Malware Analysis Report

2024-11-30 21:22

Sample ID 231230-h4pwtscae5
Target 11ece27856133435ff8c3f2f1c4b8b02
SHA256 f82e6e8bf49c6980ca60b9747725046747e4a9bea7334177db1e91ccfcb36874
Tags
dridex botnet evasion payload persistence trojan
Score
10/10

Analysis Overview

Score
10/10

SHA256

f82e6e8bf49c6980ca60b9747725046747e4a9bea7334177db1e91ccfcb36874

Threat Level: Known bad

The file 11ece27856133435ff8c3f2f1c4b8b02 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 07:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 07:17

Reported

2024-01-01 08:26

Platform

win10v2004-20231215-en

Max time kernel

136s

Max time network

166s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\11ece27856133435ff8c3f2f1c4b8b02.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\WINDOW~1\\3WAZE8~1\\FILEHI~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\iz1qzr\SystemPropertiesPerformance.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\0VMlZ\FileHistory.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\v2DstN\SndVol.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3520 wrote to memory of 4160 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 3520 wrote to memory of 2136 N/A N/A C:\Users\Admin\AppData\Local\iz1qzr\SystemPropertiesPerformance.exe
PID 3520 wrote to memory of 1632 N/A N/A C:\Windows\system32\FileHistory.exe
PID 3520 wrote to memory of 656 N/A N/A C:\Users\Admin\AppData\Local\0VMlZ\FileHistory.exe
PID 3520 wrote to memory of 1924 N/A N/A C:\Windows\system32\SndVol.exe
PID 3520 wrote to memory of 3372 N/A N/A C:\Users\Admin\AppData\Local\v2DstN\SndVol.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\11ece27856133435ff8c3f2f1c4b8b02.dll,#1

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\iz1qzr\SystemPropertiesPerformance.exe

C:\Windows\system32\FileHistory.exe

C:\Users\Admin\AppData\Local\0VMlZ\FileHistory.exe

C:\Windows\system32\SndVol.exe

C:\Users\Admin\AppData\Local\v2DstN\SndVol.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\iz1qzr\SystemPropertiesPerformance.exe

MD5 e4fbf7cab8669c7c9cef92205d2f2ffc
SHA1 adbfa782b7998720fa85678cc85863b961975e28
SHA256 b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30
SHA512 c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

C:\Users\Admin\AppData\Local\iz1qzr\SYSDM.CPL

MD5 2274c0f10748d2efd97fa5d603ee5dd7
SHA1 ebf7360d538fd84ae0ca8ed3324e380884556ae1
SHA256 cc4df6c3c1f075dbeb062da42b328887ab55def131c8816697e3ea8c2b3f5660
SHA512 f7f2a0354d653de5839e32da595c04b5887c86d2e665bbc5363619d1cb89b4c5fc8333eb471379f319dbfd7de79af3593b6c486269ac972cdf9221a60d2a0490

C:\Users\Admin\AppData\Local\iz1qzr\SYSDM.CPL

MD5 05bc0db1262c3e479f2c940cc1156b34
SHA1 5b38ea29e2bc8f4cdb5486f3695023775190d146
SHA256 4f3d17e449031227e8ce6fa9d93695672de8fbf228e5c78aca0d63a9e039c742
SHA512 99309ac26b0b124bc4b42db57fbcd8a6b6990459b57678da200a483713b5d2f12a5d342c5b31a93a3d826c374f5ba0f34b19555d6008d52d7dd695aabb575473

C:\Users\Admin\AppData\Local\0VMlZ\FileHistory.exe

MD5 eeba3dd643ced2781ec1b7e3cd6fa246
SHA1 2d394173e603625e231633fc270072e854bac17b
SHA256 bee0799a52fe65b8dc291de32f0c8b03b5a067915b1868bc8ba2a1b139c90b87
SHA512 222d4fbc7ee57d75889698a0660996293a0143518fdecc1b222618796d76d40f2d3b00b071f92ab917ac8847f195d7de02df55b5e89dad8a80d110e464cd3271

