Malware Analysis Report

2024-11-30 21:26

Sample ID 231222-t2zh2abbe3
Target f325ee7a242e62a3685763de8d71db15
SHA256 064dd0fe494677278bb6d1bc0bc811f872b583604d27a81258023f7c695c0a20
Tags
dridex botnet evasion loader payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

064dd0fe494677278bb6d1bc0bc811f872b583604d27a81258023f7c695c0a20

Threat Level: Known bad

The file f325ee7a242e62a3685763de8d71db15 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion loader payload persistence trojan

Dridex

Dridex Loader 'dmod' strings

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 16:33

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 16:33

Reported

2023-12-24 07:11

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f325ee7a242e62a3685763de8d71db15.dll,#1

Signatures

Dridex

botnet dridex

Dridex Loader 'dmod' strings

botnet loader

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uh5D\WindowsAnytimeUpgradeResults.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\1eHhzG\RDVGHelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\NpffJU\PresentationSettings.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\Z87ICQdtD\\RDVGHelper.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\uh5D\WindowsAnytimeUpgradeResults.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\1eHhzG\RDVGHelper.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\NpffJU\PresentationSettings.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 576 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1224 wrote to memory of 576 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1224 wrote to memory of 576 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1224 wrote to memory of 472 N/A N/A C:\Users\Admin\AppData\Local\uh5D\WindowsAnytimeUpgradeResults.exe
PID 1224 wrote to memory of 472 N/A N/A C:\Users\Admin\AppData\Local\uh5D\WindowsAnytimeUpgradeResults.exe
PID 1224 wrote to memory of 472 N/A N/A C:\Users\Admin\AppData\Local\uh5D\WindowsAnytimeUpgradeResults.exe
PID 1224 wrote to memory of 1784 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1224 wrote to memory of 1784 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1224 wrote to memory of 1784 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1224 wrote to memory of 1984 N/A N/A C:\Users\Admin\AppData\Local\1eHhzG\RDVGHelper.exe
PID 1224 wrote to memory of 1984 N/A N/A C:\Users\Admin\AppData\Local\1eHhzG\RDVGHelper.exe
PID 1224 wrote to memory of 1984 N/A N/A C:\Users\Admin\AppData\Local\1eHhzG\RDVGHelper.exe
PID 1224 wrote to memory of 1044 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 1224 wrote to memory of 1044 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 1224 wrote to memory of 1044 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 1224 wrote to memory of 2888 N/A N/A C:\Users\Admin\AppData\Local\NpffJU\PresentationSettings.exe
PID 1224 wrote to memory of 2888 N/A N/A C:\Users\Admin\AppData\Local\NpffJU\PresentationSettings.exe
PID 1224 wrote to memory of 2888 N/A N/A C:\Users\Admin\AppData\Local\NpffJU\PresentationSettings.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f325ee7a242e62a3685763de8d71db15.dll,#1

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe

C:\Users\Admin\AppData\Local\uh5D\WindowsAnytimeUpgradeResults.exe

C:\Users\Admin\AppData\Local\uh5D\WindowsAnytimeUpgradeResults.exe

C:\Windows\system32\RDVGHelper.exe

C:\Windows\system32\RDVGHelper.exe

C:\Users\Admin\AppData\Local\1eHhzG\RDVGHelper.exe

C:\Users\Admin\AppData\Local\1eHhzG\RDVGHelper.exe

C:\Windows\system32\PresentationSettings.exe

C:\Windows\system32\PresentationSettings.exe

C:\Users\Admin\AppData\Local\NpffJU\PresentationSettings.exe

C:\Users\Admin\AppData\Local\NpffJU\PresentationSettings.exe

Network

N/A

Files

memory/1936-1-0x0000000000290000-0x0000000000297000-memory.dmp

memory/1936-0-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/1224-4-0x0000000077816000-0x0000000077817000-memory.dmp

memory/1224-5-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/1224-7-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/1224-8-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/1224-9-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/1224-10-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/1224-11-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/1224-13-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/1224-12-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/1224-14-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/1224-15-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/1224-16-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/1224-17-0x0000000002590000-0x0000000002597000-memory.dmp

memory/1224-24-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/1224-25-0x0000000077A21000-0x0000000077A22000-memory.dmp

memory/1224-26-0x0000000077BB0000-0x0000000077BB2000-memory.dmp

memory/1224-35-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/1936-38-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/1224-37-0x0000000140000000-0x00000001400E2000-memory.dmp

