Malware Analysis Report

2024-11-30 21:31

Sample ID: 240104-yxvrhaachj
Target: 1fb0650833a45e6b7611fd961af6cc8f.exe
SHA256: 82f87ae7f82947667739ae073c48d9e810af9c638fad471918918ab78d5aea9d
Tags: dridex botnet evasion payload trojan persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 82f87ae7f82947667739ae073c48d9e810af9c638fad471918918ab78d5aea9d

Threat Level: Known bad

The file 1fb0650833a45e6b7611fd961af6cc8f.exe was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan persistence

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-01-04 20:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-04 20:10
Reported: 2024-01-04 20:17
Platform: win7-20231215-en
Max time kernel: 5s
Max time network: 148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fb0650833a45e6b7611fd961af6cc8f.dll,#1

Signatures

Dridex (tags: botnet dridex)

Dridex Shellcode (tags: botnet payload)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled (tags: evasion trojan)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fb0650833a45e6b7611fd961af6cc8f.dll,#1

C:\Users\Admin\AppData\Local\SjOXL6\recdisc.exe
  Command line: C:\Users\Admin\AppData\Local\SjOXL6\recdisc.exe

C:\Windows\system32\recdisc.exe
  Command line: C:\Windows\system32\recdisc.exe

C:\Windows\system32\xpsrchvw.exe
  Command line: C:\Windows\system32\xpsrchvw.exe

C:\Users\Admin\AppData\Local\QK7w\xpsrchvw.exe
  Command line: C:\Users\Admin\AppData\Local\QK7w\xpsrchvw.exe

C:\Windows\system32\wermgr.exe
  Command line: C:\Windows\system32\wermgr.exe

C:\Users\Admin\AppData\Local\fCw8tnE\wermgr.exe
  Command line: C:\Users\Admin\AppData\Local\fCw8tnE\wermgr.exe

Network

N/A

Files

memory/1820-1-0x0000000000190000-0x0000000000197000-memory.dmp

memory/1820-0-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-4-0x0000000077A26000-0x0000000077A27000-memory.dmp

memory/1204-8-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-18-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-17-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-21-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-27-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-32-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-35-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-36-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-43-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-44-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-42-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-46-0x0000000001D90000-0x0000000001D97000-memory.dmp

memory/1204-45-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-41-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-55-0x0000000077C90000-0x0000000077C92000-memory.dmp

memory/1204-54-0x0000000077B31000-0x0000000077B32000-memory.dmp

memory/1204-53-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-64-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-68-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-40-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-39-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-73-0x0000000140000000-0x0000000140201000-memory.dmp

C:\Users\Admin\AppData\Local\SjOXL6\recdisc.exe

MD5 39480ca0e22ca0a3c3ef6a8c201dada2
SHA1 252e3cb7943f85f5ebcce69339f4559e104869e7
SHA256 7a9e40a852e8d18abba348205ef447124090a66665966d1886de17600be8512b
SHA512 f23e7f4ffb48c35e197235d9ca08c609773abf8cbc0f6f7e86ce24e3dec21c683185d964f2f4457a0311bfc03c9d37aaa57bddbf2ce3d1d5d37e75d30cb530a4

\Users\Admin\AppData\Local\SjOXL6\SPP.dll

MD5 4e1858f5429d893474c080f4afe0580e
SHA1 5133383349f362e592789a4f60ed7008887988aa
SHA256 ef9db9155a8d2e82507e041fff60483d9e04d66bb7d6db7e9df65c6b152a14cc
SHA512 c3107d53fab1348d6e3c0eadfdb0b6c9f0ebc1ccaa5e08846793caf013c994785ffe70361249d8c3765a59a0fcf684592af0983351ef6a90a0047e20a3eb5f5e

C:\Users\Admin\AppData\Local\SjOXL6\SPP.dll

MD5 cc4c37022382b5bd47762a362bd8d96c
SHA1 d1f9928136355aa5cf52833f117972236aed01af
SHA256 9022d036535f5ec148f38b185ea804754777c3f904ada7897d70b6c76eed3b00
SHA512 81cdbb58662ca0b9c34f6d67dd9af9f821f2a99bfee138f0d5f114c5b8885a797130786d0ed3ca88281dbcb5b6901c7af948038561df6db5d5102989e6b5b35e

