Malware Analysis Report

2024-11-30 21:26

Sample ID 231222-t7m27acdc4
Target f71f16a72ace0fd6a636a6008e36dc8d
SHA256 f049251053c1be586de5e8d9804dcf16ec93afa5d0641c08f31706937d5410a1
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

f049251053c1be586de5e8d9804dcf16ec93afa5d0641c08f31706937d5410a1

Threat Level: Known bad

The file f71f16a72ace0fd6a636a6008e36dc8d was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 16:42

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 16:42

Reported

2023-12-24 07:50

Platform

win7-20231215-en

Max time kernel

139s

Max time network

119s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f71f16a72ace0fd6a636a6008e36dc8d.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\GUq\raserver.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\fVp\mfpmp.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\1DD1kEVR\rdpshell.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\oRKlp\\mfpmp.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\1DD1kEVR\rdpshell.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\GUq\raserver.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\fVp\mfpmp.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
(61 further rows in which all four fields are N/A)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1196 wrote to memory of 3000 | N/A | N/A | C:\Windows\system32\raserver.exe
PID 1196 wrote to memory of 3000 | N/A | N/A | C:\Windows\system32\raserver.exe
PID 1196 wrote to memory of 3000 | N/A | N/A | C:\Windows\system32\raserver.exe
PID 1196 wrote to memory of 2996 | N/A | N/A | C:\Users\Admin\AppData\Local\GUq\raserver.exe
PID 1196 wrote to memory of 2996 | N/A | N/A | C:\Users\Admin\AppData\Local\GUq\raserver.exe
PID 1196 wrote to memory of 2996 | N/A | N/A | C:\Users\Admin\AppData\Local\GUq\raserver.exe
PID 1196 wrote to memory of 2636 | N/A | N/A | C:\Windows\system32\mfpmp.exe
PID 1196 wrote to memory of 2636 | N/A | N/A | C:\Windows\system32\mfpmp.exe
PID 1196 wrote to memory of 2636 | N/A | N/A | C:\Windows\system32\mfpmp.exe
PID 1196 wrote to memory of 2956 | N/A | N/A | C:\Users\Admin\AppData\Local\fVp\mfpmp.exe
PID 1196 wrote to memory of 2956 | N/A | N/A | C:\Users\Admin\AppData\Local\fVp\mfpmp.exe
PID 1196 wrote to memory of 2956 | N/A | N/A | C:\Users\Admin\AppData\Local\fVp\mfpmp.exe
PID 1196 wrote to memory of 2500 | N/A | N/A | C:\Windows\system32\rdpshell.exe
PID 1196 wrote to memory of 2500 | N/A | N/A | C:\Windows\system32\rdpshell.exe
PID 1196 wrote to memory of 2500 | N/A | N/A | C:\Windows\system32\rdpshell.exe
PID 1196 wrote to memory of 2192 | N/A | N/A | C:\Users\Admin\AppData\Local\1DD1kEVR\rdpshell.exe
PID 1196 wrote to memory of 2192 | N/A | N/A | C:\Users\Admin\AppData\Local\1DD1kEVR\rdpshell.exe
PID 1196 wrote to memory of 2192 | N/A | N/A | C:\Users\Admin\AppData\Local\1DD1kEVR\rdpshell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f71f16a72ace0fd6a636a6008e36dc8d.dll

C:\Users\Admin\AppData\Local\GUq\raserver.exe

C:\Users\Admin\AppData\Local\GUq\raserver.exe

C:\Windows\system32\raserver.exe

C:\Windows\system32\raserver.exe

C:\Users\Admin\AppData\Local\fVp\mfpmp.exe

C:\Users\Admin\AppData\Local\fVp\mfpmp.exe

C:\Windows\system32\mfpmp.exe

C:\Windows\system32\mfpmp.exe

C:\Users\Admin\AppData\Local\1DD1kEVR\rdpshell.exe

C:\Users\Admin\AppData\Local\1DD1kEVR\rdpshell.exe

C:\Windows\system32\rdpshell.exe

C:\Windows\system32\rdpshell.exe

Network

N/A

Files

memory/2336-0-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/2336-1-0x00000000002A0000-0x00000000002A7000-memory.dmp

