Malware Analysis Report

2024-11-30 21:28

Sample ID 240106-qy11xaagd8
Target 465f8dd473fe81d9637997dbed1f2c72
SHA256 080236eb8dc3c63a652f93615636206544f11faa255996bee018fc2c85576dd4
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

080236eb8dc3c63a652f93615636206544f11faa255996bee018fc2c85576dd4

Threat Level: Known bad

The file 465f8dd473fe81d9637997dbed1f2c72 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex payload

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-06 13:40

Signatures

Unsigned PE (no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-06 13:40

Reported

2024-01-06 13:43

Platform

win7-20231129-en

Max time kernel

149s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\465f8dd473fe81d9637997dbed1f2c72.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
1 match; the sandbox recorded no description, indicator, process or target for it.

Dridex payload

botnet payload
11 matches; the sandbox recorded no description, indicator, process or target for them.

Loads dropped DLL

7 hits. The loading process was recorded for three of them, each named after a System32 binary but running from a directory under %LOCALAPPDATA%:
C:\Users\Admin\AppData\Local\dvPj\mfpmp.exe
C:\Users\Admin\AppData\Local\15VDeC7j7\recdisc.exe
C:\Users\Admin\AppData\Local\5CeDx\SystemPropertiesRemote.exe

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\LwbDUA\\recdisc.exe" N/A N/A

The autostart target is a recdisc.exe placed under the user's Recent\AutomaticDestinations folder. The Files section below records a ReAgent.dll written to the same LwbDUA directory, and a Startup-folder shortcut (Dbyxyty.lnk) is dropped as well.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\15VDeC7j7\recdisc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\5CeDx\SystemPropertiesRemote.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\dvPj\mfpmp.exe N/A

Suspicious behavior: EnumeratesProcesses

64 hits: C:\Windows\system32\rundll32.exe (3), C:\Users\Admin\AppData\Local\dvPj\mfpmp.exe (2), process not recorded (59). No description, indicator or target was recorded for any of them.

Suspicious use of WriteProcessMemory

Source PID Target PID Target image Writes
1368 2864 C:\Windows\system32\mfpmp.exe 3
1368 2600 C:\Users\Admin\AppData\Local\dvPj\mfpmp.exe 3
1368 2492 C:\Windows\system32\recdisc.exe 3
1368 2560 C:\Users\Admin\AppData\Local\15VDeC7j7\recdisc.exe 3
1368 2788 C:\Windows\system32\SystemPropertiesRemote.exe 3
1368 1916 C:\Users\Admin\AppData\Local\5CeDx\SystemPropertiesRemote.exe 3

All writes come from a single process, PID 1368, and go to pairs of processes that share a name: the System32 binary and a same-named executable under %LOCALAPPDATA%. The report does not name the image behind PID 1368; the memory dumps below show a 0xAC000-byte image mapped at 0x0000000140000000 in that process, the same size as the region mapped at 0x000007FEF67F0000 in PID 3020.

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\465f8dd473fe81d9637997dbed1f2c72.dll,#1
C:\Users\Admin\AppData\Local\dvPj\mfpmp.exe
C:\Windows\system32\mfpmp.exe
C:\Windows\system32\recdisc.exe
C:\Users\Admin\AppData\Local\15VDeC7j7\recdisc.exe
C:\Users\Admin\AppData\Local\5CeDx\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe

(For every process except rundll32.exe the recorded command line is the image path alone.)

Network

No network traffic recorded.

Files

memory/3020-1-0x000007FEF67F0000-0x000007FEF689C000-memory.dmp

memory/3020-0-0x0000000001D80000-0x0000000001D87000-memory.dmp

memory/1368-3-0x0000000076FD6000-0x0000000076FD7000-memory.dmp

memory/1368-4-0x0000000002920000-0x0000000002921000-memory.dmp

memory/1368-12-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/1368-11-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/1368-15-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/1368-24-0x0000000077270000-0x0000000077272000-memory.dmp

memory/1368-23-0x0000000077240000-0x0000000077242000-memory.dmp

memory/1368-22-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/1368-14-0x0000000002900000-0x0000000002907000-memory.dmp

memory/1368-13-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/1368-10-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/1368-9-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/1368-8-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/1368-7-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/1368-6-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/1368-33-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/3020-39-0x000007FEF67F0000-0x000007FEF689C000-memory.dmp

memory/1368-35-0x0000000140000000-0x00000001400AC000-memory.dmp

\Users\Admin\AppData\Local\dvPj\MFPlat.DLL

MD5 7d99740b41faf8bd8a19798747200ec4
SHA1 a2f7b31f8185a4c31f937e4761e7c822fce61b15
SHA256 787907cb558f6f29f6e6bc782a70b4bb08a64e19d91f96057e6a8c3f658843bd
SHA512 e63bbfa0ad17c5f0dcf00821b0c2b3fe1a622ac8beadccc95785e7b0e3ecc989141064775b6dda2a000e7586ccc466de22e62ed4f50f861a458a9bf6de7432be
(The same path is captured again below with different digests; the file's content changed between the two captures, so both SHA256 values are valid indicators of this drop.)

memory/2600-52-0x0000000000180000-0x0000000000187000-memory.dmp

memory/2600-55-0x000007FEF68A0000-0x000007FEF694E000-memory.dmp

C:\Users\Admin\AppData\Local\dvPj\mfpmp.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These are the digests of a zero-byte file: the sandbox hashed mfpmp.exe before anything had been written to it. Do not use them as indicators; the populated copy is recorded further down.)

memory/2600-50-0x000007FEF68A0000-0x000007FEF694E000-memory.dmp

C:\Users\Admin\AppData\Local\dvPj\MFPlat.DLL

MD5 7690f4f5db28f10d5e2a31465e3e9fea
SHA1 12dc2c7b7e15748d4de7125ca8f2a669f3973886
SHA256 89dab5aaaf5921b209d63ca0bda2282c419c74017952fcaa640afbd2735a6a9d
SHA512 3403931e76b495b6277a5b49f3c105bd7ce6a878ca28659095135e776e98ef5405a0dbfbdc23c4a54083464ba37da161dda4ce625fcea6667f60f87358b16189

C:\Users\Admin\AppData\Local\dvPj\mfpmp.exe

MD5 2d8600b94de72a9d771cbb56b9f9c331
SHA1 a0e2ac409159546183aa45875497844c4adb5aac
SHA256 7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185
SHA512 3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

\Users\Admin\AppData\Local\15VDeC7j7\ReAgent.dll

MD5 34163046242808ca0639b73a0a93b985
SHA1 8fcdfef18865a5d8736e7a9bedf64f610a2e4771
SHA256 e363b403afc7c5af24575fe304c49f29ed1298b878cde448d0863bd3d8735d96
SHA512 1785bea9390e766c9867cc040f9baa2bb89b196ce84e32bfd803de9707a84b41312c39d05a4da4f6007e9216df8cb4fe26e0e16f088cc19e752835f56f6f9b47

memory/2560-72-0x000007FEF61A0000-0x000007FEF624D000-memory.dmp

memory/2560-70-0x0000000000100000-0x0000000000107000-memory.dmp

memory/1368-69-0x0000000076FD6000-0x0000000076FD7000-memory.dmp

memory/2560-67-0x000007FEF61A0000-0x000007FEF624D000-memory.dmp

C:\Users\Admin\AppData\Local\15VDeC7j7\recdisc.exe

MD5 f3b306179f1840c0813dc6771b018358
SHA1 dec7ce3c13f7a684cb52ae6007c99cf03afef005
SHA256 dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0
SHA512 9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

\Users\Admin\AppData\Local\5CeDx\SystemPropertiesRemote.exe

MD5 d0d7ac869aa4e179da2cc333f0440d71
SHA1 e7b9a58f5bfc1ec321f015641a60978c0c683894
SHA256 5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a
SHA512 1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

memory/1916-91-0x000007FEF61A0000-0x000007FEF624D000-memory.dmp

memory/1916-89-0x0000000000090000-0x0000000000097000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk

MD5 d5b83a584b1e4083303c6871ec513dfc
SHA1 c8899ea33decc2da57d3fd3a013d59e8b0e3f587
SHA256 4bb8d290543667159b6242a8f1616c3e500d89ce1c6fec98fc084cf43a8f2ca9
SHA512 7b70cf08e337de31ba0546b211d6f698a6877a9aebd81ac9a9a8cb851c0eb7773490730fa209ddaf760699d0b27cb91c2634f4ff2f67d81b5abf79141554a3a2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\LwbDUA\ReAgent.dll

MD5 b598fdeec72523e90270871a87238f88
SHA1 d7dbbc87fdc49c8bf1d4c7262cde434821b7d64b
SHA256 b606ad098efa89041c97a4061ab8c87acd1262dc79774e625b9c9ab4c0afaedc
SHA512 00aaec79f9597cdfb1e1c4ab5b32e9ce5312d4f6a3a8b33d298988848b2865e5fa40b267357dcb786afdd00a5cc19593db45e0c84e0e27a47ad1b25dc077d19f

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\BzFpz\SYSDM.CPL

MD5 01f00eca96d11527adf5adb96b6ca6d9
SHA1 6667e0216142fcca30b7408553141c8b2bd5a89a
SHA256 4355bfbe2e752a1a451404120d4fc101de28fd501a56dc2d1eacfc1bccf321eb
SHA512 21149a1c331987797f362e5e6164ead30c0b82aeea19e2026428a230c763f1eae6232c4d1e1d65995e29158dfaaeea23deb6ef04917f918ead4ada0b55db74b6

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-06 13:40

Reported

2024-01-06 13:43

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\465f8dd473fe81d9637997dbed1f2c72.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
1 match; the sandbox recorded no description, indicator, process or target for it.

Dridex payload

botnet payload
11 matches; the sandbox recorded no description, indicator, process or target for them.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\OXdW62\\msdt.exe" N/A N/A

The autostart target is an msdt.exe placed under the user's Mozilla\Extensions folder. The Files section below records a UxTheme.dll written to the same OXdW62 directory, and a Startup-folder shortcut (Psfjn.lnk) is dropped as well.
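Reading the two Run-key indicators (this one and the win7 one under behavioral1) by hand is error-prone: the sandbox doubles the backslashes inside the quoted data and puts the value name at the end of the key path. The Python below is an added example, not part of the sandbox report. It parses both lines, unescapes the target path, and flags an entry when the target sits in a user-writable directory or borrows the name of a System32 binary. The SYSTEM32_NAMES set is an assumption taken from this report's own process lists; on a live host it should come from a clean System32 listing.

```python
import re
from typing import NamedTuple, Optional

# Added example, not part of the sandbox report. The two indicator lines are
# copied from the "Adds Run key to start application" tables of behavioral1
# (win7) and behavioral2 (win10); the parsing and scoring logic is mine.
RUN_KEY_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\LwbDUA\\recdisc.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\OXdW62\\msdt.exe"',
]

# Assumption: names this report shows both under C:\Windows\system32\ and
# under a user-writable directory. On a live host derive the set from a
# clean System32 listing instead of hard-coding it.
SYSTEM32_NAMES = {
    "mfpmp.exe", "recdisc.exe", "systempropertiesremote.exe",
    "proximityuxhost.exe", "msdt.exe", "tcmsetup.exe",
}

# Locations from which an autostart executable is ordinarily expected.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_PROFILE_PREFIX = "c:\\users\\"


class RunKeyEntry(NamedTuple):
    hive: str            # "USER" (HKU) or "MACHINE" (HKLM)
    sid: Optional[str]   # account SID for HKU entries, None otherwise
    key: str             # key path without the value name
    value_name: str      # e.g. "Mjgqrtoi"
    target: str          # unescaped path stored in the value


def parse_run_key(line: str) -> RunKeyEntry:
    """Parse one 'Set value (str) <key>\\<name> = "<data>"' indicator line."""
    prefix = "Set value (str) "
    if not line.startswith(prefix):
        raise ValueError(f"not a string Set value indicator: {line!r}")
    key_path, sep, raw_data = line[len(prefix):].partition(" = ")
    if not sep:
        raise ValueError(f"indicator has no '= <data>' part: {line!r}")
    key, _, value_name = key_path.rpartition("\\")
    hive = key.split("\\")[2].upper()              # \REGISTRY\<hive>\...
    sid = re.search(r"S-1-5-21-[\d-]+", key)
    # The sandbox doubles backslashes inside the quoted data; undo that.
    target = raw_data.strip('"').replace("\\\\", "\\")
    return RunKeyEntry(hive, sid.group(0) if sid else None, key, value_name, target)


def assess(entry: RunKeyEntry) -> list[str]:
    """Return the reasons an autostart entry deserves attention (empty = none)."""
    path = entry.target.lower()
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if not path.startswith(TRUSTED_PREFIXES):
        reasons.append("target outside Windows and Program Files")
    if path.startswith(USER_PROFILE_PREFIX):
        reasons.append("target lives in a user-writable profile directory")
    if name in SYSTEM32_NAMES:
        reasons.append(f"{name} borrows the name of a System32 binary")
    return reasons


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each Run value name to the reasons it was flagged."""
    return {e.value_name: assess(e) for e in map(parse_run_key, lines)}


if __name__ == "__main__":
    for line in RUN_KEY_LINES:
        e = parse_run_key(line)
        print(f"HK{e.hive[0]} {e.sid} Run\\{e.value_name} -> {e.target}")
        for reason in assess(e):
            print("   !", reason)
```

Both entries come back with all three reasons. The path-based checks are deliberately conservative: a legitimate per-user installer can also write a Run value pointing into AppData, so the System32-name collision is the signal that separates these two entries from ordinary user software.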

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\afeVAIIn\ProximityUxHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\z02x1Dl\msdt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\6XPsW\tcmsetup.exe N/A

Suspicious behavior: EnumeratesProcesses

64 hits: C:\Windows\system32\rundll32.exe (6), process not recorded (58). No description, indicator or target was recorded for any of them.

Suspicious use of UnmapMainImage

1 hit; the sandbox recorded no description, indicator, process or target for it.

Suspicious use of WriteProcessMemory

Source PID Target PID Target image Writes
3396 5108 C:\Windows\system32\ProximityUxHost.exe 2
3396 1872 C:\Users\Admin\AppData\Local\afeVAIIn\ProximityUxHost.exe 2
3396 4600 C:\Windows\system32\msdt.exe 2
3396 2840 C:\Users\Admin\AppData\Local\z02x1Dl\msdt.exe 2
3396 2900 C:\Windows\system32\tcmsetup.exe 2
3396 2220 C:\Users\Admin\AppData\Local\6XPsW\tcmsetup.exe 2

As in behavioral1, all writes come from a single process, here PID 3396, and target pairs of same-named processes: the System32 binary and a same-named executable under %LOCALAPPDATA%. The report does not name the image behind PID 3396; the memory dumps below show a 0xAC000-byte image mapped at 0x0000000140000000 in that process and a region of the same size at 0x00007FFED40E0000 in PID 1508.

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\465f8dd473fe81d9637997dbed1f2c72.dll,#1
C:\Users\Admin\AppData\Local\afeVAIIn\ProximityUxHost.exe
C:\Windows\system32\ProximityUxHost.exe
C:\Users\Admin\AppData\Local\z02x1Dl\msdt.exe
C:\Windows\system32\msdt.exe
C:\Users\Admin\AppData\Local\6XPsW\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe

(For every process except rundll32.exe the recorded command line is the image path alone.)
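The WriteProcessMemory tables and the Files sections of both detonations together describe the side-loading layout: one source PID writes into pairs of same-named processes, and loadable modules are dropped beside the copies that run outside System32. The script below is an added example, not from the report or the sandbox vendor. It reconstructs those pairings from the report's own rows; the rows and paths are copied from above, the classification logic is mine, and treating a same-named executable outside System32 as a side-load host is the assumption the pairing is meant to test, so an empty module list means the report simply recorded no module in that directory.

```python
import re
from collections import Counter
from typing import NamedTuple

# Added example, not part of the sandbox report. WPM_ROWS holds one row per
# source/target pair from the two "Suspicious use of WriteProcessMemory"
# tables (the report repeats each write two or three times); DROPPED_FILES
# and AUTOSTART_TARGETS are copied from the Files sections and Run keys.
WPM_ROWS = [
    # behavioral1 (win7)
    r"PID 1368 wrote to memory of 2864 N/A N/A C:\Windows\system32\mfpmp.exe",
    r"PID 1368 wrote to memory of 2600 N/A N/A C:\Users\Admin\AppData\Local\dvPj\mfpmp.exe",
    r"PID 1368 wrote to memory of 2492 N/A N/A C:\Windows\system32\recdisc.exe",
    r"PID 1368 wrote to memory of 2560 N/A N/A C:\Users\Admin\AppData\Local\15VDeC7j7\recdisc.exe",
    r"PID 1368 wrote to memory of 2788 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe",
    r"PID 1368 wrote to memory of 1916 N/A N/A C:\Users\Admin\AppData\Local\5CeDx\SystemPropertiesRemote.exe",
    # behavioral2 (win10)
    r"PID 3396 wrote to memory of 5108 N/A N/A C:\Windows\system32\ProximityUxHost.exe",
    r"PID 3396 wrote to memory of 1872 N/A N/A C:\Users\Admin\AppData\Local\afeVAIIn\ProximityUxHost.exe",
    r"PID 3396 wrote to memory of 4600 N/A N/A C:\Windows\system32\msdt.exe",
    r"PID 3396 wrote to memory of 2840 N/A N/A C:\Users\Admin\AppData\Local\z02x1Dl\msdt.exe",
    r"PID 3396 wrote to memory of 2900 N/A N/A C:\Windows\system32\tcmsetup.exe",
    r"PID 3396 wrote to memory of 2220 N/A N/A C:\Users\Admin\AppData\Local\6XPsW\tcmsetup.exe",
]

DROPPED_FILES = [
    r"\Users\Admin\AppData\Local\dvPj\MFPlat.DLL",
    r"C:\Users\Admin\AppData\Local\dvPj\mfpmp.exe",
    r"\Users\Admin\AppData\Local\15VDeC7j7\ReAgent.dll",
    r"C:\Users\Admin\AppData\Local\15VDeC7j7\recdisc.exe",
    r"\Users\Admin\AppData\Local\5CeDx\SystemPropertiesRemote.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\LwbDUA\ReAgent.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\BzFpz\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Proof\ESyNMZL1\WINMM.dll",
    r"C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\OXdW62\UxTheme.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CloudStore\Wd0I6\TAPI32.dll",
]

AUTOSTART_TARGETS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\LwbDUA\recdisc.exe",
    r"C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\OXdW62\msdt.exe",
]

LOADABLE_EXT = (".dll", ".cpl", ".ocx")   # module types a side-load host would pick up
SYSTEM32 = "\\windows\\system32"


class Write(NamedTuple):
    src_pid: int
    dst_pid: int
    image: str


_WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A N/A (.+)$")


def parse_wpm(row: str) -> Write:
    m = _WPM_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised WriteProcessMemory row: {row!r}")
    return Write(int(m[1]), int(m[2]), m[3])


def norm(path: str) -> str:
    """Lower-case and drop the drive letter so '\\Users\\..' and 'C:\\Users\\..' compare equal."""
    p = path.lower()
    return p[2:] if len(p) > 1 and p[1] == ":" else p


def dirname(p: str) -> str:
    return p.rsplit("\\", 1)[0]


def basename(p: str) -> str:
    return p.rsplit("\\", 1)[-1]


def modules_next_to(exe: str, dropped) -> list[str]:
    """Loadable modules dropped in the same directory as exe."""
    d = dirname(norm(exe))
    return sorted(basename(f) for f in dropped
                  if norm(f).endswith(LOADABLE_EXT) and dirname(norm(f)) == d)


def find_side_loads(writes, dropped) -> list[tuple[str, list[str]]]:
    """For each injected process that carries a System32 binary's name but runs
    from elsewhere, list the modules dropped beside it ([] = none recorded)."""
    system32_names = {basename(norm(w.image)) for w in writes if dirname(norm(w.image)) == SYSTEM32}
    out = []
    for w in writes:
        img = norm(w.image)
        if dirname(img) != SYSTEM32 and basename(img) in system32_names:
            out.append((w.image, modules_next_to(w.image, dropped)))
    return out


def injectors(writes) -> Counter:
    """Number of distinct target processes each source PID wrote into."""
    return Counter({src: len({w.dst_pid for w in writes if w.src_pid == src})
                    for src in {w.src_pid for w in writes}})


if __name__ == "__main__":
    writes = [parse_wpm(r) for r in WPM_ROWS]
    print("injectors:", dict(injectors(writes)))
    for exe, mods in find_side_loads(writes, DROPPED_FILES):
        print(f"{exe}  <- {', '.join(mods) or '(no module recorded)'}")
    for exe in AUTOSTART_TARGETS:
        print(f"[autostart] {exe}  <- {', '.join(modules_next_to(exe, DROPPED_FILES)) or '(none)'}")
```

Run against the report, the win7 runtime copies of mfpmp.exe and recdisc.exe pair with MFPlat.DLL and ReAgent.dll, the two Run-key targets pair with ReAgent.dll and UxTheme.dll, and the remaining hosts (SystemPropertiesRemote.exe, ProximityUxHost.exe, msdt.exe and tcmsetup.exe under %LOCALAPPDATA%) come back with no module recorded in their directory, which is a gap in the capture rather than evidence that nothing was loaded.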

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

All UDP rows are DNS to 8.8.8.8: fifteen reverse (PTR) lookups and one forward lookup for tse1.mm.bing.net, followed by five TCP/443 connections to 204.79.197.200. The only flow without a resolved name is TCP/80 to 52.142.223.178 (NL). The report does not tie any flow to a specific process and identifies no Dridex command-and-control traffic in either detonation; compare these against a clean-host baseline capture before treating any of them as an indicator.
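The table is easier to reason about once the in-addr.arpa names are turned back into addresses and the flows are split into reverse lookups, forward lookups and connections that never had a name resolved in the capture. The Python below is an added example, not part of the report: the rows are copied from the table above, the classification is mine, and it says nothing about which process produced each flow because the report does not record that.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple, Optional

# Added example, not part of the sandbox report. NETWORK_ROWS is the
# behavioral2 Network table above, copied verbatim.
NETWORK_ROWS = """
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
""".strip().splitlines()


class Flow(NamedTuple):
    country: str
    dest: str              # "ip:port"
    domain: Optional[str]  # None when the table has no name for the flow
    proto: str


def parse_flow(line: str) -> Flow:
    """A row has four columns, or three when the Domain column is empty."""
    parts = line.split()
    if len(parts) == 4:
        return Flow(parts[0], parts[1], parts[2], parts[3])
    if len(parts) == 3:
        return Flow(parts[0], parts[1], None, parts[2])
    raise ValueError(f"unexpected network row: {line!r}")


def ptr_to_ip(name: str) -> str:
    """'17.160.190.20.in-addr.arpa' -> '20.190.160.17' (PTR names store the octets reversed)."""
    octets = name.lower().removesuffix(".in-addr.arpa").split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 PTR name: {name!r}")
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def summarize(rows) -> dict:
    ptr_ips, queries, conns = set(), [], Counter()
    for f in map(parse_flow, rows):
        if f.proto == "udp" and f.dest.endswith(":53"):
            if f.domain and f.domain.lower().endswith(".in-addr.arpa"):
                ptr_ips.add(ptr_to_ip(f.domain))
            else:
                queries.append(f.domain)
        else:
            conns[(f.dest, f.domain or "")] += 1
    return {
        "ptr_ips": sorted(ptr_ips, key=ipaddress.IPv4Address),
        "dns_queries": queries,
        "connections": conns,
        "unnamed_connections": sorted(d for d, n in conns if not n),
    }


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    print(f"{len(s['ptr_ips'])} reverse lookups:", ", ".join(s["ptr_ips"]))
    print("forward queries:", s["dns_queries"])
    for (dest, name), n in s["connections"].items():
        print(f"{dest:22} {name or '(no name resolved in capture)':32} x{n}")
    print("connections with no name:", s["unnamed_connections"])
```

The one cross-check worth noting: the last PTR row, 200.197.79.204.in-addr.arpa, is the reverse lookup of 204.79.197.200, the address the five TCP/443 connections went to, so the PTR list tells you which addresses the host talked to or was about to talk to even where no TCP row was captured.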

Files

memory/1508-0-0x00007FFED40E0000-0x00007FFED418C000-memory.dmp

memory/1508-2-0x000001D885520000-0x000001D885527000-memory.dmp

memory/3396-4-0x00007FFEE197A000-0x00007FFEE197B000-memory.dmp

memory/3396-14-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/3396-16-0x0000000000F50000-0x0000000000F57000-memory.dmp

memory/3396-24-0x00007FFEE27D0000-0x00007FFEE27E0000-memory.dmp

memory/3396-33-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/3396-23-0x00007FFEE27E0000-0x00007FFEE27F0000-memory.dmp

memory/3396-22-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/3396-13-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/3396-12-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/3396-11-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/3396-10-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/3396-9-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/3396-8-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/3396-7-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/3396-6-0x0000000140000000-0x00000001400AC000-memory.dmp

memory/3396-3-0x0000000000F90000-0x0000000000F91000-memory.dmp

memory/1508-36-0x00007FFED40E0000-0x00007FFED418C000-memory.dmp

memory/1872-43-0x00007FFEC3D40000-0x00007FFEC3DEE000-memory.dmp

memory/1872-48-0x00007FFEC3D40000-0x00007FFEC3DEE000-memory.dmp

memory/1872-45-0x00000200F2A70000-0x00000200F2A77000-memory.dmp

memory/2840-64-0x00007FFEC3CA0000-0x00007FFEC3D4D000-memory.dmp

memory/2840-59-0x00000203110F0000-0x00000203110F7000-memory.dmp

memory/2840-60-0x00007FFEC3CA0000-0x00007FFEC3D4D000-memory.dmp

memory/2220-80-0x00007FFEC3D90000-0x00007FFEC3E3E000-memory.dmp

memory/2220-75-0x0000018593FB0000-0x0000018593FB7000-memory.dmp

memory/2220-76-0x00007FFEC3D90000-0x00007FFEC3E3E000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

MD5 f64f66cce537e022c908579d7ad34e7b
SHA1 d4ece463c654574b361a56bdf3d3fa0c6e80da53
SHA256 f0f547d55375bfa055f2dee75cd2871d4faa76b8d69691184aec1a252682d7e4
SHA512 a2eee9a306101371373901e55d9fdc41ae61278f658454805c3ea5a1e6ee07b5dba93dcaaab42525286e0bf74ed1deed0f701ee4619aa2c9d1d4f0b3cb43021a

C:\Users\Admin\AppData\Roaming\Microsoft\Proof\ESyNMZL1\WINMM.dll

MD5 d9d0961cde279dc434e1bc1b4c20cfad
SHA1 d61dbe97c2988e077f1457935a5aa5b4f7f82269
SHA256 4b8af8ba2335fd90478388afc3452af4f5c5cda9cdc09a03186d4da824cf0cc6
SHA512 1104dba2ef9a0fd7e3b0cd1561a46d3c64e0bdf9b5f27129a5c965150b9ad658b8611181941f567b3ad149f3cdbb4f21025217ced4223ab823c02682a9e91182

C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\OXdW62\UxTheme.dll

MD5 22a653d4a5d14a2d58fe6d740963259b
SHA1 475f0228ff2d82d58d976fcedfcda5f535018632
SHA256 9a5f72c351770211e723adc7e8cb9dcf2c1f3d773f8b722aa4b6afff158dc8ca
SHA512 57a0d71be29035016781751906aa7aa2b1186bbbf09dcf55f95dff96c67ef62125ad58ee162a78901490afb28f092a2884c38de5b5126b7c3821c10c4d425fae

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CloudStore\Wd0I6\TAPI32.dll

MD5 886ea31a038b8fa6f75206d62bb15c75
SHA1 d11abfe413a3e8ca00e86a49f1bcd16ecf2722cd
SHA256 8f2abb2a43e07322c764241c1db7c0c87534e6edff2faec02701ee1f195daae8
SHA512 d70f43f9e7354cf78c01910dc3255c8b870c8c15be35df2dbfa0e932805a98a30664638228f667a7b035d5822c1af0945b4286dff6f25f35a84bd7c34c53b825
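Both Files sections mix memory-dump entries with dropped-file records, record some paths twice (MFPlat.DLL under dvPj appears with two different digests) and, in behavioral1, record one mfpmp.exe with the digests of an empty file. The Python below is an added example, not part of the report. It parses a slice of the behavioral1 Files section copied above, skips the memory-dump lines, recognises zero-byte captures by computing the empty-input digests with hashlib rather than trusting hard-coded values, groups captures of the same path with differing content, and returns the SHA256 values that are actually worth sharing as indicators.

```python
import hashlib
from collections import defaultdict
from typing import NamedTuple

# Added example, not part of the sandbox report. FILES_SECTION is a slice of
# the behavioral1 Files section above (two memory-dump lines, two captures of
# MFPlat.DLL and two captures of mfpmp.exe), copied verbatim.
FILES_SECTION = r"""
memory/1368-35-0x0000000140000000-0x00000001400AC000-memory.dmp
\Users\Admin\AppData\Local\dvPj\MFPlat.DLL
MD5 7d99740b41faf8bd8a19798747200ec4
SHA1 a2f7b31f8185a4c31f937e4761e7c822fce61b15
SHA256 787907cb558f6f29f6e6bc782a70b4bb08a64e19d91f96057e6a8c3f658843bd
SHA512 e63bbfa0ad17c5f0dcf00821b0c2b3fe1a622ac8beadccc95785e7b0e3ecc989141064775b6dda2a000e7586ccc466de22e62ed4f50f861a458a9bf6de7432be
memory/2600-52-0x0000000000180000-0x0000000000187000-memory.dmp
C:\Users\Admin\AppData\Local\dvPj\mfpmp.exe
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
C:\Users\Admin\AppData\Local\dvPj\MFPlat.DLL
MD5 7690f4f5db28f10d5e2a31465e3e9fea
SHA1 12dc2c7b7e15748d4de7125ca8f2a669f3973886
SHA256 89dab5aaaf5921b209d63ca0bda2282c419c74017952fcaa640afbd2735a6a9d
SHA512 3403931e76b495b6277a5b49f3c105bd7ce6a878ca28659095135e776e98ef5405a0dbfbdc23c4a54083464ba37da161dda4ce625fcea6667f60f87358b16189
C:\Users\Admin\AppData\Local\dvPj\mfpmp.exe
MD5 2d8600b94de72a9d771cbb56b9f9c331
SHA1 a0e2ac409159546183aa45875497844c4adb5aac
SHA256 7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185
SHA512 3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc
"""

HASH_NAMES = ("MD5", "SHA1", "SHA256", "SHA512")
# Digests of zero bytes, computed rather than hard-coded.
EMPTY_DIGESTS = tuple(getattr(hashlib, a.lower())(b"").hexdigest() for a in HASH_NAMES)


class FileRecord(NamedTuple):
    path: str
    md5: str
    sha1: str
    sha256: str
    sha512: str


def parse_files_section(text: str) -> list[FileRecord]:
    """Extract path + four-digest records; memory/... dump entries carry no digests and are skipped."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    records, i = [], 0
    while i < len(lines):
        is_record = (not lines[i].startswith("memory/") and i + 4 < len(lines)
                     and all(lines[i + 1 + k].startswith(HASH_NAMES[k] + " ") for k in range(4)))
        if is_record:
            digests = (lines[i + 1 + k].split(" ", 1)[1].lower() for k in range(4))
            records.append(FileRecord(lines[i], *digests))
            i += 5
        else:
            i += 1
    return records


def is_empty_capture(rec: FileRecord) -> bool:
    """True when the sandbox hashed the file before any bytes were written to it."""
    return tuple(rec[1:]) == EMPTY_DIGESTS


def norm(path: str) -> str:
    """Lower-case and drop the drive letter so '\\Users\\..' and 'C:\\Users\\..' match."""
    p = path.lower()
    return p[2:] if len(p) > 1 and p[1] == ":" else p


def content_variants(records) -> dict[str, list[str]]:
    """Paths captured more than once with different (non-empty) content, with their SHA256s."""
    by_path = defaultdict(set)
    for r in records:
        if not is_empty_capture(r):
            by_path[norm(r.path)].add(r.sha256)
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}


def indicators(records) -> list[str]:
    """Distinct SHA256 values of non-empty captures, in report order."""
    seen, out = set(), []
    for r in records:
        if not is_empty_capture(r) and r.sha256 not in seen:
            seen.add(r.sha256)
            out.append(r.sha256)
    return out


if __name__ == "__main__":
    recs = parse_files_section(FILES_SECTION)
    for r in recs:
        print(("EMPTY  " if is_empty_capture(r) else "       ") + r.path)
    for p, hashes in content_variants(recs).items():
        print(f"{p}: {len(hashes)} distinct contents")
    print("shareable SHA256:", *indicators(recs), sep="\n  ")
```

On this slice the first mfpmp.exe record is rejected as a zero-byte capture, MFPlat.DLL is reported with two distinct contents, and three SHA256 values survive as indicators. The same parser handles the full behavioral2 Files section unchanged, since that section uses the same path/MD5/SHA1/SHA256/SHA512 layout.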