Malware Analysis Report

2024-11-30 21:27

Sample ID: 231228-feadqsebc7
Target: c48d2bf98633567530e8a2cabe3cc5e5
SHA256: 0a70b401529e98e57607d0ea2137046b859621cff5999084e67b18f82c137fb2
Tags: dridex botnet evasion payload trojan persistence
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 0a70b401529e98e57607d0ea2137046b859621cff5999084e67b18f82c137fb2
Threat Level: Known bad

The file c48d2bf98633567530e8a2cabe3cc5e5 was found to be: Known bad.

Malicious Activity Summary

Tags: dridex botnet evasion payload trojan persistence

Signatures triggered:
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-28 04:46

Signatures

Unsigned PE
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-28 04:46
Reported: 2024-01-08 05:31
Platform: win7-20231215-en
Max time kernel: 3s
Max time network: 122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c48d2bf98633567530e8a2cabe3cc5e5.dll,#1

Signatures

Dridex
botnet dridex

Dridex Shellcode
botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled
evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Processes

Image | Command line
C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\c48d2bf98633567530e8a2cabe3cc5e5.dll,#1
C:\Windows\system32\DeviceDisplayObjectProvider.exe | C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\QzZzwpD\DeviceDisplayObjectProvider.exe | C:\Users\Admin\AppData\Local\QzZzwpD\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\2rIdU8\wisptis.exe | C:\Users\Admin\AppData\Local\2rIdU8\wisptis.exe
C:\Windows\system32\wisptis.exe | C:\Windows\system32\wisptis.exe
C:\Users\Admin\AppData\Local\LvrS\dccw.exe | C:\Users\Admin\AppData\Local\LvrS\dccw.exe
C:\Windows\system32\dccw.exe | C:\Windows\system32\dccw.exe

Network

N/A

Files

memory/2680-1-0x0000000000290000-0x0000000000297000-memory.dmp
memory/2680-0-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1208-4-0x0000000077776000-0x0000000077777000-memory.dmp
memory/1208-20-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1208-23-0x0000000002190000-0x0000000002197000-memory.dmp
memory/1208-31-0x0000000077A10000-0x0000000077A12000-memory.dmp
memory/1208-40-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1208-30-0x0000000077881000-0x0000000077882000-memory.dmp
memory/1208-29-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1208-21-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1208-19-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1208-18-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1208-17-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1208-16-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1208-15-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1208-14-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1208-13-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1208-12-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1208-11-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1208-10-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1208-9-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1208-8-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1208-7-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1208-5-0x0000000002D80000-0x0000000002D81000-memory.dmp
memory/1208-41-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/2680-44-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/3044-57-0x0000000140000000-0x00000001400FA000-memory.dmp
memory/3044-62-0x0000000140000000-0x00000001400FA000-memory.dmp
memory/3044-60-0x0000000000070000-0x0000000000077000-memory.dmp
memory/1208-84-0x0000000077776000-0x0000000077777000-memory.dmp
memory/2296-116-0x0000000000120000-0x0000000000127000-memory.dmp
memory/2296-118-0x0000000140000000-0x00000001400FA000-memory.dmp

C:\Users\Admin\AppData\Local\2rIdU8\wisptis.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Note: these four digests are those of a zero-byte file, so they do not identify the executable that ran from this path; do not use them as indicators.

\Users\Admin\AppData\Local\LvrS\dxva2.dll

MD5 bd1495d788fb9ee341839fa2baf80c2d
SHA1 66f64de50d4e3de8f519ebdf8e24e9936286e2f6
SHA256 57c01d3f06b2b38e742e042f8e30d23319edd7ebde1e2dc1f6d27bb359949246
SHA512 60d04106751489ff970dad74b96c0b78ee70edf7288df6dd59ff8b879cf47a0fe19081b72b1d051adaf8f66e2d0d5f70f3180bf02568cbb4d9c70d7ff68a94a5

memory/1016-131-0x0000000000100000-0x0000000000107000-memory.dmp
memory/1016-133-0x0000000140000000-0x00000001400FA000-memory.dmp

C:\Users\Admin\AppData\Local\LvrS\dccw.exe

MD5 81caf635482559646b437e0df3472940
SHA1 de91c2a057db0dfe9402e55031b4fd1669178b24
SHA256 8716997805e8c8693dab49d5768c2b85e1dff771af45b6215ef097725c7f14ab
SHA512 b9462924ded4e619544b09e195d2fd491c48fcf6e4f195f4079e528401a1c670fece9977424704f7c7ae82fbe4cfe916b487c00d0729f0ed91f16f1118d738cc