\Users\Admin\AppData\Local\SjOXL6\recdisc.exe

MD5 49c555bd2eb8bc2ece427c27ab9ab4dc
SHA1 dfc221d291361483c323e9f7d9c69543dcc04ad3
SHA256 b3103acd5565835ce017bbdf9713a1cf424307d97ef1c260310185f38fba05dd
SHA512 7e056e74376e210db9cd1220f91e3eed4b68288ad104be53ad73a442f3c8991ba5b5eb83db1925e0d57e7f11450744baa475e1e15880d0e274915e627643204e

memory/2556-83-0x0000000140000000-0x0000000140202000-memory.dmp

memory/2556-82-0x00000000002A0000-0x00000000002A7000-memory.dmp

C:\Users\Admin\AppData\Local\SjOXL6\recdisc.exe

MD5 f88653d6bbbc596148df5e4e79d496a1
SHA1 8ad3e5a6ab6a4620c905cc980a27558008240ee7
SHA256 8c3c7c554e191ceb7503245ae4347a46de8c37c1cef264975b63637709d8aba0
SHA512 961c44f7bf27e1f60f08f2e9c936a20ae6993eaab882a88dff3f74ed0ae8a8611356281beaf5d773484eab57f976e364567d521abc678d5ac376d53f79539e11

memory/1204-38-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-37-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-34-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-33-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-31-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-30-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-29-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-28-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-26-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-25-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-24-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-23-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-22-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-20-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-19-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-16-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-15-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-14-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-13-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-12-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-11-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-10-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-9-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1820-7-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1204-5-0x0000000002A10000-0x0000000002A11000-memory.dmp

C:\Users\Admin\AppData\Local\QK7w\WINMM.dll

MD5 acd6969f6ea474637d5753fe941ac6a8
SHA1 a3dab61ad414fd9b869b118c647c929c9be17ffa
SHA256 8ba489a53baf93724f93c9e7aefe8301aeb0ded0956b0cd45c55225dfd999ce1
SHA512 73e3c383ae48968fe6169565f1c3c55616d75143bf23ffbb9278a4c90031251c48c323b021aa88a27e6cad0a14f69c9a78222b1b468db8c19cf030cd5bcc4c96

memory/2132-100-0x0000000000320000-0x0000000000327000-memory.dmp

C:\Users\Admin\AppData\Local\QK7w\xpsrchvw.exe

MD5 8d84804e51391ac738abe42661e0c92b
SHA1 4f7a6fe26f0db0b1ddd96c40852ed91385268116
SHA256 3876d1657e833d8c7e6ac9327897ff96214f70fec50590f0884f61aece64a4a2
SHA512 61efd418044eb2377258692986f83aa247671ebeec598e1003503155bccc88c1d53279cd4c15225ba31886d034ecab53e9f86ccf225d13926bc9aaeccdc79d86

\Users\Admin\AppData\Local\QK7w\xpsrchvw.exe

MD5 415e94cdba7e0569c9a981bb00f6217d
SHA1 66a0ceda8d051af800fb8a73a3a8f89ba71afbd3
SHA256 636d4c83907e5343aef0ba85d656bebd295a85a5e7e5842bb495d04bb91afab9
SHA512 6590d4f9607d68bc4aecab0022cf092561d0be52933fcdae708f11d9ea64de22bcda7742441a98a25ccc09b994858ea41e1e232b070c51fe69ead899ca9ae2ab

C:\Users\Admin\AppData\Local\QK7w\xpsrchvw.exe

MD5 e8d7434c7be81f2df6ca6026f642ed0b
SHA1 223078014ba5dc170e7c2133ca796e8b02f3fd07
SHA256 9eca0ea757c17b5f8cfc2e29cefce881f20b75c0e95a6576c5c60fbce0e0fc6e
SHA512 e48eb42cd2710dd64afd41e9f79af91b69acf3214a5da88ffa00ae4217e126f18ebf291c5c42b347c688ae640e6c85c9c084e7ed8d91ee501227aa3ded7ae831