C:\Users\Admin\AppData\Local\0VMlZ\UxTheme.dll

MD5 55567c3f978ce2a63e5629c7ab19ff49
SHA1 36f96a6257879f0a342b2f63f87d78ba1cfbf25a
SHA256 963862bd5f48e65eb8ff8a43b11adb8efda6f4ecc8ef64b04e4654891b3ca9f1
SHA512 7bb02f67248df73a1a5c8f3927bab84f170295c1f3ff5e3605224d16eadf7f6a28018c21ec029cf3482a10540f7b00b123430d556bf64aaea62cf52d95ed8201

C:\Users\Admin\AppData\Local\v2DstN\SndVol.exe

MD5 c5d939ac3f9d885c8355884199e36433
SHA1 b8f277549c23953e8683746e225e7af1c193ad70
SHA256 68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605
SHA512 8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

C:\Users\Admin\AppData\Local\v2DstN\UxTheme.dll

MD5 c02eed1a4262664079605d4d673b9178
SHA1 3c85895739dd80e3742bb430ff1949b90f0bc2b2
SHA256 5bfe328cf55e0121ff20f0b1293856fccd2da87be259c8b449d7a05ed41fc8d7
SHA512 87b3b7908bd509fa264b3eebc13c7da9a066084a2392361f4076d6bced0a5bb0e5f32576c8598c38e01da8703852f84dc65c3a2a6e9d2a9b59db107671ba19d9

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 018e329bf5dc1b2df8722130e27e5e14
SHA1 0b37bfe35afa256e94af7cb5307d789862d05f03
SHA256 18fdb9db02ccf2815935e2cb4a3cd194f691092136337c3f123763d4a47f5d14
SHA512 216ef6e8e858f60e18669af6e2e4593f3b248ab0a82c76644f589183faf1db4044c1d5a56899ce834b8fdb62ad6c7bd835170f7bfbb0b5733a11cc1419968f99

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 07:17

Reported

2024-01-01 08:26

Platform

win7-20231215-en

Max time kernel

14s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\11ece27856133435ff8c3f2f1c4b8b02.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\11ece27856133435ff8c3f2f1c4b8b02.dll,#1

C:\Windows\system32\sdclt.exe

C:\Users\Admin\AppData\Local\ktK15H\sdclt.exe

C:\Windows\system32\Netplwiz.exe

C:\Users\Admin\AppData\Local\SI36TQJ\Netplwiz.exe

C:\Windows\system32\irftp.exe

C:\Users\Admin\AppData\Local\tdqbk\irftp.exe

Network

N/A

Files

\Users\Admin\AppData\Local\ktK15H\sdclt.exe

MD5 1b9e0489d63aa9a25adea4a464d63f5b
SHA1 b2a4d5a4217a9ec8b6eb4f0bd6821a8e774d96e0
SHA256 e402b627ba740ce6cc5364cd0f03cf4f7d250c4d4b47d1fa46ffbf407abc0bcf
SHA512 fcc56d325e8a905fe67bcca7e987d3eb453fe797fe6bb6464135153b26a68051e06ebb4be9597defe17f4272cda79aac3a93179b521d4f4d6681620855a4905e

C:\Users\Admin\AppData\Local\ktK15H\sdclt.exe

MD5 b041a5fd0ff2ff43540ac4b529285c5f
SHA1 c5f930843a63e93ce0b5be3902a9f7549d82bbcf
SHA256 2df28e3cae406ab310b33bbf4d1feedd49f7004dd6b48370d97f559009ffa1aa
SHA512 b1f1ad2491e69b6cc6a2c57ec3235e2c3e89d7efcefc0541333c4f87ea89b4e2c645e378551aa836414091344ec549ed65ddb22e7a3d3729af5b9285df495bc1

\Users\Admin\AppData\Local\ktK15H\slc.dll

MD5 c5a487b0f680b3a05a2b29acc076839e
SHA1 0983d9a19663f93caa9e72164394a773a027b057
SHA256 10fcec64ed8718708e1a0a88a87b7d2bf7a24108e5f250d72732669d6fd9bad2
SHA512 1fff0495da1dbc12121ca7ee566394569bbaf15156cc78e30fc3e84ad8baa1d99c7c71e5f1b98bd5373f605dd382d42294183d51f09b378efcd59f6c15c9a46d

