Malware Analysis Report

2024-11-15 08:50

Sample ID 240121-h86p5sgfen
Target 6cb54ce97dda3423fb40360ebe2c88db
SHA256 7b557ca1d1202e571ad469ccbb01f76cdbf54143444865fe520c01f413a60cdd
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7b557ca1d1202e571ad469ccbb01f76cdbf54143444865fe520c01f413a60cdd

Threat Level: Known bad

The file 6cb54ce97dda3423fb40360ebe2c88db was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex payload

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-21 07:25

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-21 07:25

Reported

2024-01-21 07:28

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cb54ce97dda3423fb40360ebe2c88db.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Qt2b\mfpmp.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\EtSxOt\sdclt.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\WjMBoz\MpSigStub.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\LF64WV~1\\sdclt.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Qt2b\mfpmp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\EtSxOt\sdclt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\WjMBoz\MpSigStub.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1284 wrote to memory of 2668 N/A N/A C:\Windows\system32\mfpmp.exe
PID 1284 wrote to memory of 2668 N/A N/A C:\Windows\system32\mfpmp.exe
PID 1284 wrote to memory of 2668 N/A N/A C:\Windows\system32\mfpmp.exe
PID 1284 wrote to memory of 2552 N/A N/A C:\Users\Admin\AppData\Local\Qt2b\mfpmp.exe
PID 1284 wrote to memory of 2552 N/A N/A C:\Users\Admin\AppData\Local\Qt2b\mfpmp.exe
PID 1284 wrote to memory of 2552 N/A N/A C:\Users\Admin\AppData\Local\Qt2b\mfpmp.exe
PID 1284 wrote to memory of 2872 N/A N/A C:\Windows\system32\sdclt.exe
PID 1284 wrote to memory of 2872 N/A N/A C:\Windows\system32\sdclt.exe
PID 1284 wrote to memory of 2872 N/A N/A C:\Windows\system32\sdclt.exe
PID 1284 wrote to memory of 2900 N/A N/A C:\Users\Admin\AppData\Local\EtSxOt\sdclt.exe
PID 1284 wrote to memory of 2900 N/A N/A C:\Users\Admin\AppData\Local\EtSxOt\sdclt.exe
PID 1284 wrote to memory of 2900 N/A N/A C:\Users\Admin\AppData\Local\EtSxOt\sdclt.exe
PID 1284 wrote to memory of 680 N/A N/A C:\Windows\system32\MpSigStub.exe
PID 1284 wrote to memory of 680 N/A N/A C:\Windows\system32\MpSigStub.exe
PID 1284 wrote to memory of 680 N/A N/A C:\Windows\system32\MpSigStub.exe
PID 1284 wrote to memory of 1620 N/A N/A C:\Users\Admin\AppData\Local\WjMBoz\MpSigStub.exe
PID 1284 wrote to memory of 1620 N/A N/A C:\Users\Admin\AppData\Local\WjMBoz\MpSigStub.exe
PID 1284 wrote to memory of 1620 N/A N/A C:\Users\Admin\AppData\Local\WjMBoz\MpSigStub.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cb54ce97dda3423fb40360ebe2c88db.dll,#1

C:\Windows\system32\mfpmp.exe

C:\Windows\system32\mfpmp.exe

C:\Users\Admin\AppData\Local\Qt2b\mfpmp.exe

C:\Users\Admin\AppData\Local\Qt2b\mfpmp.exe

C:\Windows\system32\sdclt.exe

C:\Windows\system32\sdclt.exe

C:\Users\Admin\AppData\Local\EtSxOt\sdclt.exe

C:\Users\Admin\AppData\Local\EtSxOt\sdclt.exe

C:\Windows\system32\MpSigStub.exe

C:\Windows\system32\MpSigStub.exe

C:\Users\Admin\AppData\Local\WjMBoz\MpSigStub.exe

C:\Users\Admin\AppData\Local\WjMBoz\MpSigStub.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Qt2b\mfpmp.exe

MD5 2d8600b94de72a9d771cbb56b9f9c331
SHA1 a0e2ac409159546183aa45875497844c4adb5aac
SHA256 7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185
SHA512 3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

