Malware Analysis Report

2024-11-30 21:30

Sample ID 231229-3l7ddagecm
Target 0724ac274c2aa56ae735cccf77b3f98e
SHA256 c1c4df943e9c4ec308cef81052e29707a94810f3c3a018a0be8072d4e2a59cd5
Tags
dridex botnet evasion payload persistence trojan
score
10/10


Analysis Overview

score
10/10

SHA256

c1c4df943e9c4ec308cef81052e29707a94810f3c3a018a0be8072d4e2a59cd5

Threat Level: Known bad

The file 0724ac274c2aa56ae735cccf77b3f98e was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2023-12-29 23:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-29 23:37

Reported

2023-12-30 07:58

Platform

win7-20231129-en

Max time kernel

145s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0724ac274c2aa56ae735cccf77b3f98e.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\rAiq\StikyNot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\wAc7JV\WFS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\7NZBO\msinfo32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\dSHPu\\WFS.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\wAc7JV\WFS.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\7NZBO\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\rAiq\StikyNot.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1372 wrote to memory of 2508 N/A N/A C:\Windows\system32\StikyNot.exe
PID 1372 wrote to memory of 2508 N/A N/A C:\Windows\system32\StikyNot.exe
PID 1372 wrote to memory of 2508 N/A N/A C:\Windows\system32\StikyNot.exe
PID 1372 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\rAiq\StikyNot.exe
PID 1372 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\rAiq\StikyNot.exe
PID 1372 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\rAiq\StikyNot.exe
PID 1372 wrote to memory of 2692 N/A N/A C:\Windows\system32\WFS.exe
PID 1372 wrote to memory of 2692 N/A N/A C:\Windows\system32\WFS.exe
PID 1372 wrote to memory of 2692 N/A N/A C:\Windows\system32\WFS.exe
PID 1372 wrote to memory of 1616 N/A N/A C:\Users\Admin\AppData\Local\wAc7JV\WFS.exe
PID 1372 wrote to memory of 1616 N/A N/A C:\Users\Admin\AppData\Local\wAc7JV\WFS.exe
PID 1372 wrote to memory of 1616 N/A N/A C:\Users\Admin\AppData\Local\wAc7JV\WFS.exe
PID 1372 wrote to memory of 2436 N/A N/A C:\Windows\system32\msinfo32.exe
PID 1372 wrote to memory of 2436 N/A N/A C:\Windows\system32\msinfo32.exe
PID 1372 wrote to memory of 2436 N/A N/A C:\Windows\system32\msinfo32.exe
PID 1372 wrote to memory of 1864 N/A N/A C:\Users\Admin\AppData\Local\7NZBO\msinfo32.exe
PID 1372 wrote to memory of 1864 N/A N/A C:\Users\Admin\AppData\Local\7NZBO\msinfo32.exe
PID 1372 wrote to memory of 1864 N/A N/A C:\Users\Admin\AppData\Local\7NZBO\msinfo32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0724ac274c2aa56ae735cccf77b3f98e.dll,#1

C:\Users\Admin\AppData\Local\rAiq\StikyNot.exe

C:\Users\Admin\AppData\Local\rAiq\StikyNot.exe

C:\Windows\system32\StikyNot.exe

C:\Windows\system32\StikyNot.exe

C:\Users\Admin\AppData\Local\wAc7JV\WFS.exe

C:\Users\Admin\AppData\Local\wAc7JV\WFS.exe

C:\Windows\system32\WFS.exe

C:\Windows\system32\WFS.exe

C:\Windows\system32\msinfo32.exe

C:\Windows\system32\msinfo32.exe

C:\Users\Admin\AppData\Local\7NZBO\msinfo32.exe

C:\Users\Admin\AppData\Local\7NZBO\msinfo32.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-29 23:37

Reported

2023-12-30 07:58

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0724ac274c2aa56ae735cccf77b3f98e.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\xomBt95Pr\\RdpSaUacHelper.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\9ijXD\RdpSaUacHelper.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3iF5Y\msdt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\hKpXJ\wlrmdr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3416 wrote to memory of 996 N/A N/A C:\Windows\system32\wlrmdr.exe
PID 3416 wrote to memory of 996 N/A N/A C:\Windows\system32\wlrmdr.exe
PID 3416 wrote to memory of 2820 N/A N/A C:\Users\Admin\AppData\Local\hKpXJ\wlrmdr.exe
PID 3416 wrote to memory of 2820 N/A N/A C:\Users\Admin\AppData\Local\hKpXJ\wlrmdr.exe
PID 3416 wrote to memory of 3384 N/A N/A C:\Windows\system32\RdpSaUacHelper.exe
PID 3416 wrote to memory of 3384 N/A N/A C:\Windows\system32\RdpSaUacHelper.exe
PID 3416 wrote to memory of 1696 N/A N/A C:\Users\Admin\AppData\Local\9ijXD\RdpSaUacHelper.exe
PID 3416 wrote to memory of 1696 N/A N/A C:\Users\Admin\AppData\Local\9ijXD\RdpSaUacHelper.exe
PID 3416 wrote to memory of 1736 N/A N/A C:\Windows\system32\msdt.exe
PID 3416 wrote to memory of 1736 N/A N/A C:\Windows\system32\msdt.exe
PID 3416 wrote to memory of 1632 N/A N/A C:\Users\Admin\AppData\Local\3iF5Y\msdt.exe
PID 3416 wrote to memory of 1632 N/A N/A C:\Users\Admin\AppData\Local\3iF5Y\msdt.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0724ac274c2aa56ae735cccf77b3f98e.dll,#1

