Malware Analysis Report

2024-11-30 21:34

Sample ID: 240105-czwwpahcf6
Target: 428abad44ebb863196d457a95e2dd57a
SHA256: 8c8afce8cda587e4feff9a48932d80cb1054873524eb2b7e442ac052b57cfa67
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 8c8afce8cda587e4feff9a48932d80cb1054873524eb2b7e442ac052b57cfa67

Threat Level: Known bad

The file 428abad44ebb863196d457a95e2dd57a was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-01-05 02:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-05 02:31

Reported

2024-01-05 02:35

Platform

win7-20231215-en

Max time kernel

201s

Max time network

125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\428abad44ebb863196d457a95e2dd57a.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\v9yd2\perfmon.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\SOFvNMwOd\DeviceDisplayObjectProvider.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\pzU5p\mstsc.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\SYSTEM~1\\rKm3\\DEVICE~1.EXE" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\v9yd2\perfmon.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\SOFvNMwOd\DeviceDisplayObjectProvider.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\pzU5p\mstsc.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
(61 further entries, all fields N/A)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1360 wrote to memory of 1920 | N/A | N/A | C:\Windows\system32\perfmon.exe
PID 1360 wrote to memory of 1920 | N/A | N/A | C:\Windows\system32\perfmon.exe
PID 1360 wrote to memory of 1920 | N/A | N/A | C:\Windows\system32\perfmon.exe
PID 1360 wrote to memory of 1736 | N/A | N/A | C:\Users\Admin\AppData\Local\v9yd2\perfmon.exe
PID 1360 wrote to memory of 1736 | N/A | N/A | C:\Users\Admin\AppData\Local\v9yd2\perfmon.exe
PID 1360 wrote to memory of 1736 | N/A | N/A | C:\Users\Admin\AppData\Local\v9yd2\perfmon.exe
PID 1360 wrote to memory of 1752 | N/A | N/A | C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1360 wrote to memory of 1752 | N/A | N/A | C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1360 wrote to memory of 1752 | N/A | N/A | C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1360 wrote to memory of 2104 | N/A | N/A | C:\Users\Admin\AppData\Local\SOFvNMwOd\DeviceDisplayObjectProvider.exe
PID 1360 wrote to memory of 2104 | N/A | N/A | C:\Users\Admin\AppData\Local\SOFvNMwOd\DeviceDisplayObjectProvider.exe
PID 1360 wrote to memory of 2104 | N/A | N/A | C:\Users\Admin\AppData\Local\SOFvNMwOd\DeviceDisplayObjectProvider.exe
PID 1360 wrote to memory of 2532 | N/A | N/A | C:\Windows\system32\mstsc.exe
PID 1360 wrote to memory of 2532 | N/A | N/A | C:\Windows\system32\mstsc.exe
PID 1360 wrote to memory of 2532 | N/A | N/A | C:\Windows\system32\mstsc.exe
PID 1360 wrote to memory of 2220 | N/A | N/A | C:\Users\Admin\AppData\Local\pzU5p\mstsc.exe
PID 1360 wrote to memory of 2220 | N/A | N/A | C:\Users\Admin\AppData\Local\pzU5p\mstsc.exe
PID 1360 wrote to memory of 2220 | N/A | N/A | C:\Users\Admin\AppData\Local\pzU5p\mstsc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\428abad44ebb863196d457a95e2dd57a.dll

C:\Windows\system32\perfmon.exe

C:\Windows\system32\perfmon.exe

C:\Users\Admin\AppData\Local\v9yd2\perfmon.exe

C:\Users\Admin\AppData\Local\v9yd2\perfmon.exe

C:\Windows\system32\DeviceDisplayObjectProvider.exe

C:\Windows\system32\DeviceDisplayObjectProvider.exe

C:\Users\Admin\AppData\Local\SOFvNMwOd\DeviceDisplayObjectProvider.exe

C:\Users\Admin\AppData\Local\SOFvNMwOd\DeviceDisplayObjectProvider.exe

C:\Windows\system32\mstsc.exe

C:\Windows\system32\mstsc.exe

C:\Users\Admin\AppData\Local\pzU5p\mstsc.exe

C:\Users\Admin\AppData\Local\pzU5p\mstsc.exe

Network

N/A

Files

memory/2576-0-0x0000000000130000-0x0000000000137000-memory.dmp

memory/2576-1-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-4-0x00000000779A6000-0x00000000779A7000-memory.dmp

