Analysis Overview
SHA256
82f87ae7f82947667739ae073c48d9e810af9c638fad471918918ab78d5aea9d
Threat Level: Known bad
The file 1fb0650833a45e6b7611fd961af6cc8f.exe was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-04 20:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-04 20:10
Reported
2024-01-04 20:17
Platform
win7-20231215-en
Max time kernel
5s
Max time network
148s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fb0650833a45e6b7611fd961af6cc8f.dll,#1
C:\Users\Admin\AppData\Local\SjOXL6\recdisc.exe
C:\Users\Admin\AppData\Local\SjOXL6\recdisc.exe
C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
C:\Users\Admin\AppData\Local\QK7w\xpsrchvw.exe
C:\Users\Admin\AppData\Local\QK7w\xpsrchvw.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Users\Admin\AppData\Local\fCw8tnE\wermgr.exe
C:\Users\Admin\AppData\Local\fCw8tnE\wermgr.exe
Network
Files
memory/1820-1-0x0000000000190000-0x0000000000197000-memory.dmp
memory/1820-0-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-4-0x0000000077A26000-0x0000000077A27000-memory.dmp
memory/1204-8-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-18-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-17-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-21-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-27-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-32-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-35-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-36-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-43-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-44-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-42-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-46-0x0000000001D90000-0x0000000001D97000-memory.dmp
memory/1204-45-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-41-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-55-0x0000000077C90000-0x0000000077C92000-memory.dmp
memory/1204-54-0x0000000077B31000-0x0000000077B32000-memory.dmp
memory/1204-53-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-64-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-68-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-40-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-39-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-73-0x0000000140000000-0x0000000140201000-memory.dmp
C:\Users\Admin\AppData\Local\SjOXL6\recdisc.exe
| MD5 | 39480ca0e22ca0a3c3ef6a8c201dada2 |
| SHA1 | 252e3cb7943f85f5ebcce69339f4559e104869e7 |
| SHA256 | 7a9e40a852e8d18abba348205ef447124090a66665966d1886de17600be8512b |
| SHA512 | f23e7f4ffb48c35e197235d9ca08c609773abf8cbc0f6f7e86ce24e3dec21c683185d964f2f4457a0311bfc03c9d37aaa57bddbf2ce3d1d5d37e75d30cb530a4 |
\Users\Admin\AppData\Local\SjOXL6\SPP.dll
| MD5 | 4e1858f5429d893474c080f4afe0580e |
| SHA1 | 5133383349f362e592789a4f60ed7008887988aa |
| SHA256 | ef9db9155a8d2e82507e041fff60483d9e04d66bb7d6db7e9df65c6b152a14cc |
| SHA512 | c3107d53fab1348d6e3c0eadfdb0b6c9f0ebc1ccaa5e08846793caf013c994785ffe70361249d8c3765a59a0fcf684592af0983351ef6a90a0047e20a3eb5f5e |
C:\Users\Admin\AppData\Local\SjOXL6\SPP.dll
| MD5 | cc4c37022382b5bd47762a362bd8d96c |
| SHA1 | d1f9928136355aa5cf52833f117972236aed01af |
| SHA256 | 9022d036535f5ec148f38b185ea804754777c3f904ada7897d70b6c76eed3b00 |
| SHA512 | 81cdbb58662ca0b9c34f6d67dd9af9f821f2a99bfee138f0d5f114c5b8885a797130786d0ed3ca88281dbcb5b6901c7af948038561df6db5d5102989e6b5b35e |
\Users\Admin\AppData\Local\SjOXL6\recdisc.exe
| MD5 | 49c555bd2eb8bc2ece427c27ab9ab4dc |
| SHA1 | dfc221d291361483c323e9f7d9c69543dcc04ad3 |
| SHA256 | b3103acd5565835ce017bbdf9713a1cf424307d97ef1c260310185f38fba05dd |
| SHA512 | 7e056e74376e210db9cd1220f91e3eed4b68288ad104be53ad73a442f3c8991ba5b5eb83db1925e0d57e7f11450744baa475e1e15880d0e274915e627643204e |
memory/2556-83-0x0000000140000000-0x0000000140202000-memory.dmp
memory/2556-82-0x00000000002A0000-0x00000000002A7000-memory.dmp
C:\Users\Admin\AppData\Local\SjOXL6\recdisc.exe
| MD5 | f88653d6bbbc596148df5e4e79d496a1 |
| SHA1 | 8ad3e5a6ab6a4620c905cc980a27558008240ee7 |
| SHA256 | 8c3c7c554e191ceb7503245ae4347a46de8c37c1cef264975b63637709d8aba0 |
| SHA512 | 961c44f7bf27e1f60f08f2e9c936a20ae6993eaab882a88dff3f74ed0ae8a8611356281beaf5d773484eab57f976e364567d521abc678d5ac376d53f79539e11 |
memory/1204-38-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-37-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-34-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-33-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-31-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-30-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-29-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-28-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-26-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-25-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-24-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-23-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-22-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-20-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-19-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-16-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-15-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-14-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-13-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-12-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-11-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-10-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-9-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1820-7-0x0000000140000000-0x0000000140201000-memory.dmp
memory/1204-5-0x0000000002A10000-0x0000000002A11000-memory.dmp
C:\Users\Admin\AppData\Local\QK7w\WINMM.dll
| MD5 | acd6969f6ea474637d5753fe941ac6a8 |
| SHA1 | a3dab61ad414fd9b869b118c647c929c9be17ffa |
| SHA256 | 8ba489a53baf93724f93c9e7aefe8301aeb0ded0956b0cd45c55225dfd999ce1 |
| SHA512 | 73e3c383ae48968fe6169565f1c3c55616d75143bf23ffbb9278a4c90031251c48c323b021aa88a27e6cad0a14f69c9a78222b1b468db8c19cf030cd5bcc4c96 |
memory/2132-100-0x0000000000320000-0x0000000000327000-memory.dmp
C:\Users\Admin\AppData\Local\QK7w\xpsrchvw.exe
| MD5 | 8d84804e51391ac738abe42661e0c92b |
| SHA1 | 4f7a6fe26f0db0b1ddd96c40852ed91385268116 |
| SHA256 | 3876d1657e833d8c7e6ac9327897ff96214f70fec50590f0884f61aece64a4a2 |
| SHA512 | 61efd418044eb2377258692986f83aa247671ebeec598e1003503155bccc88c1d53279cd4c15225ba31886d034ecab53e9f86ccf225d13926bc9aaeccdc79d86 |
\Users\Admin\AppData\Local\QK7w\xpsrchvw.exe
| MD5 | 415e94cdba7e0569c9a981bb00f6217d |
| SHA1 | 66a0ceda8d051af800fb8a73a3a8f89ba71afbd3 |
| SHA256 | 636d4c83907e5343aef0ba85d656bebd295a85a5e7e5842bb495d04bb91afab9 |
| SHA512 | 6590d4f9607d68bc4aecab0022cf092561d0be52933fcdae708f11d9ea64de22bcda7742441a98a25ccc09b994858ea41e1e232b070c51fe69ead899ca9ae2ab |
C:\Users\Admin\AppData\Local\QK7w\xpsrchvw.exe
| MD5 | e8d7434c7be81f2df6ca6026f642ed0b |
| SHA1 | 223078014ba5dc170e7c2133ca796e8b02f3fd07 |
| SHA256 | 9eca0ea757c17b5f8cfc2e29cefce881f20b75c0e95a6576c5c60fbce0e0fc6e |
| SHA512 | e48eb42cd2710dd64afd41e9f79af91b69acf3214a5da88ffa00ae4217e126f18ebf291c5c42b347c688ae640e6c85c9c084e7ed8d91ee501227aa3ded7ae831 |
C:\Users\Admin\AppData\Local\fCw8tnE\wer.dll
| MD5 | 4319d9a431fc96944ec3a3b4368b78f8 |
| SHA1 | d9f2fbb6f5d9b6840fff796ffb18c20b5d3e3814 |
| SHA256 | 7b8bc704d9553fd0f4829495f59ee64fad680c41ed5300aeb2979b4f1c686a2f |
| SHA512 | 543e4b3c102bf0e094fc42c828faff1a772ab26556238d4eba2b566c61989ed100974eed5c4670ab4c11db4faf3ebc7ae63f62d539b864a6e19313b4ad445cac |
C:\Users\Admin\AppData\Local\fCw8tnE\wermgr.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\fCw8tnE\wermgr.exe
| MD5 | 4efd0af574232c2d4b79d2e98a97ed32 |
| SHA1 | 3794d9baaeb1ab5ec7e1db54e821e63e9dc41cd5 |
| SHA256 | 0c5c2cd5a1c2debb1353c5b544b1fb35e4fe989ef95c4a699e69c1bbd5b5b227 |
| SHA512 | eb8f026466e592f1ec3d3ca026c8d060cd5a102706a5dce57e8f461b25e6e305245a6989ce60aeadd916119d7bb0770a70569bbc5a003bdf645f56e510c49068 |
memory/1204-123-0x0000000077A26000-0x0000000077A27000-memory.dmp
\Users\Admin\AppData\Local\fCw8tnE\wer.dll
| MD5 | 41fba43d25eefa239bc9d9db1dabf4e5 |
| SHA1 | 08ad9d621f754d2a11143bee9bcd1773856e768f |
| SHA256 | 971c24380ef6b0d85e84ab83379d1966138c1cc0d1476c7faf35431152aa1f44 |
| SHA512 | 128b420fe75e2f6e228ee607b5500e147d52a716bf8d9a81b7201cbd42f1a65d931e2f823d2323005f017660a165a64a99fc0dbc4765391edb8ad31cdce80a0e |
memory/972-125-0x0000000000080000-0x0000000000087000-memory.dmp
\Users\Admin\AppData\Roaming\Mozilla\Extensions\daC1jcu\wermgr.exe
| MD5 | 41df7355a5a907e2c1d7804ec028965d |
| SHA1 | 453263d230c6317eb4a2eb3aceeec1bbcf5e153d |
| SHA256 | 207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861 |
| SHA512 | 59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk
| MD5 | 75e41b173cf664b48fd9a11167f9adeb |
| SHA1 | 2dfa29b6cff70dd9e2a968adb321eeddf7995e92 |
| SHA256 | 8f8c914a9342f06530760dc713730a22c20229ab8e957676cdf712c70de8dd3c |
| SHA512 | f050a5e5ebdff22babb65f2b1092e93345b714454f49c5120fd659e3d2192bda95346db38b082e170557a7dcd3d023a06c259c1024cf891daa5a13f8dcd060ca |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\ulMG\SPP.dll
| MD5 | a65406ffa4e2c25fdae9e67a5109210f |
| SHA1 | ff471df6fa9898271fd9f8231775bc9c24d8d55f |
| SHA256 | 8e1f86a9fdaa4c1baa265ddddd90e81027c86f7800aecf08e4de19da763f862d |
| SHA512 | 06a13e5bb6b8e174dee2728e2047a50286218b9858f5d4433fac260fb344c8a08254dc33451529a10d346d446480360337a26b6b41b12133f610f368eed44a56 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cBAQsvSR\WINMM.dll
| MD5 | ba07af852d334f2056ce18fd9fd5499e |
| SHA1 | b08538a5d61367ade765a2ef3b82f0baf488e247 |
| SHA256 | 48082c77d74cc1238c806ca2db31b5a9e021659a46b5784a35cb4d167843ab50 |
| SHA512 | 2c9b5e5b32d30d9bb6e6421cc8cd49f8c659f84db2311d1f572830fb4c83d368f518b4743d8a7dcb31e2b290019af06594c574e4dfd16bba652aa2aed39d432a |
C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\daC1jcu\wer.dll
| MD5 | c28c17de9651ecc3e2a88313640729cf |
| SHA1 | 27f8492c771a4c3aceec724465256d6e5d650386 |
| SHA256 | 024e0fef047140923dfe85fe77f794fc386b74d4fd03db9aa843e3da30bb3c9a |
| SHA512 | c6a33f7eead3e7b21187f686b9ddd306c22ec9186e9ca8e8dfda110c1afd3e30bf6d67898926f53c0eb3c344f8da62ea58fff1e0190b8156b3c267b04ead9ba0 |
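The dump names in the Files list above encode the process ID, a capture sequence number and the region bounds. Parsing them makes the structure of this run visible: a ~2 MB region starting exactly at 0x140000000 is dumped from PID 1820 (presumably the initial rundll32.exe; the report does not label PIDs), then repeatedly from PID 1204, then from PID 2556 with a slightly larger size, while the remaining dumps are 0x7000-byte private regions and one- or two-page slices at 0x77xxxxxx in PID 1204. 0x140000000 is the default image base the MSVC linker assigns to 64-bit executables, so a region that begins there inside a process whose own image the OS relocated is the footprint of a manually mapped PE, which is how a loader stage moves between processes without a file on disk. The script below is an added triage helper, not part of the sandbox report; the dump names are copied from the list above (a subset, since PID 1204 repeats the same region dozens of times), and the region labels are heuristics, not the sandbox's classification.

```python
import re
from collections import defaultdict

# Dump names copied from the behavioral1 Files section (subset; 1204 repeats 0x140000000 many times).
DUMP_NAMES = [
    "memory/1820-1-0x0000000000190000-0x0000000000197000-memory.dmp",
    "memory/1820-0-0x0000000140000000-0x0000000140201000-memory.dmp",
    "memory/1204-4-0x0000000077A26000-0x0000000077A27000-memory.dmp",
    "memory/1204-8-0x0000000140000000-0x0000000140201000-memory.dmp",
    "memory/1204-46-0x0000000001D90000-0x0000000001D97000-memory.dmp",
    "memory/1204-55-0x0000000077C90000-0x0000000077C92000-memory.dmp",
    "memory/1204-54-0x0000000077B31000-0x0000000077B32000-memory.dmp",
    "memory/1204-73-0x0000000140000000-0x0000000140201000-memory.dmp",
    "memory/1204-5-0x0000000002A10000-0x0000000002A11000-memory.dmp",
    "memory/2556-83-0x0000000140000000-0x0000000140202000-memory.dmp",
    "memory/2556-82-0x00000000002A0000-0x00000000002A7000-memory.dmp",
    "memory/2132-100-0x0000000000320000-0x0000000000327000-memory.dmp",
    "memory/972-125-0x0000000000080000-0x0000000000087000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Default image base of 64-bit executables linked by MSVC. A region starting exactly here in a
# process whose own image was ASLR-relocated points at a PE mapped by hand, not by the OS loader.
DEFAULT_X64_EXE_BASE = 0x140000000


def parse_dump_name(name):
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into its fields."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """Collapse repeated captures of the same range into one (start, end) region per PID."""
    out = defaultdict(set)
    for n in names:
        r = parse_dump_name(n)
        out[r["pid"]].add((r["start"], r["end"]))
    return {pid: sorted(regs) for pid, regs in out.items()}


def classify_region(start, end):
    """Heuristic label (assumption, not the sandbox's own classification)."""
    size = end - start
    if start == DEFAULT_X64_EXE_BASE and size >= 0x100000:
        return "pe_image_at_default_base"   # the ~2 MB stage that is handed from process to process
    if size <= 0x2000:
        return "page_sized"                 # single pages, here all inside the 0x77xxxxxx system-DLL range
    if size <= 0x10000:
        return "small_region"               # 0x7000-byte private allocations, shellcode-sized
    return "other"


def find_mapped_images(names):
    """(pid, base, size) for every distinct manually mapped image, in first-seen order."""
    seen, found = set(), []
    for n in names:
        r = parse_dump_name(n)
        key = (r["pid"], r["start"])
        if key in seen:
            continue
        seen.add(key)
        if classify_region(r["start"], r["end"]) == "pe_image_at_default_base":
            found.append((r["pid"], r["start"], r["size"]))
    return found


def summarize(names):
    """One line per distinct region, sorted by PID then address."""
    lines = []
    for pid, regs in sorted(regions_by_pid(names).items()):
        for start, end in regs:
            lines.append(f"pid {pid:>5}  {start:#018x}-{end:#018x}  {end - start:#9x}  {classify_region(start, end)}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(DUMP_NAMES)))
    print("mapped images:", [(p, hex(b), hex(s)) for p, b, s in find_mapped_images(DUMP_NAMES)])
```

The image sizes differ by one page between stages (0x201000 in 1820 and 1204, 0x202000 in 2556; behavioral2 shows 0x203000 in 3392), so each hand-off carries a slightly different build of the stage, and the dumps at those addresses are the ones to pull and compare. The page-sized dumps at 0x77xxxxxx in PID 1204 fall where Win7 x64 maps its core system DLLs; diffing those pages against the on-disk module would confirm or rule out inline hooks, which the report itself does not state.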
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-04 20:10
Reported
2024-01-04 20:17
Platform
win10v2004-20231215-en
Max time kernel
24s
Max time network
152s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\vCI\wermgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\vCI\wermgr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fidpgamyc = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\i4Rfkq\\wermgr.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\vCI\wermgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3336 wrote to memory of 2288 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe |
| PID 3336 wrote to memory of 2288 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe |
| PID 3336 wrote to memory of 3632 | N/A | N/A | C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe |
| PID 3336 wrote to memory of 3632 | N/A | N/A | C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe |
| PID 3336 wrote to memory of 2252 | N/A | N/A | C:\Windows\system32\wermgr.exe |
| PID 3336 wrote to memory of 2252 | N/A | N/A | C:\Windows\system32\wermgr.exe |
| PID 3336 wrote to memory of 3392 | N/A | N/A | C:\Users\Admin\AppData\Local\vCI\wermgr.exe |
| PID 3336 wrote to memory of 3392 | N/A | N/A | C:\Users\Admin\AppData\Local\vCI\wermgr.exe |
Uses Task Scheduler COM API
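Two signature tables above carry the most useful indicators of this run: the Run value `Fidpgamyc`, whose target is written in 8.3 short-name form (`MICROS~1`, `STARTM~1`, `ACCESS~1`) so that a plain string match on `Start Menu` or `Accessories` misses it, and the WriteProcessMemory rows, which show PID 3336 writing into both the System32 originals and the AppData copies of MusNotificationUx.exe and wermgr.exe. The script below is an added triage helper, not part of the report. It parses those rows as copied from the tables, expands the short-name directory by matching it against the long-name paths in the Files section (the 8.3 rule approximated as "first six characters after dropping spaces and dots, upper-cased"; the `~N` suffix depends on collisions and is not checked), and reports which dropped files sit next to the autostart target. The set of System32 binary names is limited to the ones this report shows.

```python
import re
from collections import defaultdict

# Rows copied from the behavioral2 signature tables above.
RUN_KEY_ROW = (r'\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft'
               r'\Windows\CurrentVersion\Run\Fidpgamyc = "C:\\Users\\Admin\\AppData\\Roaming'
               r'\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\i4Rfkq\\wermgr.exe"')
WPM_ROWS = [
    ("PID 3336 wrote to memory of 2288", r"C:\Windows\system32\MusNotificationUx.exe"),
    ("PID 3336 wrote to memory of 3632", r"C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe"),
    ("PID 3336 wrote to memory of 2252", r"C:\Windows\system32\wermgr.exe"),
    ("PID 3336 wrote to memory of 3392", r"C:\Users\Admin\AppData\Local\vCI\wermgr.exe"),
]
# Long-name paths from the behavioral2 Files section; the Run target is the 8.3 spelling of one directory.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\i4Rfkq\wer.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\u6UGYkMK\XmlLite.dll",
    r"C:\Users\Admin\AppData\Local\vCI\wermgr.exe",
]
# Names of Windows binaries that belong in System32; limited to those seen in this report.
SYSTEM_BINARIES = {"wermgr.exe", "musnotificationux.exe", "systempropertiesperformance.exe"}

RUN_RE = re.compile(r'\\Run\\(?P<name>[^\\ ]+) = "(?P<value>.*)"$')
WPM_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)")
SHORT_RE = re.compile(r"~\d+$")


def parse_run_value(row):
    """(value name, target path) from a 'Set value (str)' indicator; the report doubles the
    backslashes inside the quoted value, so collapse them."""
    m = RUN_RE.search(row)
    return m["name"], m["value"].replace("\\\\", "\\")


def short_name_matches(short, long):
    """Approximate 8.3 alias check: drop spaces and dots, upper-case, compare six characters."""
    stem = short.split("~", 1)[0]
    return re.sub(r"[ .]", "", long).upper()[:6] == stem


def same_component(maybe_short, long):
    if SHORT_RE.search(maybe_short):
        return short_name_matches(maybe_short, long)
    return maybe_short.lower() == long.lower()


def resolve_short_dir(short_path, candidates):
    """Long-name directory among `candidates` that the 8.3-spelled `short_path` denotes, or None."""
    want = short_path.split("\\")[:-1]
    for c in candidates:
        parts = c.split("\\")[:-1]
        if len(parts) == len(want) and all(same_component(s, l) for s, l in zip(want, parts)):
            return "\\".join(parts)
    return None


def assess_run_key(row, dropped_files):
    name, target = parse_run_value(row)
    parts = target.split("\\")
    exe, directory = parts[-1], "\\".join(parts[:-1])
    flags = []
    if any(SHORT_RE.search(p) for p in parts):
        flags.append("short_names_in_path")            # 8.3 spelling defeats naive path matching
    if target.lower().startswith("c:\\users\\"):
        flags.append("autostart_target_in_user_profile")
    if exe.lower() in SYSTEM_BINARIES and not directory.lower().startswith("c:\\windows\\"):
        flags.append("system_binary_name_outside_windows_dir")
    resolved = resolve_short_dir(target, dropped_files)
    siblings = sorted(f.split("\\")[-1] for f in dropped_files
                      if resolved and f.lower().startswith(resolved.lower() + "\\")
                      and f.split("\\")[-1].lower() != exe.lower())
    return {"value_name": name, "target": target, "resolved_dir": resolved,
            "flags": flags, "siblings": siblings}


def injection_map(rows):
    """writer PID -> {target PID: target image}; the report lists every write twice, dedupe it."""
    out = defaultdict(dict)
    for desc, image in rows:
        m = WPM_RE.search(desc)
        out[int(m["src"])][int(m["dst"])] = image
    return dict(out)


if __name__ == "__main__":
    print(assess_run_key(RUN_KEY_ROW, DROPPED_FILES))
    for src, targets in injection_map(WPM_ROWS).items():
        for dst, image in sorted(targets.items()):
            print(f"{src} -> {dst}  {image}")
```

The resolved directory is the `...\Start Menu\Programs\Accessories\i4Rfkq` folder that holds `wer.dll` in the Files section, so the Run value points at a side-loading pair even though the `wermgr.exe` copy there is not itself listed as a dropped file. Persistence is set twice in this run: this Run value and the `Enpllr.lnk` in the Startup folder (behavioral1 does the same with `Ekhyqsv.lnk` and no Run value), so a cleanup that removes only one leaves the other.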
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fb0650833a45e6b7611fd961af6cc8f.dll,#1
C:\Windows\system32\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Users\Admin\AppData\Local\vCI\wermgr.exe
C:\Users\Admin\AppData\Local\vCI\wermgr.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\Ef206GJD\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\Ef206GJD\SystemPropertiesPerformance.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 14.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
memory/4328-1-0x0000000140000000-0x0000000140201000-memory.dmp
memory/4328-0-0x000002792DC10000-0x000002792DC17000-memory.dmp
memory/3336-4-0x0000000000700000-0x0000000000701000-memory.dmp
memory/3336-6-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-8-0x00007FFCC011A000-0x00007FFCC011B000-memory.dmp
memory/3336-7-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-9-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-10-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-11-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-12-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-13-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-14-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-19-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-20-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-21-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-22-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-23-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-18-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-24-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-26-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-28-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-27-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-25-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-17-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-16-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-15-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-29-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-30-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-32-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-31-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-34-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-35-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-37-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-33-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-36-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-39-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-42-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-44-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-45-0x00000000006B0000-0x00000000006B7000-memory.dmp
memory/3336-43-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-41-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-40-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-38-0x0000000140000000-0x0000000140201000-memory.dmp
memory/4328-52-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-55-0x00007FFCC19C0000-0x00007FFCC19D0000-memory.dmp
memory/3336-53-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-64-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3336-66-0x0000000140000000-0x0000000140201000-memory.dmp
memory/3632-75-0x00000224CEC50000-0x00000224CEC57000-memory.dmp
memory/3632-76-0x0000000140000000-0x0000000140202000-memory.dmp
memory/3632-81-0x0000000140000000-0x0000000140202000-memory.dmp
C:\Users\Admin\AppData\Local\M0QKKqY\XmlLite.dll
| MD5 | ce73339ff37518c0442db849f109546e |
| SHA1 | 2f4fd5a9a8f658e9453aeb792f6c5fdf28c69738 |
| SHA256 | bec4c0e0f0b361bb07b62c0056b607346ec50998c3e55bf39760818524e9b2c0 |
| SHA512 | ab804d0ab718ebc15fea12d870eae6dfa3bdd1b40169b1e0c9bf9da9c2e93bb2af24b5935bd239a5036a91d158389b85cc693692fcb421a4e6df21d4e3a23cf1 |
C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe
| MD5 | 3815a5801797addbeb7b5e4a4b578d6c |
| SHA1 | 1f4298e81ed85be43aaa496b059e3e4b4eafd8a6 |
| SHA256 | e1b5c5ab44701088bc0d1ac389194cad94701d645ff1080f56f94b09a3f488ff |
| SHA512 | e56ed4c94bc544776da0b851b8d518a53c89bbd32be5a20b4b45d8438291a9feb6a6312f5c176a40ccdcd39b7b0a3397113b431d3c3ee4b85c976df70db3c400 |
C:\Users\Admin\AppData\Local\M0QKKqY\XmlLite.dll
| MD5 | 47e65da3d878a6a6f8a3c7ad0842d646 |
| SHA1 | 5191c540a030120da4ff7d5519f216fbb50efea5 |
| SHA256 | cb67e0a7fcbab06254b1c126c6cdd19663c6fff3c799cb91488dadf37f2d3968 |
| SHA512 | 18a2484491f373450fac37ba85ddad98efb14044e4c24433a8eabb0c436e41cf0765f8d5695380b2b95d067646913cf4ceaa987987e071d571ef69e9e557ac7e |
C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe
| MD5 | 7a31787344fb42f3ebb6213234b9163d |
| SHA1 | 0ab871f4730494d46450deb3028c13a7135bcff5 |
| SHA256 | db6a2d66afe8583fa470ad5882a44414c9b2bf528471ad5e36fd4e9d7d1571ca |
| SHA512 | 7ca4844242c0fc20392cb556d6b0b39c243b55d6f2be569a3b7c0abc8feb9de60a7cd7c6176744299e175f3a956e6bc6671b0a2052298ab930998c96800f3fc3 |
memory/3392-92-0x0000013788260000-0x0000013788267000-memory.dmp
memory/3392-93-0x0000000140000000-0x0000000140203000-memory.dmp
C:\Users\Admin\AppData\Local\vCI\wer.dll
| MD5 | 845c1424cd32a09f530d87081dcc9a1a |
| SHA1 | 7277091da04702cc7c6e74ea5fe52590759320cf |
| SHA256 | 1f40236122b6d1ebe103e78f0ceee44c9f523ac8a96eee7b5e3b033cce1707d9 |
| SHA512 | 79015097bf05aa6baf6e946ff524a1770de28939bc810f819a23f73a28740debeeb20d0f84c2533ee2ff89a700914311bcb9aa82002cedfc7cd3cead76bbdc17 |
C:\Users\Admin\AppData\Local\vCI\wermgr.exe
| MD5 | b97eadca12ccce0a2b6a0038d349b037 |
| SHA1 | 8fcfa6c00068c4ba78056d5ece5755b4026b2e41 |
| SHA256 | f0256f61f6ac84ff62379b7c9e92d46a253e2c9a13648df1130f8de8890e4bc7 |
| SHA512 | 72f90170d800ea8959db1a6ebf6d068399ea6f8be66769ac8c599466d2f6e2042f9e189e02cd3b2fee44108fb79425d20f0582955a57f6fe3f26f30025b98358 |
C:\Users\Admin\AppData\Local\vCI\wer.dll
| MD5 | c9d071391a24c522ccc93e48c7179ee2 |
| SHA1 | 57913aa826acac98a97fbdb4feecd7b4f3968b07 |
| SHA256 | 4594710891b1592b89d44016c1b6564a2249f250e502508b349d5adf7d57a010 |
| SHA512 | 9f36a01459df0ac376eb80e91d5bb5be6da7e4d2c0af8c56141e28b1e28a560e72eabccb001070320c079caaa0dbdd41a9b939e7a801bbdf01b3e5e5b41bea72 |
C:\Users\Admin\AppData\Local\vCI\wermgr.exe
| MD5 | 747dd906853c7bd607566832904cbe67 |
| SHA1 | 937269abc6a01141f884d5420b1b1ba7f034c136 |
| SHA256 | 04228d8e6840e924488197cc119a5d16ee83038d282f3a39c8b72f6ad2fb241e |
| SHA512 | 4ed5afd9fb52fadd7e466a02895a95e001dea1ec250ba7c8635639bb428996eb40b54830c09ff9ac3d33dc54fa616a56a1ba355e9714b985d71ac3a7f0765770 |
C:\Users\Admin\AppData\Local\Ef206GJD\SYSDM.CPL
| MD5 | a477ae8e0f5bb5b4f15c201812595047 |
| SHA1 | 90741c4b4cb5f8754413c146366e909c3849e81a |
| SHA256 | 2e116998d458c83c8173409f31160528794568dd5a8d83226f049d73b37461dd |
| SHA512 | 3e787242ed3ea12498d9a55beac12208ba43112b41eb4295b8fb9541f084ddb448bea40552200589fd9b3f895cb3568345a2d7c0cb23b33437273764e1e45132 |
C:\Users\Admin\AppData\Local\Ef206GJD\SYSDM.CPL
| MD5 | dfe51efd96de2a1db9031aad765f4dab |
| SHA1 | 582b53662a0e728b874579f1632f0f03ba7b3469 |
| SHA256 | 3d24c3448460f3d396077fcaaa4bdbee3d1d177215e33db9fd43611a65aee09a |
| SHA512 | 6c0bfc29d9eca574b708f38d42ed48b03b43ed4d8eb57d5194b9e9db742264f2f10b90c444c519968656bdc381e6b34e1e4a700444b961bbdfde0f09c02daf02 |
memory/2816-109-0x000001710CA00000-0x000001710CA07000-memory.dmp
C:\Users\Admin\AppData\Local\Ef206GJD\SystemPropertiesPerformance.exe
| MD5 | f72dcda4b59d9873598d5ad01bf7897b |
| SHA1 | 204858b39b4e5c6a2890e66215bf657ad62267ff |
| SHA256 | 4815331bccda6bef12322595b58ee2061bffa42595597ec5e36f28322dd868ad |
| SHA512 | 8170029208136446ca40905e7a7ecca78045fa124fed2b8e7f8874258a1d0f6bfc9be72e33012cc6d076d03b5d6789249de9dbcbcc1f0bd627cdcb39d54ccb6b |
C:\Users\Admin\AppData\Local\Ef206GJD\SystemPropertiesPerformance.exe
| MD5 | bce579e5b02f2550a17a35639a67ac9c |
| SHA1 | 4e54af9dfa9a2bb5f0dafc05f450d42cc8c32a2a |
| SHA256 | 03417b3faddb6a2757865b6ffcf3fdd55bed95672eaa79ab21bc2df36115dc09 |
| SHA512 | dc142310fa864a231abcaaa6c77e0943fe88aa2696b4928aeaad069a5fec9dd7751d23812a965761419299a80463fd0c6b20bb7477f1c25524d7845142788663 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Enpllr.lnk
| MD5 | cbf527564aa2b481dcdb43abe7a28aeb |
| SHA1 | a8eacbf4f452376e3ceb50a364caad4349720e85 |
| SHA256 | 73cd546213269a6688070b822a88a7c8063c67fe201ae7783435f646edd6b3f6 |
| SHA512 | 22be767c3104f8d5c2d13c33c48d3835f1813a2658df0594fe686a0f5409c5abac4f15e2eb294ce13a6a1741aab1c0f0c35259dcb8af60496ffef95d55938c57 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\u6UGYkMK\XmlLite.dll
| MD5 | 178672f7ca742a6e4fdf2573fbd4cc21 |
| SHA1 | b87da911fef0f4768852574fd100f4fe321a18ba |
| SHA256 | 3497c900bdc9449c9b8e6c00aab0a6d1fa9cb017db3fc37e72c0da4516b67a4d |
| SHA512 | 3274470c3b8885510975018a2d940a0c2ca09ed9b4a6141b6c73cdb372124ce469818704d85a42788178f288c08a039debef70ae13662c35e1e9b9ad17cd9af5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\i4Rfkq\wer.dll
| MD5 | 4e3a069e24e9bb86fa0a8c131bf7c680 |
| SHA1 | c9b480a935894c2f209590e7840f61b95a5ea767 |
| SHA256 | ead29818704e3bf69a74486bd3a797b33505b8cdf6cc1e59b267cdf4f3bf5517 |
| SHA512 | dcca7056c016db4b7aa6e396d75d8c253d6fab23a55bb02aa954658be70f676fee5866c97f6eb4f016370e1a224815078cb94ba97adceb4ebb5c5f2f159346fc |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\4UN60eAaF\SYSDM.CPL
| MD5 | 43dcc32764d35f83ef58bab42e6fac86 |
| SHA1 | 6acbd360149633c0e221af299ae0282cd5b77b4d |
| SHA256 | 2776387a4cc37c228e6cc08a71a56f8e5e2731b743d869fed58d22ddc095afc3 |
| SHA512 | 37c916f3b87970199cda7fabf21e274675bbe0ad3a3aeb720b3a272a70122a2ba9c553295ca3c10340a17e435008f9f2ed11562b73607d00eb1612215ffcfde2 |
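Across both behavioral runs the Files sections show the same staging pattern: a randomly named directory under the user profile receives a copy of a Windows System32 executable (recdisc.exe, xpsrchvw.exe, wermgr.exe, MusNotificationUx.exe, SystemPropertiesPerformance.exe) next to a module carrying the name of a system DLL or CPL (SPP.dll, WINMM.dll, wer.dll, XmlLite.dll, SYSDM.CPL), and the Processes lists show the System32 original being started and then the copy. Several Roaming directories hold only the module, and one capture of `fCw8tnE\wermgr.exe` has MD5 `d41d8cd98f00b204e9800998ecf8427e` / SHA256 `e3b0c442...`, which are the digests of an empty file: the sandbox hashed it before the content was written, so that hash pair is not an indicator of anything. The script below is an added detector for this staging pattern and is not part of the report; the (path, SHA256) pairs are copied from the Files sections of both runs (one hash per path except where the empty capture matters), paths without a drive letter are assumed to be on C:, and the two name sets are limited to what this report shows rather than a full System32 listing, which is what a production version would use. Which import each executable resolves to its neighbouring module has to be confirmed from the binary's import table; the report only shows the pairing.

```python
import hashlib
from collections import defaultdict

# SHA-256 of zero bytes: a dropped-file record with this digest was captured before it was written.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# (path, sha256) copied from the Files sections of behavioral1 and behavioral2 above.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\SjOXL6\recdisc.exe", "7a9e40a852e8d18abba348205ef447124090a66665966d1886de17600be8512b"),
    (r"\Users\Admin\AppData\Local\SjOXL6\SPP.dll", "ef9db9155a8d2e82507e041fff60483d9e04d66bb7d6db7e9df65c6b152a14cc"),
    (r"C:\Users\Admin\AppData\Local\QK7w\WINMM.dll", "8ba489a53baf93724f93c9e7aefe8301aeb0ded0956b0cd45c55225dfd999ce1"),
    (r"C:\Users\Admin\AppData\Local\QK7w\xpsrchvw.exe", "3876d1657e833d8c7e6ac9327897ff96214f70fec50590f0884f61aece64a4a2"),
    (r"C:\Users\Admin\AppData\Local\fCw8tnE\wer.dll", "7b8bc704d9553fd0f4829495f59ee64fad680c41ed5300aeb2979b4f1c686a2f"),
    (r"C:\Users\Admin\AppData\Local\fCw8tnE\wermgr.exe", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (r"\Users\Admin\AppData\Local\fCw8tnE\wermgr.exe", "0c5c2cd5a1c2debb1353c5b544b1fb35e4fe989ef95c4a699e69c1bbd5b5b227"),
    (r"\Users\Admin\AppData\Roaming\Mozilla\Extensions\daC1jcu\wermgr.exe", "207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861"),
    (r"C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\daC1jcu\wer.dll", "024e0fef047140923dfe85fe77f794fc386b74d4fd03db9aa843e3da30bb3c9a"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\ulMG\SPP.dll", "8e1f86a9fdaa4c1baa265ddddd90e81027c86f7800aecf08e4de19da763f862d"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cBAQsvSR\WINMM.dll", "48082c77d74cc1238c806ca2db31b5a9e021659a46b5784a35cb4d167843ab50"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk", "8f8c914a9342f06530760dc713730a22c20229ab8e957676cdf712c70de8dd3c"),
    (r"C:\Users\Admin\AppData\Local\M0QKKqY\XmlLite.dll", "bec4c0e0f0b361bb07b62c0056b607346ec50998c3e55bf39760818524e9b2c0"),
    (r"C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe", "e1b5c5ab44701088bc0d1ac389194cad94701d645ff1080f56f94b09a3f488ff"),
    (r"C:\Users\Admin\AppData\Local\vCI\wer.dll", "1f40236122b6d1ebe103e78f0ceee44c9f523ac8a96eee7b5e3b033cce1707d9"),
    (r"C:\Users\Admin\AppData\Local\vCI\wermgr.exe", "f0256f61f6ac84ff62379b7c9e92d46a253e2c9a13648df1130f8de8890e4bc7"),
    (r"C:\Users\Admin\AppData\Local\Ef206GJD\SYSDM.CPL", "2e116998d458c83c8173409f31160528794568dd5a8d83226f049d73b37461dd"),
    (r"C:\Users\Admin\AppData\Local\Ef206GJD\SystemPropertiesPerformance.exe", "4815331bccda6bef12322595b58ee2061bffa42595597ec5e36f28322dd868ad"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Enpllr.lnk", "73cd546213269a6688070b822a88a7c8063c67fe201ae7783435f646edd6b3f6"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\u6UGYkMK\XmlLite.dll", "3497c900bdc9449c9b8e6c00aab0a6d1fa9cb017db3fc37e72c0da4516b67a4d"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\i4Rfkq\wer.dll", "ead29818704e3bf69a74486bd3a797b33505b8cdf6cc1e59b267cdf4f3bf5517"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\4UN60eAaF\SYSDM.CPL", "2776387a4cc37c228e6cc08a71a56f8e5e2731b743d869fed58d22ddc095afc3"),
]

# Executables that belong in System32 and module names that belong in System32 (this report's set only;
# a real deployment would take both from a listing of the reference System32 directory).
SYSTEM_EXE_NAMES = {"recdisc.exe", "xpsrchvw.exe", "wermgr.exe", "musnotificationux.exe",
                    "systempropertiesperformance.exe"}
SYSTEM_MODULE_NAMES = {"spp.dll", "winmm.dll", "wer.dll", "xmllite.dll", "sysdm.cpl"}


def normalize(path):
    """Lower-case and prefix the drive the report sometimes omits (assumed to be C:)."""
    p = path.lower()
    return "c:" + p if p.startswith("\\") else p


def find_side_load_staging(dropped):
    """One finding per user-writable directory that holds a System32 executable copy, a module with
    a System32 name, or both. 'pair' is a ready side-load; 'module_only' means the executable copy
    was not captured in this run (it may be started from a short-name path, as the Run value is)."""
    by_dir = defaultdict(list)
    for path, sha in dropped:
        d, _, name = normalize(path).rpartition("\\")
        by_dir[d].append((name, sha))
    findings = []
    for d in sorted(by_dir):
        if not d.startswith("c:\\users\\"):
            continue
        names = [n for n, _ in by_dir[d]]
        exes = sorted({n for n in names if n in SYSTEM_EXE_NAMES})
        mods = sorted({n for n in names if n in SYSTEM_MODULE_NAMES})
        if not exes and not mods:
            continue
        empty = sorted({n for n, s in by_dir[d] if s == EMPTY_SHA256})
        status = "pair" if exes and mods else ("module_only" if mods else "exe_only")
        findings.append({"dir": d, "exes": exes, "modules": mods, "status": status, "empty_captures": empty})
    return findings


def summary(findings):
    counts = defaultdict(int)
    for f in findings:
        counts[f["status"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in find_side_load_staging(DROPPED):
        print(f'{f["status"]:12} {f["dir"]}  exe={f["exes"]} modules={f["modules"]} empty={f["empty_captures"]}')
    print(summary(find_side_load_staging(DROPPED)))
```

On this report the detector returns seven complete pairs and five module-only directories, all under AppData, and flags the empty capture of `fCw8tnE\wermgr.exe` so that its digest is not exported as an IOC. The same logic applied to endpoint telemetry (file-create events joined on directory) catches the pattern independently of the random directory names, which change per infection and are useless as indicators on their own.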