ea24.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\NpM1oFA\slui.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b67\mfpmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\fU0xa9Qf\Netplwiz.exe N/A
N/A N/A N/A N/A (×4)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\s07P8\\mfpmp.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\NpM1oFA\slui.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\b67\mfpmp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\fU0xa9Qf\Netplwiz.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A N/A N/A (×61)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 328 N/A N/A C:\Windows\system32\slui.exe
PID 1228 wrote to memory of 328 N/A N/A C:\Windows\system32\slui.exe
PID 1228 wrote to memory of 328 N/A N/A C:\Windows\system32\slui.exe
PID 1228 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\NpM1oFA\slui.exe
PID 1228 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\NpM1oFA\slui.exe
PID 1228 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\NpM1oFA\slui.exe
PID 1228 wrote to memory of 292 N/A N/A C:\Windows\system32\mfpmp.exe
PID 1228 wrote to memory of 292 N/A N/A C:\Windows\system32\mfpmp.exe
PID 1228 wrote to memory of 292 N/A N/A C:\Windows\system32\mfpmp.exe
PID 1228 wrote to memory of 1392 N/A N/A C:\Users\Admin\AppData\Local\b67\mfpmp.exe
PID 1228 wrote to memory of 1392 N/A N/A C:\Users\Admin\AppData\Local\b67\mfpmp.exe
PID 1228 wrote to memory of 1392 N/A N/A C:\Users\Admin\AppData\Local\b67\mfpmp.exe
PID 1228 wrote to memory of 3044 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1228 wrote to memory of 3044 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1228 wrote to memory of 3044 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1228 wrote to memory of 2384 N/A N/A C:\Users\Admin\AppData\Local\fU0xa9Qf\Netplwiz.exe
PID 1228 wrote to memory of 2384 N/A N/A C:\Users\Admin\AppData\Local\fU0xa9Qf\Netplwiz.exe
PID 1228 wrote to memory of 2384 N/A N/A C:\Users\Admin\AppData\Local\fU0xa9Qf\Netplwiz.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\22fcf9040c27944c1d46cdcd9998ea24.dll

C:\Windows\system32\slui.exe

C:\Windows\system32\slui.exe

C:\Users\Admin\AppData\Local\NpM1oFA\slui.exe

C:\Users\Admin\AppData\Local\NpM1oFA\slui.exe

C:\Windows\system32\mfpmp.exe

C:\Windows\system32\mfpmp.exe

C:\Users\Admin\AppData\Local\b67\mfpmp.exe

C:\Users\Admin\AppData\Local\b67\mfpmp.exe

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\Netplwiz.exe

C:\Users\Admin\AppData\Local\fU0xa9Qf\Netplwiz.exe

C:\Users\Admin\AppData\Local\fU0xa9Qf\Netplwiz.exe

Network

N/A

Files

memory/1280-0-0x0000000000120000-0x0000000000127000-memory.dmp

memory/1280-1-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-4-0x0000000077176000-0x0000000077177000-memory.dmp

memory/1228-5-0x0000000002A00000-0x0000000002A01000-memory.dmp

memory/1280-8-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-7-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-12-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-11-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-10-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-9-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-14-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-19-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-20-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-18-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-17-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-16-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-15-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-13-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-26-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-25-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-24-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-23-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-22-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-21-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-27-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-28-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-30-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-31-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-29-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-34-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-32-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-33-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-36-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-35-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-37-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-40-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-42-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-41-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-39-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-38-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-43-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-44-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-46-0x0000000002730000-0x0000000002737000-memory.dmp

memory/1228-45-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-53-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-54-0x0000000077381000-0x0000000077382000-memory.dmp

memory/1228-55-0x00000000774E0000-0x00000000774E2000-memory.dmp

memory/1228-64-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-68-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1228-69-0x0000000140000000-0x0000000140209000-memory.dmp

\Users\Admin\AppData\Local\NpM1oFA\slui.exe

MD5 c5ce5ce799387e82b7698a0ee5544a6d
SHA1 ed37fdb169bb539271c117d3e8a5f14fd8df1c0d
SHA256 34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c
SHA512 79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

C:\Users\Admin\AppData\Local\NpM1oFA\WINBRAND.dll

MD5 ffe6ee7d678d1e1f913d48fd348e9a06
SHA1 21e66d697df9400a36716a944349a9c242b656c2
SHA256 355cb0b902b58440dcac5a1db6cbf5b3080427be9b1b18e896d506dcbe1ab506
SHA512 ecdf79642768217dcf82e4d4d39bc896c9a5e78a07f8981ebe000208f4d4f60b6ec142bffcd93f66387677b741a28172f387e6a7a18381b0b5b0823dc243a5a5

\Users\Admin\AppData\Local\NpM1oFA\WINBRAND.dll

MD5 0a0608faea4d51164c9eef7bab35185d
SHA1 19b3a3daccc47e47a15b793e8c38c8ede8c46c39
SHA256 7c7179651bb2239a718690ebbf58f6f6cefc2295aa3669f11bd66c9cef5c4672
SHA512 c4b3c7b73723034e693947e63dde2e5b07d57f22b1183f593a37c9824a242532f4f85257c3a747de7d7599b38aae5ff2b2d14f959b482b678897852b19a67f18

memory/2568-82-0x0000000140000000-0x000000014020A000-memory.dmp

\Users\Admin\AppData\Local\b67\mfpmp.exe

MD5 2d8600b94de72a9d771cbb56b9f9c331
SHA1 a0e2ac409159546183aa45875497844c4adb5aac
SHA256 7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185
SHA512 3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

C:\Users\Admin\AppData\Local\b67\MFPlat.DLL

MD5 2cc985b28b188fd1b22dd1203c3b14a3
SHA1 75dbcc721640147524bb206e724863545040251f
SHA256 eafdd96f81f7ca1f62534a8f97f02097246779da9ef0ecba8a7cafbe91c4c550
SHA512 509738956cdd3716b60f86e8032eb26008ce3111794ca333f41847157af25a72421c54e46f63bfc05d66531cafe4c461dd5eed2c9c531fdc2efd6cce11db0943

memory/1392-100-0x0000000000190000-0x0000000000197000-memory.dmp

\Users\Admin\AppData\Local\fU0xa9Qf\Netplwiz.exe

MD5 e43ec3c800d4c0716613392e81fba1d9
SHA1 37de6a235e978ecf3bb0fc2c864016c5b0134348
SHA256 636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c
SHA512 176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

C:\Users\Admin\AppData\Local\fU0xa9Qf\NETPLWIZ.dll

MD5 dc5d4e06c4ba981da5b1b63767b6c383
SHA1 7b8a35b53b2869a4111c86f22f4674e2db964dd0
SHA256 4cbbc861d2363083c3f79347d892444a331cdde2530e9ca22fe2b912e4efde5a
SHA512 46bf0f52faf29b0c396efe8ecd64d3347778ac7561de076c1983f9444987f3c20f34dd7553f1459d6501849a9208113d2b669b650e0c14089163584df8a88d11

memory/2384-117-0x0000000000410000-0x0000000000417000-memory.dmp

memory/1228-141-0x0000000077176000-0x0000000077177000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 9033e6323bb640f43427c31e3f7ca51b
SHA1 0241a7972df1290c672c6b64c24b30aa39a6af85
SHA256 d490c95d2c3fd23b78db8ab7acae87955b2c9075a627caf7cb0e4cf6a6d4c6a1
SHA512 368bb87db13120498b45e9d013afb32746e980ebc2c2ac7108e64f6d23d8b6acebf53f490e163e91baaa6729cb330b0b406ca8f7b93c989c043f0020132630fb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\4A\WINBRAND.dll

MD5 48b08cf38b6525ac29dda9b760e3af32
SHA1 34baa0de440d14d752fff1e66f9e237787939eea
SHA256 741dc9afc02f88dc4860349465a921287056161466b9382364c56f0707e97c41
SHA512 7b81ca61ff2d1726ce67217d8f8272ad3a9c71b5ed186ea1f83ca0f5ee4101e13439e0987686b8c19184b19914d49a0e23d1665ff13739615f308a9869931f20
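The three folders under AppData\Local each hold an executable named after a Windows system binary and a DLL named after one of its libraries, and the Run value points into a further short-name path. The following added example (not part of the report and not the sandbox's own code) groups a dropped-file list of that shape by folder to surface side-loading pairs, DLLs dropped without an executable beside them, and Startup shortcuts, and parses the Run-key indicator line. DROPPED_FILES and RUN_KEY_LINE are constructed from the behavioral1 section above; SYSTEM32_EXES is an assumption limited to the six binary names this report shows.

```python
"""Triage helpers for a sandbox dropped-file list and a Run-key indicator.
Added example: inputs are copied from the behavioral1 section of the report,
SYSTEM32_EXES is an assumed list covering only the binaries the report shows."""
import re
from collections import defaultdict

SYSTEM32_EXES = {
    "slui.exe", "mfpmp.exe", "netplwiz.exe",                             # behavioral1
    "wextract.exe", "dmnotificationbroker.exe", "musnotificationux.exe",  # behavioral2
}

# Constructed input: paths from the behavioral1 "Files" section.
DROPPED_FILES = [
    r"\Users\Admin\AppData\Local\NpM1oFA\slui.exe",
    r"C:\Users\Admin\AppData\Local\NpM1oFA\WINBRAND.dll",
    r"\Users\Admin\AppData\Local\b67\mfpmp.exe",
    r"C:\Users\Admin\AppData\Local\b67\MFPlat.DLL",
    r"\Users\Admin\AppData\Local\fU0xa9Qf\Netplwiz.exe",
    r"C:\Users\Admin\AppData\Local\fU0xa9Qf\NETPLWIZ.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\4A\WINBRAND.dll",
]

# Constructed input: the "Adds Run key" indicator line from behavioral1.
RUN_KEY_LINE = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\s07P8\\mfpmp.exe" N/A N/A'
)


def split_path(path):
    """Return (directory, filename), directory lower-cased with the drive letter
    dropped so the report's 'C:\\Users\\...' and '\\Users\\...' spellings of one
    folder compare equal."""
    directory, _, name = path.rpartition("\\")
    directory = directory.lower()
    if len(directory) >= 2 and directory[1] == ":":
        directory = directory[2:]
    return directory, name.lower()


def classify_drops(paths):
    """Group dropped files by folder and flag three patterns seen in the report:
    a System32-named executable under the profile with a DLL beside it
    (side-loading pair), a DLL with no executable beside it in the capture,
    and shortcuts written to a Startup folder."""
    by_dir = defaultdict(list)
    for p in paths:
        d, n = split_path(p)
        by_dir[d].append(n)
    result = {"pairs": [], "lone_dlls": [], "startup_links": []}
    for d in sorted(by_dir):
        if "\\appdata\\" not in d:      # only user-writable locations matter here
            continue
        names = by_dir[d]
        exes = sorted(n for n in names if n in SYSTEM32_EXES)
        dlls = sorted(n for n in names if n.endswith(".dll"))
        lnks = sorted(n for n in names if n.endswith(".lnk"))
        if exes and dlls:
            result["pairs"].extend((d, exe, dll) for exe in exes for dll in dlls)
        elif dlls:
            result["lone_dlls"].extend(d + "\\" + n for n in dlls)
        if "\\startup" in d and lnks:
            result["startup_links"].extend(d + "\\" + n for n in lnks)
    return result


def parse_run_value(line):
    """Pull value name and target out of a 'Set value ... Run\\<name> = "<path>"'
    line. The report doubles the backslashes inside the quoted path."""
    m = re.search(r'\\Run\\(\S+) = "(.*?)"', line)
    if not m:
        return None
    name, target = m.group(1), m.group(2).replace("\\\\", "\\")
    return {
        "name": name,
        "target": target,
        "in_user_profile": "\\appdata\\" in target.lower(),
        # 8.3 components such as FLASHP~1 are rare in values written by installers
        "short_name_components": re.findall(r"[^\\]*~\d+", target),
    }


if __name__ == "__main__":
    for kind, hits in classify_drops(DROPPED_FILES).items():
        print(kind, hits)
    print(parse_run_value(RUN_KEY_LINE))
```

On a live host the same grouping runs over a file-creation log or a walk of the user profile, with the executable check done against hashes of the System32 binaries rather than their names, since the copy keeps the original's name by design.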

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-01 19:57

Reported

2024-01-01 20:07

Platform

win10v2004-20231215-en

Max time kernel

169s

Max time network

186s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\22fcf9040c27944c1d46cdcd9998ea24.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NATIVE~1\\SHZFHZ~1\\DMNOTI~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\tvsk\DmNotificationBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\o11qEswZC\MusNotificationUx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\bjYurd\wextract.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A N/A N/A (×60)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3316 wrote to memory of 2828 N/A N/A C:\Windows\system32\wextract.exe
PID 3316 wrote to memory of 2828 N/A N/A C:\Windows\system32\wextract.exe
PID 3316 wrote to memory of 916 N/A N/A C:\Users\Admin\AppData\Local\bjYurd\wextract.exe
PID 3316 wrote to memory of 916 N/A N/A C:\Users\Admin\AppData\Local\bjYurd\wextract.exe
PID 3316 wrote to memory of 4916 N/A N/A C:\Windows\system32\DmNotificationBroker.exe
PID 3316 wrote to memory of 4916 N/A N/A C:\Windows\system32\DmNotificationBroker.exe
PID 3316 wrote to memory of 4648 N/A N/A C:\Users\Admin\AppData\Local\tvsk\DmNotificationBroker.exe
PID 3316 wrote to memory of 4648 N/A N/A C:\Users\Admin\AppData\Local\tvsk\DmNotificationBroker.exe
PID 3316 wrote to memory of 4208 N/A N/A C:\Windows\system32\MusNotificationUx.exe
PID 3316 wrote to memory of 4208 N/A N/A C:\Windows\system32\MusNotificationUx.exe
PID 3316 wrote to memory of 4372 N/A N/A C:\Users\Admin\AppData\Local\o11qEswZC\MusNotificationUx.exe
PID 3316 wrote to memory of 4372 N/A N/A C:\Users\Admin\AppData\Local\o11qEswZC\MusNotificationUx.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\22fcf9040c27944c1d46cdcd9998ea24.dll

C:\Windows\system32\wextract.exe

C:\Windows\system32\wextract.exe

C:\Users\Admin\AppData\Local\bjYurd\wextract.exe

C:\Users\Admin\AppData\Local\bjYurd\wextract.exe

C:\Windows\system32\DmNotificationBroker.exe

C:\Windows\system32\DmNotificationBroker.exe

C:\Users\Admin\AppData\Local\tvsk\DmNotificationBroker.exe

C:\Users\Admin\AppData\Local\tvsk\DmNotificationBroker.exe

C:\Windows\system32\MusNotificationUx.exe

C:\Windows\system32\MusNotificationUx.exe

C:\Users\Admin\AppData\Local\o11qEswZC\MusNotificationUx.exe

C:\Users\Admin\AppData\Local\o11qEswZC\MusNotificationUx.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 64.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 53.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 183.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 61.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 68.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 171.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
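The Windows 10 network table mixes one direct-to-IP connection with DNS noise. The following added example (not part of the report) sorts rows of that shape into direct-IP flows, forward lookups and reverse (PTR) lookups, de-duplicates the repeated flows, and ties the PTR query 81.171.91.138.in-addr.arpa back to the 138.91.171.81:80 destination. NET_ROWS is a constructed, abridged copy of the table above; RESOLVERS is an assumption taken from the single DNS server the report shows.

```python
"""Sort sandbox network rows into direct-IP flows, resolved flows and DNS
lookups. Added example; NET_ROWS is an abridged copy of the report's table."""
import re

# Constructed input: Country, Destination, optional Domain, Proto.
NET_ROWS = """\
US 138.91.171.81:80 tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
""".splitlines()

RESOLVERS = {"8.8.8.8"}  # assumption: the only DNS server the report shows


def parse_row(row):
    """Split one table row; the Domain column is absent for direct-IP flows."""
    country, dest, *rest = row.split()
    domain = rest[0] if len(rest) == 2 else None
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": rest[-1]}


def ptr_to_ip(name):
    """'81.171.91.138.in-addr.arpa' -> '138.91.171.81'; PTR names carry the
    octets in reverse order. Returns None for anything that is not a PTR name."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", name or "")
    return ".".join(reversed(m.groups())) if m else None


def triage_network(rows):
    """Separate DNS queries from connections, then report connections with no
    hostname (direct-IP, each with any PTR query seen for its address) and
    connections to hosts the sample resolved by name."""
    resolved, ptr_for, flows, seen = set(), {}, [], set()
    for r in map(parse_row, rows):
        if r["ip"] in RESOLVERS and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_for[ip] = r["domain"]
            elif r["domain"]:
                resolved.add(r["domain"].lower())
            continue
        key = (r["ip"], r["port"], r["proto"], r["domain"])
        if key not in seen:          # the table repeats identical flows
            seen.add(key)
            flows.append(r)
    return {
        "direct_ip": [(f["ip"], f["port"], f["proto"], ptr_for.get(f["ip"]))
                      for f in flows if f["domain"] is None],
        "named": [(f["domain"], f["ip"], f["port"])
                  for f in flows if f["domain"] and f["domain"].lower() in resolved],
    }


if __name__ == "__main__":
    for kind, hits in triage_network(NET_ROWS).items():
        print(kind, hits)
```

A direct-IP flow on port 80 with no forward lookup is the row to pivot on first; the PTR queries say nothing about which process asked, so the address should be checked against threat intelligence rather than attributed to the sample from this table alone.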

Files

memory/2188-0-0x0000000002E00000-0x0000000002E07000-memory.dmp

memory/2188-1-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-5-0x00007FFF5067A000-0x00007FFF5067B000-memory.dmp

memory/3316-4-0x0000000000930000-0x0000000000931000-memory.dmp

memory/2188-8-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-9-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-10-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-12-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-11-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-13-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-7-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-15-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-14-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-16-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-17-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-18-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-19-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-20-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-21-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-22-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-24-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-23-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-25-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-26-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-27-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-28-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-32-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-36-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-39-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-38-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-37-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-35-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-34-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-33-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-31-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-30-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-29-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-40-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-44-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-43-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-46-0x0000000000850000-0x0000000000857000-memory.dmp

memory/3316-45-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-42-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-41-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-53-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-54-0x00007FFF51D00000-0x00007FFF51D10000-memory.dmp

memory/3316-63-0x0000000140000000-0x0000000140209000-memory.dmp

memory/3316-65-0x0000000140000000-0x0000000140209000-memory.dmp

C:\Users\Admin\AppData\Local\bjYurd\VERSION.dll

MD5 fec37c7b3f6e2bd15053c4f962a6a651
SHA1 3eec84de5ad60ef439e11740fa41380779748510
SHA256 8bc40e69bf8abf3827d6e6070239592044e3b3cb6d38399c989b0f5fbe56024b
SHA512 17cfc27d4a679db5f81f9db16a77981ec78662260800ad6fbabbcc38dc88331c49bda7a5bd887c12b005e6b509c581ecc86a0281b20a0176df50762f96f4ca7f

memory/916-74-0x0000000140000000-0x000000014020A000-memory.dmp

memory/916-75-0x000001E1EEEE0000-0x000001E1EEEE7000-memory.dmp

C:\Users\Admin\AppData\Local\bjYurd\VERSION.dll

MD5 4234d4f8e1cc8ad8d195edf2925a62f4
SHA1 c62ba4c61b3c5e2d8415e2dfa4fb1beeeabc25d6
SHA256 3e01ac86eb4da0380ac03cb9256d01f31d735af4e9d0072212452abad490ac7c
SHA512 e1197302e20cbc7352dbb17a0b494d667d5b8d027381aed853fe3d2df5e2ee2820fd0645602aedc0dde9b2f323491a5e705a1f561354d9cd70a6e6315e507b7b

C:\Users\Admin\AppData\Local\bjYurd\wextract.exe

MD5 2ba1a23414a5a0538d6563207ce4a4fa
SHA1 9b9b2e6f436270ea956ee93e180219af24432085
SHA256 7255b530eca3e1ed4e163a01e815af8fa5d4f0269e7ff37115a093db85283a62
SHA512 62543878a473df594075b5f161b87a0061677adddd7317571150799fd48f14ce74acf85b8e7168647d7df06520196614d9c43f59edde06ed82307894735c8692

memory/916-80-0x0000000140000000-0x000000014020A000-memory.dmp

C:\Users\Admin\AppData\Local\bjYurd\wextract.exe

MD5 308b4b18ac08bfd444c54ac94c657ab1
SHA1 5c6d5d53dad0b9e89a9c2c8779d2af22bed0a568
SHA256 8c02f83c1ad2fbf39ae4902d51253c2dad6d4e0d4ca490ca15391089fad6d931
SHA512 f7aefede4d2bc8bc41c28bca16a4b79fa7f793fdd7148252a626ed2f20ec5587880d18fa4c240d8ed24dba1a69b51b93724618771a2fc8343347b118b7a34bda

C:\Users\Admin\AppData\Local\tvsk\DUI70.dll

MD5 7f5e9aa9f28a9ed7aa30c94e3ebea262
SHA1 ea127f5a17cb71128032aafc9c67c04e2a8acb15
SHA256 1f8b7c3e417c3cbf9a5134b596844e0add1c49690b17392c0025608b20ce26ab
SHA512 bd14394edec75cdac7f7bba41bddc6e2b8d129f22cb62273f9c9e132a9db076242fc6027cc2e07f45c8e4b74545532f089c7344c17bda0031072c4d55c0aa18a

C:\Users\Admin\AppData\Local\tvsk\DUI70.dll

MD5 c03a9818eda825eb5a5cff614529f98d
SHA1 bb4f3fe15da2d044d3c745236c0ba1b5e73c1513
SHA256 11bc79a74fe7d7eca3f1dcf6c2d62e0db043d08259be6585a73be7f9d0726543
SHA512 9f9c870335f881b49ca8d01def085d5ca95119d3a659cea6bf8898043a1dc5de073b947a600653ce2a7b351806cb7d9e718ced45b3e107dac401cc8f1dd99a8e

memory/4648-91-0x000001FEB58D0000-0x000001FEB58D7000-memory.dmp

memory/4648-92-0x0000000140000000-0x000000014024F000-memory.dmp

memory/4648-97-0x0000000140000000-0x000000014024F000-memory.dmp

C:\Users\Admin\AppData\Local\tvsk\DmNotificationBroker.exe

MD5 f0bdc20540d314a2aad951c7e2c88420
SHA1 4ab344595a4a81ab5f31ed96d72f217b4cee790b
SHA256 f87537e5f26193a2273380f86cc9ac16d977f65b0eff2435e40be830fd99f7b5
SHA512 cb69e35b2954406735264a4ae8fe1eca1bd4575f553ab2178c70749ab997bda3c06496d2fce97872c51215a19093e51eea7cc8971af62ad9d5726f3a0d2730aa

C:\Users\Admin\AppData\Local\o11qEswZC\XmlLite.dll

MD5 52a7fe2632e8cee95f8550a7913c6ba2
SHA1 42bffff5e841660733a218d5999291daadba95d2
SHA256 73779c7684faddd2df6ef664b9aeeb5e88d9564b9c9ca9ffb9b6ba358181bab0
SHA512 3d5ccf34447e2f62e46cbb709a9829af5742c9e64badff236397ef0211c4506e8567dc209d7f8d05e92e3c9bc94aad89d3fb5a1eccd995d4e808230b7db76c71

memory/4372-111-0x0000016A448E0000-0x0000016A448E7000-memory.dmp

C:\Users\Admin\AppData\Local\o11qEswZC\XmlLite.dll

MD5 27dc46d3b88a3cdeeb8c9d0d2ce2002b
SHA1 abeaa9bd218073e649543d3d21159490facd9a55
SHA256 adee0756dae1431f032491e903b5699ac817f15377ded6e96836be6d18d58f42
SHA512 691f5882d917ff2c64f0bbced7f4860d26d0f23539c30a50fd31fbf0b8b7fdbe9903a530d62a0bd58cf40e60e7260cbee03a6726de083cef91c18c55fbc8a784

C:\Users\Admin\AppData\Local\o11qEswZC\MusNotificationUx.exe

MD5 35c23d2ec0865ea5edea5aad2cdd21ba
SHA1 5e04714428d143f5c076d186cb4f0f218a71055b
SHA256 581b879bff182875ce9d319fe3a5e0aa56fae59a03d4364f04c7c379211d9e79
SHA512 dfec5ac9dcce47fba33c162f3d32ad84376a9e1bae323dd730b4cf62838d49b36427f40f26ef7ff1196cfad74c08f55c4a050b660f7847be5b019173ca90fc03

C:\Users\Admin\AppData\Local\o11qEswZC\MusNotificationUx.exe

MD5 5bebb0c53a5abb13391cf044a156cf91
SHA1 b1190a37d8709a51b4865a58ec42a860ff5917f2
SHA256 56daf39f2d7e0594a62105df8390c623ffbc793a31fa4a11eab69c6826b5833c
SHA512 499bd992386282873bc43204030f56b7fb91fa0e53096c49320b08051e045792e217e0088d1b59966c1267b8a1a99e84cefe899c20b9791717c4233ce245bffb

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

MD5 2b497d7c076af572820da23bdeeae9e4
SHA1 671ce54a0d7c8ecda686a48e428f326919d712eb
SHA256 576e9d414fcaf5d1f901c92fd19da08ea82a5f7d569bec48ef32d0a78eb9f343
SHA512 ba05d004e9c788e326252aa62c4dd64f91acc5b780fa09f9ddfb982ac6970596e8b4d88ee78357c9ec934871843893bf7b3db515fa81a01d442a6f6d203c1178

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\5TYR\VERSION.dll

MD5 01894355e9b61ede7b615ba5e04ec6a8
SHA1 855fb96a78302bfbe748b51a535a9cd28c7999de
SHA256 d7e0ccef5be3fc6aea0e1e2a43b434e797e183ca686122ecb1a29e77a3509508
SHA512 2a7610d7e97e5e6c18134d0384e4d052db0790058669222e81313b4025b34281451276db7c69e389cd7e89da07281228f241d39cae7e1887c730639405e1d650

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\ShZfHZWuR\DUI70.dll

MD5 6c7a043ac1129e151a1643d3c74e5660
SHA1 9853fb58565270b956571bfc76e073e3b7a3bc81
SHA256 1d2671a749408d23ec6a61a8797be8fb9961d4beda25bd8df7325d4e4183f157
SHA512 2b7ba65cda6cf598d9de1aad538549847d04fc9f1dbffdec0576d164be078b67fa57421978a663ca2972b5a3e7717ac26b991aced850f6621cec823c9256cf98

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\iMdLcabY\XmlLite.dll

MD5 16e11cda3527d4ded3580147f95392ae
SHA1 3b12edebcb31898d515ffc6948ffea70106851e1
SHA256 51bd0fc7f67984743b81b1c23cf4abb7c33b54c8329c9320fcad197ef2d7f644
SHA512 2a5e001aadc676713be2f72ae7a552f7970443a6988e3091536ce6a99c2977143ac9f3aa01e038e944f7fe873939295a7fcc1fbda88acfe5985edb5bea52b3e6