memory/1196-4-0x0000000076FE6000-0x0000000076FE7000-memory.dmp

memory/1196-5-0x00000000024E0000-0x00000000024E1000-memory.dmp

memory/1196-12-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-13-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-11-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-10-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-9-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/2336-8-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-7-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-15-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-36-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-42-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-44-0x00000000024C0000-0x00000000024C7000-memory.dmp

memory/1196-51-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-53-0x0000000077250000-0x0000000077252000-memory.dmp

memory/1196-62-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/2996-80-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/2996-84-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/2996-79-0x0000000000280000-0x0000000000287000-memory.dmp

memory/1196-68-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-67-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-90-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-52-0x00000000770F1000-0x00000000770F2000-memory.dmp

memory/1196-43-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-41-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-40-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-39-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-38-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-37-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-35-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-34-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-33-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-32-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-31-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-30-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-29-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/2956-107-0x0000000000410000-0x0000000000417000-memory.dmp

memory/1196-28-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-27-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-26-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-25-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-24-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-23-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-22-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-21-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-20-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-19-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-18-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-17-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-16-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1196-14-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/2192-121-0x0000000000090000-0x0000000000097000-memory.dmp

memory/1196-152-0x0000000076FE6000-0x0000000076FE7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 16:42

Reported

2023-12-24 07:51

Platform

win10v2004-20231215-en

Max time kernel

188s

Max time network

200s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f71f16a72ace0fd6a636a6008e36dc8d.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\PPqecE0nwC\\rdpinit.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
(60 further rows in which all four fields are N/A)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3464 wrote to memory of 3440 | N/A | N/A | C:\Windows\system32\lpksetup.exe
PID 3464 wrote to memory of 3440 | N/A | N/A | C:\Windows\system32\lpksetup.exe
PID 3464 wrote to memory of 2028 | N/A | N/A | C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe
PID 3464 wrote to memory of 2028 | N/A | N/A | C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe
PID 3464 wrote to memory of 1624 | N/A | N/A | C:\Windows\system32\rdpinit.exe
PID 3464 wrote to memory of 1624 | N/A | N/A | C:\Windows\system32\rdpinit.exe
PID 3464 wrote to memory of 5032 | N/A | N/A | C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe
PID 3464 wrote to memory of 5032 | N/A | N/A | C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe
PID 3464 wrote to memory of 2068 | N/A | N/A | C:\Windows\system32\wbengine.exe
PID 3464 wrote to memory of 2068 | N/A | N/A | C:\Windows\system32\wbengine.exe
PID 3464 wrote to memory of 1028 | N/A | N/A | C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe
PID 3464 wrote to memory of 1028 | N/A | N/A | C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f71f16a72ace0fd6a636a6008e36dc8d.dll

C:\Windows\system32\lpksetup.exe

C:\Windows\system32\lpksetup.exe

C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe

C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe

C:\Windows\system32\rdpinit.exe

C:\Windows\system32\rdpinit.exe

C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe

C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe

C:\Windows\system32\wbengine.exe

C:\Windows\system32\wbengine.exe

C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe

C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp

Files

memory/4900-0-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/4900-2-0x0000000002390000-0x0000000002397000-memory.dmp

memory/4900-4-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-5-0x00000000014A0000-0x00000000014A1000-memory.dmp

memory/3464-7-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-10-0x00007FFFACB5A000-0x00007FFFACB5B000-memory.dmp

memory/3464-12-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-13-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-9-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-14-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-15-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-11-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-16-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-17-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-18-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-19-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-20-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-21-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-22-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-23-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-24-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-25-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-27-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-26-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-28-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-29-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-30-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-32-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-33-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-36-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-37-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-39-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-42-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-41-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-40-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-44-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-45-0x0000000001470000-0x0000000001477000-memory.dmp

memory/3464-43-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-38-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-35-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-34-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-31-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-52-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-53-0x00007FFFACC20000-0x00007FFFACC30000-memory.dmp

memory/3464-62-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3464-64-0x0000000140000000-0x00000001401B6000-memory.dmp

C:\Users\Admin\AppData\Local\AJr7bL\dpx.dll

MD5 78c3636ed730f18667e16e8e9eac6151
SHA1 aee12fda10c79eb34bffb98d325eb3322b74d61b
SHA256 1f57065243fef0721a7b344bee714e4642c0e1928ddfee5202a3509896101c3f
SHA512 b86a95892e1a13f6efdfd9023a30861eadba18f60d0b98e76201b70df1e00cda675fecc8c444d6e14cf6ad423b5e16e80387a1bd53589e94cff95058e3573094