\Users\Admin\AppData\Local\LvrS\dccw.exe

MD5 6579844eaeb20b42088ccdbbb77585a7
SHA1 4a4c05e72fc146243a2617c5e3a7802d2071a0ca
SHA256 4a2f9613f4706d222fa4f1217aad0fa6687d0cdd87939d19aebc39528c67d0c4
SHA512 16df2c41442b5d9e69a036d17917dc675dd8477f6b28b925455e0a96cb298ea2bfccb8fdcd9c0a5dd52562ba8326c751286fb219deb10b8f5fb9d15fce105dc9

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

MD5 881432fb1fe3eaa7c60d9171c8ccad37
SHA1 a0ed4a6d079f259dbd29eec86fd4f66d2e68a3e8
SHA256 65d401100488550a7e05e7527885c5498fc0d097b230d020282d550794c33cfb
SHA512 59206b751dc9589d37a2007a844c75158fbcdb5a2dc81a21afc1deff7cfe430f0d194588e25e67726a4ecc87b3b0d24ed1b6c17aa9c3473d38fa881ff8971445

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\VoT\XmlLite.dll

MD5 ef57a88aad6a6327b85dc5f80815230c
SHA1 87e347e9d98a4d29896e12ef658e7f0aa13cd3d8
SHA256 294a4a621aebfd4b445b913b5e03846f9a6a823c496125ec4f45c948d2641461
SHA512 130410a5fb95cb23523de91d4add7b9605f1d5e6ccbf9b5e16b4152e17932486ca50ba3a28183c0a0ca26b1ed305ba21a9403a0596ad18a4e23b19e20c702416

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-28 04:46
Reported: 2024-01-08 05:31
Platform: win10v2004-20231215-en
Max time kernel: 151s
Max time network: 156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c48d2bf98633567530e8a2cabe3cc5e5.dll,#1

Signatures

Dridex
botnet dridex

Dridex Shellcode
botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application
persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\WwK6Oc9WCq\\Netplwiz.exe" | N/A | N/A

Checks whether UAC is enabled
evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\WRnNAb\rdpinit.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\emkxd5M\quickassist.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\1cGpaPzR\Netplwiz.exe | N/A

Suspicious behavior: EnumeratesProcesses
Description | Indicator | Process | Target
64 events recorded: 6 attributed to C:\Windows\system32\rundll32.exe and 58 with no process recorded; no description, indicator or target was recorded for any of them.

Suspicious use of FindShellTrayWindow
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of UnmapMainImage
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory
Description | Indicator | Process | Target
PID 3432 wrote to memory of 3076 | N/A | N/A | C:\Windows\system32\quickassist.exe
PID 3432 wrote to memory of 3076 | N/A | N/A | C:\Windows\system32\quickassist.exe
PID 3432 wrote to memory of 1876 | N/A | N/A | C:\Users\Admin\AppData\Local\emkxd5M\quickassist.exe
PID 3432 wrote to memory of 1876 | N/A | N/A | C:\Users\Admin\AppData\Local\emkxd5M\quickassist.exe
PID 3432 wrote to memory of 1608 | N/A | N/A | C:\Windows\system32\Netplwiz.exe
PID 3432 wrote to memory of 1608 | N/A | N/A | C:\Windows\system32\Netplwiz.exe
PID 3432 wrote to memory of 216 | N/A | N/A | C:\Users\Admin\AppData\Local\1cGpaPzR\Netplwiz.exe
PID 3432 wrote to memory of 216 | N/A | N/A | C:\Users\Admin\AppData\Local\1cGpaPzR\Netplwiz.exe
PID 3432 wrote to memory of 532 | N/A | N/A | C:\Windows\system32\rdpinit.exe
PID 3432 wrote to memory of 532 | N/A | N/A | C:\Windows\system32\rdpinit.exe
PID 3432 wrote to memory of 3908 | N/A | N/A | C:\Users\Admin\AppData\Local\WRnNAb\rdpinit.exe
PID 3432 wrote to memory of 3908 | N/A | N/A | C:\Users\Admin\AppData\Local\WRnNAb\rdpinit.exe

