Malware Analysis Report

2024-11-30 21:41

Sample ID 240104-j28ftsbgem
Target 4057f3f059042cd74d9b6673a0cac7a1
SHA256 c0e503e239b73c3bf265e8ad473661c7f9fe7c69f9f31e7a0c3e7f72587e726e
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c0e503e239b73c3bf265e8ad473661c7f9fe7c69f9f31e7a0c3e7f72587e726e

Threat Level: Known bad

The file 4057f3f059042cd74d9b6673a0cac7a1 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-04 08:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-04 08:10

Reported

2024-01-04 08:14

Platform

win7-20231215-en

Max time kernel

150s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4057f3f059042cd74d9b6673a0cac7a1.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\U8Ewli2k\msra.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\JAAvp\VaultSysUi.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\WHf1zn8\DevicePairingWizard.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\d1rFKnZ\\VAULTS~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\U8Ewli2k\msra.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\JAAvp\VaultSysUi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\WHf1zn8\DevicePairingWizard.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
(the row above is repeated 61 times in the original report: 61 further process-enumeration events with no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 2548 N/A N/A C:\Windows\system32\msra.exe
PID 1204 wrote to memory of 2548 N/A N/A C:\Windows\system32\msra.exe
PID 1204 wrote to memory of 2548 N/A N/A C:\Windows\system32\msra.exe
PID 1204 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\U8Ewli2k\msra.exe
PID 1204 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\U8Ewli2k\msra.exe
PID 1204 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\U8Ewli2k\msra.exe
PID 1204 wrote to memory of 2936 N/A N/A C:\Windows\system32\VaultSysUi.exe
PID 1204 wrote to memory of 2936 N/A N/A C:\Windows\system32\VaultSysUi.exe
PID 1204 wrote to memory of 2936 N/A N/A C:\Windows\system32\VaultSysUi.exe
PID 1204 wrote to memory of 2880 N/A N/A C:\Users\Admin\AppData\Local\JAAvp\VaultSysUi.exe
PID 1204 wrote to memory of 2880 N/A N/A C:\Users\Admin\AppData\Local\JAAvp\VaultSysUi.exe
PID 1204 wrote to memory of 2880 N/A N/A C:\Users\Admin\AppData\Local\JAAvp\VaultSysUi.exe
PID 1204 wrote to memory of 2008 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 1204 wrote to memory of 2008 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 1204 wrote to memory of 2008 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 1204 wrote to memory of 312 N/A N/A C:\Users\Admin\AppData\Local\WHf1zn8\DevicePairingWizard.exe
PID 1204 wrote to memory of 312 N/A N/A C:\Users\Admin\AppData\Local\WHf1zn8\DevicePairingWizard.exe
PID 1204 wrote to memory of 312 N/A N/A C:\Users\Admin\AppData\Local\WHf1zn8\DevicePairingWizard.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4057f3f059042cd74d9b6673a0cac7a1.dll,#1

C:\Windows\system32\msra.exe

C:\Windows\system32\msra.exe

C:\Users\Admin\AppData\Local\U8Ewli2k\msra.exe

C:\Users\Admin\AppData\Local\U8Ewli2k\msra.exe

C:\Windows\system32\VaultSysUi.exe

C:\Windows\system32\VaultSysUi.exe

C:\Users\Admin\AppData\Local\JAAvp\VaultSysUi.exe

C:\Users\Admin\AppData\Local\JAAvp\VaultSysUi.exe

C:\Windows\system32\DevicePairingWizard.exe

C:\Windows\system32\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\WHf1zn8\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\WHf1zn8\DevicePairingWizard.exe

Network

N/A

Files

memory/2632-0-0x0000000000110000-0x0000000000117000-memory.dmp

memory/2632-1-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-4-0x0000000076DF6000-0x0000000076DF7000-memory.dmp

memory/1204-5-0x0000000002A50000-0x0000000002A51000-memory.dmp

memory/1204-15-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-19-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-25-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-33-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-34-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-35-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-39-0x00000000029B0000-0x00000000029B7000-memory.dmp

memory/1204-38-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-37-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-48-0x0000000077060000-0x0000000077062000-memory.dmp

memory/1204-47-0x0000000076F01000-0x0000000076F02000-memory.dmp

memory/1204-46-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-36-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-57-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-32-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-63-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-31-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-30-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/2596-75-0x00000000001A0000-0x00000000001A7000-memory.dmp

memory/2596-80-0x0000000140000000-0x00000001401B3000-memory.dmp

memory/2596-76-0x0000000140000000-0x00000001401B3000-memory.dmp

memory/1204-29-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-28-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-27-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-26-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-24-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-23-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-22-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-21-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-20-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-18-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-17-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-16-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-14-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-13-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-12-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-11-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-10-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-9-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/2632-8-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/1204-7-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/2880-108-0x0000000140000000-0x00000001401B3000-memory.dmp

memory/2880-103-0x0000000000160000-0x0000000000167000-memory.dmp

memory/312-121-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/312-120-0x0000000000270000-0x0000000000277000-memory.dmp

memory/1204-140-0x0000000076DF6000-0x0000000076DF7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\d1rFKnZ\credui.dll