memory/1360-5-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/1360-8-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-7-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-9-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-10-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-11-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-12-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-13-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-14-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-15-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-16-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-17-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-18-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-19-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-21-0x0000000140000000-0x000000014028B000-memory.dmp

memory/2576-20-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-22-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-23-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-24-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-25-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-26-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-27-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-28-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-29-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-30-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-31-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-32-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-33-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-34-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-36-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-37-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-35-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-38-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-39-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-41-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-42-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-40-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-43-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-45-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-46-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-44-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-47-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-50-0x0000000002590000-0x0000000002597000-memory.dmp

memory/1360-56-0x0000000077AB1000-0x0000000077AB2000-memory.dmp

memory/1360-57-0x0000000077C10000-0x0000000077C12000-memory.dmp

memory/1360-55-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-66-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-71-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-72-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1360-75-0x0000000140000000-0x000000014028B000-memory.dmp

\Users\Admin\AppData\Local\v9yd2\perfmon.exe

MD5 3eb98cff1c242167df5fdbc6441ce3c5
SHA1 730b27a1c92e8df1e60db5a6fc69ea1b24f68a69
SHA256 6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081
SHA512 f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

C:\Users\Admin\AppData\Local\v9yd2\credui.dll

MD5 3d51869abe675d41f8574b4795352b8b
SHA1 d243b35505db9f76e74c483a2b29f26407bde6ea
SHA256 0396fdc6664045016a7d76bc483aacde4f3fb7f9cc833f6fd9bf7a51eb211868
SHA512 c3d15894aeb88d7c0389225d56568588ab51566b44dca2852188570af83773609f47157401212a2616d184a88608673708ec20fc3a651d823214794453aa056d

\Users\Admin\AppData\Local\v9yd2\credui.dll

MD5 909dd0a64d23e371c832aaf3aff5e384
SHA1 2822ebfa082a3bcf7e475f0295af796f5eaae668
SHA256 b18c8191f12c4b6ab8f149e9f9de009dd2de2186e79d2206867599c7558787d2
SHA512 7695457a4f1c0759d5f06447e2074addcaf8b539bd1c27ea354415d348983d3656e0691c6e0f8d86bdc1e1872bbece624bf20dc74d65f5973038f21c2a9e9047

memory/1736-84-0x00000000000F0000-0x00000000000F7000-memory.dmp

C:\Users\Admin\AppData\Local\v9yd2\perfmon.exe

MD5 cfee111eaafc15c137489bc36759df40
SHA1 2d257acf4013b4c5b7a10f9955afd29c47e6afd4
SHA256 b134712333515630ecb613505e3c1968f549a4b710cf00589729777cee06345f
SHA512 51fb33838bdda696b58ff60e4d817e20a74d1ac13a86e1525e5344cf762f647dfd6de5d3107d4abb5e6a4d97e8f52e8a39a093178ef4f8ddf016ebd7992be715

memory/1360-95-0x00000000779A6000-0x00000000779A7000-memory.dmp

\Users\Admin\AppData\Local\SOFvNMwOd\DeviceDisplayObjectProvider.exe

MD5 7e2eb3a4ae11190ef4c8a9b9a9123234
SHA1 72e98687a8d28614e2131c300403c2822856e865
SHA256 8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0
SHA512 18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