C:\Users\Admin\AppData\Local\fCw8tnE\wer.dll

MD5 4319d9a431fc96944ec3a3b4368b78f8
SHA1 d9f2fbb6f5d9b6840fff796ffb18c20b5d3e3814
SHA256 7b8bc704d9553fd0f4829495f59ee64fad680c41ed5300aeb2979b4f1c686a2f
SHA512 543e4b3c102bf0e094fc42c828faff1a772ab26556238d4eba2b566c61989ed100974eed5c4670ab4c11db4faf3ebc7ae63f62d539b864a6e19313b4ad445cac

C:\Users\Admin\AppData\Local\fCw8tnE\wermgr.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\fCw8tnE\wermgr.exe

MD5 4efd0af574232c2d4b79d2e98a97ed32
SHA1 3794d9baaeb1ab5ec7e1db54e821e63e9dc41cd5
SHA256 0c5c2cd5a1c2debb1353c5b544b1fb35e4fe989ef95c4a699e69c1bbd5b5b227
SHA512 eb8f026466e592f1ec3d3ca026c8d060cd5a102706a5dce57e8f461b25e6e305245a6989ce60aeadd916119d7bb0770a70569bbc5a003bdf645f56e510c49068

memory/1204-123-0x0000000077A26000-0x0000000077A27000-memory.dmp

\Users\Admin\AppData\Local\fCw8tnE\wer.dll

MD5 41fba43d25eefa239bc9d9db1dabf4e5
SHA1 08ad9d621f754d2a11143bee9bcd1773856e768f
SHA256 971c24380ef6b0d85e84ab83379d1966138c1cc0d1476c7faf35431152aa1f44
SHA512 128b420fe75e2f6e228ee607b5500e147d52a716bf8d9a81b7201cbd42f1a65d931e2f823d2323005f017660a165a64a99fc0dbc4765391edb8ad31cdce80a0e

memory/972-125-0x0000000000080000-0x0000000000087000-memory.dmp

\Users\Admin\AppData\Roaming\Mozilla\Extensions\daC1jcu\wermgr.exe

MD5 41df7355a5a907e2c1d7804ec028965d
SHA1 453263d230c6317eb4a2eb3aceeec1bbcf5e153d
SHA256 207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861
SHA512 59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 75e41b173cf664b48fd9a11167f9adeb
SHA1 2dfa29b6cff70dd9e2a968adb321eeddf7995e92
SHA256 8f8c914a9342f06530760dc713730a22c20229ab8e957676cdf712c70de8dd3c
SHA512 f050a5e5ebdff22babb65f2b1092e93345b714454f49c5120fd659e3d2192bda95346db38b082e170557a7dcd3d023a06c259c1024cf891daa5a13f8dcd060ca

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\ulMG\SPP.dll

MD5 a65406ffa4e2c25fdae9e67a5109210f
SHA1 ff471df6fa9898271fd9f8231775bc9c24d8d55f
SHA256 8e1f86a9fdaa4c1baa265ddddd90e81027c86f7800aecf08e4de19da763f862d
SHA512 06a13e5bb6b8e174dee2728e2047a50286218b9858f5d4433fac260fb344c8a08254dc33451529a10d346d446480360337a26b6b41b12133f610f368eed44a56

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cBAQsvSR\WINMM.dll

MD5 ba07af852d334f2056ce18fd9fd5499e
SHA1 b08538a5d61367ade765a2ef3b82f0baf488e247
SHA256 48082c77d74cc1238c806ca2db31b5a9e021659a46b5784a35cb4d167843ab50
SHA512 2c9b5e5b32d30d9bb6e6421cc8cd49f8c659f84db2311d1f572830fb4c83d368f518b4743d8a7dcb31e2b290019af06594c574e4dfd16bba652aa2aed39d432a

C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\daC1jcu\wer.dll

MD5 c28c17de9651ecc3e2a88313640729cf
SHA1 27f8492c771a4c3aceec724465256d6e5d650386
SHA256 024e0fef047140923dfe85fe77f794fc386b74d4fd03db9aa843e3da30bb3c9a
SHA512 c6a33f7eead3e7b21187f686b9ddd306c22ec9186e9ca8e8dfda110c1afd3e30bf6d67898926f53c0eb3c344f8da62ea58fff1e0190b8156b3c267b04ead9ba0

