Malware Analysis Report

2024-11-30 21:29

Sample ID 240108-l6bnrsgec4
Target 4b2603c38c71b63b5a2af03e84c4ec47
SHA256 b01d5da205231711708f56b7d3daddd9a904f266e598e80c160ea52606b575df
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256 b01d5da205231711708f56b7d3daddd9a904f266e598e80c160ea52606b575df

Threat Level: Known bad

The file 4b2603c38c71b63b5a2af03e84c4ec47 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-08 10:08

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-08 10:08

Reported

2024-01-08 10:10

Platform

win7-20231215-en

Max time kernel

151s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b2603c38c71b63b5a2af03e84c4ec47.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\3gtHHFP\dpapimig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\yzp\eudcedit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TGN\Magnify.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\0237\\eudcedit.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3gtHHFP\dpapimig.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\yzp\eudcedit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\TGN\Magnify.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1384 wrote to memory of 2764 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1384 wrote to memory of 2764 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1384 wrote to memory of 2764 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1384 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\3gtHHFP\dpapimig.exe
PID 1384 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\3gtHHFP\dpapimig.exe
PID 1384 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\3gtHHFP\dpapimig.exe
PID 1384 wrote to memory of 2024 N/A N/A C:\Windows\system32\eudcedit.exe
PID 1384 wrote to memory of 2024 N/A N/A C:\Windows\system32\eudcedit.exe
PID 1384 wrote to memory of 2024 N/A N/A C:\Windows\system32\eudcedit.exe
PID 1384 wrote to memory of 1244 N/A N/A C:\Users\Admin\AppData\Local\yzp\eudcedit.exe
PID 1384 wrote to memory of 1244 N/A N/A C:\Users\Admin\AppData\Local\yzp\eudcedit.exe
PID 1384 wrote to memory of 1244 N/A N/A C:\Users\Admin\AppData\Local\yzp\eudcedit.exe
PID 1384 wrote to memory of 1896 N/A N/A C:\Windows\system32\Magnify.exe
PID 1384 wrote to memory of 1896 N/A N/A C:\Windows\system32\Magnify.exe
PID 1384 wrote to memory of 1896 N/A N/A C:\Windows\system32\Magnify.exe
PID 1384 wrote to memory of 1556 N/A N/A C:\Users\Admin\AppData\Local\TGN\Magnify.exe
PID 1384 wrote to memory of 1556 N/A N/A C:\Users\Admin\AppData\Local\TGN\Magnify.exe
PID 1384 wrote to memory of 1556 N/A N/A C:\Users\Admin\AppData\Local\TGN\Magnify.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b2603c38c71b63b5a2af03e84c4ec47.dll,#1

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\3gtHHFP\dpapimig.exe

C:\Users\Admin\AppData\Local\3gtHHFP\dpapimig.exe

C:\Windows\system32\eudcedit.exe

C:\Windows\system32\eudcedit.exe

C:\Users\Admin\AppData\Local\yzp\eudcedit.exe

C:\Users\Admin\AppData\Local\yzp\eudcedit.exe

C:\Windows\system32\Magnify.exe

C:\Windows\system32\Magnify.exe

C:\Users\Admin\AppData\Local\TGN\Magnify.exe

C:\Users\Admin\AppData\Local\TGN\Magnify.exe

Network

N/A

Files

\Users\Admin\AppData\Local\3gtHHFP\dpapimig.exe

MD5 0e8b8abea4e23ddc9a70614f3f651303
SHA1 6d332ba4e7a78039f75b211845514ab35ab467b2
SHA256 66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1
SHA512 4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

C:\Users\Admin\AppData\Local\3gtHHFP\DUI70.dll

MD5 0c48dc1267a032b4fa40fa0bc75be456
SHA1 95f8d4328e130e44c2380aaae3d653f035adeade
SHA256 e214f1ea5d976202003f85f5879284605aeea69921521c889378a88d0c671a11
SHA512 61acb9326c5c3b52e11279d23cd1c1bb701c61d297175f17eda3efb58a23c1d501fd7ea6318e9d150235454d94ba55030299cac81728052c94b613b864a3a4c8

