Malware Analysis Report

2024-11-30 21:28

Sample ID 240107-xtgj2adaa8
Target 497c03dfdb726f1817a6484b5f4e7dc8.exe
SHA256 187a497b5e884cd4fd70718901f8e6b12c6a198ec41979c7b529e903f573a588
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

187a497b5e884cd4fd70718901f8e6b12c6a198ec41979c7b529e903f573a588

Threat Level: Known bad

The file 497c03dfdb726f1817a6484b5f4e7dc8.exe was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:08

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 19:08

Reported

2024-01-07 19:11

Platform

win7-20231129-en

Max time kernel

18s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\497c03dfdb726f1817a6484b5f4e7dc8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\gOHjp\irftp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\pMsQa\rekeywiz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\MFQrhEY7\DWWIN.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\TnpDhl\\rekeywiz.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\gOHjp\irftp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\pMsQa\rekeywiz.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\MFQrhEY7\DWWIN.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 2624 N/A N/A C:\Windows\system32\irftp.exe
PID 1348 wrote to memory of 2624 N/A N/A C:\Windows\system32\irftp.exe
PID 1348 wrote to memory of 2624 N/A N/A C:\Windows\system32\irftp.exe
PID 1348 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\gOHjp\irftp.exe
PID 1348 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\gOHjp\irftp.exe
PID 1348 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\gOHjp\irftp.exe
PID 1348 wrote to memory of 2912 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1348 wrote to memory of 2912 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1348 wrote to memory of 2912 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1348 wrote to memory of 1436 N/A N/A C:\Users\Admin\AppData\Local\pMsQa\rekeywiz.exe
PID 1348 wrote to memory of 1436 N/A N/A C:\Users\Admin\AppData\Local\pMsQa\rekeywiz.exe
PID 1348 wrote to memory of 1436 N/A N/A C:\Users\Admin\AppData\Local\pMsQa\rekeywiz.exe
PID 1348 wrote to memory of 2516 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 1348 wrote to memory of 2516 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 1348 wrote to memory of 2516 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 1348 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\MFQrhEY7\DWWIN.EXE
PID 1348 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\MFQrhEY7\DWWIN.EXE
PID 1348 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\MFQrhEY7\DWWIN.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\497c03dfdb726f1817a6484b5f4e7dc8.dll,#1

C:\Users\Admin\AppData\Local\gOHjp\irftp.exe

C:\Users\Admin\AppData\Local\gOHjp\irftp.exe

C:\Windows\system32\irftp.exe

C:\Windows\system32\irftp.exe

C:\Users\Admin\AppData\Local\pMsQa\rekeywiz.exe

C:\Users\Admin\AppData\Local\pMsQa\rekeywiz.exe

C:\Windows\system32\rekeywiz.exe

C:\Windows\system32\rekeywiz.exe

C:\Users\Admin\AppData\Local\MFQrhEY7\DWWIN.EXE

C:\Users\Admin\AppData\Local\MFQrhEY7\DWWIN.EXE

C:\Windows\system32\DWWIN.EXE

C:\Windows\system32\DWWIN.EXE

Network

N/A

Files

memory/1540-1-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1540-0-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-4-0x0000000077A96000-0x0000000077A97000-memory.dmp

memory/1348-14-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-29-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-38-0x0000000002530000-0x0000000002537000-memory.dmp

memory/1348-41-0x0000000077E00000-0x0000000077E02000-memory.dmp

memory/1348-50-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-56-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-60-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/2580-69-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/2580-73-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/2580-68-0x0000000000120000-0x0000000000127000-memory.dmp

memory/1348-55-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-40-0x0000000077CA1000-0x0000000077CA2000-memory.dmp

memory/1348-39-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-31-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-30-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-28-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-27-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-26-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-25-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-24-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-23-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-22-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-21-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-20-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-19-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1436-97-0x0000000140000000-0x00000001401AB000-memory.dmp

memory/1436-95-0x0000000000370000-0x0000000000377000-memory.dmp

memory/1436-92-0x0000000140000000-0x00000001401AB000-memory.dmp

memory/1348-18-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-17-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-16-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-15-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-13-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-12-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-11-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-10-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-9-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-8-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1540-7-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/1348-5-0x0000000002550000-0x0000000002551000-memory.dmp

memory/2732-110-0x0000000000100000-0x0000000000107000-memory.dmp

memory/2732-114-0x0000000140000000-0x00000001401AB000-memory.dmp

memory/1348-140-0x0000000077A96000-0x0000000077A97000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:08