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-04 20:10
Reported: 2024-01-04 20:17
Platform: win10v2004-20231215-en
Max time kernel: 24s
Max time network: 152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fb0650833a45e6b7611fd961af6cc8f.dll,#1

Signatures

Dridex (tags: botnet dridex)

Dridex Shellcode (tags: botnet payload)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\vCI\wermgr.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\vCI\wermgr.exe | N/A

Adds Run key to start application (tags: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fidpgamyc = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\i4Rfkq\\wermgr.exe" | N/A | N/A

Checks whether UAC is enabled (tags: evasion trojan)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\vCI\wermgr.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A (52 further rows, all fields N/A)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3336 wrote to memory of 2288 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe
PID 3336 wrote to memory of 2288 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe
PID 3336 wrote to memory of 3632 | N/A | N/A | C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe
PID 3336 wrote to memory of 3632 | N/A | N/A | C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe
PID 3336 wrote to memory of 2252 | N/A | N/A | C:\Windows\system32\wermgr.exe
PID 3336 wrote to memory of 2252 | N/A | N/A | C:\Windows\system32\wermgr.exe
PID 3336 wrote to memory of 3392 | N/A | N/A | C:\Users\Admin\AppData\Local\vCI\wermgr.exe
PID 3336 wrote to memory of 3392 | N/A | N/A | C:\Users\Admin\AppData\Local\vCI\wermgr.exe

Uses Task Scheduler COM API (tags: persistence)

Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fb0650833a45e6b7611fd961af6cc8f.dll,#1

C:\Windows\system32\MusNotificationUx.exe
  Command line: C:\Windows\system32\MusNotificationUx.exe

C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe
  Command line: C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe

C:\Windows\system32\wermgr.exe
  Command line: C:\Windows\system32\wermgr.exe

C:\Users\Admin\AppData\Local\vCI\wermgr.exe
  Command line: C:\Users\Admin\AppData\Local\vCI\wermgr.exe

C:\Windows\system32\SystemPropertiesPerformance.exe
  Command line: C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\Ef206GJD\SystemPropertiesPerformance.exe
  Command line: C:\Users\Admin\AppData\Local\Ef206GJD\SystemPropertiesPerformance.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 14.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp

Files

memory/4328-1-0x0000000140000000-0x0000000140201000-memory.dmp

memory/4328-0-0x000002792DC10000-0x000002792DC17000-memory.dmp

memory/3336-4-0x0000000000700000-0x0000000000701000-memory.dmp

memory/3336-6-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-8-0x00007FFCC011A000-0x00007FFCC011B000-memory.dmp

memory/3336-7-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-9-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-10-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-11-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-12-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-13-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-14-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-19-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-20-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-21-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-22-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-23-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-18-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-24-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-26-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-28-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-27-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-25-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-17-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-16-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-15-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-29-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-30-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-32-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-31-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-34-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-35-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-37-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-33-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-36-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-39-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-42-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-44-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-45-0x00000000006B0000-0x00000000006B7000-memory.dmp

memory/3336-43-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-41-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-40-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-38-0x0000000140000000-0x0000000140201000-memory.dmp

memory/4328-52-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-55-0x00007FFCC19C0000-0x00007FFCC19D0000-memory.dmp

memory/3336-53-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-64-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3336-66-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3632-75-0x00000224CEC50000-0x00000224CEC57000-memory.dmp

memory/3632-76-0x0000000140000000-0x0000000140202000-memory.dmp

memory/3632-81-0x0000000140000000-0x0000000140202000-memory.dmp

C:\Users\Admin\AppData\Local\M0QKKqY\XmlLite.dll

MD5 ce73339ff37518c0442db849f109546e
SHA1 2f4fd5a9a8f658e9453aeb792f6c5fdf28c69738
SHA256 bec4c0e0f0b361bb07b62c0056b607346ec50998c3e55bf39760818524e9b2c0
SHA512 ab804d0ab718ebc15fea12d870eae6dfa3bdd1b40169b1e0c9bf9da9c2e93bb2af24b5935bd239a5036a91d158389b85cc693692fcb421a4e6df21d4e3a23cf1