\Users\Admin\AppData\Local\uh5D\WindowsAnytimeUpgradeResults.exe

MD5 6f3f29905f0ec4ce22c1fd8acbf6c6de
SHA1 68bdfefe549dfa6262ad659f1578f3e87d862773
SHA256 e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b
SHA512 16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

C:\Users\Admin\AppData\Local\uh5D\WINBRAND.dll

MD5 caecc633f69c34100f93c328738c6eeb
SHA1 b4fa93e24f142d98b17a852d78cc7dbe22f6c23c
SHA256 797c1e567d949944e768e7fdf8ce146ba65ef18c0c07dd478864965a4a714549
SHA512 926dc72d637aca0771c6f7ee42e025d6ac9a80530a4e03893f8ee0fbde3cd07d7ecccfcf28e67a8bcff1b15206a9056f30ef1820b933cb110458052d0d0851a3

memory/472-52-0x0000000000090000-0x0000000000097000-memory.dmp

memory/472-53-0x0000000140000000-0x00000001400E3000-memory.dmp

memory/472-58-0x0000000140000000-0x00000001400E3000-memory.dmp

memory/1224-63-0x0000000077816000-0x0000000077817000-memory.dmp

\Users\Admin\AppData\Local\1eHhzG\RDVGHelper.exe

MD5 53fda4af81e7c4895357a50e848b7cfe
SHA1 01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f
SHA256 62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038
SHA512 dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

C:\Users\Admin\AppData\Local\1eHhzG\dwmapi.dll

MD5 196598ff5ca15cf9e0707217dc6d7b29
SHA1 b922c0ee6765e9ae8da0c2adfe77e0a750c59303
SHA256 beb9ab605985ae7fd93625e8add4b495670c22ad1d82d7f0cc791e00e8bdb516
SHA512 a97b2082adc8c2181a8493a9b63acf3967bfb7716f257185dfc187cc2fc1d725fe13b8341e33b28c13204cda06065332348816ffea6426273725772604e13c82

memory/1984-71-0x0000000000100000-0x0000000000107000-memory.dmp

memory/1984-77-0x0000000140000000-0x00000001400E3000-memory.dmp

\Users\Admin\AppData\Local\NpffJU\PresentationSettings.exe

MD5 a6f8d318f6041334889481b472000081
SHA1 b8cf08ec17b30c8811f2514246fcdff62731dd58
SHA256 208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258
SHA512 60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

C:\Users\Admin\AppData\Local\NpffJU\Secur32.dll

MD5 7217453a9effb28e36dd6885c8352856
SHA1 5634b120fec22840c0839af617a9bf361753dd94
SHA256 90484abccb733d75d4821fbfb338799d4edadfcff96dbe801b565afc4f3a3480
SHA512 a5b9acf48b5f0378113cdec10d61773890f07bbb46bc01d789ca435319860354930f5779e70212cbfbe0b41c54f12f2964621ed6cbf9ae97859e76bf79100d62

memory/2888-89-0x0000000000190000-0x0000000000197000-memory.dmp

memory/2888-95-0x0000000140000000-0x00000001400E3000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

MD5 fd8e6868846e14ed5d416aaf1b781911
SHA1 c226e4a9fa0b1b94091f4984b6f7d9c8f82c1734
SHA256 b80db88bac303296cb065106ca51e9a57aa282b2700995b5d83cc52c0451490f
SHA512 eecbf5cada50937f88b6d9eacce5e90369ae50cf32204aa89d57febdd8128e079c4974fcb112cdde02504ab926adb901e5ef0243cbcfe3cb52385211c8b0ab9a

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 16:33

Reported

2023-12-24 07:11

Platform

win10v2004-20231222-en

Max time kernel

3s

Max time network

115s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f325ee7a242e62a3685763de8d71db15.dll,#1

Signatures

Dridex

botnet dridex

Dridex Loader 'dmod' strings

botnet loader

Dridex Shellcode

botnet payload

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f325ee7a242e62a3685763de8d71db15.dll,#1

C:\Users\Admin\AppData\Local\cRq\tcmsetup.exe

C:\Users\Admin\AppData\Local\cRq\tcmsetup.exe

C:\Windows\system32\tcmsetup.exe

C:\Windows\system32\tcmsetup.exe

C:\Users\Admin\AppData\Local\o1jLI\phoneactivate.exe

C:\Users\Admin\AppData\Local\o1jLI\phoneactivate.exe

C:\Windows\system32\phoneactivate.exe

C:\Windows\system32\phoneactivate.exe

C:\Users\Admin\AppData\Local\2EQlojm9\MusNotificationUx.exe

C:\Users\Admin\AppData\Local\2EQlojm9\MusNotificationUx.exe

C:\Windows\system32\MusNotificationUx.exe

C:\Windows\system32\MusNotificationUx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp

Files

memory/1624-0-0x000001EB16960000-0x000001EB16967000-memory.dmp

memory/1624-1-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/3404-15-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/3404-17-0x0000000000F70000-0x0000000000F77000-memory.dmp

memory/3404-24-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/3404-25-0x00007FFB24410000-0x00007FFB24420000-memory.dmp

memory/3404-34-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/3404-16-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/3404-14-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/3404-13-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/3404-12-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/3404-11-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/3404-10-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/3404-9-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/3404-8-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/3404-7-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/3404-5-0x00007FFB2280A000-0x00007FFB2280B000-memory.dmp

memory/3404-4-0x0000000002A40000-0x0000000002A41000-memory.dmp

memory/1624-37-0x0000000140000000-0x00000001400E2000-memory.dmp

C:\Users\Admin\AppData\Local\cRq\TAPI32.dll

MD5 03785321acfcca8033aae84ae14d1da9
SHA1 55a56835446983774edc229dbb3d798bcce73e7e
SHA256 612a59c6820fbdb44abd15141e5abb12d9be36c4febef9074f5a4d406ea10e0d
SHA512 ba65229f19e345cb197225db36be2f23da71ff0f6b0af3fa688777e8b365d9309af86d2932eae8723d7b9facac350adca7b391b5a564e48b122a632059114715

memory/3888-50-0x0000000140000000-0x00000001400E4000-memory.dmp

memory/3888-47-0x0000022AB2430000-0x0000022AB2437000-memory.dmp

C:\Users\Admin\AppData\Local\cRq\tcmsetup.exe

MD5 58f3b915b9ae7d63431772c2616b0945
SHA1 6346e837da3b0f551becb7cac6d160e3063696e9
SHA256 e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39
SHA512 7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

memory/3888-44-0x0000000140000000-0x00000001400E4000-memory.dmp

C:\Users\Admin\AppData\Local\cRq\TAPI32.dll

MD5 c8dd9e948f61bbb66355a45ea585b227
SHA1 0239a7f3cd55b6302f0fc62b3164654dc88bc770
SHA256 0e5ec84a61d77170be46d8beff2d577e281e9ec66d01985ae589948b2bf3f336
SHA512 37da10a158420b6e55a96863560c38ef0db513d20f000462b51cbfb594a1e21fdc0f08c46558b53e6229decc2ee3bf1dfc96373678b6b265f943b2f721a2f9e5

C:\Users\Admin\AppData\Local\o1jLI\phoneactivate.exe

MD5 56b51e0ac4ee47fbd7ee166fedc0a847
SHA1 4a8232b4b3b3f6f82a8b58c60e567d276af6b8d5
SHA256 485983a549421906ccdc20bf06870180061fb6cc17480fb59139fbed0459e1b4
SHA512 1a02726e90d0e10e3176623217556a758b1107a99c12cbaee86770bca46221c8f7fc033dee1976381bd15e7a208ef929cbb13bc249bbd59e2a5a4ac00a6cf567

memory/4812-67-0x0000000140000000-0x00000001400E3000-memory.dmp

C:\Users\Admin\AppData\Local\o1jLI\phoneactivate.exe

MD5 d9c4beb0e8fb3f0e724e09729ec1769c
SHA1 30fd237f5472f9cc4b195b0e5db31ea40e55daa3
SHA256 3acc447b497ecf478cb97c7b44041856f4cbc16e03f20e92f4ef24b558c6d230
SHA512 c38b0991b9421f4076beffe6a3a74ec733f706261c2e5dd24ebb5bf261673df6a602073a8dc6e89364590dadc723b07a5a05def5cc2af1a5419f2bf3a47300a6

memory/4812-64-0x00000214F2C30000-0x00000214F2C37000-memory.dmp

memory/4812-61-0x0000000140000000-0x00000001400E3000-memory.dmp

C:\Users\Admin\AppData\Local\o1jLI\SLC.dll

MD5 3c72f408c697c23f3b012b25bee3305d
SHA1 805b6b550aaac871483ae05ddb8876257c94c6ec
SHA256 3aef5400aa44369e01564b35c218bbbd8df99703c955faca8d3dead3865b5e6b
SHA512 157723290c060c9598ed65ee04d9b076f15e0b76702cefaf3b3da8eacd126bd34d20e29a341a8d6ac737e7e0cbfeaab9a5f19384894e794adfbcfd287ab6075e

