Malware Analysis Report

2024-11-30 21:47

Sample ID 231231-bvk3ysdhan
Target 22dfe76a15cee6a41765ba272cf9594e
SHA256 788fc81115102f35935e92f34b78b2a8447a199d7411a19b8259c36727c690d2
Tags
dridex botnet evasion payload trojan persistence
score
10/10

Analysis Overview

score
10/10

SHA256

788fc81115102f35935e92f34b78b2a8447a199d7411a19b8259c36727c690d2

Threat Level: Known bad

The file 22dfe76a15cee6a41765ba272cf9594e was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan persistence

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 01:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 01:27

Reported

2024-01-01 18:37

Platform

win7-20231215-en

Max time kernel

3s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\22dfe76a15cee6a41765ba272cf9594e.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\22dfe76a15cee6a41765ba272cf9594e.dll,#1

C:\Windows\system32\mblctr.exe

C:\Windows\system32\mblctr.exe

C:\Users\Admin\AppData\Local\pP5zPW\mblctr.exe

C:\Users\Admin\AppData\Local\pP5zPW\mblctr.exe

C:\Windows\system32\fveprompt.exe

C:\Windows\system32\fveprompt.exe

C:\Users\Admin\AppData\Local\6V8f\fveprompt.exe

C:\Users\Admin\AppData\Local\6V8f\fveprompt.exe

C:\Windows\system32\TpmInit.exe

C:\Windows\system32\TpmInit.exe

C:\Users\Admin\AppData\Local\AjrT\TpmInit.exe

C:\Users\Admin\AppData\Local\AjrT\TpmInit.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 01:27

Reported

2024-01-01 18:38

Platform

win10v2004-20231215-en

Max time kernel

161s

Max time network

170s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\22dfe76a15cee6a41765ba272cf9594e.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fidpgamyc = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\pc2AA0t\\rdpinput.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\jOkL\omadmclient.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\6nV8gD\BdeUISrv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\jOjc\rdpinput.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3352 wrote to memory of 1144 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 3352 wrote to memory of 1144 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 3352 wrote to memory of 4584 N/A N/A C:\Users\Admin\AppData\Local\6nV8gD\BdeUISrv.exe
PID 3352 wrote to memory of 4584 N/A N/A C:\Users\Admin\AppData\Local\6nV8gD\BdeUISrv.exe
PID 3352 wrote to memory of 2140 N/A N/A C:\Windows\system32\rdpinput.exe
PID 3352 wrote to memory of 2140 N/A N/A C:\Windows\system32\rdpinput.exe
PID 3352 wrote to memory of 4948 N/A N/A C:\Users\Admin\AppData\Local\jOjc\rdpinput.exe
PID 3352 wrote to memory of 4948 N/A N/A C:\Users\Admin\AppData\Local\jOjc\rdpinput.exe
PID 3352 wrote to memory of 3924 N/A N/A C:\Windows\system32\omadmclient.exe
PID 3352 wrote to memory of 3924 N/A N/A C:\Windows\system32\omadmclient.exe
PID 3352 wrote to memory of 376 N/A N/A C:\Users\Admin\AppData\Local\jOkL\omadmclient.exe
PID 3352 wrote to memory of 376 N/A N/A C:\Users\Admin\AppData\Local\jOkL\omadmclient.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\22dfe76a15cee6a41765ba272cf9594e.dll,#1

C:\Windows\system32\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

C:\Users\Admin\AppData\Local\6nV8gD\BdeUISrv.exe

C:\Users\Admin\AppData\Local\6nV8gD\BdeUISrv.exe

C:\Windows\system32\rdpinput.exe

C:\Windows\system32\rdpinput.exe

C:\Users\Admin\AppData\Local\jOjc\rdpinput.exe

C:\Users\Admin\AppData\Local\jOjc\rdpinput.exe

C:\Windows\system32\omadmclient.exe

C:\Windows\system32\omadmclient.exe

C:\Users\Admin\AppData\Local\jOkL\omadmclient.exe

C:\Users\Admin\AppData\Local\jOkL\omadmclient.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 61.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.135.221.88.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\6nV8gD\WTSAPI32.dll