C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe

MD5 3815a5801797addbeb7b5e4a4b578d6c
SHA1 1f4298e81ed85be43aaa496b059e3e4b4eafd8a6
SHA256 e1b5c5ab44701088bc0d1ac389194cad94701d645ff1080f56f94b09a3f488ff
SHA512 e56ed4c94bc544776da0b851b8d518a53c89bbd32be5a20b4b45d8438291a9feb6a6312f5c176a40ccdcd39b7b0a3397113b431d3c3ee4b85c976df70db3c400

C:\Users\Admin\AppData\Local\M0QKKqY\XmlLite.dll

MD5 47e65da3d878a6a6f8a3c7ad0842d646
SHA1 5191c540a030120da4ff7d5519f216fbb50efea5
SHA256 cb67e0a7fcbab06254b1c126c6cdd19663c6fff3c799cb91488dadf37f2d3968
SHA512 18a2484491f373450fac37ba85ddad98efb14044e4c24433a8eabb0c436e41cf0765f8d5695380b2b95d067646913cf4ceaa987987e071d571ef69e9e557ac7e

C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe

MD5 7a31787344fb42f3ebb6213234b9163d
SHA1 0ab871f4730494d46450deb3028c13a7135bcff5
SHA256 db6a2d66afe8583fa470ad5882a44414c9b2bf528471ad5e36fd4e9d7d1571ca
SHA512 7ca4844242c0fc20392cb556d6b0b39c243b55d6f2be569a3b7c0abc8feb9de60a7cd7c6176744299e175f3a956e6bc6671b0a2052298ab930998c96800f3fc3

memory/3392-92-0x0000013788260000-0x0000013788267000-memory.dmp

memory/3392-93-0x0000000140000000-0x0000000140203000-memory.dmp

C:\Users\Admin\AppData\Local\vCI\wer.dll

MD5 845c1424cd32a09f530d87081dcc9a1a
SHA1 7277091da04702cc7c6e74ea5fe52590759320cf
SHA256 1f40236122b6d1ebe103e78f0ceee44c9f523ac8a96eee7b5e3b033cce1707d9
SHA512 79015097bf05aa6baf6e946ff524a1770de28939bc810f819a23f73a28740debeeb20d0f84c2533ee2ff89a700914311bcb9aa82002cedfc7cd3cead76bbdc17

C:\Users\Admin\AppData\Local\vCI\wermgr.exe

MD5 b97eadca12ccce0a2b6a0038d349b037
SHA1 8fcfa6c00068c4ba78056d5ece5755b4026b2e41
SHA256 f0256f61f6ac84ff62379b7c9e92d46a253e2c9a13648df1130f8de8890e4bc7
SHA512 72f90170d800ea8959db1a6ebf6d068399ea6f8be66769ac8c599466d2f6e2042f9e189e02cd3b2fee44108fb79425d20f0582955a57f6fe3f26f30025b98358

C:\Users\Admin\AppData\Local\vCI\wer.dll

MD5 c9d071391a24c522ccc93e48c7179ee2
SHA1 57913aa826acac98a97fbdb4feecd7b4f3968b07
SHA256 4594710891b1592b89d44016c1b6564a2249f250e502508b349d5adf7d57a010
SHA512 9f36a01459df0ac376eb80e91d5bb5be6da7e4d2c0af8c56141e28b1e28a560e72eabccb001070320c079caaa0dbdd41a9b939e7a801bbdf01b3e5e5b41bea72

C:\Users\Admin\AppData\Local\vCI\wermgr.exe

MD5 747dd906853c7bd607566832904cbe67
SHA1 937269abc6a01141f884d5420b1b1ba7f034c136
SHA256 04228d8e6840e924488197cc119a5d16ee83038d282f3a39c8b72f6ad2fb241e
SHA512 4ed5afd9fb52fadd7e466a02895a95e001dea1ec250ba7c8635639bb428996eb40b54830c09ff9ac3d33dc54fa616a56a1ba355e9714b985d71ac3a7f0765770

C:\Users\Admin\AppData\Local\Ef206GJD\SYSDM.CPL

MD5 a477ae8e0f5bb5b4f15c201812595047
SHA1 90741c4b4cb5f8754413c146366e909c3849e81a
SHA256 2e116998d458c83c8173409f31160528794568dd5a8d83226f049d73b37461dd
SHA512 3e787242ed3ea12498d9a55beac12208ba43112b41eb4295b8fb9541f084ddb448bea40552200589fd9b3f895cb3568345a2d7c0cb23b33437273764e1e45132

