Malware Analysis Report

2024-11-13 16:42

Sample ID 240127-eskaeschg2
Target 793df85f287f06c4764a229b404e0a7f
SHA256 823691284d6b7786dee73b7315b3cd146eac4160d5f7fca663cab821b66698fa
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

823691284d6b7786dee73b7315b3cd146eac4160d5f7fca663cab821b66698fa

Threat Level: Known bad

The file 793df85f287f06c4764a229b404e0a7f was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Dridex payload

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-27 04:12

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-27 04:12

Reported

2024-01-27 04:14

Platform

win7-20231215-en

Max time kernel

150s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\793df85f287f06c4764a229b404e0a7f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\AUyx93Rp\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\v544g\msra.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ZlJ5xMj\sethc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\QpjyFUS\\msra.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\AUyx93Rp\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\v544g\msra.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ZlJ5xMj\sethc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2596 N/A N/A C:\Windows\system32\winlogon.exe
PID 1200 wrote to memory of 2596 N/A N/A C:\Windows\system32\winlogon.exe
PID 1200 wrote to memory of 2596 N/A N/A C:\Windows\system32\winlogon.exe
PID 1200 wrote to memory of 1252 N/A N/A C:\Users\Admin\AppData\Local\AUyx93Rp\winlogon.exe
PID 1200 wrote to memory of 1252 N/A N/A C:\Users\Admin\AppData\Local\AUyx93Rp\winlogon.exe
PID 1200 wrote to memory of 1252 N/A N/A C:\Users\Admin\AppData\Local\AUyx93Rp\winlogon.exe
PID 1200 wrote to memory of 2536 N/A N/A C:\Windows\system32\msra.exe
PID 1200 wrote to memory of 2536 N/A N/A C:\Windows\system32\msra.exe
PID 1200 wrote to memory of 2536 N/A N/A C:\Windows\system32\msra.exe
PID 1200 wrote to memory of 1380 N/A N/A C:\Users\Admin\AppData\Local\v544g\msra.exe
PID 1200 wrote to memory of 1380 N/A N/A C:\Users\Admin\AppData\Local\v544g\msra.exe
PID 1200 wrote to memory of 1380 N/A N/A C:\Users\Admin\AppData\Local\v544g\msra.exe
PID 1200 wrote to memory of 308 N/A N/A C:\Windows\system32\sethc.exe
PID 1200 wrote to memory of 308 N/A N/A C:\Windows\system32\sethc.exe
PID 1200 wrote to memory of 308 N/A N/A C:\Windows\system32\sethc.exe
PID 1200 wrote to memory of 1788 N/A N/A C:\Users\Admin\AppData\Local\ZlJ5xMj\sethc.exe
PID 1200 wrote to memory of 1788 N/A N/A C:\Users\Admin\AppData\Local\ZlJ5xMj\sethc.exe
PID 1200 wrote to memory of 1788 N/A N/A C:\Users\Admin\AppData\Local\ZlJ5xMj\sethc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\793df85f287f06c4764a229b404e0a7f.dll,#1

C:\Windows\system32\winlogon.exe

C:\Windows\system32\winlogon.exe

C:\Users\Admin\AppData\Local\AUyx93Rp\winlogon.exe

C:\Users\Admin\AppData\Local\AUyx93Rp\winlogon.exe

C:\Windows\system32\msra.exe

C:\Windows\system32\msra.exe

C:\Users\Admin\AppData\Local\v544g\msra.exe

C:\Users\Admin\AppData\Local\v544g\msra.exe

C:\Windows\system32\sethc.exe

C:\Windows\system32\sethc.exe

C:\Users\Admin\AppData\Local\ZlJ5xMj\sethc.exe

C:\Users\Admin\AppData\Local\ZlJ5xMj\sethc.exe

Network

N/A

Files

memory/1220-0-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1220-1-0x000007FEF6C70000-0x000007FEF6D15000-memory.dmp

memory/1200-3-0x0000000077406000-0x0000000077407000-memory.dmp

memory/1200-4-0x0000000002B60000-0x0000000002B61000-memory.dmp

memory/1200-6-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-10-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-11-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-9-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-8-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-7-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-12-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-13-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-15-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-14-0x0000000002B40000-0x0000000002B47000-memory.dmp

memory/1200-22-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-24-0x00000000777A0000-0x00000000777A2000-memory.dmp

memory/1200-23-0x0000000077770000-0x0000000077772000-memory.dmp

memory/1200-34-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1200-33-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/1220-42-0x000007FEF6C70000-0x000007FEF6D15000-memory.dmp

\Users\Admin\AppData\Local\AUyx93Rp\winlogon.exe

MD5 1151b1baa6f350b1db6598e0fea7c457
SHA1 434856b834baf163c5ea4d26434eeae775a507fb
SHA256 b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49
SHA512 df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