MD5 f772c9988a06abb771a017283d5787c5
SHA1 04cda51b43bbdbade40591329355bcb3beea4363
SHA256 dfa807d61f62ae000db78010384068544afbbb49bc886c53456bc2618f7ff104
SHA512 ececbde42904ac9e68d6cfd8211f2af2c4914a6c46f4f682cee6759e9b8fa084eadc3c74a25f0c3733c3faed9288e165293f215f179d377c75737de25e729170

C:\Users\Admin\AppData\Local\6nV8gD\WTSAPI32.dll

MD5 940630663b2a457eea8d56939a3004bb
SHA1 c9e1bfd104c904e0d491ef9cff954912af3d5561
SHA256 e43611a8426a1c5c10feddf1ba9633bede04e8e38d37b6681dd2bb5194734bf0
SHA512 af859010d1d2435c793e225e41ef23446915e4302a3b4d573c154a330b68887f04269e006dd1dbede3a0077935e45b910f87a4abba7c96eaba24a7ca617e3699

C:\Users\Admin\AppData\Local\6nV8gD\BdeUISrv.exe

MD5 2ac239f1eea0a748d16e682c895ef8a6
SHA1 3f196083762ddfa2549e17a25436dc0d2d765028
SHA256 2868cd810b44351924a0d63d05600c59cba3f9beb50b71c517777ede6b1d38f1
SHA512 134254df8d07dd52fbf922ae7c60fc4a5d08c4b94dc163e0470603b59823133aeed5441a3ddedb993b1554702f9bc47f48d99b674831b266046a9d7846419ee8

C:\Users\Admin\AppData\Local\6nV8gD\BdeUISrv.exe

MD5 8595075667ff2c9a9f9e2eebc62d8f53
SHA1 c48b54e571f05d4e21d015bb3926c2129f19191a
SHA256 20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db
SHA512 080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

C:\Users\Admin\AppData\Local\jOjc\WINSTA.dll

MD5 faef46d47435b89d0ffe4abd0a8b21ca
SHA1 878c694869b00b15bdcdc8cec3909ef7be945bb1
SHA256 d48314e12555e17c32571eaa88c6587f044924a419e6e5fe64cc847061519f59
SHA512 94d26cddfbe1357bf4eb864f08111b7c919444fd94fddc3f44529ec30fb2b68044297ab7baa833986a7fb0eeeaadc488d9b3d18cfea54f712dcbe56b7ab8699a

C:\Users\Admin\AppData\Local\jOjc\rdpinput.exe

MD5 15ea5fefd5edf7b0a4cbe1d9f539b755
SHA1 d85eacb042eb1e57c1c9bc689a2b8161b4d24cb6
SHA256 1e7de91549fd895994c282385d57d2b4bad5f0573a1749e439def75d97d0ecf0
SHA512 8363672d50a424ff67db924ff3ee6184f54b502c610b43caa7970c86d59fcdb059268e59f1ab8e7a2e8828be0d73572dd4d061821f92da46d2e734a228739e4d

C:\Users\Admin\AppData\Local\jOjc\WINSTA.dll

MD5 671ee6344a268560067e0482aebea2d0
SHA1 adab5dfb7fd937f291d88334e3278c237e489068
SHA256 f3c3e4361f8e055d9122595e17d398d58b384c2a3c5cce40b90a4a5866cd4718
SHA512 2fb5caa86b230c7e2b3b7762b3d235b40fc811842b0c710f968a05a2d7ca1a8adf9739878720689805b7e459a86075fc0d1b8ab9a4d22a042049d9d3fd32d135

C:\Users\Admin\AppData\Local\jOjc\rdpinput.exe

MD5 87022d65a73fd67ec55128144eb64e8e
SHA1 7cdba975e934c18207c2e87dbb5c9d200442fe86
SHA256 321d05378962f36ec4a6a6cb21908442081fafa8d19cf495cffb9b28dfd131ae
SHA512 fc7d1ff12f7f73cb482b8e295451a0c0ac7487c7d87e345c3c218572515aa2bb26b9e8ea856046e56d0457260a31c5e44acf4ffa30ba36e2b1804707e39fd0f9

