Analysis Overview
SHA256
f82e6e8bf49c6980ca60b9747725046747e4a9bea7334177db1e91ccfcb36874
Threat Level: Known bad
The file 11ece27856133435ff8c3f2f1c4b8b02 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 07:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 07:17
Reported
2024-01-01 08:26
Platform
win10v2004-20231215-en
Max time kernel
136s
Max time network
166s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\iz1qzr\SystemPropertiesPerformance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\0VMlZ\FileHistory.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\v2DstN\SndVol.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\iz1qzr\SystemPropertiesPerformance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\0VMlZ\FileHistory.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\v2DstN\SndVol.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\WINDOW~1\\3WAZE8~1\\FILEHI~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\iz1qzr\SystemPropertiesPerformance.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\0VMlZ\FileHistory.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\v2DstN\SndVol.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\11ece27856133435ff8c3f2f1c4b8b02.dll,#1
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\iz1qzr\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\iz1qzr\SystemPropertiesPerformance.exe
C:\Windows\system32\FileHistory.exe
C:\Windows\system32\FileHistory.exe
C:\Users\Admin\AppData\Local\0VMlZ\FileHistory.exe
C:\Users\Admin\AppData\Local\0VMlZ\FileHistory.exe
C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
C:\Users\Admin\AppData\Local\v2DstN\SndVol.exe
C:\Users\Admin\AppData\Local\v2DstN\SndVol.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/4740-0-0x000001D80F8B0000-0x000001D80F8B7000-memory.dmp
memory/4740-1-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-4-0x0000000002890000-0x0000000002891000-memory.dmp
memory/3520-7-0x0000000140000000-0x0000000140379000-memory.dmp
memory/4740-8-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-9-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-10-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-11-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-12-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-6-0x00007FFE4FA4A000-0x00007FFE4FA4B000-memory.dmp
memory/3520-13-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-14-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-15-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-16-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-17-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-18-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-19-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-20-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-21-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-22-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-23-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-24-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-25-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-26-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-27-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-28-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-29-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-30-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-31-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-32-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-33-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-34-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-35-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-36-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-37-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-38-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-39-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-40-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-41-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-42-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-43-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-44-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-45-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-46-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-47-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-48-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-49-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-50-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-51-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-52-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-53-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-54-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-55-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-56-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-57-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-58-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-59-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-60-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-61-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-62-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-63-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-64-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-65-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3520-68-0x00000000027F0000-0x00000000027F7000-memory.dmp