C:\Users\Admin\AppData\Local\Ef206GJD\SYSDM.CPL

MD5 dfe51efd96de2a1db9031aad765f4dab
SHA1 582b53662a0e728b874579f1632f0f03ba7b3469
SHA256 3d24c3448460f3d396077fcaaa4bdbee3d1d177215e33db9fd43611a65aee09a
SHA512 6c0bfc29d9eca574b708f38d42ed48b03b43ed4d8eb57d5194b9e9db742264f2f10b90c444c519968656bdc381e6b34e1e4a700444b961bbdfde0f09c02daf02

memory/2816-109-0x000001710CA00000-0x000001710CA07000-memory.dmp

C:\Users\Admin\AppData\Local\Ef206GJD\SystemPropertiesPerformance.exe

MD5 f72dcda4b59d9873598d5ad01bf7897b
SHA1 204858b39b4e5c6a2890e66215bf657ad62267ff
SHA256 4815331bccda6bef12322595b58ee2061bffa42595597ec5e36f28322dd868ad
SHA512 8170029208136446ca40905e7a7ecca78045fa124fed2b8e7f8874258a1d0f6bfc9be72e33012cc6d076d03b5d6789249de9dbcbcc1f0bd627cdcb39d54ccb6b

C:\Users\Admin\AppData\Local\Ef206GJD\SystemPropertiesPerformance.exe

MD5 bce579e5b02f2550a17a35639a67ac9c
SHA1 4e54af9dfa9a2bb5f0dafc05f450d42cc8c32a2a
SHA256 03417b3faddb6a2757865b6ffcf3fdd55bed95672eaa79ab21bc2df36115dc09
SHA512 dc142310fa864a231abcaaa6c77e0943fe88aa2696b4928aeaad069a5fec9dd7751d23812a965761419299a80463fd0c6b20bb7477f1c25524d7845142788663

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Enpllr.lnk

MD5 cbf527564aa2b481dcdb43abe7a28aeb
SHA1 a8eacbf4f452376e3ceb50a364caad4349720e85
SHA256 73cd546213269a6688070b822a88a7c8063c67fe201ae7783435f646edd6b3f6
SHA512 22be767c3104f8d5c2d13c33c48d3835f1813a2658df0594fe686a0f5409c5abac4f15e2eb294ce13a6a1741aab1c0f0c35259dcb8af60496ffef95d55938c57

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\u6UGYkMK\XmlLite.dll

MD5 178672f7ca742a6e4fdf2573fbd4cc21
SHA1 b87da911fef0f4768852574fd100f4fe321a18ba
SHA256 3497c900bdc9449c9b8e6c00aab0a6d1fa9cb017db3fc37e72c0da4516b67a4d
SHA512 3274470c3b8885510975018a2d940a0c2ca09ed9b4a6141b6c73cdb372124ce469818704d85a42788178f288c08a039debef70ae13662c35e1e9b9ad17cd9af5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\i4Rfkq\wer.dll

MD5 4e3a069e24e9bb86fa0a8c131bf7c680
SHA1 c9b480a935894c2f209590e7840f61b95a5ea767
SHA256 ead29818704e3bf69a74486bd3a797b33505b8cdf6cc1e59b267cdf4f3bf5517
SHA512 dcca7056c016db4b7aa6e396d75d8c253d6fab23a55bb02aa954658be70f676fee5866c97f6eb4f016370e1a224815078cb94ba97adceb4ebb5c5f2f159346fc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\4UN60eAaF\SYSDM.CPL

MD5 43dcc32764d35f83ef58bab42e6fac86
SHA1 6acbd360149633c0e221af299ae0282cd5b77b4d
SHA256 2776387a4cc37c228e6cc08a71a56f8e5e2731b743d869fed58d22ddc095afc3
SHA512 37c916f3b87970199cda7fabf21e274675bbe0ad3a3aeb720b3a272a70122a2ba9c553295ca3c10340a17e435008f9f2ed11562b73607d00eb1612215ffcfde2