C:\Users\Admin\AppData\Local\jOkL\XmlLite.dll

MD5 6c9bcef98bb8b8d3ea852a36627efa27
SHA1 b3dbf90d440559619be608c02d9a10288f1e91f7
SHA256 bdb1b2b952835f6d42b453bc63cf513c481b2eb138d2c1035e6ebabdd6329024
SHA512 7de07e31d3e4727b0208bb257c123c05b07d746c729cd5957ff7b1aff7efbc9d53c21c742e035df36dcf8a41310e86f61b3d963748ad7e7985913fede5de8e95

C:\Users\Admin\AppData\Local\jOkL\XmlLite.dll

MD5 afe5c7ba8633becc25ff1a86c7088f21
SHA1 8acbebac59fec5851374d14044c3388ebb368330
SHA256 876f3a314ea785015a6c0b2e1af8b9febd26b2c64f60024dd98e8a2aed047fb3
SHA512 b780b4698b837768055e837ef44fa69c7a7d40c9e4eaa881463afc3ad10e04b57260b9579561e577e47c7189a0f84d668d4d525e515421ed871feb54307c1972

C:\Users\Admin\AppData\Local\jOkL\omadmclient.exe

MD5 a2b234affb7d83e108b1bf31199f05f8
SHA1 3c03c1b71c733b86b921ffb5ad5ad07ea87ecb68
SHA256 ec6124847704a4f56c55651b7a6eebdc3f478485b22ab0bf5ddcc79e35ec9380
SHA512 fef489baa49050f82747cac276afdee928ba7940fa2c18c474c6358a7eac6fb7775e255cceceb10fed767c69c540ff29093acf42dbdb40be0b41b02e1359a314

C:\Users\Admin\AppData\Local\jOkL\omadmclient.exe

MD5 411fb506512fe59dd05006d5a94c2047
SHA1 d3bc7d42d3b512c52438baa112185d00792e2c7b
SHA256 6bc14f6c11073f744b9d179aaab7c58cba4b022d6528382748a67cdc1527c337
SHA512 fd62ad747cbe5797763d38ceb6e022010a18580e50d2b71768860189b262bbb2bbd5838d226e831288597bf3b28311d9066b0cfaeb8d6f282b80ecb4ca1b4420

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Enpllr.lnk

MD5 a3b1eba1483cbf87c484c375225076bc
SHA1 10ce59d7d56cb3e8e84fa29210b488363bdf8b30
SHA256 8688ae4f81357d42bb66f1e1d0c4cf53e5b9d864256d2aa9f740d3d52adeed0a
SHA512 9e2ea446b561a8e54cb74be62f2141c8028cf863209ac65d9216eafa04e89dcf5098c4e953011fd289a6be1a7aa95c50fbce1b11c447bf7069812fc0e7b83962

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\axP1mEL\WTSAPI32.dll

MD5 44d96e7e01cffa049f27869391db87fc
SHA1 5f0ac68020908c0ebf482d4f9cb4a1c533c6c2ec
SHA256 e1f5d7ed27f4c669c7ece846f0603a68f7548d454fd2427b59d5668748fe53c6
SHA512 4a08fe2ff52e3c0ade1ea0d214c8159a0775cce511409a8a3cf2954099b3c583dd67fc63f0872bd856a2e86d34c96ec051366f8d7f6ec005463aef2eb12315c4

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\pc2AA0t\WINSTA.dll

MD5 42ee899cb9e6868a498a73332dd27064
SHA1 231d58bab388beb75d7ccf728f6b0a42226b7d00
SHA256 01dba03f8a58da07b82c6cae091a1f2139172868247474103913dfe8ff4d5a71
SHA512 6b59e3897bf60175a3ad8412d9465e9f0864e252d972ffff4406591a8b1ca9ed6500bba74396e9a7aa8d7bbb4f1f7d5415c9388ff0304768b85df996554619cb

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-2398549320-3657759451-817663969-1000\2KM\XmlLite.dll

MD5 580a8293b178808866d08998b03ab47e
SHA1 12c4679fce4fd7a050dcbfd3a8e06e0908b51ea0
SHA256 49d0d1a62ae98f93e26745ee8c0f1177712f8d251bc72013d3bcc4906937d65d
SHA512 4f27753b98c1fdf68e12281fc0fb55863b212722f3af2d3fb919d4186bcc58b1bd7c07ddea5045679d9b9c5daa84b58b854608ff5fac6a40850a8fef918276ac