MD5 b664a40543a2c658bc7c07073c91086b
SHA1 83ec8befc45e4ea6446943ed42e481b418aa3bcf
SHA256 c66c260e6eecf598ad3b4d0ee0ccda0ff3d7f4f11d1bb0302fb5d8183203ab11
SHA512 42ae3465974a421e950c5db029f3947ae5f9144ab4e054e5e2dad1883dc3ddadd88d16e68fb925363079d1615875b1af4935e97ccea7c741b56ad3eca3c301b5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\8F\MFC42u.dll

MD5 e4923192a28a4f919c191e2e0395eb3c
SHA1 f4d98cb6d1a1c4e89ec10b07123288c0671e8ad3
SHA256 de6a437c60f3c278d5de781f25528ba1fb116ac55960ab2956caf3d302516699
SHA512 4eca4646d5654dec6e7cc3cf6bd7a3a40e31ce7c68dca5bee9100a1663e5b80d50aeaf4a5e8060aac19b7b8b26636e2e8698dadd5d6b9555d6c656e61c990dde

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-04 08:10

Reported

2024-01-04 08:14

Platform

win10v2004-20231215-en

Max time kernel

156s

Max time network

173s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4057f3f059042cd74d9b6673a0cac7a1.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3073191680-435865314-2862784915-1000\\Oq\\sdclt.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Wfr\mblctr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\VWpmrvpzF\sdclt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\J7Yr4\RdpSaUacHelper.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
(the row above is repeated 60 times in the original report: 60 further process-enumeration events with no description, indicator, process or target recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3500 wrote to memory of 1500 N/A N/A C:\Windows\system32\mblctr.exe
PID 3500 wrote to memory of 1500 N/A N/A C:\Windows\system32\mblctr.exe
PID 3500 wrote to memory of 2796 N/A N/A C:\Users\Admin\AppData\Local\Wfr\mblctr.exe
PID 3500 wrote to memory of 2796 N/A N/A C:\Users\Admin\AppData\Local\Wfr\mblctr.exe
PID 3500 wrote to memory of 3608 N/A N/A C:\Windows\system32\sdclt.exe
PID 3500 wrote to memory of 3608 N/A N/A C:\Windows\system32\sdclt.exe
PID 3500 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\VWpmrvpzF\sdclt.exe
PID 3500 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\VWpmrvpzF\sdclt.exe
PID 3500 wrote to memory of 3724 N/A N/A C:\Windows\system32\RdpSaUacHelper.exe
PID 3500 wrote to memory of 3724 N/A N/A C:\Windows\system32\RdpSaUacHelper.exe
PID 3500 wrote to memory of 312 N/A N/A C:\Users\Admin\AppData\Local\J7Yr4\RdpSaUacHelper.exe
PID 3500 wrote to memory of 312 N/A N/A C:\Users\Admin\AppData\Local\J7Yr4\RdpSaUacHelper.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4057f3f059042cd74d9b6673a0cac7a1.dll,#1

C:\Windows\system32\mblctr.exe

C:\Windows\system32\mblctr.exe

C:\Users\Admin\AppData\Local\Wfr\mblctr.exe

C:\Users\Admin\AppData\Local\Wfr\mblctr.exe

C:\Windows\system32\sdclt.exe

C:\Windows\system32\sdclt.exe

C:\Users\Admin\AppData\Local\VWpmrvpzF\sdclt.exe

C:\Users\Admin\AppData\Local\VWpmrvpzF\sdclt.exe

C:\Windows\system32\RdpSaUacHelper.exe

C:\Windows\system32\RdpSaUacHelper.exe

C:\Users\Admin\AppData\Local\J7Yr4\RdpSaUacHelper.exe

C:\Users\Admin\AppData\Local\J7Yr4\RdpSaUacHelper.exe

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/2644-0-0x0000013EE9590000-0x0000013EE9597000-memory.dmp

