Analysis Overview
SHA256
8c8afce8cda587e4feff9a48932d80cb1054873524eb2b7e442ac052b57cfa67
Threat Level: Known bad
The file 428abad44ebb863196d457a95e2dd57a was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-05 02:31
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-05 02:31
Reported
2024-01-05 02:35
Platform
win7-20231215-en
Max time kernel
201s
Max time network
125s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\v9yd2\perfmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SOFvNMwOd\DeviceDisplayObjectProvider.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\pzU5p\mstsc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\v9yd2\perfmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SOFvNMwOd\DeviceDisplayObjectProvider.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\pzU5p\mstsc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\SYSTEM~1\\rKm3\\DEVICE~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\v9yd2\perfmon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\SOFvNMwOd\DeviceDisplayObjectProvider.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\pzU5p\mstsc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\428abad44ebb863196d457a95e2dd57a.dll
C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
C:\Users\Admin\AppData\Local\v9yd2\perfmon.exe
C:\Users\Admin\AppData\Local\v9yd2\perfmon.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\SOFvNMwOd\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\SOFvNMwOd\DeviceDisplayObjectProvider.exe
C:\Windows\system32\mstsc.exe
C:\Windows\system32\mstsc.exe
C:\Users\Admin\AppData\Local\pzU5p\mstsc.exe
C:\Users\Admin\AppData\Local\pzU5p\mstsc.exe
Network
Files
\Users\Admin\AppData\Local\v9yd2\perfmon.exe
C:\Users\Admin\AppData\Local\v9yd2\credui.dll
\Users\Admin\AppData\Local\v9yd2\credui.dll
C:\Users\Admin\AppData\Local\v9yd2\perfmon.exe
\Users\Admin\AppData\Local\SOFvNMwOd\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\SOFvNMwOd\XmlLite.dll
C:\Users\Admin\AppData\Local\pzU5p\mstsc.exe
C:\Users\Admin\AppData\Local\pzU5p\WINMM.dll
\Users\Admin\AppData\Local\pzU5p\WINMM.dll
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\ek5uUNIsz\credui.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\rKm3\XmlLite.dll
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-05 02:31
Reported
2024-01-05 02:34
Platform
win10v2004-20231215-en
Max time kernel
0s
Max time network
108s
Command Line
Signatures
Dridex
Dridex Shellcode
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\428abad44ebb863196d457a95e2dd57a.dll
C:\Windows\system32\bdeunlock.exe
C:\Windows\system32\bdeunlock.exe
C:\Users\Admin\AppData\Local\m1Gn\sethc.exe
C:\Users\Admin\AppData\Local\m1Gn\sethc.exe
C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
C:\Users\Admin\AppData\Local\KEX\perfmon.exe
C:\Users\Admin\AppData\Local\KEX\perfmon.exe
C:\Users\Admin\AppData\Local\BBI\bdeunlock.exe
C:\Users\Admin\AppData\Local\BBI\bdeunlock.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| GB | 88.221.135.210:80 | | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| GB | 96.17.178.176:80 | | tcp |
| US | 92.123.241.104:80 | | tcp |
| US | 92.123.241.104:80 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\m1Gn\WTSAPI32.dll
C:\Users\Admin\AppData\Local\m1Gn\sethc.exe
C:\Users\Admin\AppData\Local\BBI\DUI70.dll
C:\Users\Admin\AppData\Local\KEX\credui.dll
C:\Users\Admin\AppData\Local\KEX\perfmon.exe
C:\Users\Admin\AppData\Local\BBI\bdeunlock.exe