memory/3520-77-0x00007FFE50840000-0x00007FFE50850000-memory.dmp
C:\Users\Admin\AppData\Local\iz1qzr\SystemPropertiesPerformance.exe
| MD5 | e4fbf7cab8669c7c9cef92205d2f2ffc |
| SHA1 | adbfa782b7998720fa85678cc85863b961975e28 |
| SHA256 | b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30 |
| SHA512 | c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6 |
C:\Users\Admin\AppData\Local\iz1qzr\SYSDM.CPL
| MD5 | 2274c0f10748d2efd97fa5d603ee5dd7 |
| SHA1 | ebf7360d538fd84ae0ca8ed3324e380884556ae1 |
| SHA256 | cc4df6c3c1f075dbeb062da42b328887ab55def131c8816697e3ea8c2b3f5660 |
| SHA512 | f7f2a0354d653de5839e32da595c04b5887c86d2e665bbc5363619d1cb89b4c5fc8333eb471379f319dbfd7de79af3593b6c486269ac972cdf9221a60d2a0490 |
C:\Users\Admin\AppData\Local\iz1qzr\SYSDM.CPL
| MD5 | 05bc0db1262c3e479f2c940cc1156b34 |
| SHA1 | 5b38ea29e2bc8f4cdb5486f3695023775190d146 |
| SHA256 | 4f3d17e449031227e8ce6fa9d93695672de8fbf228e5c78aca0d63a9e039c742 |
| SHA512 | 99309ac26b0b124bc4b42db57fbcd8a6b6990459b57678da200a483713b5d2f12a5d342c5b31a93a3d826c374f5ba0f34b19555d6008d52d7dd695aabb575473 |
memory/2136-97-0x000002CCB76E0000-0x000002CCB76E7000-memory.dmp
C:\Users\Admin\AppData\Local\0VMlZ\FileHistory.exe
| MD5 | eeba3dd643ced2781ec1b7e3cd6fa246 |
| SHA1 | 2d394173e603625e231633fc270072e854bac17b |
| SHA256 | bee0799a52fe65b8dc291de32f0c8b03b5a067915b1868bc8ba2a1b139c90b87 |
| SHA512 | 222d4fbc7ee57d75889698a0660996293a0143518fdecc1b222618796d76d40f2d3b00b071f92ab917ac8847f195d7de02df55b5e89dad8a80d110e464cd3271 |
C:\Users\Admin\AppData\Local\0VMlZ\UxTheme.dll
| MD5 | 55567c3f978ce2a63e5629c7ab19ff49 |
| SHA1 | 36f96a6257879f0a342b2f63f87d78ba1cfbf25a |
| SHA256 | 963862bd5f48e65eb8ff8a43b11adb8efda6f4ecc8ef64b04e4654891b3ca9f1 |
| SHA512 | 7bb02f67248df73a1a5c8f3927bab84f170295c1f3ff5e3605224d16eadf7f6a28018c21ec029cf3482a10540f7b00b123430d556bf64aaea62cf52d95ed8201 |
memory/656-114-0x000001BEAF1E0000-0x000001BEAF1E7000-memory.dmp
C:\Users\Admin\AppData\Local\v2DstN\SndVol.exe
| MD5 | c5d939ac3f9d885c8355884199e36433 |
| SHA1 | b8f277549c23953e8683746e225e7af1c193ad70 |
| SHA256 | 68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605 |
| SHA512 | 8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0 |
C:\Users\Admin\AppData\Local\v2DstN\UxTheme.dll
| MD5 | c02eed1a4262664079605d4d673b9178 |
| SHA1 | 3c85895739dd80e3742bb430ff1949b90f0bc2b2 |
| SHA256 | 5bfe328cf55e0121ff20f0b1293856fccd2da87be259c8b449d7a05ed41fc8d7 |
| SHA512 | 87b3b7908bd509fa264b3eebc13c7da9a066084a2392361f4076d6bced0a5bb0e5f32576c8598c38e01da8703852f84dc65c3a2a6e9d2a9b59db107671ba19d9 |
memory/3372-137-0x00000212CE2C0000-0x00000212CE2C7000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| MD5 | 018e329bf5dc1b2df8722130e27e5e14 |
| SHA1 | 0b37bfe35afa256e94af7cb5307d789862d05f03 |
| SHA256 | 18fdb9db02ccf2815935e2cb4a3cd194f691092136337c3f123763d4a47f5d14 |
| SHA512 | 216ef6e8e858f60e18669af6e2e4593f3b248ab0a82c76644f589183faf1db4044c1d5a56899ce834b8fdb62ad6c7bd835170f7bfbb0b5733a11cc1419968f99 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 07:17
Reported
2024-01-01 08:26
Platform
win7-20231215-en
Max time kernel
14s
Max time network
134s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\11ece27856133435ff8c3f2f1c4b8b02.dll,#1
C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
C:\Users\Admin\AppData\Local\ktK15H\sdclt.exe
C:\Users\Admin\AppData\Local\ktK15H\sdclt.exe
C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
C:\Users\Admin\AppData\Local\SI36TQJ\Netplwiz.exe
C:\Users\Admin\AppData\Local\SI36TQJ\Netplwiz.exe
C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
C:\Users\Admin\AppData\Local\tdqbk\irftp.exe
C:\Users\Admin\AppData\Local\tdqbk\irftp.exe
Network
Files
memory/2044-0-0x0000000000110000-0x0000000000117000-memory.dmp
memory/2044-1-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-4-0x0000000076CE6000-0x0000000076CE7000-memory.dmp
memory/1260-5-0x00000000025F0000-0x00000000025F1000-memory.dmp
memory/1260-12-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-11-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-15-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-14-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-13-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-10-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-9-0x0000000140000000-0x0000000140379000-memory.dmp