C:\Users\Admin\AppData\Local\SOFvNMwOd\XmlLite.dll

MD5 ff5e34fbc544419f8d966d866bce91af
SHA1 5674d532d14472b49f301ff44fcffe6c36d51b18
SHA256 720b730c9b704366da5b463a204002b094c522e143d91e0480827c57719d2ccf
SHA512 265baabc21695373f14998330c6e41e7d928616a24c80d6081cda0227727ad48a89d674cb8995961416fbbeff9640922b3ac9316c298867f77c730ad999e45fd

memory/2104-103-0x0000000000310000-0x0000000000317000-memory.dmp

C:\Users\Admin\AppData\Local\pzU5p\mstsc.exe

MD5 50f739538ef014b2e7ec59431749d838
SHA1 b439762b8efe8cfb977e7374c11a7e4d8ed05eb3
SHA256 85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3
SHA512 02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

C:\Users\Admin\AppData\Local\pzU5p\WINMM.dll

MD5 a5b1059ec72c47574992de244328ddb2
SHA1 f159954e88b9ad9fd15802a54a02110c22ca2760
SHA256 7abe333e4e980aaacf45d9f22c4b05a0c3cea8b9a42f4f2ac738e332557232af
SHA512 d1139543539ac367f546daddefacc467c70da8c9298e7af332fff88198957eb7f31b6d5a1d17c1ab7d2d842ab7bcf2cfbcac973c3f3ca083c9273a4f09547df9

\Users\Admin\AppData\Local\pzU5p\WINMM.dll

MD5 d64b49cb13926805bd62e1e5a9091a4e
SHA1 6c247862d79eaebab4d3f06d1ce91618b58acbcb
SHA256 d0b8e70f6ecefb2285e1b1fa8d1414fbd2c1a3bbb562ac69b17495e3c6a30bdc
SHA512 15b7fda5daf23cadf9f6bef5691e8af4020f02d8928901fd0d8bd4f2dd14d5ee0a227dc5adc3486334cdd54ee28b8d5d443543ce75d11f67170ba02a6bc8c082

memory/2220-121-0x0000000000340000-0x0000000000347000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

MD5 34efcd4ba8b4d6bf5d2736d56fa15da0
SHA1 d4d43b8b9605aa7784d3bb37d20ce09e2a3e0def
SHA256 a8393f522514510b3559ba70542990b2303d1e94fadc2e40ba5293659d976383
SHA512 ed534ff60face5f1831ad18d22ea3c43f6bb0d9a5e13773d90705182ad40e143dbab1f18986fc3419af4e270115406c4c61b79920991a3d0a23e53157232a8c5

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\ek5uUNIsz\credui.dll

MD5 ca54949a412fb93c0394acf909475673
SHA1 b2b5db53176d2cb1cad2ce24dbee39151b8213d9
SHA256 a0283a75d2bd2b3c51a38cc52df2a927dbdf1224379d4fbacd0c28e4a7c51b9f
SHA512 8b5e65f2d04312bb92e00b5406abbe9d273f6a6ff02576f89884ad7fd11044b1f770aad9a1672ed950093213a93aa429e6e557c3fea375cfdd44703fac0dd888

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\rKm3\XmlLite.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-05 02:31

Reported

2024-01-05 02:34

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

108s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\428abad44ebb863196d457a95e2dd57a.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\428abad44ebb863196d457a95e2dd57a.dll

C:\Windows\system32\bdeunlock.exe

C:\Windows\system32\bdeunlock.exe

C:\Users\Admin\AppData\Local\m1Gn\sethc.exe

C:\Users\Admin\AppData\Local\m1Gn\sethc.exe

C:\Windows\system32\sethc.exe

C:\Windows\system32\sethc.exe

C:\Windows\system32\perfmon.exe

C:\Windows\system32\perfmon.exe

C:\Users\Admin\AppData\Local\KEX\perfmon.exe

C:\Users\Admin\AppData\Local\KEX\perfmon.exe

C:\Users\Admin\AppData\Local\BBI\bdeunlock.exe

C:\Users\Admin\AppData\Local\BBI\bdeunlock.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
GB | 88.221.135.210:80 | - | tcp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
GB | 96.17.178.176:80 | - | tcp
US | 92.123.241.104:80 | - | tcp
US | 92.123.241.104:80 | - | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Files

memory/4616-0-0x0000000140000000-0x000000014028B000-memory.dmp

memory/4616-2-0x0000000000CC0000-0x0000000000CC7000-memory.dmp

memory/4616-7-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-12-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-18-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-22-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-26-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-30-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-35-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-40-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-44-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-43-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-48-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-47-0x00000000035E0000-0x00000000035E7000-memory.dmp

memory/3424-55-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-56-0x00007FFF9B040000-0x00007FFF9B050000-memory.dmp

memory/3424-46-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-67-0x0000000140000000-0x000000014028B000-memory.dmp

