Malware Analysis Report

2024-11-30 21:09

Sample ID: 231230-b2j48scabn
Target: 0a553e757d7d67d7689766f46910df16
SHA256: 7ff117011e21c556700a966806d18d88fcb2dc4c5ade9df0f347d4a745f21511
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 7ff117011e21c556700a966806d18d88fcb2dc4c5ade9df0f347d4a745f21511

Threat Level: Known bad

The file 0a553e757d7d67d7689766f46910df16 was found to be: Known bad.

Malicious Activity Summary

Tags: dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-30 01:38

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-30 01:38
Reported: 2023-12-30 14:05
Platform: win7-20231215-en
Max time kernel: 149s
Max time network: 120s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0a553e757d7d67d7689766f46910df16.dll

Signatures

Dridex

Tags: botnet dridex

Dridex Shellcode

Tags: botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\S6kUG\notepad.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\YaPb\rdrleakdiag.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\VmISLm\ComputerDefaults.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\QiGGrECy5di\\rdrleakdiag.exe" | N/A | N/A

Checks whether UAC is enabled

Tags: evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\S6kUG\notepad.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\YaPb\rdrleakdiag.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\VmISLm\ComputerDefaults.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | N/A | N/A

The last row stands for 61 further events in the sandbox log for which all four fields are N/A.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1196 wrote to memory of 2596 | N/A | N/A | C:\Windows\system32\notepad.exe
PID 1196 wrote to memory of 2616 | N/A | N/A | C:\Users\Admin\AppData\Local\S6kUG\notepad.exe
PID 1196 wrote to memory of 1648 | N/A | N/A | C:\Windows\system32\rdrleakdiag.exe
PID 1196 wrote to memory of 1444 | N/A | N/A | C:\Users\Admin\AppData\Local\YaPb\rdrleakdiag.exe
PID 1196 wrote to memory of 1772 | N/A | N/A | C:\Windows\system32\ComputerDefaults.exe
PID 1196 wrote to memory of 1872 | N/A | N/A | C:\Users\Admin\AppData\Local\VmISLm\ComputerDefaults.exe

Each of these writes appears three times in the sandbox log.

Uses Task Scheduler COM API

Tags: persistence

Processes

C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0a553e757d7d67d7689766f46910df16.dll
C:\Users\Admin\AppData\Local\S6kUG\notepad.exe
C:\Windows\system32\notepad.exe
C:\Users\Admin\AppData\Local\YaPb\rdrleakdiag.exe
C:\Windows\system32\rdrleakdiag.exe
C:\Users\Admin\AppData\Local\VmISLm\ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe

Network

N/A

Files

memory/2256-3-0x00000000003A0000-0x00000000003A7000-memory.dmp
memory/2256-0-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-4-0x0000000076EB6000-0x0000000076EB7000-memory.dmp
memory/1196-13-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-25-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-39-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-45-0x0000000002FB0000-0x0000000002FB7000-memory.dmp
memory/1196-52-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-63-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-69-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/2616-84-0x0000000000100000-0x0000000000107000-memory.dmp
memory/2616-81-0x0000000140000000-0x00000001401B9000-memory.dmp
memory/1196-57-0x0000000077120000-0x0000000077122000-memory.dmp
memory/1196-55-0x0000000076FC1000-0x0000000076FC2000-memory.dmp
memory/1196-44-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-43-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-42-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-41-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-40-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-38-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-37-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-36-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-35-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-34-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-33-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-32-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-31-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-30-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-29-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-28-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-27-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-26-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-24-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-23-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-22-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-21-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-20-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-19-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-18-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-17-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-16-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-15-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-14-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-12-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-11-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-10-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1872-124-0x0000000000200000-0x0000000000207000-memory.dmp
memory/1196-9-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/2256-8-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-7-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/1196-5-0x0000000002FD0000-0x0000000002FD1000-memory.dmp
memory/1196-147-0x0000000076EB6000-0x0000000076EB7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-30 01:38
Reported: 2023-12-30 14:05
Platform: win10v2004-20231215-en
Max time kernel: 166s
Max time network: 185s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0a553e757d7d67d7689766f46910df16.dll

Signatures

Dridex

Tags: botnet dridex

Dridex Shellcode

Tags: botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\GEI8FQ~1\\SNIPPI~1.EXE" | N/A | N/A

Checks whether UAC is enabled

Tags: evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\1DTD\dialer.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\azIqX5MJp\SnippingTool.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ZyIy\osk.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | N/A | N/A

The last row stands for 58 further events in the sandbox log for which all four fields are N/A.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

The sandbox log records this pair of token adjustments five times, alternating between the two privileges.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3380 wrote to memory of 3168 | N/A | N/A | C:\Windows\system32\dialer.exe
PID 3380 wrote to memory of 836 | N/A | N/A | C:\Users\Admin\AppData\Local\1DTD\dialer.exe
PID 3380 wrote to memory of 3544 | N/A | N/A | C:\Windows\system32\SnippingTool.exe
PID 3380 wrote to memory of 3948 | N/A | N/A | C:\Users\Admin\AppData\Local\azIqX5MJp\SnippingTool.exe
PID 3380 wrote to memory of 2332 | N/A | N/A | C:\Windows\system32\osk.exe
PID 3380 wrote to memory of 4364 | N/A | N/A | C:\Users\Admin\AppData\Local\ZyIy\osk.exe

Each of these writes appears twice in the sandbox log.

