Malware Analysis Report

2024-11-30 21:28

Sample ID 240101-klrzksfacm
Target 3c668588dcb6a4b825f4486bdc405a86
SHA256 81a37b8a90f46603b35c91a9b31908d4b8bff1d32559cdf2e3761a10079a8296
Tags
dridex botnet evasion payload trojan
score
10/10


Analysis Overview

score
10/10

SHA256

81a37b8a90f46603b35c91a9b31908d4b8bff1d32559cdf2e3761a10079a8296

Threat Level: Known bad

The file 3c668588dcb6a4b825f4486bdc405a86 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan

Dridex

Dridex Shellcode

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-01-01 08:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-01 08:41

Reported

2024-01-06 04:18

Platform

win7-20231215-en

Max time kernel

5s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c668588dcb6a4b825f4486bdc405a86.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c668588dcb6a4b825f4486bdc405a86.dll,#1

C:\Windows\system32\winlogon.exe

C:\Users\Admin\AppData\Local\re7LZltE\winlogon.exe

C:\Windows\system32\sethc.exe

C:\Users\Admin\AppData\Local\Ertcr2IJ\sethc.exe

C:\Windows\system32\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\21mBb\BitLockerWizardElev.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-01 08:41

Reported

2024-01-06 04:18

Platform

win10v2004-20231215-en

Max time kernel

3s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c668588dcb6a4b825f4486bdc405a86.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c668588dcb6a4b825f4486bdc405a86.dll,#1

C:\Windows\system32\RdpSaUacHelper.exe

C:\Users\Admin\AppData\Local\pdnn5L19I\RdpSaUacHelper.exe

C:\Windows\system32\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\5D5K9CcDr\MoUsoCoreWorker.exe

C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\gdeKd\SystemSettingsAdminFlows.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files