C:\Users\Admin\AppData\Local\o1jLI\SLC.dll

MD5 34e91e814e0da8dcc6a3d43abe93ece8
SHA1 002b651f40abc5d1a02bf493062c5e425455c60b
SHA256 33a85bb6ff30c08f471b2315c43d682a52bbb824dc3c177a0554d15b4aeb42bd
SHA512 2b466bfde295f04a898b2df94dbaf175cfe6da70cf60413e02a2d6e9af78309050a78e4c42332985b7aaa5e0f7541b1bba05e0ff8dc44007a1e646c62b232e65

C:\Users\Admin\AppData\Local\2EQlojm9\XmlLite.dll

MD5 4bd77062a0094b7a2d9b1dc56c6f824b
SHA1 f28b1f14b49e978612a46c80c7edcc1be8316d9d
SHA256 2d33f403f7c52de56974ee44d42d14038a2766c2bcd0629088b0c347fe7f3378
SHA512 3d2ff237ec4d7558ef29c17b9da340b470aa503f5e96d4388094cb81820ccc26b8aceeef94c78007d3b9e8b25824ec9885da4efde7f0b3f3e63361c761c80591

memory/4192-84-0x0000000140000000-0x00000001400E3000-memory.dmp

C:\Users\Admin\AppData\Local\2EQlojm9\MusNotificationUx.exe

MD5 969a614ead88811dcc6baacb769ac975
SHA1 fe23dfdaa316cbef7452c75735157ac2d1c8097f
SHA256 d2e72d9bac3bd2e27b648de69aa5e37063e8d1047042b306a924171d8b5e0d37
SHA512 2527105d94b620bee1beb1060b0eb39fef7d72441438080000daf23c0f9fbbb816ee2ca8c5ccb3a26cbf5aa49f45c06969eded8983453316f90d47f1d6b75f1e

memory/4192-81-0x0000023EC9180000-0x0000023EC9187000-memory.dmp

C:\Users\Admin\AppData\Local\2EQlojm9\XmlLite.dll

MD5 df4d3cbd5baeb935f75db51d21c93085
SHA1 caedaa90d81f7ee680cb242d156c867df911bb5c
SHA256 48e7f910a5a7a985d2522c00e8cf2a49aa6b281e1b4b167d52efdbccca777e1c
SHA512 450d7a41041707c5d154461a22591face2ccfaf8178581606bf2fe9318d43576b1c930b51a58406785cc4338f9485a35b2f9b24ca8cea174e3fb25f335fadf3f

C:\Users\Admin\AppData\Local\2EQlojm9\MusNotificationUx.exe

MD5 34a442145739e7b68a831c1f7a468c50
SHA1 50518e78044b7ac30e694f431a0d2f21fb724367
SHA256 38180a11bf6ba4b94f9dc851fee5a20d23b557327cbf68063b3979931ac2bc85
SHA512 6a811268691daec7a2e9c39734a1d2ec6a05ae6425bbc300fd6d38330a19795032e99fd8b3a49f9642d1229f033a490620c7d7eeedf788dac2744d8eec87c057

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

MD5 1ed3497323b0d5b36f3aa8b93987e661
SHA1 344cfb057f4f26c8d82ff501f76897aeb5a5a45b
SHA256 2427fda69f560c383d233af9dfb385423e1156d10e7df783248493b8c4318f43
SHA512 98c776e11b8b2a7d326a1bd209cfa8a1b375cf1d77f41dc01b1f293a2e80e4a23aa50ebd6c6c18139f5425ade90d3def4350657eaae63993e9f26a95aeeb8b8d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\p3V64Sj\TAPI32.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\2Ul9Dtn02zO\SLC.dll

MD5 86533f0faaf510444bea8c39c9657c39
SHA1 a6495b8ca9d377c93c6d910d08e96de7ed2264c6
SHA256 0f64a778ad3d646a877e9a1c651f081d89d39bbf141b9bdf10ad905bfe521101
SHA512 b59d6bad2ca234f9360b44ef81a323c8f6a566717745c286d10cd7d11979bdb5631a9284c2c58130a801b06a54e53c0f3a8e62c0b9bc50c0349ee6aaeeadca87

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CM2xvn6VC\XmlLite.dll

MD5 a5f7c9f4b6cbab0d6e61e149fc035063
SHA1 52c22976d2a6d57310067050a47f6ee6eea4b9c2
SHA256 44e3dc2a40f332855635400e31ea831ef7f8be20edc09629a6014c371270ad7f
SHA512 7ad5866dc768246177ebf162f4e7d4a8d5a6e02041980c9432c4f1b03fd7aff68cc8755cf4e2b938a16941adcd22d8e308e968a9afd287b9c85d8e68570aa8d7