C:\Users\Admin\AppData\Local\ktK15H\slc.dll

MD5 9156227a64b3f9a4220591abd7efba90
SHA1 68e00c4214cddb4c6fc787bba2ce31aeb28c76ee
SHA256 86c274674dab331d152a27948a89ef3ae0aa98ca744119d56c708c0d468eade9
SHA512 7a3d06db09c73a6e5bdcf6c111216c2fbcc24cfe2c1ed3316e4e2769e694cc4c45f5f11dbcd17b89150ca461b29845cd3561e70a2c70b44878f2b317ad37f67d

C:\Users\Admin\AppData\Local\ktK15H\sdclt.exe

MD5 039f9b8b9b7f65e356c59c242362ff06
SHA1 1fdcd7a018d14fe5c64c07b7994becf6a7db4454
SHA256 f98c2d04243c2bdbced4ee3cadc1797ca845b03f37dce4d39923928135765407
SHA512 9161f3d76222e100a9f2a29080d1a5a508057f9f9f011f89e3845313328938651acf6c45fbb7a7599bf461be8b1dad2fe5374edf41c0978f0bee9a79e7b29fac

C:\Users\Admin\AppData\Local\SI36TQJ\NETPLWIZ.dll

MD5 7137bee1dbf41d3528eaae2ff4ae4b08
SHA1 3efd39068f7fbbe25b935a99eacd58c37d84efd0
SHA256 96f07b6d109544c03da076112d2c846766f00a9e8c7a4d83b593c1105f2ac0dc
SHA512 42628f8f355fe55ba63ee7b7765f215d4c96e0b134ef7f321b58f546c6f095fa690b435f8565db70134cdfb14cdbd5ad76b8d297fe768758a1154fe33c37ef59

\Users\Admin\AppData\Local\SI36TQJ\NETPLWIZ.dll

MD5 0265f0a543275d6a97b88d6c0a044a38
SHA1 180ff362f7ce351d79fe34ee354be816ad5f9335
SHA256 177f2a932b220dc69866ddd7365504109f743769c2833b670b291f2df1d4cd1f
SHA512 805ba4ef7a1c0c02bfed5551d6840b48748ea961c34ab71c3e9620f5b37b0a671333c2d38ec0b461ba977ffa417d745a7df251b04a4cd5fefbd2f5e7f84a7e51

C:\Users\Admin\AppData\Local\SI36TQJ\Netplwiz.exe

MD5 e43ec3c800d4c0716613392e81fba1d9
SHA1 37de6a235e978ecf3bb0fc2c864016c5b0134348
SHA256 636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c
SHA512 176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\7q6\Netplwiz.exe

MD5 d0d915bcb40691cdcb45b92693060a7e
SHA1 c2c808ae86b1efa72bc925a99bf1c35c1230fcff
SHA256 6fc3792a759ead90869883dde058cbace942b02df240cbbace7bd4f2fc487832
SHA512 7e8d883c17d0f492c2d5dcbacc1b5f4062f275b0abafc0fed8c7a571cb5b5846952993173b15092fd55dcae29fd312688108c5b2f8a6dec929c287bb2b3c2959

C:\Users\Admin\AppData\Local\tdqbk\irftp.exe

MD5 982ff572b4c4282fda399476426655b0
SHA1 b525d41c5d1eaa49995ba33132509485413cf569
SHA256 04c2f4679ba4c9c39b9bb8c36491ab6ee83daef32a0415f40891143cbf55d634
SHA512 501aaf73e0063ca1f4286c76673a04dd189f20eb8986ed93bbc72eb2781d34262d367b6253ef4fe352eb5569cb585606461d7a003b041febddeed0ba3cc7c358

C:\Users\Admin\AppData\Local\tdqbk\WINMM.dll

MD5 fc5af0009c23ca35e6db65096e2fff08
SHA1 74b29c1e92ec4416a458393f64136906ac222c8c
SHA256 970d7fb628f4c0a5c74a146f50353740dfa9bc72ba124a41f5ce8861aec2c485
SHA512 31d12e438c363657b9fbc921c5dfa23b3b51e4e1a24c87e862c2d3ffcfce2a1cd1167cc4b850fc00e32e3acafa15e97e81a1ae758000f094eaab6ef17a668b34

