Malware Analysis Report

2024-11-15 08:50

Sample ID 240122-dc1rssegdm
Target 6e878d3bec87e1562cd7b8f267d6511c
SHA256 9e34e48ce49ec56aa42b037c0bb4dee15418333d5374dbb3084a0787d254f2a5
Tags

dridex botnet evasion payload persistence trojan

Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

9e34e48ce49ec56aa42b037c0bb4dee15418333d5374dbb3084a0787d254f2a5

Threat Level: Known bad

The file 6e878d3bec87e1562cd7b8f267d6511c was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-01-22 02:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 02:52

Reported

2024-01-22 02:55

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e878d3bec87e1562cd7b8f267d6511c.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\gXwt2no\rdpclip.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\M1lXF8\MpSigStub.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\lWDq\AdapterTroubleshooter.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\lu\\MPSIGS~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\lWDq\AdapterTroubleshooter.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\gXwt2no\rdpclip.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\M1lXF8\MpSigStub.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 2808 N/A N/A C:\Windows\system32\rdpclip.exe
PID 1348 wrote to memory of 2808 N/A N/A C:\Windows\system32\rdpclip.exe
PID 1348 wrote to memory of 2808 N/A N/A C:\Windows\system32\rdpclip.exe
PID 1348 wrote to memory of 2476 N/A N/A C:\Users\Admin\AppData\Local\gXwt2no\rdpclip.exe
PID 1348 wrote to memory of 2476 N/A N/A C:\Users\Admin\AppData\Local\gXwt2no\rdpclip.exe
PID 1348 wrote to memory of 2476 N/A N/A C:\Users\Admin\AppData\Local\gXwt2no\rdpclip.exe
PID 1348 wrote to memory of 2440 N/A N/A C:\Windows\system32\MpSigStub.exe
PID 1348 wrote to memory of 2440 N/A N/A C:\Windows\system32\MpSigStub.exe
PID 1348 wrote to memory of 2440 N/A N/A C:\Windows\system32\MpSigStub.exe
PID 1348 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\M1lXF8\MpSigStub.exe
PID 1348 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\M1lXF8\MpSigStub.exe
PID 1348 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\M1lXF8\MpSigStub.exe
PID 1348 wrote to memory of 1616 N/A N/A C:\Windows\system32\AdapterTroubleshooter.exe
PID 1348 wrote to memory of 1616 N/A N/A C:\Windows\system32\AdapterTroubleshooter.exe
PID 1348 wrote to memory of 1616 N/A N/A C:\Windows\system32\AdapterTroubleshooter.exe
PID 1348 wrote to memory of 1196 N/A N/A C:\Users\Admin\AppData\Local\lWDq\AdapterTroubleshooter.exe
PID 1348 wrote to memory of 1196 N/A N/A C:\Users\Admin\AppData\Local\lWDq\AdapterTroubleshooter.exe
PID 1348 wrote to memory of 1196 N/A N/A C:\Users\Admin\AppData\Local\lWDq\AdapterTroubleshooter.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e878d3bec87e1562cd7b8f267d6511c.dll,#1

C:\Windows\system32\rdpclip.exe

C:\Windows\system32\rdpclip.exe

C:\Users\Admin\AppData\Local\gXwt2no\rdpclip.exe

C:\Users\Admin\AppData\Local\gXwt2no\rdpclip.exe

C:\Windows\system32\MpSigStub.exe

C:\Windows\system32\MpSigStub.exe

C:\Users\Admin\AppData\Local\M1lXF8\MpSigStub.exe

C:\Users\Admin\AppData\Local\M1lXF8\MpSigStub.exe

C:\Windows\system32\AdapterTroubleshooter.exe

C:\Windows\system32\AdapterTroubleshooter.exe

C:\Users\Admin\AppData\Local\lWDq\AdapterTroubleshooter.exe

C:\Users\Admin\AppData\Local\lWDq\AdapterTroubleshooter.exe

Network

N/A

Files

memory/2644-0-0x0000000000290000-0x0000000000297000-memory.dmp

memory/2644-1-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-4-0x0000000076C26000-0x0000000076C27000-memory.dmp