Uses Task Scheduler COM API
persistence

Processes

Image | Command line
C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\c48d2bf98633567530e8a2cabe3cc5e5.dll,#1
C:\Windows\system32\quickassist.exe | C:\Windows\system32\quickassist.exe
C:\Users\Admin\AppData\Local\emkxd5M\quickassist.exe | C:\Users\Admin\AppData\Local\emkxd5M\quickassist.exe
C:\Windows\system32\Netplwiz.exe | C:\Windows\system32\Netplwiz.exe
C:\Users\Admin\AppData\Local\1cGpaPzR\Netplwiz.exe | C:\Users\Admin\AppData\Local\1cGpaPzR\Netplwiz.exe
C:\Windows\system32\rdpinit.exe | C:\Windows\system32\rdpinit.exe
C:\Users\Admin\AppData\Local\WRnNAb\rdpinit.exe | C:\Users\Admin\AppData\Local\WRnNAb\rdpinit.exe

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | N/A | tcp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.143.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp

Files

memory/1220-1-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1220-0-0x000001CDDB1B0000-0x000001CDDB1B7000-memory.dmp
memory/3432-4-0x0000000007ED0000-0x0000000007ED1000-memory.dmp
memory/3432-6-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/3432-8-0x00007FFBC24BA000-0x00007FFBC24BB000-memory.dmp
memory/3432-9-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/3432-11-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/3432-12-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/3432-13-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/3432-14-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/3432-10-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/3432-7-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/3432-20-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/3432-18-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/3432-19-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/3432-17-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/3432-16-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/3432-15-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/3432-22-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/3432-21-0x0000000007EB0000-0x0000000007EB7000-memory.dmp
memory/3432-29-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/3432-30-0x00007FFBC26F0000-0x00007FFBC2700000-memory.dmp
memory/3432-39-0x0000000140000000-0x00000001400F9000-memory.dmp
memory/1220-42-0x0000000140000000-0x00000001400F9000-memory.dmp

C:\Users\Admin\AppData\Local\emkxd5M\quickassist.exe

MD5 52fd62cca663c96cd6993768b9a2ac52
SHA1 05e6dd317dda2a788473237ede8c78aaabea179d
SHA256 859f20cddd55eca85e86c6d551a099cdb87782df8f6be60e4090d47dec32fb0c
SHA512 259acb071da018864e722b5eb2f07bf41b6acc3176fab1fb1c60aa5585362ae48f86c58f19a31223161665a3b6846de5a6482ef4d3e3026fe035c945b956cdfa

C:\Users\Admin\AppData\Local\emkxd5M\UxTheme.dll

MD5 8fb917dc52f991573a0d97dac3a5d256
SHA1 5a7b630f93125dbb582b76475400a0816d8f70b5
SHA256 8c3aeb78cf57286d03b5576d06f2d7049d5792b65c3d2debe28abadb5749377d
SHA512 75ea6ad81350a086d269c30cd258e8308dc6aabe2b66b727d5d77c2171d7d5626b989fd769e2334aa1d208989167536940f4698f073575449c85b3e88a7a471e

C:\Users\Admin\AppData\Local\emkxd5M\UxTheme.dll

MD5 aa3c46507ca7a93e0250a547ba9c34ee
SHA1 f4e7fff633cfec5ee10dae6ca38ab9d556ebdc69
SHA256 9bc9d0da90fa4853337b3f0e052ef5ce852788f0cee5a54ba821a09c83b9cc03
SHA512 90095eb61c487803250e1c9b2e4ee2951f873da26df5db6ea29b930e9d0a1a5a04dfc11b4488d79db99826b689cbdec0f5b1164d1d2610542f769365c145a809

memory/1876-49-0x0000000140000000-0x00000001400FA000-memory.dmp
memory/1876-50-0x0000000140000000-0x00000001400FA000-memory.dmp
memory/1876-51-0x0000016983B20000-0x0000016983B27000-memory.dmp
memory/1876-56-0x0000000140000000-0x00000001400FA000-memory.dmp

C:\Users\Admin\AppData\Local\emkxd5M\quickassist.exe

MD5 94d179b5e84a62c821ff53db34f68a16
SHA1 a782fc91ab1131def4bd72fe1a1e8fb737f719a6
SHA256 84ef1dc4eca7b5072c42fa77b79e2891fa8d1a843e40132e67b743c3df504c9d
SHA512 9b24e6e6c764ee0cf13f3971a1ecb68b16e0330660128d4e0f8d445664447c3ee9f842c43cb9c0bebb7643fc22084423b35922b07d48ea591beb9a41e7eace72

