Malware Analysis Report

2024-11-30 21:26

Sample ID 231229-ztr2wahhbq
Target 03e11938813980f4ee92eafaa1ef0941
SHA256 fb7090afa187d1404a763ce8352a48a9c6fa47da4f1c0dd1b0cbfb87a59c56e0
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Threat Level: Known bad

The file 03e11938813980f4ee92eafaa1ef0941 was found to be: Known bad.

Malicious Activity Summary

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-29 21:00

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-29 21:00
Reported 2023-12-30 00:40
Platform win7-20231129-en
Max time kernel 7s
Max time network 119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\03e11938813980f4ee92eafaa1ef0941.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uI8myEsuU\SystemPropertiesProtection.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\0B2zk8txD\DWWIN.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\V18\spreview.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\OMZuj\\DWWIN.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\uI8myEsuU\SystemPropertiesProtection.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\0B2zk8txD\DWWIN.EXE N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\V18\spreview.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1248 wrote to memory of 2344 N/A N/A C:\Windows\system32\SystemPropertiesProtection.exe
PID 1248 wrote to memory of 2344 N/A N/A C:\Windows\system32\SystemPropertiesProtection.exe
PID 1248 wrote to memory of 2344 N/A N/A C:\Windows\system32\SystemPropertiesProtection.exe
PID 1248 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\uI8myEsuU\SystemPropertiesProtection.exe
PID 1248 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\uI8myEsuU\SystemPropertiesProtection.exe
PID 1248 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\uI8myEsuU\SystemPropertiesProtection.exe
PID 1248 wrote to memory of 1900 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 1248 wrote to memory of 1900 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 1248 wrote to memory of 1900 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 1248 wrote to memory of 2816 N/A N/A C:\Users\Admin\AppData\Local\0B2zk8txD\DWWIN.EXE
PID 1248 wrote to memory of 2816 N/A N/A C:\Users\Admin\AppData\Local\0B2zk8txD\DWWIN.EXE
PID 1248 wrote to memory of 2816 N/A N/A C:\Users\Admin\AppData\Local\0B2zk8txD\DWWIN.EXE
PID 1248 wrote to memory of 1244 N/A N/A C:\Windows\system32\spreview.exe
PID 1248 wrote to memory of 1244 N/A N/A C:\Windows\system32\spreview.exe
PID 1248 wrote to memory of 1244 N/A N/A C:\Windows\system32\spreview.exe
PID 1248 wrote to memory of 2340 N/A N/A C:\Users\Admin\AppData\Local\V18\spreview.exe
PID 1248 wrote to memory of 2340 N/A N/A C:\Users\Admin\AppData\Local\V18\spreview.exe
PID 1248 wrote to memory of 2340 N/A N/A C:\Users\Admin\AppData\Local\V18\spreview.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\03e11938813980f4ee92eafaa1ef0941.dll,#1

C:\Users\Admin\AppData\Local\uI8myEsuU\SystemPropertiesProtection.exe

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\0B2zk8txD\DWWIN.EXE

C:\Windows\system32\DWWIN.EXE

C:\Users\Admin\AppData\Local\V18\spreview.exe

C:\Windows\system32\spreview.exe

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk

MD5 ed883c1168daa33af0b82fe3d9e430ec
SHA1 ca560294ea4eb8f2ad48edbffa7d509a9390e955
SHA256 d47618777d557c9cc45b560814e8b3c23d53d4bc191a2a4052d80998ea5c5378
SHA512 52e40fc9d19cf95cd2f9157ac345ee431a2f2c254513265e6f4d8ea902138cf552e5aaf3f5e48faaca03ea8b7335f8f1fb854cc2e4f63f04d8c26b17f5313faf

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-29 21:00
Reported 2023-12-30 00:41
Platform win10v2004-20231215-en
Max time kernel 105s
Max time network 157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\03e11938813980f4ee92eafaa1ef0941.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\u3eN\\CUSTOM~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\mc03LfmPq\SystemSettingsAdminFlows.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\69ktdcgS2\CustomShellHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\C6enDh\cttune.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3500 wrote to memory of 1584 N/A N/A C:\Windows\system32\SystemSettingsAdminFlows.exe
PID 3500 wrote to memory of 1584 N/A N/A C:\Windows\system32\SystemSettingsAdminFlows.exe
PID 3500 wrote to memory of 4888 N/A N/A C:\Users\Admin\AppData\Local\mc03LfmPq\SystemSettingsAdminFlows.exe
PID 3500 wrote to memory of 4888 N/A N/A C:\Users\Admin\AppData\Local\mc03LfmPq\SystemSettingsAdminFlows.exe
PID 3500 wrote to memory of 464 N/A N/A C:\Windows\system32\CustomShellHost.exe
PID 3500 wrote to memory of 464 N/A N/A C:\Windows\system32\CustomShellHost.exe
PID 3500 wrote to memory of 1476 N/A N/A C:\Users\Admin\AppData\Local\69ktdcgS2\CustomShellHost.exe
PID 3500 wrote to memory of 1476 N/A N/A C:\Users\Admin\AppData\Local\69ktdcgS2\CustomShellHost.exe
PID 3500 wrote to memory of 4996 N/A N/A C:\Windows\system32\cttune.exe
PID 3500 wrote to memory of 4996 N/A N/A C:\Windows\system32\cttune.exe
PID 3500 wrote to memory of 4712 N/A N/A C:\Users\Admin\AppData\Local\C6enDh\cttune.exe
PID 3500 wrote to memory of 4712 N/A N/A C:\Users\Admin\AppData\Local\C6enDh\cttune.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\03e11938813980f4ee92eafaa1ef0941.dll,#1