memory/1348-5-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/1348-7-0x0000000140000000-0x0000000140164000-memory.dmp

memory/2644-8-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-9-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-12-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-11-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-13-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-14-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-10-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-15-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-16-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-17-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-18-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-19-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-20-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-21-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-22-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-23-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-24-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-26-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-25-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-27-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-28-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-29-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-30-0x0000000002590000-0x0000000002597000-memory.dmp

memory/1348-37-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-38-0x0000000076E31000-0x0000000076E32000-memory.dmp

memory/1348-39-0x0000000076F90000-0x0000000076F92000-memory.dmp

memory/1348-48-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-54-0x0000000140000000-0x0000000140164000-memory.dmp

memory/1348-57-0x0000000140000000-0x0000000140164000-memory.dmp

\Users\Admin\AppData\Local\gXwt2no\rdpclip.exe

MD5 25d284eb2f12254c001afe9a82575a81
SHA1 cf131801fdd5ec92278f9e0ae62050e31c6670a5
SHA256 837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b
SHA512 7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

C:\Users\Admin\AppData\Local\gXwt2no\WINSTA.dll

MD5 b51bd94a3a909f8bdd18578a9833fb66
SHA1 f05a9ccbde744b57e338e6bf516f97622485429c
SHA256 ab84fac1ee6a084951cc6d93bc1f302b5adbedcf67b628d0127ae83997e2484f
SHA512 de16a60fbd986683d53a98ed0ce60be3df90fa879688f4aa800a8e58ae46e12681f9e00b9e1439cd72bcbe00a885419f85c6ddf173657036bde3ba22fbb12cfb

memory/2476-67-0x0000000140000000-0x0000000140166000-memory.dmp

memory/2476-66-0x0000000000080000-0x0000000000087000-memory.dmp

memory/2476-72-0x0000000140000000-0x0000000140166000-memory.dmp

C:\Users\Admin\AppData\Local\M1lXF8\MpSigStub.exe

MD5 2e6bd16aa62e5e95c7b256b10d637f8f
SHA1 350be084477b1fe581af83ca79eb58d4defe260f
SHA256 d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3
SHA512 1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

C:\Users\Admin\AppData\Local\M1lXF8\VERSION.dll

MD5 1aee649895241074597762d92442dc77
SHA1 4b84bfa9b8f32bfce9b27892141661bc3b1724c7
SHA256 c08bea5cb8262370b757a44cf7e20b9b6c4ec98f4441987ae23676ec3181df77
SHA512 663927e22bad28e5c54aca3454dea2a4c4a4b49a4df23c3af9be632904035be5ee0083d86d5dee76053fa44b51347fe34b943ce582979670f36159f5bda7a4cb

memory/2540-84-0x0000000001B40000-0x0000000001B47000-memory.dmp

memory/2540-85-0x0000000140000000-0x0000000140165000-memory.dmp

memory/2540-90-0x0000000140000000-0x0000000140165000-memory.dmp

\Users\Admin\AppData\Local\lWDq\AdapterTroubleshooter.exe

MD5 d4170c9ff5b2f85b0ce0246033d26919
SHA1 a76118e8775e16237cf00f2fb79718be0dc84db1
SHA256 d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da
SHA512 9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

C:\Users\Admin\AppData\Local\lWDq\d3d9.dll

MD5 b659a4ea82d7457a70888141f644faac
SHA1 5e92c75b6137867c09c8981fad8da9a66d25a34d
SHA256 7343e0047308277739264437c11625ed096013a2427b8f6c04b7d0b473b548a8
SHA512 546c9031f4238ab19517bb105393996f9691d42298f3a7e0cb7782ed65e2ff7e2829c12356a6396d08f02d9913599e7d76b0901bc872195676629534225f7f6f

memory/1196-103-0x00000000000F0000-0x00000000000F7000-memory.dmp

memory/1196-108-0x0000000140000000-0x0000000140165000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 428ff21e5606907e66d0122e9990901c
SHA1 b916139008a7b57a85b103638bed87b3205caf66
SHA256 6fabbe7ad769b7d99c698d7535b0a78ec8e35692c9bbf5f2ca0c8cb815765b94
SHA512 013f448e8695256dbfbbb25e8023442370c373c134ad9b1867bb5158b90996ac99d0bd133c34b676adaf7d75dd4ee57db322478069f14e51b0cb1ba5f5d594ec

memory/1348-127-0x0000000076C26000-0x0000000076C27000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 02:52