C:\Users\Admin\AppData\Local\AUyx93Rp\WINSTA.dll

MD5 0f7b1cd42cb3008b513c68b61cd3edac
SHA1 dad4038551566471c408d0c467aa8df5efd02fb2
SHA256 eaa3e3df2d903a176a9ba47bd617c5a9dbbfc910e076ab5f0f6ae436418fd0f4
SHA512 56c0b2ec7a68ea554235d6cf9634dabaf5aa9f7fbc57011c70d96e5f7aabdf14d32676a72d07cd779b01789c19a72131d424aac083841a8e1920e2fa8fc3e519

memory/1252-50-0x000007FEF6D20000-0x000007FEF6DC7000-memory.dmp

memory/1252-52-0x0000000000190000-0x0000000000197000-memory.dmp

memory/1252-55-0x000007FEF6D20000-0x000007FEF6DC7000-memory.dmp

C:\Users\Admin\AppData\Local\v544g\msra.exe

MD5 e79df53bad587e24b3cf965a5746c7b6
SHA1 87a97ec159a3fc1db211f3c2c62e4d60810e7a70
SHA256 4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d
SHA512 9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

C:\Users\Admin\AppData\Local\v544g\UxTheme.dll

MD5 677dc45dd6238854f18e3c9e75348af4
SHA1 c6424a702fc06e551b390aa38f4547608c1a748d
SHA256 543e9c0a6dc3515494a173d16fa8118d8503800cbb25c165f0b4e7c7dea01c4d
SHA512 d09e0fa1b44a34b86546d36e56943647d4eb27ae7aa8fc2679ef7079dd38e8e6fe29f2142877e23e1b2fdb3bd08158ce281bf5bd28d22ddedfbed55ec0dfc204

memory/1200-68-0x0000000077406000-0x0000000077407000-memory.dmp

memory/1380-67-0x000007FEF66D0000-0x000007FEF6776000-memory.dmp

memory/1380-70-0x0000000000420000-0x0000000000427000-memory.dmp

memory/1380-73-0x000007FEF66D0000-0x000007FEF6776000-memory.dmp

\Users\Admin\AppData\Local\ZlJ5xMj\sethc.exe

MD5 3bcb70da9b5a2011e01e35ed29a3f3f3
SHA1 9daecb1ee5d7cbcf46ee154dd642fcd993723a9b
SHA256 dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5
SHA512 69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

\Users\Admin\AppData\Local\ZlJ5xMj\OLEACC.dll

MD5 d292aac9f1b55a652fbd9f2743d27659
SHA1 268cf9c4a0258371a1705e068d1adeaf5c80c333
SHA256 9399d8785a4da618530d08c1c67f7409a048e27788d24c196776c9f7effd2c26
SHA512 4128188f00c0ac441cd053b52d88ddf06cb6ac55e234c8c934e24c67a17295df9a110bca77cab410e4226c19a824951d5695840bcefefb5718962d6405bbb40b

memory/1788-86-0x0000000000120000-0x0000000000127000-memory.dmp

memory/1788-90-0x000007FEF66D0000-0x000007FEF6776000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

MD5 451d3c5dbfe045f7047207e8a48c2e28
SHA1 5cb9a8ea1a705bb69520cea6300b2a79ba476dce
SHA256 1d77f0898c66bc0a2723911e2492c6b57f8b29e5f6b84f90aedca50b0f50eb5d
SHA512 19afaec36d2dcca0160d3049aeead04ae9177981f2d76be52d523d3a128ccf03d666073dd8d7794f9cf7dc3eec7655bc1836e74fb8b9d8945d5cb5f4e97f514e

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-27 04:12

Reported

2024-01-27 04:14

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\793df85f287f06c4764a229b404e0a7f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\wI1WHJWu\\wscript.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\G25\SystemPropertiesDataExecutionPrevention.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ObVqq\wscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\V62s\AtBroker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of FindShellTrayWindow


Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3552 wrote to memory of 2472 N/A N/A C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 3552 wrote to memory of 2472 N/A N/A C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 3552 wrote to memory of 1208 N/A N/A C:\Users\Admin\AppData\Local\G25\SystemPropertiesDataExecutionPrevention.exe
PID 3552 wrote to memory of 1208 N/A N/A C:\Users\Admin\AppData\Local\G25\SystemPropertiesDataExecutionPrevention.exe
PID 3552 wrote to memory of 4376 N/A N/A C:\Windows\system32\wscript.exe
PID 3552 wrote to memory of 4376 N/A N/A C:\Windows\system32\wscript.exe
PID 3552 wrote to memory of 1576 N/A N/A C:\Users\Admin\AppData\Local\ObVqq\wscript.exe
PID 3552 wrote to memory of 1576 N/A N/A C:\Users\Admin\AppData\Local\ObVqq\wscript.exe
PID 3552 wrote to memory of 3356 N/A N/A C:\Windows\system32\AtBroker.exe
PID 3552 wrote to memory of 3356 N/A N/A C:\Windows\system32\AtBroker.exe
PID 3552 wrote to memory of 3988 N/A N/A C:\Users\Admin\AppData\Local\V62s\AtBroker.exe
PID 3552 wrote to memory of 3988 N/A N/A C:\Users\Admin\AppData\Local\V62s\AtBroker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\793df85f287f06c4764a229b404e0a7f.dll,#1

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\G25\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\G25\SystemPropertiesDataExecutionPrevention.exe