memory/2644-1-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-4-0x0000000002E20000-0x0000000002E21000-memory.dmp

memory/2644-8-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-9-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-6-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-11-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-10-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-12-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-7-0x00007FF8E006A000-0x00007FF8E006B000-memory.dmp

memory/3500-13-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-14-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-15-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-18-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-17-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-19-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-16-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-20-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-21-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-22-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-23-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-24-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-25-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-26-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-27-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-28-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-29-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-30-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-31-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-32-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-33-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-34-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-36-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-35-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-37-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-39-0x0000000002B30000-0x0000000002B37000-memory.dmp

memory/3500-38-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-46-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-50-0x00007FF8E0A60000-0x00007FF8E0A70000-memory.dmp

memory/3500-56-0x0000000140000000-0x00000001401B2000-memory.dmp

memory/3500-58-0x0000000140000000-0x00000001401B2000-memory.dmp

C:\Users\Admin\AppData\Local\Wfr\mblctr.exe

MD5 d3db14eabb2679e08020bcd0c96fa9f6
SHA1 578dca7aad29409634064579d269e61e1f07d9dd
SHA256 3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69
SHA512 14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

C:\Users\Admin\AppData\Local\Wfr\UxTheme.dll

MD5 40a9b6965af52868fe023fc988fcbc68
SHA1 624dc3f162a95915dce1bd8cdc7e55a1dd5a8267
SHA256 ad9d147060b5942a148e29ce6c87d5ccd37b4ad5005e75792c1bc412637c7832
SHA512 07f216e0c107708dec9ab7b9d29550fd16049a5993a655c00c1b090b34ad75b344ffd6da0328db431d96b94ccad9345cb408a308a7e457b0e2e269bfe8a53054

memory/2796-67-0x0000000140000000-0x00000001401B3000-memory.dmp

memory/2796-68-0x00000219F2A20000-0x00000219F2A27000-memory.dmp

memory/2796-73-0x0000000140000000-0x00000001401B3000-memory.dmp

C:\Users\Admin\AppData\Local\VWpmrvpzF\sdclt.exe

MD5 e09d48f225e7abcab14ebd3b8a9668ec
SHA1 1c5b9322b51c09a407d182df481609f7cb8c425d
SHA256 efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3
SHA512 384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

C:\Users\Admin\AppData\Local\VWpmrvpzF\SPP.dll

MD5 e87bfc0cc36752cf85bd6013ef73344d
SHA1 89b5d594b2289ced9815a56db21d85f8090db200
SHA256 3a98711a1dcec253d8d59376bba2b301cd66eab54a6c759dba7565483bc53bcc
SHA512 901c0397924d47eef807462c85aae0155c19a6b2d708bd9e052dd4a776723b3eb45ddc93df2125ad117ae1d451e8b9aab0e4df4e4b69f6f51391eeb75cab524b

memory/2568-84-0x000001DB19000000-0x000001DB19007000-memory.dmp

memory/2568-90-0x0000000140000000-0x00000001401B3000-memory.dmp

C:\Users\Admin\AppData\Local\J7Yr4\RdpSaUacHelper.exe

MD5 0d5b016ac7e7b6257c069e8bb40845de
SHA1 5282f30e90cbd1be8da95b73bc1b6a7d041e43c2
SHA256 6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067
SHA512 cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

C:\Users\Admin\AppData\Local\J7Yr4\WINSTA.dll

MD5 12ddc4f58e6884b7080fdfd8815a4feb
SHA1 58fd77ab50c87230a52dc792ac47ff1f541e7893
SHA256 94ea16a3d76c633d5e493f24a5386c48656dd4533d7568ffde2e00f7b379c914
SHA512 d7a0f8d7eb470e629275986efb3bc34ee51bba8e35784ca4b36ebd12571077089a2db58ab20ffda7258af3096516591f814e1d921d63036d10f347329d16cb5c

memory/312-101-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/312-102-0x000001BB87B40000-0x000001BB87B47000-memory.dmp

memory/312-107-0x0000000140000000-0x00000001401B4000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 9854b829bdb204c65bea070530c4cd9a
SHA1 fa12cce95833653179b7bcc65696dd3daf8b0a54
SHA256 5e9bb7310d7dff8b83af514023ffe8bee0b066b7efb6f1ce9e668c1be4fce6f8
SHA512 5945d4b613c06d4933375136e628e639f63e173c228d7259266f2cdae7422a8cf2af089a762fd2e98307128267ed2a5af307b2134ae0511d2def36a787883b73