C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\mc03LfmPq\SystemSettingsAdminFlows.exe

C:\Windows\system32\CustomShellHost.exe

C:\Users\Admin\AppData\Local\69ktdcgS2\CustomShellHost.exe

C:\Windows\system32\cttune.exe

C:\Users\Admin\AppData\Local\C6enDh\cttune.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\mc03LfmPq\SystemSettingsAdminFlows.exe

MD5 dad49a2ed8b860e5132a500545f3e6b1
SHA1 ccb5f1fc084d030c383e75837d52a24bc7951b9c
SHA256 65eb3b20af11e155bf01c267737a954685b57dd4bfc6c730250a313a237ba57a
SHA512 08d42d8e6b9800e6374eeca38fbb1365fef07f70731967fa55d3e81f8c995c1a6890c3faa98859b66168133e2e56760a8263cceb77fb77734ab0cf1faf16d7bf

C:\Users\Admin\AppData\Local\mc03LfmPq\DUI70.dll

MD5 5e6007d6992d12d473dca484430c85a3
SHA1 18c51555a796075691ec4424c75806c0c8524f3e
SHA256 95604438e448b4dce62cf79a346bbc6a1e0aae364d9944531e6d6606084802c2
SHA512 8b2d24781ea56dd94393aa3d450aac2a2ab65b23ea9f791cd2a75e7c067c65b61cb0d8470773b1d1f7ad696e0a3a70e15d96b7cecf950ce11c0d0b9b29a2729e

C:\Users\Admin\AppData\Local\mc03LfmPq\SystemSettingsAdminFlows.exe

MD5 0c1e303490ba876cbbb9d6ff0653f159
SHA1 61cca6c175fed82e0c1d3143dd8934bb448f2a15
SHA256 083a30206190a4649d2c9cda0b22934d3c039d134dcb4c2a9a7040a9feaee315
SHA512 4cfbf2df0c065eeefb053e514873fb296641462a8048a36e05cb7decbcb76c4c105908b714e42cb45badf028e6fd970f6da23d2b462ac3c62d155de8b83b4647

C:\Users\Admin\AppData\Local\mc03LfmPq\DUI70.dll

MD5 6c77b777852436bd0b8549df3e1a6c70
SHA1 30da76f742f03d354234663427c25f99fca31f9d
SHA256 61e8db8a339a3303589a56211c4053aa1026e382d8e22dbb32142d798d2731b1
SHA512 e2fc39101b3ce2187c4c46b73e8a904fa64a04d488c47f20534136a7c1d90856026802c9b55516e1105caeb548f9e70022da840f44ee1394fbd4a7dada932074

C:\Users\Admin\AppData\Local\69ktdcgS2\WTSAPI32.dll

MD5 30fe2af7022f5bd6a4cdf59970538af4
SHA1 189e096dde55d0039e0e55682b99d6a6fc91d594
SHA256 a00381d88b901692acb722fb5f1bdecdd4ddd40a31669fe2565ebd2e1fad4260
SHA512 7e1c8a8300ee96b9f8585dbecfc03013b9bcc711ad07b064d72d7d6c893f75dfca03aa77f5a5d6bb235e4e542070a32184145d37f9c078abea187eb5e626a770

C:\Users\Admin\AppData\Local\69ktdcgS2\CustomShellHost.exe

MD5 bfdbc5b5b29614128f3e38c8f321661b
SHA1 9847f223504df6bd8a0ddeb4e791e4417aad3075
SHA256 8a7cdc52f090909e03b7e8ddfb07a1fdb177bff4daee55da056b43cf16cb6156
SHA512 96e3f6562a1995eedb5815e19424314b9757da1106f481674a5b9b17b89beead3efb37c8d55f1aa0dd95493502ce61c622348317c245f753ed75c5ab791c3363

C:\Users\Admin\AppData\Local\69ktdcgS2\WTSAPI32.dll

MD5 3e030ced6c50f647839ff6c367839c69
SHA1 503291061fc8cdda51da2051e089028c446e47be
SHA256 bbb1282167f5c24fd7c05c93888a02ca7eeeb9ceab43ddc92d43056654feed05
SHA512 bb95627d5338714da2698d7b3810defcc5b925a17c4b7091d389764816301d7056e688298568556a7035dfd3a861e6c32539c835874206540b079ca95bd6365a