\Users\Admin\AppData\Local\yzp\eudcedit.exe

MD5 35e397d6ca8407b86d8a7972f0c90711
SHA1 6b39830003906ef82442522d22b80460c03f6082
SHA256 1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde
SHA512 71b0c4ac120e5841308b0c19718bdc28366b0d79c8177091328ef5421392b9ee5e4758816ffb8c0977f178e1b33ed064f64781eaf7d6952878dc8aea402f035e

C:\Users\Admin\AppData\Local\yzp\MFC42u.dll

MD5 94552931daee8d874e1acb6f29516537
SHA1 bbc3f958e8e873a3c7486d150d9ca7f90290b426
SHA256 cae42671015ccb4746058d74ecc033dd98491e0ecdfd46307b2b1133aa572b86
SHA512 84f4fa34678a724a57cb5df699c78aaad6d12d78f36e9f1272adb3cbc192dd177a042519144f762b2187d692ed8b96b357bdb6c4f1616f64541da70bb9f1dff8

\Users\Admin\AppData\Local\TGN\Magnify.exe

MD5 233b45ddf77bd45e53872881cff1839b
SHA1 d4b8cafce4664bb339859a90a9dd1506f831756d
SHA256 adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a
SHA512 6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

C:\Users\Admin\AppData\Local\TGN\OLEACC.dll

MD5 3266ea1b1ba2c99ab4530095e4e0e62c
SHA1 3755784be0f5d24a8bad0d6d686ae3d49a4d2a81
SHA256 64dd4940aa169d5c195fec71bf934b173bdc7d063d8698c9edb3829cfd7c13b1
SHA512 90a50f3b68c23b049de783bedd31e3be4faa482a8ab7f09a8f3002d1c865a9d2fc53ac351e78722fc92265a5ecf1d44b3b9873a6c7f5fae412447f986c5b163e

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 11d09f1ff1a2e6b8bedb0fc7e5da22a5
SHA1 ab722a350a0aa0eb03c1959e0742816ced4d54fd
SHA256 7c5cbf238a0cdeb46e600a8e495db5b695ec59d4aa3488d813ef429430c77a15
SHA512 b097bd0601f9370e18f2beb1f99ed2cdd5ae0362c3731a1fe1772b62f49e4ec3e997af95f4b1be91ce2ec1ed2d6955de67bb200535e779677b6e51d188de16e3

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-08 10:08

Reported

2024-01-08 10:11

Platform

win10v2004-20231215-en

Max time kernel

133s

Max time network

168s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b2603c38c71b63b5a2af03e84c4ec47.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\P1xJv\\FILEHI~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Kz0DVbn5g\mstsc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\5iJz\FileHistory.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\HXB\mmc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3464 wrote to memory of 2940 N/A N/A C:\Windows\system32\mstsc.exe
PID 3464 wrote to memory of 2940 N/A N/A C:\Windows\system32\mstsc.exe
PID 3464 wrote to memory of 392 N/A N/A C:\Users\Admin\AppData\Local\Kz0DVbn5g\mstsc.exe
PID 3464 wrote to memory of 392 N/A N/A C:\Users\Admin\AppData\Local\Kz0DVbn5g\mstsc.exe
PID 3464 wrote to memory of 4100 N/A N/A C:\Windows\system32\FileHistory.exe
PID 3464 wrote to memory of 4100 N/A N/A C:\Windows\system32\FileHistory.exe
PID 3464 wrote to memory of 3060 N/A N/A C:\Users\Admin\AppData\Local\5iJz\FileHistory.exe
PID 3464 wrote to memory of 3060 N/A N/A C:\Users\Admin\AppData\Local\5iJz\FileHistory.exe
PID 3464 wrote to memory of 1516 N/A N/A C:\Windows\system32\mmc.exe
PID 3464 wrote to memory of 1516 N/A N/A C:\Windows\system32\mmc.exe
PID 3464 wrote to memory of 1144 N/A N/A C:\Users\Admin\AppData\Local\HXB\mmc.exe
PID 3464 wrote to memory of 1144 N/A N/A C:\Users\Admin\AppData\Local\HXB\mmc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b2603c38c71b63b5a2af03e84c4ec47.dll,#1