Uses Task Scheduler COM API

Tags: persistence

Processes

C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0a553e757d7d67d7689766f46910df16.dll
C:\Windows\system32\dialer.exe
C:\Users\Admin\AppData\Local\1DTD\dialer.exe
C:\Windows\system32\SnippingTool.exe
C:\Users\Admin\AppData\Local\azIqX5MJp\SnippingTool.exe
C:\Windows\system32\osk.exe
C:\Users\Admin\AppData\Local\ZyIy\osk.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

The sandbox log records the connection to 204.79.197.200:443 five times.

Files

memory/4032-1-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/4032-0-0x00000000007F0000-0x00000000007F7000-memory.dmp
memory/4032-4-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-6-0x00007FFE2A11A000-0x00007FFE2A11B000-memory.dmp
memory/3380-5-0x00000000073F0000-0x00000000073F1000-memory.dmp
memory/3380-8-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-10-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-11-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-12-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-13-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-14-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-16-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-15-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-17-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-18-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-19-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-20-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-21-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-22-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-23-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-24-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-26-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-27-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-28-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-29-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-30-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-25-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-31-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-33-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-32-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-34-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-35-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-36-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-37-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-38-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-39-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-40-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-41-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-42-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-43-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-44-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-46-0x00000000073D0000-0x00000000073D7000-memory.dmp
memory/3380-45-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-53-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-54-0x00007FFE2B960000-0x00007FFE2B970000-memory.dmp
memory/3380-63-0x0000000140000000-0x00000001401B8000-memory.dmp
memory/3380-65-0x0000000140000000-0x00000001401B8000-memory.dmp

C:\Users\Admin\AppData\Local\1DTD\dialer.exe
  MD5    b2626bdcf079c6516fc016ac5646df93
  SHA1   838268205bd97d62a31094d53643c356ea7848a6
  SHA256 e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb
  SHA512 615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

C:\Users\Admin\AppData\Local\1DTD\TAPI32.dll
  MD5    3bf4a0baf84a35436145a9042cfb69b1
  SHA1   7ad5144eaa0a55ce0b2bd1d9c3ebaafe42736300
  SHA256 4b0a389d6985892860407c22e4ff1deeca82869520cad59f7a98c6a2a8130354
  SHA512 8deb3b3253e0fdc2cb13974f437e5b4e1dc7f1e587581120ce049b45a69641e6df38254dd0a74b3a532d33aeb1e04d3b585144611a1c5856322b896c4be19f57

memory/836-74-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/836-75-0x0000019466AC0000-0x0000019466AC7000-memory.dmp
memory/836-80-0x0000000140000000-0x00000001401BA000-memory.dmp

C:\Users\Admin\AppData\Local\azIqX5MJp\SnippingTool.exe
  MD5    f06d69f2fdd4d6a4e16f55769b7dccc1
  SHA1   735eb9b032d924b59a8767b9d49bdb88bed05220
  SHA256 83be001996cd4d9e5a1a8cd130e17e5b5ee81c9b5cf1b9d9196d8a39fbf7506d
  SHA512 ccc1bff59636e91763659749d67b9f6255765ed5aed4b40b6f8111d4136a7e2fe9e0726396b0c837e4ab8717528134273ffc0825a205e501a13bf1d3aee5046b

C:\Users\Admin\AppData\Local\azIqX5MJp\OLEACC.dll
  MD5    3c69ac7b4b1aea520c4224f0364f9309
  SHA1   9abb54770c644d03519bf52ab93f4870f9f89e38
  SHA256 3170ce0dce2faf67465cf46d0e98dc54b5370557fd5a8df0432e7c1b52866635
  SHA512 e4fc3d7357986dcf28b186251bbbe572e4d7bbac0a656684d235737136c035cbd7ab46d46bb02265aab0486ff6e73de35e207e650cc81c6ed717d726b02f9aa9

memory/3948-92-0x0000000140000000-0x00000001401B9000-memory.dmp
memory/3948-91-0x000001AC402C0000-0x000001AC402C7000-memory.dmp
memory/3948-97-0x0000000140000000-0x00000001401B9000-memory.dmp

C:\Users\Admin\AppData\Local\ZyIy\osk.exe
  MD5    745f2df5beed97b8c751df83938cb418
  SHA1   2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25
  SHA256 f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51
  SHA512 2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228

C:\Users\Admin\AppData\Local\ZyIy\OLEACC.dll
  MD5    ed3d8a85f8fd7c285af174e981dbeffb
  SHA1   8d2062753883d3f5024fdb317da45ba3404da5b2
  SHA256 e6f6f97117d92790ba4117c222b07582c19313c06c9c2cd1848b4146848c9307
  SHA512 2146b6f0936ac09867abfa972a75aacf247767e387e23b5d0e3f4167dcd2e3327d1283daafd86b7c2174159a86734a0b715609536f8bac87d61c400ed789465e

memory/4364-111-0x0000029ED5020000-0x0000029ED5027000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
  MD5    97b96bb7249fff137b57e38da9f17edf
  SHA1   a5e566b56dcae3e9e4046297923a161c592adf6c
  SHA256 aac9451c28450e8a6b080a8d1faee80c15aa9cd5f0e0766b85fee8e0a8536c5d
  SHA512 0f7b27c89043f75d8e65e0f4788d701a6f970e4c1db548945be56478ecc2b2ddba0552819722ee0ffe39a6c43bdec7d8afea02303d41e9649755f45c540667d5