Reported

2024-01-07 19:13

Platform

win10v2004-20231215-en

Max time kernel

182s

Max time network

195s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\497c03dfdb726f1817a6484b5f4e7dc8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\8ZD2EZ~1\\BDECHA~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\yRhPF\bdechangepin.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\8dCyo28\DeviceEnroller.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\dlJAwCTqg\RdpSa.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3424 wrote to memory of 3632 N/A N/A C:\Windows\system32\RdpSa.exe
PID 3424 wrote to memory of 3632 N/A N/A C:\Windows\system32\RdpSa.exe
PID 3424 wrote to memory of 3520 N/A N/A C:\Users\Admin\AppData\Local\dlJAwCTqg\RdpSa.exe
PID 3424 wrote to memory of 3520 N/A N/A C:\Users\Admin\AppData\Local\dlJAwCTqg\RdpSa.exe
PID 3424 wrote to memory of 3028 N/A N/A C:\Windows\system32\bdechangepin.exe
PID 3424 wrote to memory of 3028 N/A N/A C:\Windows\system32\bdechangepin.exe
PID 3424 wrote to memory of 1756 N/A N/A C:\Users\Admin\AppData\Local\yRhPF\bdechangepin.exe
PID 3424 wrote to memory of 1756 N/A N/A C:\Users\Admin\AppData\Local\yRhPF\bdechangepin.exe
PID 3424 wrote to memory of 3852 N/A N/A C:\Windows\system32\DeviceEnroller.exe
PID 3424 wrote to memory of 3852 N/A N/A C:\Windows\system32\DeviceEnroller.exe
PID 3424 wrote to memory of 3900 N/A N/A C:\Users\Admin\AppData\Local\8dCyo28\DeviceEnroller.exe
PID 3424 wrote to memory of 3900 N/A N/A C:\Users\Admin\AppData\Local\8dCyo28\DeviceEnroller.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\497c03dfdb726f1817a6484b5f4e7dc8.dll,#1

C:\Windows\system32\RdpSa.exe

C:\Windows\system32\RdpSa.exe

C:\Users\Admin\AppData\Local\dlJAwCTqg\RdpSa.exe

C:\Users\Admin\AppData\Local\dlJAwCTqg\RdpSa.exe

C:\Windows\system32\bdechangepin.exe

C:\Windows\system32\bdechangepin.exe

C:\Users\Admin\AppData\Local\yRhPF\bdechangepin.exe

C:\Users\Admin\AppData\Local\yRhPF\bdechangepin.exe

C:\Windows\system32\DeviceEnroller.exe

C:\Windows\system32\DeviceEnroller.exe

C:\Users\Admin\AppData\Local\8dCyo28\DeviceEnroller.exe

C:\Users\Admin\AppData\Local\8dCyo28\DeviceEnroller.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 197.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp

Files

memory/2416-1-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/2416-3-0x000001E838630000-0x000001E838637000-memory.dmp

memory/3424-5-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

memory/3424-8-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-10-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-7-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-12-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-11-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-13-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/2416-15-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-16-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-14-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-9-0x00007FFCE84DA000-0x00007FFCE84DB000-memory.dmp

memory/3424-17-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-18-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-19-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-20-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-21-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-22-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-23-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-24-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-25-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-26-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-27-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-28-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-29-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-30-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-31-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-33-0x0000000001160000-0x0000000001167000-memory.dmp

memory/3424-32-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-40-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-41-0x00007FFCE9200000-0x00007FFCE9210000-memory.dmp

memory/3424-50-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/3424-52-0x0000000140000000-0x00000001401AA000-memory.dmp