C:\Windows\system32\mstsc.exe

C:\Windows\system32\mstsc.exe

C:\Users\Admin\AppData\Local\Kz0DVbn5g\mstsc.exe

C:\Users\Admin\AppData\Local\Kz0DVbn5g\mstsc.exe

C:\Windows\system32\FileHistory.exe

C:\Windows\system32\FileHistory.exe

C:\Users\Admin\AppData\Local\5iJz\FileHistory.exe

C:\Users\Admin\AppData\Local\5iJz\FileHistory.exe

C:\Windows\system32\mmc.exe

C:\Windows\system32\mmc.exe

C:\Users\Admin\AppData\Local\HXB\mmc.exe

C:\Users\Admin\AppData\Local\HXB\mmc.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 178.113.50.184.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Kz0DVbn5g\mstsc.exe

MD5 3a26640414cee37ff5b36154b1a0b261
SHA1 e0c28b5fdf53a202a7543b67bbc97214bad490ed
SHA256 1d1b6b2edac7ac6494c9eecda3afb804f679d7190f4d1a80929380e85743823f
SHA512 76fc70ead57ddacd3dbcec1a4772bd46924d30b30018a36b13052d2f7272cc86b63bf85d5e4ec04aac08630d4b2637ca6e7d35c08ce6b675d63ed011f7d95ba2

C:\Users\Admin\AppData\Local\Kz0DVbn5g\VERSION.dll

MD5 731093c783e01df0f29aa6b082fc639f
SHA1 9ff283b75bc2301ad95d054f2a137ec42422aea5
SHA256 21d8c1ab05a1ebedccce7dd8b71dc897d4e08a352c1e3e83ad878a37d6533dc8
SHA512 32e8c1050fa4294629c4d659b10c3a628279d779c6245a30b102018ef7f62164e73e1e9b903f61889a52dfb143ff43db8d3fe89926226311c60cfc6f29650ab6

C:\Users\Admin\AppData\Local\5iJz\FileHistory.exe

MD5 eeba3dd643ced2781ec1b7e3cd6fa246
SHA1 2d394173e603625e231633fc270072e854bac17b
SHA256 bee0799a52fe65b8dc291de32f0c8b03b5a067915b1868bc8ba2a1b139c90b87
SHA512 222d4fbc7ee57d75889698a0660996293a0143518fdecc1b222618796d76d40f2d3b00b071f92ab917ac8847f195d7de02df55b5e89dad8a80d110e464cd3271

C:\Users\Admin\AppData\Local\5iJz\UxTheme.dll

MD5 d489149cf32641e8d6c5d68bbd34c311
SHA1 e5594e92f3689a78c3a8ef783fa607779faafd36
SHA256 832e1a3492e08f7976f5a2aeae841e07de70ed718f46d4150f443b747d101d6a
SHA512 cf7e1711b7abd02ad12aff8fca6305b1b7b48e1cce50d12e4a33c01a4a419fa762a592d7d68351215c71d4e0b8a0946343c8c590e2f5082f265c710c301bbaf2

C:\Users\Admin\AppData\Local\HXB\mmc.exe

MD5 8c86b80518406f14a4952d67185032d6
SHA1 9269f1fbcf65fefbc88a2e239519c21efe0f6ba5
SHA256 895eef1eda5700a425934ae3782d4741dfefb7deafa53891bde490150187b98a
SHA512 1bbdaa3ae8b5716ad2bd517055533e286ddb8a6c23cbc7aa602143dbb1ae132b513088ab61527c49737c554269c51416cceb80206ac8128ac6b003f1864eb099

C:\Users\Admin\AppData\Local\HXB\MFC42u.dll

MD5 9f828eb4e1e0f0c4d52d9eae88204428
SHA1 43b5cbe8cb7e6f1ed260179beae23a8f07995aa2
SHA256 4390f567b949ee0bf1000e32fa6b9116bcc7dd2abaa5142edd94e0e42db53007
SHA512 21c1e2ab5e5fda8bba70dd64509c8baddf80be0567861e7a9a53123db8e8ce2190895022b9e75e766fa874e39a5b903bf640d99a8cead08a36e693e4ee15cbe5

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 b6d66a63ec37c2978ba35a5cedc7e87c
SHA1 36de40a9ec691a88c6027fd769ddf8da85788dba
SHA256 7d7f29118a48c8563b87b71559d64233a5e85c14fee06e18863e002eb7e0c6ad
SHA512 65e5860fb1f5106dda9b2f52217744d2e72e5e65b803ee3077c250a4fd567fe826f3c4b8cc068585152d35e428e4649e539020ec06e8afed20cfcc1c3043cf1e