\Users\Admin\AppData\Local\tdqbk\WINMM.dll

MD5 72b0b2e54ebd2c399dcd96edf3487791
SHA1 2fde92a82662b64381c53405011d41822fac5244
SHA256 bbf30bff3a60bb8f9dc298a06d39203511db59d036213de8a9b686c4d594939c
SHA512 a3bfbaf01b2b251e0b9e83dab06f6221ae37f18f71eb0af504de7e362192a77e914dde4847bf9cf60124ff39339225c591ea1c8a914960121ecee86d9107f212

\Users\Admin\AppData\Local\tdqbk\irftp.exe

MD5 0b31d458054385b7a387997a12b6e82f
SHA1 7df45ac38c6cef6f7701d21681a516998f6b34f5
SHA256 ba4ab4ff646276ddbe91ef9d99f1978ae25c7b44cb146f8d98c6b66fe45ac498
SHA512 18d964adeb3a6faded74e71b202d180a100584fea603e0e58fc34cf3f0b75fcb3b1aaf88878ce102b88943eeee8957bbab35e7d7915d1670542d42713a7943ef

C:\Users\Admin\AppData\Local\tdqbk\irftp.exe

MD5 1a63380a459cc2a9745b4fc93fcb3687
SHA1 05944e732d4dc4fa269890e9ed8fa8a17a41adcc
SHA256 3e182f7d8446e9ac4b598537fd43124a03859208129d60bb4cbe1d8c65ef5556
SHA512 e65d233bd3a02ae50ca97d3b8cd87ed94da907d4adc9df8f3d758dc6f6e01d6cf5b3eeb9951636a91019e9c604140d5d08a3e0cdc34e708f7c288260df5c7bcf

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\hft8xF\irftp.exe

MD5 bd1e23d1b052e613cd146a5f282501e2
SHA1 49a79db68b6fc596d5eca31de453b0519cc97d06
SHA256 894fdc939e53ab46479075342672e061fde1d3effc80cf441175bb121dbfa968
SHA512 fca2b79f2c6e4eb7a851d51b504ed51aa4c0e625a72b2ff26e883e7c35b35eae8708a3c7dd37f33abc1a3a7a33d7109903226e059c07e14a2a79a0b4d200ece6

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

MD5 6f86fc10048b075d1819d19853772960
SHA1 d65cf5ad4c9b192aaf7bc27e09fd3ded576bf510
SHA256 1f93de89bcc283effef6cecd7e21acbbecb2b53479e24e18219da6a8249784ee
SHA512 61fb0ac4dec9317e6061cf9549cc718c2760bd11e1bdea84ad115d85e5596c1ad0f75ccc81133ee3d27f7e1a153632b9c9b4deb83976aaa625e9cfb7ad1605d5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\2UFxLNE\slc.dll

MD5 132e18ef895165ae5720d2f4976ddf1d
SHA1 b528535d1bc8975919d6a8c8bdeab6bf8de98175
SHA256 66d2cadfad122267a2e55d5dd8784753a856bb525cc93ac7e50d0e5b59870ef0
SHA512 c2cb43a1d0d096556da689d103f0856165c997528664449eca0b7dab05d187a70b2f97f00bf232452ae361b4d933bb9a0cf661c84445b41c8d46668096797649

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\7q6\NETPLWIZ.dll

MD5 92040dce981421f568442e17ad393f91
SHA1 6c78301e55f191c634fefe8bc0c1fbb96c686984
SHA256 67c62359e61f186d7826996244b5eccd6750754910e784c9adf7223c1e1dd037
SHA512 afe94297392e7228aa162fd03f4961138783d09646e8aeada8c7a3ec9997f0ce0f7736d0474a8fcb5a053526f7bcac949b0d47ebca33ded12bf0db20ff5e94d3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\hft8xF\WINMM.dll

MD5 c5e1cd42867e7e6151077cc395b998e4
SHA1 c400e1e4b2ed9c8a9a5610c8fc6e75e78744af36
SHA256 36c405ef7f86abd9c3e5e24236ee9f43f79fd77461cd3f67d3275c6c2d47cf7a
SHA512 764cce17a1173f49b7e87de71cb05779f36730bffb411f55e4f2c501aba0b47ef397dd6fda3a78d13843c89ec6d3e6cf35a6b5cd1eef84d9105e1b19b3f0565c