C:\Users\Admin\AppData\Local\m1Gn\WTSAPI32.dll

MD5 c1f2021eb1376d320ee0f5a418c39523
SHA1 e17ae082a106ab6775f814cf80680e190123c42c
SHA256 55e3ed76f779291e701252f057c768a7437bd8d97ef49ab3d07e76fe0c39084a
SHA512 1bfc8cfbf625dec73e5f44df4836ea81e4918ef988eb920ed1378e061d521a3c7583c147d3391cabad0ca7d671ade360123cbb91f5645fe63547a9f74a1d008b

memory/1556-77-0x0000017ABB4A0000-0x0000017ABB4A7000-memory.dmp

memory/1556-82-0x0000000140000000-0x000000014028C000-memory.dmp

C:\Users\Admin\AppData\Local\m1Gn\sethc.exe

MD5 8ba3a9702a3f1799431cad6a290223a6
SHA1 9c7dc9b6830297c8f759d1f46c8b36664e26c031
SHA256 615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8
SHA512 680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746

memory/1556-76-0x0000000140000000-0x000000014028C000-memory.dmp

memory/3424-65-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-45-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-42-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-41-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-39-0x0000000140000000-0x000000014028B000-memory.dmp

C:\Users\Admin\AppData\Local\BBI\DUI70.dll

MD5 d39b31e9ce2fdc388cc61337d1534ff0
SHA1 1899bf6947c28721398c2492e88e0fbddefadab7
SHA256 fe1cc0faa7da81a051ab0b264a181b482cf51a1b39a24c164fc71a02ef3b45a3
SHA512 f756fdf88124b646e155a558aea5d876097f6205b011411c4a3093b7cad1c8bcb9aedadb9049a6699269b133a00c02479994f870d8864c34508efc8732befb85

memory/3376-94-0x0000000140000000-0x00000001402D1000-memory.dmp

memory/3376-93-0x0000016C6A1A0000-0x0000016C6A1A7000-memory.dmp

C:\Users\Admin\AppData\Local\KEX\credui.dll

MD5 f4a92ca85dd6dd9e5b74ba51be8b9d7c
SHA1 baf8cd58be62f8cc140ecec999d6ca76e64d5cca
SHA256 c0869717b1452c4e06f26f23f66604500b99c5bf3c81697d8cc48243b9db8728
SHA512 14305f001848f7eb688987ce5fca6fadc5356cd4b71950fff63b943c421a3b656d25db0ab2d2a12b08d1e820e29e7657858996cb7529251e4f031a51886d98d1

memory/4888-113-0x000002B2026F0000-0x000002B2026F7000-memory.dmp

C:\Users\Admin\AppData\Local\KEX\perfmon.exe

MD5 d38aa59c3bea5456bd6f95c73ad3c964
SHA1 40170eab389a6ba35e949f9c92962646a302d9ef
SHA256 5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c
SHA512 59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

C:\Users\Admin\AppData\Local\BBI\bdeunlock.exe

MD5 fef5d67150c249db3c1f4b30a2a5a22e
SHA1 41ca037b0229be9338da4d78244b4f0ea5a3d5f3
SHA256 dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603
SHA512 4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

memory/3424-38-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-37-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-36-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-34-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-33-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-32-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-31-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-29-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-28-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-27-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-25-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-24-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-23-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-21-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-20-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-19-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-17-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-16-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-15-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-14-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-13-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-11-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-10-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-8-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-9-0x00007FFF99C9A000-0x00007FFF99C9B000-memory.dmp

memory/3424-6-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3424-4-0x0000000003600000-0x0000000003601000-memory.dmp