C:\Users\Admin\AppData\Local\69ktdcgS2\CustomShellHost.exe

MD5 f92199156cf1f91aaa5bff734aed09b3
SHA1 ae5bc3f2e43b3a8617143e5850c834f7235c34d4
SHA256 380aff4cd080732de58063e52a72d265423af4a1f0b32dcd9183b1469cf11c95
SHA512 9e671bf56f7e52b89e312f7f8d8bd418132b30ee00832d6e3cdf98ca5eec533dca0c86f40b3d5389933055076cd3858c13ee3e178eb68d55130636a441dfd74f

C:\Users\Admin\AppData\Local\C6enDh\cttune.exe

MD5 fa924465a33833f41c1a39f6221ba460
SHA1 801d505d81e49d2b4ffa316245ca69ff58c523c3
SHA256 de2d871afe2c071cf305fc488875563b778e7279e57030ba1a1c9f7e360748da
SHA512 eef91316e1a679cc2183d4fe9f8f40b5efa6d06f7d1246fd399292e14952053309b6891059da88134a184d9bd0298a45a1bf4bc9f27140b1a31b9523acbf3757

C:\Users\Admin\AppData\Local\C6enDh\UxTheme.dll

MD5 72fb66357c41065b83cb6096a4f26c6d
SHA1 21d574a7c31d3bbb34e8074d253fd649083ab3fd
SHA256 81ae209331dde4dfa56c9de7c1ee90925a5c064192882d43478b3eecc60422b4
SHA512 d1a39781baefe71c80102fb4cce166a49a626b1839aa90e81a8378b435170d42399734f26f94fdd73094ac1981adab7c4238d1536d329004607723b2424b5387

C:\Users\Admin\AppData\Local\C6enDh\UxTheme.dll

MD5 1909445d25f24955ff2bf6cf97f239f1
SHA1 ac63b002be40252f7d18b5672acc441dc163196e
SHA256 f75ceee749224959bff78ff564eb306aacc99f89c78be4072e3b0ce1965a123e
SHA512 019f059585eee03afc987e8d8cc49bb7db46031efb1e2655516d94d2a4ecd63b88e18d0c727cf0ed8868fa06e50031e646a637ba49dc24a3c506579a30ad256b

C:\Users\Admin\AppData\Local\C6enDh\cttune.exe

MD5 a2c3492d5f3c512821243ba4c3df9937
SHA1 c5a38116ac10675c5db6350867b968cc6fe8ee3e
SHA256 b23733ae85cb215f5e09b75d69647fd85d4cda38117bfc7084674a7bfe7ae9aa
SHA512 1a036a9716cd127f018567c714eddea10342143ae55a23b2d54fe691c69c2ac0d59e13f079f309fa8f3ee6a259d630ad376a26bdb0e0fa8ebf69e9d6ae0cc43a

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk

MD5 b22a54f73944d54d9d21d0fc7394b040
SHA1 76101561d9280f164efe28496c3021886354755a
SHA256 e1650353c967cc8b28ce17862b89136b8e6be44044d9cd25a0927a0a12a72535
SHA512 1f93433716462f806e8aa693396519e94f8af28cc8282dd832c0682a997f231d26dbf404fe7f52c79e25635ae5a8e43cae1bba7ee0e4f7e86780ecb6171463c4

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3336304223-2978740688-3645194410-1000\NSDXXy1QSco\DUI70.dll

MD5 5813ba8feb8a25732f8999fdfa0ababd
SHA1 1c9b31ea650c84ad001c9be1176226c0a4af3e27
SHA256 1014d30df4656aade879ef019409cacc575156d9a4fb71417d4005e27a45c33e
SHA512 cea22ed8553c707af97d19edb7e3913947631d0a77a0220f0ed345dfccd7a9086b4f250eade04f01c4be81f28c372e99d964b2abb3fb85057ebfc3c0ab4a6dc6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\u3eN\WTSAPI32.dll

MD5 f1b451dd604cf008840b23ae41fcd211
SHA1 aae8670b778330c42f02f07711133bf8cf41691f
SHA256 84821a3dbbeb12add62ec98e566afc1789a57aabbf3d7e9feec6a4ccb9adf4e2
SHA512 40a4a5b1e9cb4d7d4e2b09705242d3a8caf5112cbe2300df60d86aa0fc88809dd6417b5fe76134406e41fc1b4a4d57e152addf2db19f514c28ff5ddfbbf0b641

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\BUB\UxTheme.dll

MD5 26fd07b60df0f06d9a3d8ec388a1e8b0
SHA1 c05a3918a3628447ba0d6573c3a01809dee231c0
SHA256 660708beff7a57349fdd815626df83215daa16228ee2e1a1b263eefd1b97b799
SHA512 c511cb328b3dccb28d3e61b4a676effd6de997f9a63ee4234561c3fbf6f13d72cf8b3eedbffc123fbfbb7cbd38059681ddbf3e0520845f4a1113ed6939398b63