Reported

2024-01-22 02:55

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e878d3bec87e1562cd7b8f267d6511c.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1497073144-2389943819-3385106915-1000\\aZoD\\PresentationSettings.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\MBgUMg\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ezYJC353\iexpress.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\PQqov1cz\PresentationSettings.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3428 wrote to memory of 4500 N/A N/A C:\Windows\system32\iexpress.exe
PID 3428 wrote to memory of 4500 N/A N/A C:\Windows\system32\iexpress.exe
PID 3428 wrote to memory of 3344 N/A N/A C:\Users\Admin\AppData\Local\ezYJC353\iexpress.exe
PID 3428 wrote to memory of 3344 N/A N/A C:\Users\Admin\AppData\Local\ezYJC353\iexpress.exe
PID 3428 wrote to memory of 4660 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 3428 wrote to memory of 4660 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 3428 wrote to memory of 964 N/A N/A C:\Users\Admin\AppData\Local\PQqov1cz\PresentationSettings.exe
PID 3428 wrote to memory of 964 N/A N/A C:\Users\Admin\AppData\Local\PQqov1cz\PresentationSettings.exe
PID 3428 wrote to memory of 1072 N/A N/A C:\Users\Admin\AppData\Local\MBgUMg\sppsvc.exe
PID 3428 wrote to memory of 1072 N/A N/A C:\Users\Admin\AppData\Local\MBgUMg\sppsvc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e878d3bec87e1562cd7b8f267d6511c.dll,#1

C:\Users\Admin\AppData\Local\MBgUMg\sppsvc.exe

C:\Users\Admin\AppData\Local\MBgUMg\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\PQqov1cz\PresentationSettings.exe

C:\Users\Admin\AppData\Local\PQqov1cz\PresentationSettings.exe

C:\Windows\system32\PresentationSettings.exe

C:\Windows\system32\PresentationSettings.exe

C:\Users\Admin\AppData\Local\ezYJC353\iexpress.exe

C:\Users\Admin\AppData\Local\ezYJC353\iexpress.exe

C:\Windows\system32\iexpress.exe

C:\Windows\system32\iexpress.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/4288-1-0x000001F2416B0000-0x000001F2416B7000-memory.dmp

memory/4288-0-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-5-0x00007FF8D416A000-0x00007FF8D416B000-memory.dmp

memory/3428-4-0x00000000077D0000-0x00000000077D1000-memory.dmp

memory/4288-8-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-14-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-20-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-25-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-24-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-30-0x00000000032E0000-0x00000000032E7000-memory.dmp

memory/3428-29-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-28-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-27-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-38-0x00007FF8D54C0000-0x00007FF8D54D0000-memory.dmp

memory/3428-37-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-26-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-23-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-49-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-47-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3344-58-0x0000011576510000-0x0000011576517000-memory.dmp

memory/3344-64-0x0000000140000000-0x0000000140165000-memory.dmp

memory/3344-59-0x0000000140000000-0x0000000140165000-memory.dmp

C:\Users\Admin\AppData\Local\ezYJC353\iexpress.exe

MD5 9628f4dd25aa5d67e93b21484740c90b
SHA1 157074aa985ba87a1fa081ca7cab9ade40785a9a
SHA256 01826493a7d3614863dabaf8f9ceec306d6db6c5b8a4240cdb1729bbfcf74f43
SHA512 4446d338c668772316c43b7a7effec4c0eb30f47a2250a410c860fbad454b3a6dc3a543beda8c1b0fa061b3361aa662cdc92220228cec51c8860a7f695f513f7

memory/964-75-0x000002055C250000-0x000002055C257000-memory.dmp

memory/964-81-0x0000000140000000-0x0000000140166000-memory.dmp

memory/964-76-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1072-94-0x00000277FACF0000-0x00000277FACF7000-memory.dmp

