Analysis Overview
SHA256
f049251053c1be586de5e8d9804dcf16ec93afa5d0641c08f31706937d5410a1
Threat Level: Known bad
The file f71f16a72ace0fd6a636a6008e36dc8d was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-22 16:42
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-22 16:42
Reported
2023-12-24 07:50
Platform
win7-20231215-en
Max time kernel
139s
Max time network
119s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\GUq\raserver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\fVp\mfpmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\1DD1kEVR\rdpshell.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\GUq\raserver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\fVp\mfpmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\1DD1kEVR\rdpshell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\oRKlp\\mfpmp.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\1DD1kEVR\rdpshell.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\GUq\raserver.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\fVp\mfpmp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1196 wrote to memory of 3000 | N/A | N/A | C:\Windows\system32\raserver.exe |
| PID 1196 wrote to memory of 3000 | N/A | N/A | C:\Windows\system32\raserver.exe |
| PID 1196 wrote to memory of 3000 | N/A | N/A | C:\Windows\system32\raserver.exe |
| PID 1196 wrote to memory of 2996 | N/A | N/A | C:\Users\Admin\AppData\Local\GUq\raserver.exe |
| PID 1196 wrote to memory of 2996 | N/A | N/A | C:\Users\Admin\AppData\Local\GUq\raserver.exe |
| PID 1196 wrote to memory of 2996 | N/A | N/A | C:\Users\Admin\AppData\Local\GUq\raserver.exe |
| PID 1196 wrote to memory of 2636 | N/A | N/A | C:\Windows\system32\mfpmp.exe |
| PID 1196 wrote to memory of 2636 | N/A | N/A | C:\Windows\system32\mfpmp.exe |
| PID 1196 wrote to memory of 2636 | N/A | N/A | C:\Windows\system32\mfpmp.exe |
| PID 1196 wrote to memory of 2956 | N/A | N/A | C:\Users\Admin\AppData\Local\fVp\mfpmp.exe |
| PID 1196 wrote to memory of 2956 | N/A | N/A | C:\Users\Admin\AppData\Local\fVp\mfpmp.exe |
| PID 1196 wrote to memory of 2956 | N/A | N/A | C:\Users\Admin\AppData\Local\fVp\mfpmp.exe |
| PID 1196 wrote to memory of 2500 | N/A | N/A | C:\Windows\system32\rdpshell.exe |
| PID 1196 wrote to memory of 2500 | N/A | N/A | C:\Windows\system32\rdpshell.exe |
| PID 1196 wrote to memory of 2500 | N/A | N/A | C:\Windows\system32\rdpshell.exe |
| PID 1196 wrote to memory of 2192 | N/A | N/A | C:\Users\Admin\AppData\Local\1DD1kEVR\rdpshell.exe |
| PID 1196 wrote to memory of 2192 | N/A | N/A | C:\Users\Admin\AppData\Local\1DD1kEVR\rdpshell.exe |
| PID 1196 wrote to memory of 2192 | N/A | N/A | C:\Users\Admin\AppData\Local\1DD1kEVR\rdpshell.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f71f16a72ace0fd6a636a6008e36dc8d.dll
C:\Users\Admin\AppData\Local\GUq\raserver.exe
C:\Users\Admin\AppData\Local\GUq\raserver.exe
C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
C:\Users\Admin\AppData\Local\fVp\mfpmp.exe
C:\Users\Admin\AppData\Local\fVp\mfpmp.exe
C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
C:\Users\Admin\AppData\Local\1DD1kEVR\rdpshell.exe
C:\Users\Admin\AppData\Local\1DD1kEVR\rdpshell.exe
C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-22 16:42
Reported
2023-12-24 07:51
Platform
win10v2004-20231215-en
Max time kernel
188s
Max time network
200s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\PPqecE0nwC\\rdpinit.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3464 wrote to memory of 3440 | N/A | N/A | C:\Windows\system32\lpksetup.exe |
| PID 3464 wrote to memory of 3440 | N/A | N/A | C:\Windows\system32\lpksetup.exe |