C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe

MD5 831e3f0b08ffd17835153edf4672f846
SHA1 dbb7bb7124ede23cf8b0590fedc887e0ace8ee40
SHA256 a0d25aae9482a4eb539b6efa575a91c15ee2c482d344d40bdb856de093dcf983
SHA512 e0c7858f926c043d6b8a064af9386f3e7c20f9d704dbd58141bdecddf26633d413046a055218a33636e145f83daa7170c11ad5cffbccd0127b5a2384068cb97f

C:\Users\Admin\AppData\Local\AJr7bL\dpx.dll

MD5 9b0b099fd03f910ae80f210922559341
SHA1 5943c506f6621a538c9b6e4c7b87b7a5fcd22c8c
SHA256 b43371ca81f749fb319ebd32f87ea5951ad5bba5226b73c0b2a0e1d486c883a0
SHA512 9ae9ab5ece1ba1213c8f870d877a61ef0dd3389646a573f499b9af29d8e494f4786979b3eda8e4aa20d3137a0fd189eb6432c614bf14bab4cddb5113a7c36c8c

memory/2028-73-0x00000160FE870000-0x00000160FE877000-memory.dmp

memory/2028-74-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/2028-79-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\AJr7bL\lpksetup.exe

MD5 c5ba25782bee51b7afce309726eb1102
SHA1 ab4e438383687ab3ccdb3eb617664dadc76e1fcf
SHA256 3b7472cf94b3631f55e42e1caa5ae54bec6b256aff97264194b2b34bfdb84835
SHA512 3f4f0e15a4d70452862a3c7fa88146afdd944471dbcd08ce84629ce458bb508abc97e3944b63f63af1c8458e9cfa44183b5f895068b7dfbe153126eb8b47a110

C:\Users\Admin\AppData\Local\0Awitw7R\WTSAPI32.dll

MD5 ca1b74e1d8c7ff8a5b6d592d854cb44a
SHA1 4e4f9da80518c7965a15fe92433803b27221296e
SHA256 bcb98b83baa3d364dfdfddb38afb95536fc65cc78b65905d5061042e01edef2f
SHA512 2267a9ab2d32d059c40961c53adbe896b130414fc890617ef5c408738d257cdcb1753f54fa53e15ddf27b1e1efade726a869857f2bb6f981ce758ccc8ad0c06a

memory/5032-90-0x0000026D82C80000-0x0000026D82C87000-memory.dmp

C:\Users\Admin\AppData\Local\0Awitw7R\WTSAPI32.dll

MD5 bda667963d16a933cd1ec9a5082a93c6
SHA1 b0363ee647486e63980f682cab44ac8f1c44ec3a
SHA256 e6a6ccd3e9c3108b04b3f54b84a867521d3b59e10e32245b17a88186e9129e9d
SHA512 fdb21118cd3b73cbc8f7f25d351ce72f67e6ef80e84e9d7be12fe8435cbc42a7f344b5a581a3691deb2a60c1e293c2370584f83ad7996d12350404279ffdfa1c

memory/5032-96-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe

MD5 40f750473561b60a91d3dadcbd4714de
SHA1 42076ce9eb59c88c1eaa371eb3bb8b92284f0618
SHA256 8958877143804eb2137226d11d5198321c370d1c77ba41428cf29e86ca653e7d
SHA512 80df90067f3d59b6ff0bc5aa59b8b36e9da59dc7c83f7e14b0b9c90255839c883fb9df3b468c5253df96b23988de75b4b40a21e427875c58205f244138ec14de

C:\Users\Admin\AppData\Local\0Awitw7R\rdpinit.exe

MD5 d383dc1b8b3586a61409f5895db73d69
SHA1 56691c99e4ea0168504cd6deb1845d57367c9c34
SHA256 48950b25afb9896545b1d0124fa2fa737af80fc47c8aba998b5cba3518e2e2cf
SHA512 475c4b7f0563ab44ea7d1b094e801f275db10f16ec713a6ba37a5141425a13331b61c633ffc755875ad16bb095f534b4dd91aff22a43310cd577250f48d2a1d0