C:\Users\Admin\AppData\Local\Qt2b\MFPlat.DLL

MD5 16bb8e25d3d2f866cbf6826bb90fd325
SHA1 ce86cea88918e556a9d0d2061c332da8e7513623
SHA256 f4a8f6ec846b2fbe5edf0dc402093eceb69b87819e58953cada2d3c410c1476b
SHA512 53321d6e37c9be3be9970ec3a69d84c049e022d071e47a03b922149b453493f531eb4f2afbaee0110d2ba4b87414c653015dd7f85d31fb41848063891b6bee72

C:\Users\Admin\AppData\Local\EtSxOt\sdclt.exe

MD5 cdebd55ffbda3889aa2a8ce52b9dc097
SHA1 4b3cbfff5e57fa0cb058e93e445e3851063646cf
SHA256 61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd
SHA512 2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

C:\Users\Admin\AppData\Local\EtSxOt\wer.dll

MD5 c32ce7525de15e6eb63b26c0c273d43c
SHA1 489fc6280dde75311a22daad648d3e5a9911a510
SHA256 44041874034c58a8e8f9f3313c9e06d76471f9d644dec93503c897aa8efb1997
SHA512 699228baa764fcc1055eda917ccc32c99aaf2f94a5b4ed855717984028b3fea13beedce133d82296772d47fca0dd1e486a33b97ceefda811befa0a6504eb64c6

\Users\Admin\AppData\Local\WjMBoz\MpSigStub.exe

MD5 2e6bd16aa62e5e95c7b256b10d637f8f
SHA1 350be084477b1fe581af83ca79eb58d4defe260f
SHA256 d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3
SHA512 1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

C:\Users\Admin\AppData\Local\WjMBoz\VERSION.dll

MD5 48ed0fa711c99b5dd370d33fd7283d7e
SHA1 afc37df20ce5ebeff233832df9e90027589efddb
SHA256 02381d7d554ad7da5ee83db9cb0de32a4c83a05525750c8a89d8152a383725be
SHA512 c6a8e79fc63d5354221e45ea9e2cde1e079f4916f0cb53377b131f3d477fcb3d6650f79cd10fa8331e36947e335c032755027db07916d0c40d55c56553082935

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

MD5 1cde2d6dc7469e7f514022416b21c591
SHA1 a44973270b8a46b7aecc96a9869b81763b3eb46c
SHA256 11378e5f61bc41ae20055296f8767c491f1d8faa606269983c63104c2e0aa552
SHA512 05217c9f5c6a742fd4ef48d3e9927f94b426e56e9db036716249780faba38c08b42fed5192d5b01b5eaffdc34b7c97ec188acae5c10e73b6674ad0fb55af0e09

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-21 07:25

Reported

2024-01-21 07:28

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cb54ce97dda3423fb40360ebe2c88db.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\kqloZD\\CLOUDN~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\faPMxHBR\mblctr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\FGLyklV4I\CloudNotifications.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Pl7\msinfo32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3520 wrote to memory of 4108 N/A N/A C:\Windows\system32\mblctr.exe
PID 3520 wrote to memory of 4108 N/A N/A C:\Windows\system32\mblctr.exe
PID 3520 wrote to memory of 3604 N/A N/A C:\Users\Admin\AppData\Local\faPMxHBR\mblctr.exe
PID 3520 wrote to memory of 3604 N/A N/A C:\Users\Admin\AppData\Local\faPMxHBR\mblctr.exe
PID 3520 wrote to memory of 3048 N/A N/A C:\Windows\system32\CloudNotifications.exe
PID 3520 wrote to memory of 3048 N/A N/A C:\Windows\system32\CloudNotifications.exe
PID 3520 wrote to memory of 4740 N/A N/A C:\Users\Admin\AppData\Local\FGLyklV4I\CloudNotifications.exe
PID 3520 wrote to memory of 4740 N/A N/A C:\Users\Admin\AppData\Local\FGLyklV4I\CloudNotifications.exe
PID 3520 wrote to memory of 972 N/A N/A C:\Windows\system32\msinfo32.exe
PID 3520 wrote to memory of 972 N/A N/A C:\Windows\system32\msinfo32.exe
PID 3520 wrote to memory of 2584 N/A N/A C:\Users\Admin\AppData\Local\Pl7\msinfo32.exe
PID 3520 wrote to memory of 2584 N/A N/A C:\Users\Admin\AppData\Local\Pl7\msinfo32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cb54ce97dda3423fb40360ebe2c88db.dll,#1