memory/1072-98-0x0000000140000000-0x0000000140165000-memory.dmp

C:\Users\Admin\AppData\Local\MBgUMg\sppsvc.exe

MD5 f241a076703c4cfd3df3f696c2efb8c5
SHA1 d35fc72b4fded6d272f0b40b8b8e137027d2ceef
SHA256 fd5656a8d642a5ea12d0a19f6fd548317254dfb78678ad444d5631cd5fe13558
SHA512 ea05b367be375fe51b19b4a26b11d823cfd72f975be8b9939b7ddfb66ce3eda60cf2aa1b6d7239fffc104ec0f8d6332e737dd3fae4b5c545e1fdcb582fd39296

C:\Users\Admin\AppData\Local\MBgUMg\XmlLite.dll

MD5 cb3ce286a419de18e1173f93d2c33a71
SHA1 468ed1de78c4d1c3909cd2a89fcdfef1b4aaecde
SHA256 14f6a21e3bcc7ac278fedb846fee706e46ceab9686e79f979b08eca5ab496e64
SHA512 529af8f87f5ad72583aa16cec30a7ac59fd1521fb7897dc96ac78eb3340528019d164b2ea6422373e35493dd3540a8ace7995b8a8ae9914a8af16668564bfce9

C:\Users\Admin\AppData\Local\MBgUMg\XmlLite.dll

MD5 6ccf6a79fc28fa8ad7ff7b2661857b20
SHA1 cf2c252d988cfef3d1aeddb5ba58a98cc79336ec
SHA256 e81ca3ec82b01b356de2e97384170078b79c639298ac3d273a45bfafdcbf033c
SHA512 fac018ed23426274f4d6bb3dc6bf8535a89f7dfcaaec750a93f4b772088edbad9a3b7809e2cbd504f5f85932744f701623b17c1cabad05a5478a4c32f3bb1b1c

C:\Users\Admin\AppData\Local\MBgUMg\sppsvc.exe

MD5 e5d03fae6ea5c4d8da6526b33cafa629
SHA1 a3c90ffcb09fb35c942cf3257d45e63d5901c339
SHA256 8e63128e5214ec38961354d5ee71111d646aa97347de7d84030eb36df242d750
SHA512 20db70d65c9371174f76b1d43963761e491f7489152ffb88d80ed665ff1e460579a22ea2b81708d7e8554b4914e80ef82199c65e5b78b430328360642ef59f10

C:\Users\Admin\AppData\Local\PQqov1cz\PresentationSettings.exe

MD5 790799a168c41689849310f6c15f98fa
SHA1 a5d213fc1c71a56de9441b2e35411d83770c01ec
SHA256 6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8
SHA512 8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

C:\Users\Admin\AppData\Local\PQqov1cz\WINMM.dll

MD5 ba212c13629b1a61a00678e9f0927582
SHA1 5ee028481369a46508418a7aa20560e4aac526ab
SHA256 296943936c7d4f50d46a8206b213e0dd385080bc9b53a1762559b45fdb32b796
SHA512 0f3fdf5f0f09d7b5c83983deb7f50f13dc24375b75c57a20264aeda3a955909306eb4cf579e4536f3002f4b1c7a35b831b0cf6cd5b57f3c52b1e3e49a84751f0

C:\Users\Admin\AppData\Local\PQqov1cz\WINMM.dll

MD5 319e9808480025caf44584a9699f0497
SHA1 11d7608e02690bfa1126669677c10f173a981900
SHA256 a68e22e3a20b4c48004c331e2c37235db6caa3989f59cdc2414d2893f2cf8125
SHA512 b51930d5b223cf252960bbf2273d62d3165ac951c2dd64a202733f1d14faa013ee59b611112353c259188235cddd07bedb2e4c700b06bf9c1ce0c63cd8d77e7b

