Malware Analysis Report

2024-11-30 21:45

Sample ID 231230-1p9lsshff8
Target 1d9ae0ed5c0c8c5ffd0c9a0e02fa8bad
SHA256 972a7c7225ddd802c9c9cb9922b2093d96bba57e3138ef918e94884858976caf
Tags dridex botnet evasion payload trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 972a7c7225ddd802c9c9cb9922b2093d96bba57e3138ef918e94884858976caf

Threat Level: Known bad

The file 1d9ae0ed5c0c8c5ffd0c9a0e02fa8bad was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan

Dridex

Dridex Shellcode

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 21:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 21:50

Reported

2024-01-04 15:46

Platform

win7-20231129-en

Max time kernel

3s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d9ae0ed5c0c8c5ffd0c9a0e02fa8bad.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Windows\system32\rundll32.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d9ae0ed5c0c8c5ffd0c9a0e02fa8bad.dll,#1

C:\Windows\system32\RDVGHelper.exe

C:\Users\Admin\AppData\Local\KBkSYkkw\RDVGHelper.exe

C:\Users\Admin\AppData\Local\w0yxS\SystemPropertiesRemote.exe

C:\Windows\system32\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\2RMK\ComputerDefaults.exe

C:\Windows\system32\ComputerDefaults.exe

Network

N/A

Files

\Users\Admin\AppData\Local\KBkSYkkw\dwmapi.dll

C:\Users\Admin\AppData\Local\KBkSYkkw\dwmapi.dll

C:\Users\Admin\AppData\Local\KBkSYkkw\RDVGHelper.exe

\Users\Admin\AppData\Local\KBkSYkkw\RDVGHelper.exe

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\OiGftr3\RDVGHelper.exe

\Users\Admin\AppData\Local\w0yxS\SYSDM.CPL

C:\Users\Admin\AppData\Local\w0yxS\SYSDM.CPL

C:\Users\Admin\AppData\Local\w0yxS\SystemPropertiesRemote.exe

\Users\Admin\AppData\Local\2RMK\appwiz.cpl

C:\Users\Admin\AppData\Local\2RMK\appwiz.cpl

C:\Users\Admin\AppData\Local\2RMK\ComputerDefaults.exe

\Users\Admin\AppData\Local\2RMK\ComputerDefaults.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Zkrs3Oj\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\OiGftr3\dwmapi.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Zkrs3Oj\SYSDM.CPL

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\KNGVw1\appwiz.cpl

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 21:50

Reported

2024-01-04 15:45

Platform

win10v2004-20231222-en

Max time kernel

3s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d9ae0ed5c0c8c5ffd0c9a0e02fa8bad.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Windows\system32\rundll32.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d9ae0ed5c0c8c5ffd0c9a0e02fa8bad.dll,#1

C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\gExl7Ja\SystemSettingsAdminFlows.exe

C:\Windows\system32\Magnify.exe

C:\Users\Admin\AppData\Local\sOG7650WR\Magnify.exe

C:\Users\Admin\AppData\Local\etDa\perfmon.exe

C:\Windows\system32\perfmon.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 219.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
GB 88.221.135.211:80 tcp
GB 88.221.135.211:80 tcp

Files

C:\Users\Admin\AppData\Local\gExl7Ja\DUI70.dll

C:\Users\Admin\AppData\Local\gExl7Ja\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\etDa\perfmon.exe

C:\Users\Admin\AppData\Local\etDa\credui.dll

C:\Users\Admin\AppData\Local\sOG7650WR\dwmapi.dll

C:\Users\Admin\AppData\Local\sOG7650WR\Magnify.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\FgExmg6opNK\DUI70.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\x7p2\credui.dll

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\mAhdqzUnI\dwmapi.dll