C:\Windows\system32\mblctr.exe

C:\Windows\system32\mblctr.exe

C:\Users\Admin\AppData\Local\faPMxHBR\mblctr.exe

C:\Users\Admin\AppData\Local\faPMxHBR\mblctr.exe

C:\Windows\system32\CloudNotifications.exe

C:\Windows\system32\CloudNotifications.exe

C:\Users\Admin\AppData\Local\FGLyklV4I\CloudNotifications.exe

C:\Users\Admin\AppData\Local\FGLyklV4I\CloudNotifications.exe

C:\Windows\system32\msinfo32.exe

C:\Windows\system32\msinfo32.exe

C:\Users\Admin\AppData\Local\Pl7\msinfo32.exe

C:\Users\Admin\AppData\Local\Pl7\msinfo32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\faPMxHBR\mblctr.exe

MD5 d3db14eabb2679e08020bcd0c96fa9f6
SHA1 578dca7aad29409634064579d269e61e1f07d9dd
SHA256 3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69
SHA512 14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

C:\Users\Admin\AppData\Local\faPMxHBR\WTSAPI32.dll

MD5 460853dc2d4eb8c6ef969468e96d4848
SHA1 1cf879eaffda5e86c10851318b6aced388609191
SHA256 d5e632ebe0a5db834a209391c2ddf1ec91aad99a19e177d68daa51998b3ace26
SHA512 481935aaf938dca27ff8fc91ea0d905db8c7d9036be72e2ac5eaa449ddfde7a8d074f9d20d51a11a1f850d11730c9f2a0e18ca3bfa99ea2455b573a45cd2182e

C:\Users\Admin\AppData\Local\FGLyklV4I\CloudNotifications.exe

MD5 b50dca49bc77046b6f480db6444c3d06
SHA1 cc9b38240b0335b1763badcceac37aa9ce547f9e
SHA256 96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775
SHA512 2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

C:\Users\Admin\AppData\Local\FGLyklV4I\UxTheme.dll

MD5 ae929a0749157b4e066875db351711ef
SHA1 8aa55d7d9b43225ce5f67b31332f56c35459520d
SHA256 b996bd4a19e143f16d6497f87abf72874f0afba80cf5374d24b0a3522556b082
SHA512 3b5b6c85574e6bb6620cfc78c07b18101df0ef2e4e9d8f8f1affa83c0b8cfc4557a86338bed9467ddabcb6c7b98ebfd972cd1d0031ae927436629fabb8e39c34

C:\Users\Admin\AppData\Local\Pl7\msinfo32.exe

MD5 0aed91da63713bf9f881b03a604a1c9d
SHA1 b1b2d292cb1a4c13dc243b5eab13afb316a28b9a
SHA256 5cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14
SHA512 04bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03

C:\Users\Admin\AppData\Local\Pl7\SLC.dll

MD5 e74399f942cf0cf81df1e8a4972bb8bb
SHA1 13416b3359fb3b1ce03acca069454bb4c228b3f0
SHA256 db433f70692c1bb245625c99f1860d748aef2021c8918d5f1433ed12a043650a
SHA512 09968cb2afead5f2626ed4c85471ffa0b80fab89066e4662dd07f86824a9873f149fa840950123989fe9fdee44649de6f52a7975da6d57ff29094ddfb4b459d0

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk

MD5 5781c377a575cca0f6ccd8c4f819271e
SHA1 a597e54f8a469d0d446b9ddd972e0d092ba10b50
SHA256 be06a5bee37aafa22d4de6b983e214486a58322194fee0e74442535d5aa52261
SHA512 12876b36027ea4745b731bdddd64990321166b8aec2fec233e806b5624b0631b956cdeb3be63f4ca8b0ea05cd7cc402bf98371d77715635f069a5ff5c3da4388