C:\Users\Admin\AppData\Local\PQqov1cz\PresentationSettings.exe

MD5 c20e3a56a7506e9d91b1faf1dcfdfa17
SHA1 cd26be6402ed237df9a7cbf8e0cf42b236dd227f
SHA256 6d3ac00ae0c65bdb30a8b73d01e22c78ff066909eff01c7433a78c8c65274d50
SHA512 7abf166bcd7813b370307b716c8a75d2340c625f901bef0fa9be6f7b64bb48e035f3975c9c96a236ce8ac6a133c49a724864d4328595964f81da7fc2e7802e6e

C:\Users\Admin\AppData\Local\ezYJC353\VERSION.dll

MD5 8bbae7de49d4fe00ff2c522fd604bc0f
SHA1 7bb347e970c53ee0b7cd4c5a3638c1ac86754606
SHA256 88184dac299e4beefa6ca629baeab429f11d09cff6a91685fbab0e90766a834f
SHA512 ce58f35a4fc6340636c71b9a65ec58040414d00b6e7011d15fc0ae1af91f513b1bda7ae56ca06e4a07df7d355f10012e26f488789145015e5639f582da8d8bf2

C:\Users\Admin\AppData\Local\ezYJC353\VERSION.dll

MD5 3cb7cd97bd5fe4fbc2d5f200adea5640
SHA1 a1214f51b1a30dbd50fa9451250bd759df745b94
SHA256 b5bd2c438892acdd6afd040a61fe783575d59243b466123240a0221b9c081bc4
SHA512 43dafe59af48f79fe60eb2a73205f76a3b451f12c423cf56c199693e5088493299e300372b80436ac2857abdb197817bf39f6ea2081cda6246f9363a548ba653

C:\Users\Admin\AppData\Local\ezYJC353\iexpress.exe

MD5 17b93a43e25d821d01af40ba6babcc8c
SHA1 97c978d78056d995f751dfef1388d7cce4cc404a
SHA256 d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3
SHA512 6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

memory/3428-22-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-21-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-19-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-18-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-17-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-16-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-15-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-13-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-12-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-11-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-10-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-7-0x0000000140000000-0x0000000140164000-memory.dmp

memory/3428-9-0x0000000140000000-0x0000000140164000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

MD5 c28575f02ff23f5b71621a21a093d195
SHA1 c8a32774801a436c9d20d465cf784eae6341a6df
SHA256 8600d9ce653e440d0a42b793f552d50367e72e0c581f90bdeb3d9743fc1f5e92
SHA512 0bee8cd3ded4020ab041e8e27c7d9efa8742bd3fc55aea133a633f49c48c59e60e36423e30c9fd4ee670ff6d504491d731545c73437e1335e70722d7f3e7b540

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\fiwe4T\VERSION.dll

MD5 6c2a27d94d2badac2d50c3496deaa634
SHA1 845214c7a0e21b644c1039f49eb65116dd91541d
SHA256 d34290a63a913aacb222498dfaea0a986ec223ef9a0b32d779bba8ec894f6c76
SHA512 a939e8aec6dc43471fa32a93ef321d4b1bd2aae11f675353ef3092fa6425be5b6bc510ea685b6c1285d1767bcdcd3373a2f907983621a6ec5d778fc39f663890

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1497073144-2389943819-3385106915-1000\aZoD\WINMM.dll

MD5 4f3ea92220678c3e1fe8f73e5a1b184f
SHA1 7e2f5b111f2c46b05f02702eae5b90bf41e9e770
SHA256 3ecc73fdfa853b0bef95ede5cb23ce62be78e213024eaf39ddc9c48eaad1e454
SHA512 6d975b663868dc2355289c1318b42cd889332ec207f6153fbb92f3f972b57b4f1e4754cb1f896422300e1cb8146e08d057ebe6409725c4090843722c541eaa84

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\JQqq\XmlLite.dll

MD5 24dff759c5233259d1114739a46f0a24
SHA1 4a2a2a8850995a2a003afd31a1c40c3e28b23467
SHA256 f41a281c2c544e8008e999c65369f1d08ac705bc323426773f6744928b70385c
SHA512 33ceef2689d25d4a6858b444b329c05de1c86b213e2529b66126f8768418bf6b0ba921aec20a76cc0442b1280e1bdbf1f4b8b9b3749a0866d86759801f6ee251