| PID 3464 wrote to memory of 2028 | N/A | N/A | C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe |
| PID 3464 wrote to memory of 2028 | N/A | N/A | C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe |
| PID 3464 wrote to memory of 1624 | N/A | N/A | C:\Windows\system32\rdpinit.exe |
| PID 3464 wrote to memory of 1624 | N/A | N/A | C:\Windows\system32\rdpinit.exe |
| PID 3464 wrote to memory of 5032 | N/A | N/A | C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe |
| PID 3464 wrote to memory of 5032 | N/A | N/A | C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe |
| PID 3464 wrote to memory of 2068 | N/A | N/A | C:\Windows\system32\wbengine.exe |
| PID 3464 wrote to memory of 2068 | N/A | N/A | C:\Windows\system32\wbengine.exe |
| PID 3464 wrote to memory of 1028 | N/A | N/A | C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe |
| PID 3464 wrote to memory of 1028 | N/A | N/A | C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f71f16a72ace0fd6a636a6008e36dc8d.dll
C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe
C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe
C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe
C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe
C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe
C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\AJr7bL\dpx.dll
| MD5 | 78c3636ed730f18667e16e8e9eac6151 |
| SHA1 | aee12fda10c79eb34bffb98d325eb3322b74d61b |
| SHA256 | 1f57065243fef0721a7b344bee714e4642c0e1928ddfee5202a3509896101c3f |
| SHA512 | b86a95892e1a13f6efdfd9023a30861eadba18f60d0b98e76201b70df1e00cda675fecc8c444d6e14cf6ad423b5e16e80387a1bd53589e94cff95058e3573094 |
C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe
| MD5 | 831e3f0b08ffd17835153edf4672f846 |
| SHA1 | dbb7bb7124ede23cf8b0590fedc887e0ace8ee40 |
| SHA256 | a0d25aae9482a4eb539b6efa575a91c15ee2c482d344d40bdb856de093dcf983 |
| SHA512 | e0c7858f926c043d6b8a064af9386f3e7c20f9d704dbd58141bdecddf26633d413046a055218a33636e145f83daa7170c11ad5cffbccd0127b5a2384068cb97f |
C:\Users\Admin\AppData\Local\AJr7bL\dpx.dll
| MD5 | 9b0b099fd03f910ae80f210922559341 |
| SHA1 | 5943c506f6621a538c9b6e4c7b87b7a5fcd22c8c |
| SHA256 | b43371ca81f749fb319ebd32f87ea5951ad5bba5226b73c0b2a0e1d486c883a0 |
| SHA512 | 9ae9ab5ece1ba1213c8f870d877a61ef0dd3389646a573f499b9af29d8e494f4786979b3eda8e4aa20d3137a0fd189eb6432c614bf14bab4cddb5113a7c36c8c |
C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe
| MD5 | c5ba25782bee51b7afce309726eb1102 |
| SHA1 | ab4e438383687ab3ccdb3eb617664dadc76e1fcf |
| SHA256 | 3b7472cf94b3631f55e42e1caa5ae54bec6b256aff97264194b2b34bfdb84835 |
| SHA512 | 3f4f0e15a4d70452862a3c7fa88146afdd944471dbcd08ce84629ce458bb508abc97e3944b63f63af1c8458e9cfa44183b5f895068b7dfbe153126eb8b47a110 |
C:\Users\Admin\AppData\Local\0Awitw7R\WTSAPI32.dll
| MD5 | ca1b74e1d8c7ff8a5b6d592d854cb44a |
| SHA1 | 4e4f9da80518c7965a15fe92433803b27221296e |
| SHA256 | bcb98b83baa3d364dfdfddb38afb95536fc65cc78b65905d5061042e01edef2f |
| SHA512 | 2267a9ab2d32d059c40961c53adbe896b130414fc890617ef5c408738d257cdcb1753f54fa53e15ddf27b1e1efade726a869857f2bb6f981ce758ccc8ad0c06a |
C:\Users\Admin\AppData\Local\0Awitw7R\WTSAPI32.dll
| MD5 | bda667963d16a933cd1ec9a5082a93c6 |
| SHA1 | b0363ee647486e63980f682cab44ac8f1c44ec3a |
| SHA256 | e6a6ccd3e9c3108b04b3f54b84a867521d3b59e10e32245b17a88186e9129e9d |
| SHA512 | fdb21118cd3b73cbc8f7f25d351ce72f67e6ef80e84e9d7be12fe8435cbc42a7f344b5a581a3691deb2a60c1e293c2370584f83ad7996d12350404279ffdfa1c |
C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe
| MD5 | 40f750473561b60a91d3dadcbd4714de |
