Malware Analysis Report

2024-11-30 21:33

Sample ID 231230-1mj85ahab3
Target 1d7960eb16722c63af8924dcf0d7df96
SHA256 c092366b339a5d407c5cda3fda5c319d83012510638e78d89461ec973ea3e615
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c092366b339a5d407c5cda3fda5c319d83012510638e78d89461ec973ea3e615

Threat Level: Known bad

The file 1d7960eb16722c63af8924dcf0d7df96 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 21:45

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 21:45

Reported

2024-01-04 14:45

Platform

win7-20231215-en

Max time kernel

149s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d7960eb16722c63af8924dcf0d7df96.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\fUX3s9UJ\iexpress.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ao2AYVXR\tabcal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\4hRr9pF\SystemPropertiesProtection.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\MEDIAC~1\\xGVnT2X\\tabcal.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\fUX3s9UJ\iexpress.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ao2AYVXR\tabcal.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\4hRr9pF\SystemPropertiesProtection.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1100 wrote to memory of 812 N/A N/A C:\Windows\system32\iexpress.exe
PID 1100 wrote to memory of 812 N/A N/A C:\Windows\system32\iexpress.exe
PID 1100 wrote to memory of 812 N/A N/A C:\Windows\system32\iexpress.exe
PID 1100 wrote to memory of 1460 N/A N/A C:\Users\Admin\AppData\Local\fUX3s9UJ\iexpress.exe
PID 1100 wrote to memory of 1460 N/A N/A C:\Users\Admin\AppData\Local\fUX3s9UJ\iexpress.exe
PID 1100 wrote to memory of 1460 N/A N/A C:\Users\Admin\AppData\Local\fUX3s9UJ\iexpress.exe
PID 1100 wrote to memory of 1756 N/A N/A C:\Windows\system32\tabcal.exe
PID 1100 wrote to memory of 1756 N/A N/A C:\Windows\system32\tabcal.exe
PID 1100 wrote to memory of 1756 N/A N/A C:\Windows\system32\tabcal.exe
PID 1100 wrote to memory of 1760 N/A N/A C:\Users\Admin\AppData\Local\ao2AYVXR\tabcal.exe
PID 1100 wrote to memory of 1760 N/A N/A C:\Users\Admin\AppData\Local\ao2AYVXR\tabcal.exe
PID 1100 wrote to memory of 1760 N/A N/A C:\Users\Admin\AppData\Local\ao2AYVXR\tabcal.exe
PID 1100 wrote to memory of 1772 N/A N/A C:\Windows\system32\SystemPropertiesProtection.exe
PID 1100 wrote to memory of 1772 N/A N/A C:\Windows\system32\SystemPropertiesProtection.exe
PID 1100 wrote to memory of 1772 N/A N/A C:\Windows\system32\SystemPropertiesProtection.exe
PID 1100 wrote to memory of 2440 N/A N/A C:\Users\Admin\AppData\Local\4hRr9pF\SystemPropertiesProtection.exe
PID 1100 wrote to memory of 2440 N/A N/A C:\Users\Admin\AppData\Local\4hRr9pF\SystemPropertiesProtection.exe
PID 1100 wrote to memory of 2440 N/A N/A C:\Users\Admin\AppData\Local\4hRr9pF\SystemPropertiesProtection.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d7960eb16722c63af8924dcf0d7df96.dll,#1

C:\Windows\system32\iexpress.exe

C:\Users\Admin\AppData\Local\fUX3s9UJ\iexpress.exe

C:\Users\Admin\AppData\Local\ao2AYVXR\tabcal.exe

C:\Windows\system32\tabcal.exe

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\4hRr9pF\SystemPropertiesProtection.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 21:45

