Malware Analysis Report

2024-11-30 21:36

Sample ID 231231-fzqlfseca3
Target 29b903e2ff6db0e1aa56dc3d6f2fa46c
SHA256 e2ea6ece1e6886a76ee5b364587a5f740c4991d653b5b21f83c25c2bef294287
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e2ea6ece1e6886a76ee5b364587a5f740c4991d653b5b21f83c25c2bef294287

Threat Level: Known bad

The file 29b903e2ff6db0e1aa56dc3d6f2fa46c was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Drops startup file

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 05:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 05:18

Reported

2024-01-05 16:00

Platform

win7-20231129-en

Max time kernel

66s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\29b903e2ff6db0e1aa56dc3d6f2fa46c.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\YNkA\WindowsAnytimeUpgradeResults.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\tQLxu\RDVGHelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\z3Hg\rrinstaller.exe N/A
(4 further rows in which every column is N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\EVTW1V~1\\RDVGHE~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\tQLxu\RDVGHelper.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\z3Hg\rrinstaller.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\YNkA\WindowsAnytimeUpgradeResults.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further rows in which every column is N/A)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1252 wrote to memory of 2592 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1252 wrote to memory of 2592 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1252 wrote to memory of 2592 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1252 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\YNkA\WindowsAnytimeUpgradeResults.exe
PID 1252 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\YNkA\WindowsAnytimeUpgradeResults.exe
PID 1252 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\YNkA\WindowsAnytimeUpgradeResults.exe
PID 1252 wrote to memory of 2876 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1252 wrote to memory of 2876 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1252 wrote to memory of 2876 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1252 wrote to memory of 3004 N/A N/A C:\Users\Admin\AppData\Local\tQLxu\RDVGHelper.exe
PID 1252 wrote to memory of 3004 N/A N/A C:\Users\Admin\AppData\Local\tQLxu\RDVGHelper.exe
PID 1252 wrote to memory of 3004 N/A N/A C:\Users\Admin\AppData\Local\tQLxu\RDVGHelper.exe
PID 1252 wrote to memory of 1812 N/A N/A C:\Windows\system32\rrinstaller.exe
PID 1252 wrote to memory of 1812 N/A N/A C:\Windows\system32\rrinstaller.exe
PID 1252 wrote to memory of 1812 N/A N/A C:\Windows\system32\rrinstaller.exe
PID 1252 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\z3Hg\rrinstaller.exe
PID 1252 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\z3Hg\rrinstaller.exe
PID 1252 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\z3Hg\rrinstaller.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\29b903e2ff6db0e1aa56dc3d6f2fa46c.dll,#1

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe

C:\Users\Admin\AppData\Local\YNkA\WindowsAnytimeUpgradeResults.exe

C:\Users\Admin\AppData\Local\YNkA\WindowsAnytimeUpgradeResults.exe

C:\Users\Admin\AppData\Local\tQLxu\RDVGHelper.exe

C:\Users\Admin\AppData\Local\tQLxu\RDVGHelper.exe

C:\Windows\system32\RDVGHelper.exe

C:\Windows\system32\RDVGHelper.exe

C:\Users\Admin\AppData\Local\z3Hg\rrinstaller.exe

C:\Users\Admin\AppData\Local\z3Hg\rrinstaller.exe

C:\Windows\system32\rrinstaller.exe

C:\Windows\system32\rrinstaller.exe

Network

N/A

Files

memory/2536-2-0x0000000000120000-0x0000000000127000-memory.dmp

memory/2536-0-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-4-0x0000000077296000-0x0000000077297000-memory.dmp

memory/1252-9-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-15-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-22-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-29-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-35-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-37-0x0000000002DC0000-0x0000000002DC7000-memory.dmp

memory/1252-44-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-46-0x0000000077500000-0x0000000077502000-memory.dmp

memory/1252-45-0x00000000773A1000-0x00000000773A2000-memory.dmp

memory/1252-55-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-36-0x0000000140000000-0x000000014019D000-memory.dmp

memory/2568-73-0x0000000140000000-0x000000014019E000-memory.dmp

memory/2568-78-0x0000000140000000-0x000000014019E000-memory.dmp

memory/2568-76-0x0000000000330000-0x0000000000337000-memory.dmp

memory/1252-64-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-61-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-34-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-33-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-32-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-31-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-30-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-28-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-27-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-26-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-25-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-24-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-23-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-21-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-20-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-19-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-18-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-17-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-16-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-14-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3004-102-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3004-98-0x0000000000200000-0x0000000000207000-memory.dmp

memory/1252-13-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-12-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-11-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-10-0x0000000140000000-0x000000014019D000-memory.dmp

memory/2536-8-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-7-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1252-5-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

memory/1584-123-0x0000000000100000-0x0000000000107000-memory.dmp

memory/1584-121-0x0000000140000000-0x000000014019F000-memory.dmp

memory/1252-145-0x0000000077296000-0x0000000077297000-memory.dmp

memory/2568-150-0x0000000000330000-0x0000000000337000-memory.dmp
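The dump names above follow the scheme memory/<pid>-<sequence>-<start>-<end>-memory.dmp, and the thing worth noticing is hidden in the hex: the same base address 0x140000000 carries a region of 0x19D000 to 0x19F000 bytes in processes 2536 and 1252 and in each of the three relaunched copies (2568, 3004, 1584), and every one of those processes also has a separate 0x7000-byte region. The script below is an added example, not part of the sandbox report or its tooling, that parses the names as printed here, collapses the repeated dumps of one region, and reports which bases and sizes recur across processes. The dump names are copied from this report's Files section; nothing else is assumed.

```python
import re
from collections import defaultdict

# Dump names copied from the behavioral1 Files section of this report.
# Naming scheme as shown on the page: memory/<pid>-<sequence>-<start>-<end>-memory.dmp
SAMPLE_DUMPS = [
    "memory/2536-2-0x0000000000120000-0x0000000000127000-memory.dmp",
    "memory/2536-0-0x0000000140000000-0x000000014019D000-memory.dmp",
    "memory/2536-8-0x0000000140000000-0x000000014019D000-memory.dmp",
    "memory/1252-4-0x0000000077296000-0x0000000077297000-memory.dmp",
    "memory/1252-9-0x0000000140000000-0x000000014019D000-memory.dmp",
    "memory/1252-37-0x0000000002DC0000-0x0000000002DC7000-memory.dmp",
    "memory/1252-46-0x0000000077500000-0x0000000077502000-memory.dmp",
    "memory/2568-73-0x0000000140000000-0x000000014019E000-memory.dmp",
    "memory/2568-76-0x0000000000330000-0x0000000000337000-memory.dmp",
    "memory/3004-102-0x0000000140000000-0x000000014019E000-memory.dmp",
    "memory/3004-98-0x0000000000200000-0x0000000000207000-memory.dmp",
    "memory/1584-121-0x0000000140000000-0x000000014019F000-memory.dmp",
    "memory/1584-123-0x0000000000100000-0x0000000000107000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split one dump file name into pid, sequence number, start address and size.
    Returns None for names that do not follow the scheme."""
    m = DUMP_RE.match(name)
    if m is None:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "size": end - start}


def regions_by_pid(names):
    """pid -> {start address: largest size seen}. The sandbox dumps the same region
    repeatedly (one entry per sequence number), so repeats collapse to one region."""
    out = defaultdict(dict)
    for name in names:
        r = parse_dump_name(name)
        if r is None:
            continue
        out[r["pid"]][r["start"]] = max(out[r["pid"]].get(r["start"], 0), r["size"])
    return dict(out)


def shared_bases(by_pid, min_pids=2):
    """start address -> sorted pids, for bases present in at least min_pids processes.
    A region at one base in the writer process and in every process it wrote to is
    the first thing to compare when reading a report like this one."""
    pids_for = defaultdict(set)
    for pid, regions in by_pid.items():
        for start in regions:
            pids_for[start].add(pid)
    return {s: sorted(p) for s, p in pids_for.items() if len(p) >= min_pids}


def pids_with_region_size(by_pid, size):
    """Sorted pids that hold at least one region of exactly `size` bytes."""
    return sorted(pid for pid, regions in by_pid.items() if size in regions.values())


if __name__ == "__main__":
    by_pid = regions_by_pid(SAMPLE_DUMPS)
    for base, pids in shared_bases(by_pid).items():
        sizes = ", ".join(f"{pid}: 0x{by_pid[pid][base]:X}" for pid in pids)
        print(f"base 0x{base:X} shared by {pids} (sizes {sizes})")
    print("pids with a 0x7000-byte region:", pids_with_region_size(by_pid, 0x7000))
```

Grouping by base rather than by exact size is deliberate: the region at 0x140000000 is 0x19D000 bytes in 2536 and 1252 but 0x19E000 and 0x19F000 bytes in the relaunched copies, so an exact-size match would miss the relationship the report's dump list makes visible.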

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 05:18

Reported

2024-01-05 16:01

Platform

win10v2004-20231215-en

Max time kernel

156s

Max time network

168s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\29b903e2ff6db0e1aa56dc3d6f2fa46c.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Xe4A9rJND N/A N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Xe4A9rJND\XmlLite.dll N/A N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Xe4A9rJND\MoUsoCoreWorker.exe N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\BQAONjDl\\SYSRES~1.EXE" N/A N/A
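Both Run-key tables in this report (the behavioral1 value Mjgqrtoi and the behavioral2 value Gdfgjdhwrlpouj above) store the autostart path in 8.3 short form (MICROS~1, STARTM~1, RDVGHE~1.EXE, SYSRES~1.EXE), so a rule that looks for "SysResetErr.exe" or "RDVGHelper.exe" in Run values will not fire on these entries. The Python below is an added example, not code from the sandbox or from the report, that parses the two rows exactly as printed here, lists the 8.3 components and maps the short file name back to candidate long names taken from the report's Processes sections. The 8.3 matcher is a simplified heuristic chosen for this example; it does not reproduce the exact NTFS generation rule or its hash-based collision names.

```python
import re

# The two "Set value (str)" rows from the Run-key tables in this report (behavioral1 and behavioral2).
RUN_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\EVTW1V~1\\RDVGHE~1.EXE" N/A N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\BQAONjDl\\SYSRES~1.EXE" N/A N/A',
]

# Long file names of the relaunched binaries, taken from the Processes sections of this report.
KNOWN_NAMES = ["RDVGHelper.exe", "SysResetErr.exe", "MoUsoCoreWorker.exe", "LockScreenContentServer.exe"]

ROW_RE = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\[^\s"]+)\\(?P<name>[^\\\s"]+) = "(?P<data>[^"]*)"')
SHORT_RE = re.compile(r"^(?P<prefix>[^~.]{1,6})~\d+(?:\.(?P<ext>[^.]{0,3}))?$", re.IGNORECASE)


def parse_run_row(row):
    """Registry key, value name and the (unescaped) program path from one table row."""
    m = ROW_RE.match(row)
    if m is None:
        return None
    return {"key": m["key"], "value_name": m["name"], "target": m["data"].replace("\\\\", "\\")}


def short_components(path):
    """Path components written in 8.3 form (NAME~N); these defeat matching on the long name."""
    return [c for c in path.split("\\") if re.search(r"~\d", c)]


def could_be_short_for(short, long_name):
    """Heuristic 8.3 match, an assumption for this example rather than the exact NTFS rule:
    the prefix before '~' is the first (up to) six characters of the long name with spaces
    and dots removed, and the extension is the first three characters of the long extension.
    Collision-generated names of the form NA~XXXX are not handled."""
    m = SHORT_RE.match(short)
    if m is None:
        return False
    prefix = m["prefix"].upper()
    short_ext = (m["ext"] or "").upper()
    stem, _, long_ext = long_name.rpartition(".") if "." in long_name else (long_name, "", "")
    stem = re.sub(r"[ .]", "", stem).upper()
    expected = stem[:6] if len(stem) >= 6 else stem
    return prefix == expected and long_ext.upper()[:3] == short_ext


def assess(rows, known_names):
    """One record per Run value: where it points, which components are 8.3 names, and
    which known long names the 8.3 file name could stand for."""
    out = []
    for row in rows:
        r = parse_run_row(row)
        if r is None:
            continue
        file_name = r["target"].rsplit("\\", 1)[-1]
        r["short_components"] = short_components(r["target"])
        r["in_user_profile"] = r["target"].lower().startswith("c:\\users\\")
        r["possible_long_names"] = [n for n in known_names if could_be_short_for(file_name, n)]
        out.append(r)
    return out


if __name__ == "__main__":
    for rec in assess(RUN_ROWS, KNOWN_NAMES):
        print(rec["value_name"], "->", rec["target"])
        print("   8.3 components:", rec["short_components"])
        print("   could stand for:", rec["possible_long_names"])
```

On a live host the short form is not needed at all: querying the Run value and passing it through GetLongPathName (or simply resolving the path on disk) gives the long name directly. The heuristic is for reading reports and logs where only the recorded string is available.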

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\pSF53RQ2\LockScreenContentServer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Lc4lh5\SysResetErr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\8smXtLltm\MoUsoCoreWorker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further rows in which every column is N/A)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3532 wrote to memory of 2184 N/A N/A C:\Windows\system32\LockScreenContentServer.exe
PID 3532 wrote to memory of 2184 N/A N/A C:\Windows\system32\LockScreenContentServer.exe
PID 3532 wrote to memory of 1628 N/A N/A C:\Users\Admin\AppData\Local\pSF53RQ2\LockScreenContentServer.exe
PID 3532 wrote to memory of 1628 N/A N/A C:\Users\Admin\AppData\Local\pSF53RQ2\LockScreenContentServer.exe
PID 3532 wrote to memory of 1596 N/A N/A C:\Windows\system32\SysResetErr.exe
PID 3532 wrote to memory of 1596 N/A N/A C:\Windows\system32\SysResetErr.exe
PID 3532 wrote to memory of 4552 N/A N/A C:\Users\Admin\AppData\Local\Lc4lh5\SysResetErr.exe
PID 3532 wrote to memory of 4552 N/A N/A C:\Users\Admin\AppData\Local\Lc4lh5\SysResetErr.exe
PID 3532 wrote to memory of 464 N/A N/A C:\Windows\system32\MoUsoCoreWorker.exe
PID 3532 wrote to memory of 464 N/A N/A C:\Windows\system32\MoUsoCoreWorker.exe
PID 3532 wrote to memory of 2564 N/A N/A C:\Users\Admin\AppData\Local\8smXtLltm\MoUsoCoreWorker.exe
PID 3532 wrote to memory of 2564 N/A N/A C:\Users\Admin\AppData\Local\8smXtLltm\MoUsoCoreWorker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\29b903e2ff6db0e1aa56dc3d6f2fa46c.dll,#1

C:\Windows\system32\LockScreenContentServer.exe

C:\Windows\system32\LockScreenContentServer.exe

C:\Users\Admin\AppData\Local\pSF53RQ2\LockScreenContentServer.exe

C:\Users\Admin\AppData\Local\pSF53RQ2\LockScreenContentServer.exe

C:\Windows\system32\SysResetErr.exe

C:\Windows\system32\SysResetErr.exe

C:\Users\Admin\AppData\Local\Lc4lh5\SysResetErr.exe

C:\Users\Admin\AppData\Local\Lc4lh5\SysResetErr.exe

C:\Windows\system32\MoUsoCoreWorker.exe

C:\Windows\system32\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\8smXtLltm\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\8smXtLltm\MoUsoCoreWorker.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp

Files

memory/3448-1-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3448-0-0x000001E993D20000-0x000001E993D27000-memory.dmp

memory/3532-5-0x00007FFCEFC8A000-0x00007FFCEFC8B000-memory.dmp

memory/3532-4-0x00000000034B0000-0x00000000034B1000-memory.dmp

memory/3532-7-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-9-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3448-8-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-10-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-11-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-12-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-13-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-15-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-16-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-14-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-17-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-18-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-19-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-20-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-21-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-22-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-23-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-24-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-25-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-26-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-27-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-28-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-29-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-30-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-31-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-32-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-33-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-34-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-35-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-37-0x00000000036F0000-0x00000000036F7000-memory.dmp

memory/3532-36-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-44-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-47-0x00007FFCF0B80000-0x00007FFCF0B90000-memory.dmp

memory/3532-54-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3532-56-0x0000000140000000-0x000000014019D000-memory.dmp

C:\Users\Admin\AppData\Local\pSF53RQ2\LockScreenContentServer.exe

MD5 a0b7513c98cf46ca2cea3a567fec137c
SHA1 2307fc8e3fc620ea3c2fdc6248ad4658479ba995
SHA256 cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6
SHA512 3928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15

C:\Users\Admin\AppData\Local\pSF53RQ2\DUser.dll

MD5 c5ac3491c416657300bb7fa978a15a65
SHA1 b695add73702bf84877bc4d19c5fa04485e05414
SHA256 3ac27ccd0db1206cfac996cb7a500492c838cee0258e7ec850b3ae8f5043e469
SHA512 8408d9081df766cfa9a130dbe27a515b129771598f1f0349209190df3cafb75fc004f1d30d3b7fdaf2669bf5699de7a855868addb0fe9e42f7c3e1fda5b7d915

memory/1628-65-0x0000000140000000-0x000000014019F000-memory.dmp

memory/1628-66-0x0000024514C80000-0x0000024514C87000-memory.dmp

memory/1628-71-0x0000000140000000-0x000000014019F000-memory.dmp

C:\Users\Admin\AppData\Local\Lc4lh5\SysResetErr.exe

MD5 090c6f458d61b7ddbdcfa54e761b8b57
SHA1 c5a93e9d6eca4c3842156cc0262933b334113864
SHA256 a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd
SHA512 c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

C:\Users\Admin\AppData\Local\Lc4lh5\DUI70.dll

MD5 45ec03cc96babfd72baa1fe13f61dd47
SHA1 44444f5ad1c096c9e6b3b6a4fc82a24ad3c912d5
SHA256 56811ec7f3744a8f6cf80dd48db6ff260723c8e1a02186be05930626163071ad
SHA512 ce8385bd9ac348e780185c75f1688966d5c2a6b352bf89d6d792ccc405c59e598ff94ce81d4f6a3430159c49d61540c0279848d9fafbb451796bf3c97e5478e7

C:\Users\Admin\AppData\Local\Lc4lh5\DUI70.dll

MD5 733f16176f6af6273c9709bd0cd9f15b
SHA1 6ca616135a6cb7f76c1448266d08e315c65aa9e8
SHA256 756dc94b2c9bddf69f057e10ea6a1722ebaf2b72868abe317764c054ba3e17d5
SHA512 0e21d152912a821530ab73f894c6e1e53b846d3b580c300072002f290a56cec28d5e85342d39bd79dc26069aef5374e04ecd61d3bbda65d2a9cafe971b26a64e

memory/4552-85-0x0000000140000000-0x00000001401E3000-memory.dmp

memory/4552-84-0x000001EFA6610000-0x000001EFA6617000-memory.dmp

memory/4552-90-0x0000000140000000-0x00000001401E3000-memory.dmp

C:\Users\Admin\AppData\Local\8smXtLltm\MoUsoCoreWorker.exe

MD5 47c6b45ff22b73caf40bb29392386ce3
SHA1 7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9
SHA256 cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0
SHA512 c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

C:\Users\Admin\AppData\Local\8smXtLltm\XmlLite.dll

MD5 09bd9c75249b3abc576c56a174d7935a
SHA1 26458efac3460b16453fe705d9c6d0568598c1cb
SHA256 71617b51b9d6c7fb6d4a58646be7b39470ea40e20a51648cfa5c1d8463e5ff8b
SHA512 0393c46faceed571a05c203ed6ea0ae5819a02864f2e125e0a8335c72b1df322b248662f23ad9d9d858298a23bc86158b951420bcc9d2eb9fe4a8435423e7928

memory/2564-101-0x000002AD28FC0000-0x000002AD28FC7000-memory.dmp

memory/2564-102-0x0000000140000000-0x000000014019E000-memory.dmp

memory/2564-107-0x0000000140000000-0x000000014019E000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 d309f8a6beea67887d940fc88ebdc76b
SHA1 d542224f2020709015ce374006ed755a10e65665
SHA256 02ee4549c46ee53a5fe4e460876db517867c285e0df8807ec24420739feedccb
SHA512 fc83ed8a308caba73b5654ce11c9bc0c86a7f2bb994d0bff63675c9cd14627ad1655edf9084bfc1e98ba9b934dc81e0f2307cdae24d147ba7b9bd220ea01a555
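Read together, the behavioral2 WriteProcessMemory table and the Files section above show one pattern: the writer process 3532 targets each binary twice, once at its System32 location and once at a copy under C:\Users\Admin\AppData\Local\<random>\, and each of those directories also receives a DLL that carries the name of a Windows system DLL (DUser.dll, DUI70.dll, XmlLite.dll). That layout is what DLL search-order hijacking (side-loading) relies on: under the default search order an executable resolves a DLL that is not on the KnownDLLs list from its own directory before it looks in System32, so the co-located DLL wins. The Python below is an added example, not the sandbox's code, that reconstructs both observations from the report's own rows; the rows and paths are copied from this report, and the System32 and user-profile tests are plain path-component checks chosen for the example.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Rows copied from the behavioral2 "Suspicious use of WriteProcessMemory" table (one of each pair).
WPM_ROWS = [
    r"PID 3532 wrote to memory of 2184 N/A N/A C:\Windows\system32\LockScreenContentServer.exe",
    r"PID 3532 wrote to memory of 1628 N/A N/A C:\Users\Admin\AppData\Local\pSF53RQ2\LockScreenContentServer.exe",
    r"PID 3532 wrote to memory of 1596 N/A N/A C:\Windows\system32\SysResetErr.exe",
    r"PID 3532 wrote to memory of 4552 N/A N/A C:\Users\Admin\AppData\Local\Lc4lh5\SysResetErr.exe",
    r"PID 3532 wrote to memory of 464 N/A N/A C:\Windows\system32\MoUsoCoreWorker.exe",
    r"PID 3532 wrote to memory of 2564 N/A N/A C:\Users\Admin\AppData\Local\8smXtLltm\MoUsoCoreWorker.exe",
]

# Dropped-file paths copied from the behavioral2 Files section.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\pSF53RQ2\LockScreenContentServer.exe",
    r"C:\Users\Admin\AppData\Local\pSF53RQ2\DUser.dll",
    r"C:\Users\Admin\AppData\Local\Lc4lh5\SysResetErr.exe",
    r"C:\Users\Admin\AppData\Local\Lc4lh5\DUI70.dll",
    r"C:\Users\Admin\AppData\Local\8smXtLltm\MoUsoCoreWorker.exe",
    r"C:\Users\Admin\AppData\Local\8smXtLltm\XmlLite.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk",
]

WPM_RE = re.compile(r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) \S+ \S+ (?P<path>.+)$")


def parse_wpm_row(row):
    """(writer pid, target pid, target image path) from one table row, or None."""
    m = WPM_RE.match(row)
    if m is None:
        return None
    return int(m["writer"]), int(m["target"]), m["path"]


def is_system_dir(p):
    parts = [x.lower() for x in p.parts]
    return len(parts) >= 4 and parts[1] == "windows" and parts[2] in ("system32", "syswow64")


def is_user_profile(p):
    parts = [x.lower() for x in p.parts]
    return len(parts) >= 3 and parts[1] == "users"


def relocated_targets(rows):
    """file name -> {'system': [...], 'user': [...]} for every executable name the writer
    injected into both at its System32 path and at a copy under a user profile."""
    by_name = defaultdict(lambda: {"system": [], "user": []})
    for row in rows:
        parsed = parse_wpm_row(row)
        if parsed is None:
            continue
        _writer, _target, path = parsed
        p = PureWindowsPath(path)
        if is_system_dir(p):
            by_name[p.name.lower()]["system"].append(str(p))
        elif is_user_profile(p):
            by_name[p.name.lower()]["user"].append(str(p))
    return {n: v for n, v in by_name.items() if v["system"] and v["user"]}


def sideload_pairs(paths):
    """directory -> {'exe': [...], 'dll': [...]} for user-profile directories that hold an
    .exe next to a .dll, the layout a search-order hijack needs."""
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    for raw in paths:
        p = PureWindowsPath(raw)
        ext = p.suffix.lower()
        if is_user_profile(p) and ext in (".exe", ".dll"):
            by_dir[str(p.parent)][ext[1:]].append(p.name)
    return {d: v for d, v in by_dir.items() if v["exe"] and v["dll"]}


if __name__ == "__main__":
    for name, where in relocated_targets(WPM_ROWS).items():
        print(name, "->", where["system"], "and", where["user"])
    for d, files in sideload_pairs(DROPPED_FILES).items():
        print(d, "holds", files["exe"], "beside", files["dll"])
```

Two caveats when turning this into a hunt on real endpoints: a legitimate Windows binary copied out of System32 still carries a valid Microsoft signature, so signature checks alone pass it, and the Startup-folder .lnk listed in the Files section is skipped here only because it is neither an .exe nor a .dll; on a host it would be the next artifact to resolve.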