| SHA1 | 42076ce9eb59c88c1eaa371eb3bb8b92284f0618 |
| SHA256 | 8958877143804eb2137226d11d5198321c370d1c77ba41428cf29e86ca653e7d |
| SHA512 | 80df90067f3d59b6ff0bc5aa59b8b36e9da59dc7c83f7e14b0b9c90255839c883fb9df3b468c5253df96b23988de75b4b40a21e427875c58205f244138ec14de |
C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe
| MD5 | d383dc1b8b3586a61409f5895db73d69 |
| SHA1 | 56691c99e4ea0168504cd6deb1845d57367c9c34 |
| SHA256 | 48950b25afb9896545b1d0124fa2fa737af80fc47c8aba998b5cba3518e2e2cf |
| SHA512 | 475c4b7f0563ab44ea7d1b094e801f275db10f16ec713a6ba37a5141425a13331b61c633ffc755875ad16bb095f534b4dd91aff22a43310cd577250f48d2a1d0 |
C:\Users\Admin\AppData\Local\D64St0vTL\SPP.dll
| MD5 | 509233f4e6b841d9bb7f08df7f904749 |
| SHA1 | bb71cba560ce7c48842b157e93318688fc398ea1 |
| SHA256 | b32aa778fb9cd6e1100c9830ba30935dc9ac2731ed347f4c6b54d04d47ead6c3 |
| SHA512 | c8bd60296df69656cd2466378e1690e20996a9ad79836a4f858e84848c0cc4450eee6f78e9e6cd43313be5588eae248ab098b0d113770046829c68cb2d7e7e81 |
C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe
| MD5 | 705e362df90b501f5e360f9155f7337a |
| SHA1 | 7d7efcdf35a4a627b743b1b9621400eb1b4c16c3 |
| SHA256 | bc629ef14705b00f18874fa2dd33652e30dbc43192d473044ac0e28dc0124a48 |
| SHA512 | 9688ae0142ed7aaa40db62ab79b96d100417e1d67821cc52f2c17183e826a0e0e338b36f14f7b1791fc941196e5bf6f38ffffd6f1689d6bf088e28128a0f0268 |
C:\Users\Admin\AppData\Local\D64St0vTL\SPP.dll
| MD5 | aa466d68aea5c09f8dc52d228fd3dbb1 |
| SHA1 | e127a84281aa3ed4fb5c23ea561a2334826fae12 |
| SHA256 | 09061081f59c04bc51c8fc2f09ff358bfee5fabd29060dae36af542ccca6bb1b |
| SHA512 | 353c5374ab5d6d9457bab5e3c80732d3f984ba97250780401913a41895fe0945caccb2dfe7096ab0cb20c5f394c8eefac6ec702157cc4e484ed18ca9ff2b1542 |
C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe
| MD5 | 0ca51c53b91a475b8404cb010237fa57 |
| SHA1 | 561fb8a6c73a8def7e30894fcfa69c1427c90ada |
| SHA256 | 7966407a2457a0753186dde81b202b35b5288e270eed652f194bca93590970ab |
| SHA512 | 1e3c3169b0d6dbcf75705ac6c4d5646e975705743402a64c7d8d98f70850e3b9a9abea53de0744f7b1d0c2aee364bb4c47b5c8f1b34531fe1f40b95ab1055a28 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk
| MD5 | 6197fb436acefb76aa12bba23a573e3a |
| SHA1 | 6b30d239092c3983e31322b589e88b951e4e5f8d |
| SHA256 | 9c4f04a8a3e8af96de25aab4b82a3aacf55c7b9db7dec171929b5aaa021337e6 |
| SHA512 | 6eab03ecef685489a8549fa99239f2f9e5a05e48eac341ebbdac3263b40c51c700e39cc5bf3a2b38cab03929949053d8fd22c6684bbd21fe8380f83f9a1d2d2c |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\WcnqyRq6N\dpx.dll
| MD5 | 20db1beaa4c3085ccb9dd2282cd694ae |
| SHA1 | 5154938ef118dd602dbb447f1978a7e6bc114c58 |
| SHA256 | ab0fe43dbee8b4c222276b470e6bbc19a19a474af2ca812105cc2de0bf53ddc4 |
| SHA512 | bf9efbd449f0a8428e51c4cb2a46bdc95d684d895464b55038cffaf9e045d453b4ecead64fbb2e16246cd8a1ff137ea49d45746bfc32d8cda7c230c45a0ab49c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\PPqecE0nwC\WTSAPI32.dll
| MD5 | ac478c4dc16b90a649b2a519d91b2032 |
| SHA1 | 61589a833db12ca4e90b362f91749cd64f989ace |
| SHA256 | f7ad90ba837c49d082e1ac5da443d1a06fefb8831ef4d4a4391461c6d9fa3297 |
| SHA512 | 4e803f61bae7e4511c920853e2faff804fe075eaa26e1c56aaeb1353564c75dcb369d3c3ac9ac343948721919e1d858b50b7b3d7b1af4ea643590a1add773f24 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\J1bwqbEHibJ\SPP.dll
| MD5 | aa7138c965524415f1e382dc74651c45 |
| SHA1 | da0b6883cd7be4cff6d8f0cd4be9978be5cd6c51 |
| SHA256 | e966070d1eb37c7d87ff3e4c835bc0ec2cfd5a114a7dd46e4fb8650abae791af |
| SHA512 | 9a3f8e97331259c3e75889e2cbef27a329d6b9ee040ec5e7cb335dabff557b70193a85b4c07347ccadbf08c351ea926f3ed245224198b74e8636ab7a00a03e27 |