C:\Windows\system32\wlrmdr.exe

C:\Windows\system32\wlrmdr.exe

C:\Users\Admin\AppData\Local\hKpXJ\wlrmdr.exe

C:\Users\Admin\AppData\Local\hKpXJ\wlrmdr.exe

C:\Windows\system32\RdpSaUacHelper.exe

C:\Windows\system32\RdpSaUacHelper.exe

C:\Users\Admin\AppData\Local\9ijXD\RdpSaUacHelper.exe

C:\Users\Admin\AppData\Local\9ijXD\RdpSaUacHelper.exe

C:\Windows\system32\msdt.exe

C:\Windows\system32\msdt.exe

C:\Users\Admin\AppData\Local\3iF5Y\msdt.exe

C:\Users\Admin\AppData\Local\3iF5Y\msdt.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.239.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\hKpXJ\DUI70.dll

MD5 4e4f4e4a13e0d17a792824f22679e305
SHA1 983aae98a73b55ec9ba7545180c19cb3db91d6f7
SHA256 eb059c47f0492143581a566e5464fc14cf38c4e542688102dccdc2401b5cd69d
SHA512 046da1ca89c66ab12a9f1f27197c5f2cfe41ca5231456a40627ee508044a6cb4e69e7172a63897dce4f903a1883c3d8471f96195c3f4e99d70935083b6af55d0

C:\Users\Admin\AppData\Local\hKpXJ\wlrmdr.exe

MD5 dabbfef50f731f12f346b83f567cecea
SHA1 4904741f17a2afd395f7a58e704d237b2192e93e
SHA256 66cf68b465172eed24459e28d0b74f66fc23d73ad7723fe1e56ae4c529677e17
SHA512 6c0896ec991b1eac89dd7870ea2696e2b350fdadd6f880839fd2a61a242ce82367016a1279e62e018f2a919f07bf87ef768e43f10132214ee81c527db01be24f

C:\Users\Admin\AppData\Local\hKpXJ\wlrmdr.exe

MD5 ef9bba7a637a11b224a90bf90a8943ac
SHA1 4747ec6efd2d41e049159249c2d888189bb33d1d
SHA256 2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1
SHA512 4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

C:\Users\Admin\AppData\Local\hKpXJ\DUI70.dll

MD5 d572895cebd24e9d61357ef48497a083
SHA1 b48e519d03220fb78f7f5b75c25a235fdcdcc1a6
SHA256 304b562f9ed4dd95be477826cd828c6fd38e9fb59af7901585116ced012f5685
SHA512 f5a8828cf0e7e166340c299b1c8cd97771b34e0b19479a544251bbb011db5165d2e9ac947422e7a8cc75b46a247b7688d88a581d181eec0034e06376a6561d36

C:\Users\Admin\AppData\Local\9ijXD\RdpSaUacHelper.exe

MD5 0d5b016ac7e7b6257c069e8bb40845de
SHA1 5282f30e90cbd1be8da95b73bc1b6a7d041e43c2
SHA256 6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067
SHA512 cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

C:\Users\Admin\AppData\Local\9ijXD\WINSTA.dll

MD5 e7da7ef61ca915d5346deddef7316a09
SHA1 4f166900b88086a201818337295b00cde7bbab08
SHA256 d752b79d9df6f7fe13405a1c6862a92a93e086c7c89e6178979fd8a1a050204c
SHA512 7331bac2e61f391d0ecdd48192e0aee7a546663ef7d4b99172d7d0cb16eded840242406fb7d857d5bf05db9ef37ea173d07c722c990f918f702d3236dea24cb7

C:\Users\Admin\AppData\Local\3iF5Y\msdt.exe

MD5 992c3f0cc8180f2f51156671e027ae75
SHA1 942ec8c2ccfcacd75a1cd86cbe8873aee5115e29
SHA256 6859d1b5d1beaa2985b298f3fcee67f0aac747687a9dec2b4376585e99e9756f
SHA512 1f1b8d39e29274cfc87a9ef1510adb9c530086a421c121523376731c8933c6e234e9146310d3767ce888a8dce7a5713221f4d25e5b7b6398d06ae2be2b99eadf

C:\Users\Admin\AppData\Local\3iF5Y\UxTheme.dll

MD5 658f82507b5fa9445a83a38312af28bc
SHA1 fc7a89399847b65de4459bc34bbb7b53f9af9904
SHA256 fe8dea4166d614d0103e02bb257fa4f6e5f2946ae59a15cf4aa506f53f476efa
SHA512 cb63fb22f3a54fc65c279fb771e25ef854e298e8ae3ba1b9d65a725f4616284850b0f0cfaf4e773ab4711c04daaedba020e9858fb52798bc58436972724cba2b

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk

MD5 6379441ac0d453219c6637e229a6bb2c
SHA1 2c8931504af11cbb91965dd703bcce8c784435d5
SHA256 ef54baf12291f7eee44e67b55d557ab3d9edced6d3d99677a729ad5ba544ee8f
SHA512 57038fb05926d807ce88b9133f7bec770362a079eba6d653debeb0ffd0539c480c8a1a65fa65aaa589204caf462258b5453e09f4b8c5798a6a212727e385c9da

C:\Users\Admin\AppData\Roaming\Microsoft\Qq3I\DUI70.dll

MD5 5e90060a71a514ec725c8ee66b905b3b
SHA1 e22584625f27adb071c7da6363c68bc23fab42d4
SHA256 daaf7376615b0897b36e083930a1a6508e82b528dd0b7d444f79b50838ed5b33
SHA512 60072412b53253ca78bffe731ee22d153adf1f242de53ee5b170a7278ada7bd1ce8b19476f4ce4977d1fa13d0bebc38004d2099fca3ab403c2d7a35b5d846dcb