C:\Users\Admin\AppData\Local\1cGpaPzR\Netplwiz.exe

MD5 520a7b7065dcb406d7eca847b81fd4ec
SHA1 d1b3b046a456630f65d482ff856c71dfd2f335c8
SHA256 8323b44b6e69f02356a5ab0d03a4fc87b953edcbd85c2b6281bf92bc0a3b224d
SHA512 7aea2810f38d1640d4aa87efbbe20783fe7b8e7f588864a3a384a37c91108d906abd89b235672608c98c46ed76db2b0039462098a1064ebe4108ec37b6087914

C:\Users\Admin\AppData\Local\1cGpaPzR\NETPLWIZ.dll

MD5 24134a0f9fda20851d34e783f9591ff4
SHA1 7c85f2321419edec44c9e04f962254e656edb0c0
SHA256 9559213ecbca2e89e6daac5312adba0b52a2162611794d81a41d827772d14648
SHA512 2fae74b05b917024050f12603a5903f6d1c70317d754cb92899d83075d749860d9970e6b9399c8972525d8e974698d66bd64971ff7669923585c586db4a424cd

C:\Users\Admin\AppData\Local\1cGpaPzR\NETPLWIZ.dll

MD5 6cd880fafb9cdf026124f7cf6bc1880f
SHA1 89762318682b8648e4f088e5cc1c76f39c68e985
SHA256 3044442c202c0a38270648e1a7827ce38b4aa765cb297c2c484a2b4895a90012
SHA512 13418581e8f35c0d91ef0b18ecc65b7e3a3720a770f318db38c397db182ac8d57223900caae56dd146f34b7cef117c4885513bb681001d36cdf6ebe3ccc97be9

memory/216-68-0x0000000140000000-0x00000001400FA000-memory.dmp
memory/216-70-0x00000185FEF90000-0x00000185FEF97000-memory.dmp
memory/216-74-0x0000000140000000-0x00000001400FA000-memory.dmp

C:\Users\Admin\AppData\Local\WRnNAb\rdpinit.exe

MD5 b0ecd76d99c5f5134aeb52460add6f80
SHA1 51462078092c9d6b7fa2b9544ffe0a49eb258106
SHA256 51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b
SHA512 16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

C:\Users\Admin\AppData\Local\WRnNAb\WINSTA.dll

MD5 605bec4ab43a667d31b6d66a563afc45
SHA1 ed9341f542ecf631ef9bf73c78f0808035f7cd65
SHA256 8649506c13357ae376f1adbb0f2586868fc3d29b59500e0a8db60ef292f9772d
SHA512 ab51a203eb0498794a450da06eec0c5d4d879ae56500a38994beed522c44dacc9febb849b48721cebd7b5992eaccbc69cc6f14bd78081b8bf09a1aab817ba4a6

memory/3908-86-0x0000000140000000-0x00000001400FB000-memory.dmp
memory/3908-89-0x000001F9712F0000-0x000001F9712F7000-memory.dmp
memory/3908-92-0x0000000140000000-0x00000001400FB000-memory.dmp

C:\Users\Admin\AppData\Local\WRnNAb\rdpinit.exe

MD5 0e1aeeb2b002c25bc7185b94d47b8aa3
SHA1 6f8639f3fc72c6e4694a0985dc7740385b4573e7
SHA256 982fa6e838a9a20ad702476a818b6bac5d744f8b84d033cdba9be26cfd6940ef
SHA512 28e37c656e9bf3f8cb70da081ee62a1b61616480da70c12bf04d1b4b595e632e5b6a708880579366600fdda2eae30f177f9c5b086171d16335a6beb1b9718ea9

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

MD5 d8556452d3df60d78809ac9cb6eb243a
SHA1 3f0fe3b009515f830ac5cd807044c9594979e433
SHA256 d7c2c975f6e72f581621ac01cda61950e298845338326c2fcaa281cbc7b98d00
SHA512 5ab777d2a4588e147e07c67b285e408a77615f90df3d3ff29cf56172725b3fefca7c9ef7c4cdeb8abdc7dd1bf1f2ff3c12620719268abbbc0189bda5bf6bdcea

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\j3TwWi\UxTheme.dll

MD5 b89c7e501d2a1a15864094f09a45b264
SHA1 7671fc9bc1871028b65f924f11bfad9b3c25b33d
SHA256 ba28b7a2cb5123d19d810abf6f3eb191701ac1c310cbcc007ab439c40d594106
SHA512 ed2ef75baed151b734da8b228e78f4cba539130bb9a4d30d13e772c946b77c6cdc7e467102adedc8ca3426ae7bbe31998a15d1fed491188de9bc7b4008773940