C:\Users\Admin\AppData\Local\dlJAwCTqg\WINSTA.dll

MD5 c8004aa9e122aa2bca901cb5024260a5
SHA1 dbd5fa99f74d48cd5acc62f84d453cd83a84b7f0
SHA256 6332ec5faaeb69d933780983f6ff02d8f0c8fd2e07d4b2482435d0fe855e7d05
SHA512 e2d1c33c7e4be78e3d4b4764cb66e154f9a4d8a0d2eae03888fc864773e3c3152c41d2d27e45ae289da99d2a522744f3c1e1b705127ec5f6bd6a4da1d46a9913

C:\Users\Admin\AppData\Local\dlJAwCTqg\RdpSa.exe

MD5 5992f5b5d0b296b83877da15b54dd1b4
SHA1 0d87be8d4b7aeada4b55d1d05c0539df892f8f82
SHA256 32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c
SHA512 4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

memory/3520-61-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3520-63-0x000002A73A410000-0x000002A73A417000-memory.dmp

memory/3520-68-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3520-62-0x0000000140000000-0x00000001401AC000-memory.dmp

C:\Users\Admin\AppData\Local\yRhPF\bdechangepin.exe

MD5 601a28eb2d845d729ddd7330cbae6fd6
SHA1 5cf9f6f9135c903d42a7756c638333db8621e642
SHA256 4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6
SHA512 1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

C:\Users\Admin\AppData\Local\yRhPF\DUI70.dll

MD5 71fcae469cac6fb9f50eeb978b569584
SHA1 d3ff23bf816ee4282236f9b85005e5a3615f23df
SHA256 edf011b1b477f9b2f699e3e3b6c25b3f84ccee3c81b16d6e7e7d46a9086f6d72
SHA512 893554a8562ba2186baab4375fb0eac8a6f8157c9f18c28b9638fa2a70866f872504c9e71448ac406b6a6ad1e9f0aa0c54247fc9b915202f4798bc1094e555fc

memory/1756-79-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1756-80-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1756-82-0x0000027417D20000-0x0000027417D27000-memory.dmp

memory/1756-86-0x0000000140000000-0x00000001401F0000-memory.dmp

C:\Users\Admin\AppData\Local\8dCyo28\DeviceEnroller.exe

MD5 946d9474533f58d2613078fd14ca7473
SHA1 c2620ac9522fa3702a6a03299b930d6044aa5e49
SHA256 cf5f5fe084f172e9c435615c1dc6ae7d3bd8c5ec8ea290caa0627c2f392760cb
SHA512 3653d41a0553ee63a43490f682c9b528651a6336f28adafc333d4d148577351122db8279ff83ee59bb0a9c17bb384e9f6c9c78677c8c5ed671a42036dec1f8c1

C:\Users\Admin\AppData\Local\8dCyo28\XmlLite.dll

MD5 739f4486e5ed50d83337e6e6bca5e34e
SHA1 7855f97f8c5ce44a8c2335848fa1c01acd74107a
SHA256 5112bffa4dc7d0f391f597336ccc2f30c08db1ea4d4de13c453aea4d661abfe5
SHA512 23f528093a0578a6069248092c82a67ee7d480672bde9ca362d2d051eb5c9798a322f9cf27981b1fe9df0f221463ebf37df772e624a5b8d33d1272e7d2741587

memory/3900-100-0x000002CCCC7B0000-0x000002CCCC7B7000-memory.dmp

memory/3900-98-0x0000000140000000-0x00000001401AB000-memory.dmp

memory/3900-104-0x0000000140000000-0x00000001401AB000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

MD5 2ea4ac6676c70f12a3cfc9ee7ff03d19
SHA1 de21fb471c7ef1a92506cf364157da324f6b714a
SHA256 e0fd44bff4cc37d1758605415ce662a13791336f15c899ecba3cc75056a91acf
SHA512 2baf6493588bbd48a678d9b5f0b7cb93524b43ea418e92b4700510ca1f330e251a587a6853ede435b144256e94f22222787511b2847abac0ae67c04285121331