Reported

2024-01-04 14:46

Platform

win10v2004-20231215-en

Max time kernel

154s

Max time network

163s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d7960eb16722c63af8924dcf0d7df96.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jtsr8C9B\\PresentationHost.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\AEJX3MG\ie4uinit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\eDEFb\FileHistory.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\aEL\PresentationHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3440 wrote to memory of 5056 N/A N/A C:\Windows\system32\FileHistory.exe
PID 3440 wrote to memory of 5056 N/A N/A C:\Windows\system32\FileHistory.exe
PID 3440 wrote to memory of 4180 N/A N/A C:\Users\Admin\AppData\Local\eDEFb\FileHistory.exe
PID 3440 wrote to memory of 4180 N/A N/A C:\Users\Admin\AppData\Local\eDEFb\FileHistory.exe
PID 3440 wrote to memory of 1804 N/A N/A C:\Windows\system32\PresentationHost.exe
PID 3440 wrote to memory of 1804 N/A N/A C:\Windows\system32\PresentationHost.exe
PID 3440 wrote to memory of 2452 N/A N/A C:\Users\Admin\AppData\Local\aEL\PresentationHost.exe
PID 3440 wrote to memory of 2452 N/A N/A C:\Users\Admin\AppData\Local\aEL\PresentationHost.exe
PID 3440 wrote to memory of 3384 N/A N/A C:\Windows\system32\ie4uinit.exe
PID 3440 wrote to memory of 3384 N/A N/A C:\Windows\system32\ie4uinit.exe
PID 3440 wrote to memory of 3480 N/A N/A C:\Users\Admin\AppData\Local\AEJX3MG\ie4uinit.exe
PID 3440 wrote to memory of 3480 N/A N/A C:\Users\Admin\AppData\Local\AEJX3MG\ie4uinit.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d7960eb16722c63af8924dcf0d7df96.dll,#1

C:\Windows\system32\FileHistory.exe

C:\Users\Admin\AppData\Local\eDEFb\FileHistory.exe

C:\Windows\system32\PresentationHost.exe

C:\Users\Admin\AppData\Local\aEL\PresentationHost.exe

C:\Windows\system32\ie4uinit.exe

C:\Users\Admin\AppData\Local\AEJX3MG\ie4uinit.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 66.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files


C:\Users\Admin\AppData\Local\eDEFb\FileHistory.exe

MD5 eeba3dd643ced2781ec1b7e3cd6fa246
SHA1 2d394173e603625e231633fc270072e854bac17b
SHA256 bee0799a52fe65b8dc291de32f0c8b03b5a067915b1868bc8ba2a1b139c90b87
SHA512 222d4fbc7ee57d75889698a0660996293a0143518fdecc1b222618796d76d40f2d3b00b071f92ab917ac8847f195d7de02df55b5e89dad8a80d110e464cd3271

C:\Users\Admin\AppData\Local\eDEFb\UxTheme.dll

MD5 f51db4e23edba0032fe10f1ae7ccf3c1
SHA1 2e6646efed5b666620540847fc61067fa67c01bd
SHA256 e5dd1abc940aa012b401e29a4c92c917c8feaa3d49e026f110de1941a909d607
SHA512 f138f55911681e6fb2178248056cbc042979a84e78f25fd06539f64a3542afe00199a6f993996377fbcedbf8f40afc30b6e4f66e268ffc9af6a8b9a7d002c0e8


C:\Users\Admin\AppData\Local\aEL\PresentationHost.exe

MD5 ef27d65b92d89e8175e6751a57ed9d93
SHA1 7279b58e711b459434f047e9098f9131391c3778
SHA256 17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48
SHA512 40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

C:\Users\Admin\AppData\Local\aEL\VERSION.dll

MD5 c23d867f1fca778932391be2c7b1210d
SHA1 fb5098275afb7a86027af1f76840827841462b38
SHA256 de88d6e0df48efc41f5eaaafe1f6b34707a788ed669226a512a6e45303ef4358
SHA512 87f1f131ec586e0274234d4ed23ac843ee26540e535467e46ce37335f441f95132e484d20fb7983ccc5f6435db29feb06daf999c98b534bb61ea7a5e7a0755d4


C:\Users\Admin\AppData\Local\AEJX3MG\ie4uinit.exe

MD5 a2f0104edd80ca2c24c24356d5eacc4f
SHA1 8269b9fd9231f04ed47419bd565c69dc677fab56
SHA256 5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c
SHA512 e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

C:\Users\Admin\AppData\Local\AEJX3MG\VERSION.dll

MD5 42298b714f7ce638c6435c80e30278db
SHA1 95103990b2ce3459390961eddb194a91d5ff02a4
SHA256 983f1905899ef52adb230275ff0ca9cf1df486a1c4cd3d00297c2846d23279d2
SHA512 f74e4d1d07e5072f2957168e51b01a804cedb80a8b5241ed867598931e40441b2790201d54e17292fa0deed1d0cfaed5df3fd9f1e1b5fac83ae68c4f70edb9d4


C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 3f1c5fbb8f0774d5c627309b7b65cab5
SHA1 6be2fd8c41bdd1619cf879950ca576dec0f69fa4
SHA256 40a75644893ed5c2d90670db97982c94c569a436f0be8cbc08633633e4539a18
SHA512 e0d648e8e95f27292e2967572c83d3fe3f79c6ec774c4899f15aa0848efb0a5185b98a32be716978080a133d2d6ee71c55c4c7d78be0b245daa9242e03a0fa2b