C:\Users\Admin\AppData\Local\D64St0vTL\SPP.dll

MD5 509233f4e6b841d9bb7f08df7f904749
SHA1 bb71cba560ce7c48842b157e93318688fc398ea1
SHA256 b32aa778fb9cd6e1100c9830ba30935dc9ac2731ed347f4c6b54d04d47ead6c3
SHA512 c8bd60296df69656cd2466378e1690e20996a9ad79836a4f858e84848c0cc4450eee6f78e9e6cd43313be5588eae248ab098b0d113770046829c68cb2d7e7e81

C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe

MD5 705e362df90b501f5e360f9155f7337a
SHA1 7d7efcdf35a4a627b743b1b9621400eb1b4c16c3
SHA256 bc629ef14705b00f18874fa2dd33652e30dbc43192d473044ac0e28dc0124a48
SHA512 9688ae0142ed7aaa40db62ab79b96d100417e1d67821cc52f2c17183e826a0e0e338b36f14f7b1791fc941196e5bf6f38ffffd6f1689d6bf088e28128a0f0268

C:\Users\Admin\AppData\Local\D64St0vTL\SPP.dll

MD5 aa466d68aea5c09f8dc52d228fd3dbb1
SHA1 e127a84281aa3ed4fb5c23ea561a2334826fae12
SHA256 09061081f59c04bc51c8fc2f09ff358bfee5fabd29060dae36af542ccca6bb1b
SHA512 353c5374ab5d6d9457bab5e3c80732d3f984ba97250780401913a41895fe0945caccb2dfe7096ab0cb20c5f394c8eefac6ec702157cc4e484ed18ca9ff2b1542

memory/1028-107-0x000002DEF1310000-0x000002DEF1317000-memory.dmp

C:\Users\Admin\AppData\Local\D64St0vTL\wbengine.exe

MD5 0ca51c53b91a475b8404cb010237fa57
SHA1 561fb8a6c73a8def7e30894fcfa69c1427c90ada
SHA256 7966407a2457a0753186dde81b202b35b5288e270eed652f194bca93590970ab
SHA512 1e3c3169b0d6dbcf75705ac6c4d5646e975705743402a64c7d8d98f70850e3b9a9abea53de0744f7b1d0c2aee364bb4c47b5c8f1b34531fe1f40b95ab1055a28

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

MD5 6197fb436acefb76aa12bba23a573e3a
SHA1 6b30d239092c3983e31322b589e88b951e4e5f8d
SHA256 9c4f04a8a3e8af96de25aab4b82a3aacf55c7b9db7dec171929b5aaa021337e6
SHA512 6eab03ecef685489a8549fa99239f2f9e5a05e48eac341ebbdac3263b40c51c700e39cc5bf3a2b38cab03929949053d8fd22c6684bbd21fe8380f83f9a1d2d2c

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\WcnqyRq6N\dpx.dll

MD5 20db1beaa4c3085ccb9dd2282cd694ae
SHA1 5154938ef118dd602dbb447f1978a7e6bc114c58
SHA256 ab0fe43dbee8b4c222276b470e6bbc19a19a474af2ca812105cc2de0bf53ddc4
SHA512 bf9efbd449f0a8428e51c4cb2a46bdc95d684d895464b55038cffaf9e045d453b4ecead64fbb2e16246cd8a1ff137ea49d45746bfc32d8cda7c230c45a0ab49c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\PPqecE0nwC\WTSAPI32.dll

MD5 ac478c4dc16b90a649b2a519d91b2032
SHA1 61589a833db12ca4e90b362f91749cd64f989ace
SHA256 f7ad90ba837c49d082e1ac5da443d1a06fefb8831ef4d4a4391461c6d9fa3297
SHA512 4e803f61bae7e4511c920853e2faff804fe075eaa26e1c56aaeb1353564c75dcb369d3c3ac9ac343948721919e1d858b50b7b3d7b1af4ea643590a1add773f24

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\J1bwqbEHibJ\SPP.dll

MD5 aa7138c965524415f1e382dc74651c45
SHA1 da0b6883cd7be4cff6d8f0cd4be9978be5cd6c51
SHA256 e966070d1eb37c7d87ff3e4c835bc0ec2cfd5a114a7dd46e4fb8650abae791af
SHA512 9a3f8e97331259c3e75889e2cbef27a329d6b9ee040ec5e7cb335dabff557b70193a85b4c07347ccadbf08c351ea926f3ed245224198b74e8636ab7a00a03e27