C:\Windows\system32\wscript.exe

C:\Windows\system32\wscript.exe

C:\Users\Admin\AppData\Local\ObVqq\wscript.exe

C:\Users\Admin\AppData\Local\ObVqq\wscript.exe

C:\Windows\system32\AtBroker.exe

C:\Windows\system32\AtBroker.exe

C:\Users\Admin\AppData\Local\V62s\AtBroker.exe

C:\Users\Admin\AppData\Local\V62s\AtBroker.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/3280-0-0x00007FFD9EC90000-0x00007FFD9ED35000-memory.dmp

memory/3280-2-0x000002A7EDC80000-0x000002A7EDC87000-memory.dmp

memory/3552-3-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

memory/3552-5-0x00007FFDAB1FA000-0x00007FFDAB1FB000-memory.dmp

memory/3552-6-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3552-7-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3552-8-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3552-9-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3552-10-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3552-11-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3552-13-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3552-14-0x00000000027B0000-0x00000000027B7000-memory.dmp

memory/3552-15-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3552-12-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3552-22-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3552-23-0x00007FFDAD140000-0x00007FFDAD150000-memory.dmp

memory/3552-24-0x00007FFDAD130000-0x00007FFDAD140000-memory.dmp

memory/3552-33-0x0000000140000000-0x00000001400A5000-memory.dmp

memory/3280-36-0x00007FFD9EC90000-0x00007FFD9ED35000-memory.dmp

C:\Users\Admin\AppData\Local\G25\SystemPropertiesDataExecutionPrevention.exe

MD5 de58532954c2704f2b2309ffc320651d
SHA1 0a9fc98f4d47dccb0b231edf9a63309314f68e3b
SHA256 1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3
SHA512 d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

C:\Users\Admin\AppData\Local\G25\SYSDM.CPL

MD5 26561066087142861def65355f08e1e0
SHA1 ce93999f2bb742b6b3e6417dc94fa5b51b010e90
SHA256 623473f9ceafb0a7410e5b96b196789587567fee2a2507923c9d4907abfb165e
SHA512 c4e120d5f7fb2f5c6de306d56959c63c8b3aa58f3f8be6d10f18294cc481540f4eeab87ee3d22f993c6a1e55e523acaa7289715630e621bd8e042888de7a237e

memory/1208-44-0x00007FFD8F020000-0x00007FFD8F0C6000-memory.dmp

memory/1208-43-0x000002AFA8080000-0x000002AFA8087000-memory.dmp

memory/1208-48-0x00007FFD8F020000-0x00007FFD8F0C6000-memory.dmp

C:\Users\Admin\AppData\Local\ObVqq\wscript.exe

MD5 a47cbe969ea935bdd3ab568bb126bc80
SHA1 15f2facfd05daf46d2c63912916bf2887cebd98a
SHA256 34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100
SHA512 f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

C:\Users\Admin\AppData\Local\ObVqq\VERSION.dll

MD5 b2645ebd75dcc17de3ee4a29f12deb95
SHA1 1cfd8481ddb7f3a537081c98bbf76006e3344998
SHA256 7cfa69cc2a42b04130edb59e3951fce79a21a0d3582094aa3d1d26e35f278ee6
SHA512 fa25593a09d95b44c5208b087e24a933014e3921e551644791c6cbd964335274b294249219e579e26e1baf8fef79924c38aad4f408b8de134aa1cc270a51dbc1

memory/1576-60-0x00007FFD8F080000-0x00007FFD8F126000-memory.dmp

memory/1576-59-0x000002088DFB0000-0x000002088DFB7000-memory.dmp

memory/1576-64-0x00007FFD8F080000-0x00007FFD8F126000-memory.dmp

C:\Users\Admin\AppData\Local\V62s\AtBroker.exe

MD5 30076e434a015bdf4c136e09351882cc
SHA1 584c958a35e23083a0861421357405afd26d9a0c
SHA256 ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd
SHA512 675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

C:\Users\Admin\AppData\Local\V62s\UxTheme.dll

MD5 5d537207a55057c222855dc117960e80
SHA1 a3e602f1c377a31a46c68c1d597915bf6200e6e1
SHA256 517903c6645634501126e88ba2e36f84d2d194b2f3f5749eeecec9751584c075
SHA512 1a3f645de4602e41734dee5ecde1b582e01e743f16326b5e8a40f572da94b40169ecc41d183a360314a157cd9e45acdbbe7e3380ff2fbedf817f526be06b7a03

memory/3988-76-0x0000018DBFE30000-0x0000018DBFE37000-memory.dmp

memory/3988-80-0x00007FFD8F080000-0x00007FFD8F126000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 60fae643256f7135fe98b2508796722b
SHA1 0cbb0eada5ecadf5cf51902e6bcf4911be577bf2
SHA256 29488f31d96360e878a89082883f24d15764ff691d45519c16b844309fa0dffd
SHA512 03993eb85553d6ecd042d912c6ca4ea98f9a29a9c407aaa553c14489ab89b74465ad50f05bef2fe492d9f914f79b79d3e2d17366001266687955ed400416ad9b