Malware Analysis Report

2024-11-15 08:50

Sample ID 240125-gh63jsaaer
Target 73e4b574f7a058d63f9b35f74580a338
SHA256 d8ae9023a64efcbaf60e37647a920cf6757fa96a6e1e7357d67a3ac970c86eca
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10


Analysis Overview

Threat Level: Known bad

The file 73e4b574f7a058d63f9b35f74580a338 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-01-25 05:49

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 05:49

Reported

2024-01-25 05:51

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\73e4b574f7a058d63f9b35f74580a338.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\XLifyUm\wermgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xjKeJ62\rstrui.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\7uGmjl\SystemPropertiesDataExecutionPrevention.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\hbJZ\\rstrui.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\xjKeJ62\rstrui.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\7uGmjl\SystemPropertiesDataExecutionPrevention.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\XLifyUm\wermgr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 592 N/A N/A C:\Windows\system32\wermgr.exe
PID 1260 wrote to memory of 472 N/A N/A C:\Users\Admin\AppData\Local\XLifyUm\wermgr.exe
PID 1260 wrote to memory of 900 N/A N/A C:\Windows\system32\rstrui.exe
PID 1260 wrote to memory of 832 N/A N/A C:\Users\Admin\AppData\Local\xjKeJ62\rstrui.exe
PID 1260 wrote to memory of 2724 N/A N/A C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 1260 wrote to memory of 2984 N/A N/A C:\Users\Admin\AppData\Local\7uGmjl\SystemPropertiesDataExecutionPrevention.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\73e4b574f7a058d63f9b35f74580a338.dll,#1

C:\Windows\system32\wermgr.exe

C:\Users\Admin\AppData\Local\XLifyUm\wermgr.exe

C:\Windows\system32\rstrui.exe

C:\Users\Admin\AppData\Local\xjKeJ62\rstrui.exe

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\7uGmjl\SystemPropertiesDataExecutionPrevention.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\XLifyUm\wer.dll

C:\Users\Admin\AppData\Local\XLifyUm\wermgr.exe

\Users\Admin\AppData\Local\XLifyUm\wer.dll

\Users\Admin\AppData\Local\xjKeJ62\SRCORE.dll

C:\Users\Admin\AppData\Local\xjKeJ62\rstrui.exe

\Users\Admin\AppData\Local\7uGmjl\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\7uGmjl\SYSDM.CPL

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 05:49

Reported

2024-01-25 05:51

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\73e4b574f7a058d63f9b35f74580a338.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\91w\\mfpmp.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\eTSNNOaO4\MusNotificationUx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\depNl9\mfpmp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\TLOsXXq\iexpress.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3524 wrote to memory of 2464 N/A N/A C:\Windows\system32\MusNotificationUx.exe
PID 3524 wrote to memory of 4616 N/A N/A C:\Users\Admin\AppData\Local\eTSNNOaO4\MusNotificationUx.exe
PID 3524 wrote to memory of 3504 N/A N/A C:\Windows\system32\mfpmp.exe
PID 3524 wrote to memory of 4884 N/A N/A C:\Users\Admin\AppData\Local\depNl9\mfpmp.exe
PID 3524 wrote to memory of 2592 N/A N/A C:\Windows\system32\iexpress.exe
PID 3524 wrote to memory of 3160 N/A N/A C:\Users\Admin\AppData\Local\TLOsXXq\iexpress.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\73e4b574f7a058d63f9b35f74580a338.dll,#1

C:\Windows\system32\MusNotificationUx.exe

C:\Windows\system32\iexpress.exe

C:\Users\Admin\AppData\Local\TLOsXXq\iexpress.exe

C:\Users\Admin\AppData\Local\depNl9\mfpmp.exe

C:\Windows\system32\mfpmp.exe

C:\Users\Admin\AppData\Local\eTSNNOaO4\MusNotificationUx.exe

Network

Files

C:\Users\Admin\AppData\Local\eTSNNOaO4\XmlLite.dll

C:\Users\Admin\AppData\Local\eTSNNOaO4\MusNotificationUx.exe

C:\Users\Admin\AppData\Local\depNl9\MFPlat.DLL

C:\Users\Admin\AppData\Local\depNl9\mfpmp.exe

C:\Users\Admin\AppData\Local\TLOsXXq\VERSION.dll

C:\Users\Admin\AppData\Local\TLOsXXq\iexpress.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\nlJWpe\XmlLite.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\91w\MFPlat.DLL

C:\Users\Admin\AppData\Roaming\Microsoft\Vault\EkuQ\VERSION.dll