memory/2044-8-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-16-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-21-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-22-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-20-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-19-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-18-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-17-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-24-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-23-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-7-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-25-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-26-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-30-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-31-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-29-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-28-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-27-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-33-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-34-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-32-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-35-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-42-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-44-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-43-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-41-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-40-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-46-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-47-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-48-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-45-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-50-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-55-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-56-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-54-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-53-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-52-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-51-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-49-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-39-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-38-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-37-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-36-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-58-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-65-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-64-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-63-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-69-0x00000000025D0000-0x00000000025D7000-memory.dmp
memory/1260-62-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-61-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-60-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-77-0x0000000076DF1000-0x0000000076DF2000-memory.dmp
memory/1260-78-0x0000000076F50000-0x0000000076F52000-memory.dmp
memory/1260-59-0x0000000140000000-0x0000000140379000-memory.dmp
memory/1260-57-0x0000000140000000-0x0000000140379000-memory.dmp
\Users\Admin\AppData\Local\ktK15H\sdclt.exe
| MD5 | 1b9e0489d63aa9a25adea4a464d63f5b |
| SHA1 | b2a4d5a4217a9ec8b6eb4f0bd6821a8e774d96e0 |
| SHA256 | e402b627ba740ce6cc5364cd0f03cf4f7d250c4d4b47d1fa46ffbf407abc0bcf |
| SHA512 | fcc56d325e8a905fe67bcca7e987d3eb453fe797fe6bb6464135153b26a68051e06ebb4be9597defe17f4272cda79aac3a93179b521d4f4d6681620855a4905e |
C:\Users\Admin\AppData\Local\ktK15H\sdclt.exe
| MD5 | b041a5fd0ff2ff43540ac4b529285c5f |
| SHA1 | c5f930843a63e93ce0b5be3902a9f7549d82bbcf |
| SHA256 | 2df28e3cae406ab310b33bbf4d1feedd49f7004dd6b48370d97f559009ffa1aa |
| SHA512 | b1f1ad2491e69b6cc6a2c57ec3235e2c3e89d7efcefc0541333c4f87ea89b4e2c645e378551aa836414091344ec549ed65ddb22e7a3d3729af5b9285df495bc1 |
\Users\Admin\AppData\Local\ktK15H\slc.dll
| MD5 | c5a487b0f680b3a05a2b29acc076839e |
| SHA1 | 0983d9a19663f93caa9e72164394a773a027b057 |
| SHA256 | 10fcec64ed8718708e1a0a88a87b7d2bf7a24108e5f250d72732669d6fd9bad2 |
| SHA512 | 1fff0495da1dbc12121ca7ee566394569bbaf15156cc78e30fc3e84ad8baa1d99c7c71e5f1b98bd5373f605dd382d42294183d51f09b378efcd59f6c15c9a46d |
C:\Users\Admin\AppData\Local\ktK15H\slc.dll
| MD5 | 9156227a64b3f9a4220591abd7efba90 |
| SHA1 | 68e00c4214cddb4c6fc787bba2ce31aeb28c76ee |
| SHA256 | 86c274674dab331d152a27948a89ef3ae0aa98ca744119d56c708c0d468eade9 |
| SHA512 | 7a3d06db09c73a6e5bdcf6c111216c2fbcc24cfe2c1ed3316e4e2769e694cc4c45f5f11dbcd17b89150ca461b29845cd3561e70a2c70b44878f2b317ad37f67d |
memory/2916-105-0x0000000000190000-0x0000000000197000-memory.dmp
C:\Users\Admin\AppData\Local\ktK15H\sdclt.exe
| MD5 | 039f9b8b9b7f65e356c59c242362ff06 |
| SHA1 | 1fdcd7a018d14fe5c64c07b7994becf6a7db4454 |
| SHA256 | f98c2d04243c2bdbced4ee3cadc1797ca845b03f37dce4d39923928135765407 |
| SHA512 | 9161f3d76222e100a9f2a29080d1a5a508057f9f9f011f89e3845313328938651acf6c45fbb7a7599bf461be8b1dad2fe5374edf41c0978f0bee9a79e7b29fac |
C:\Users\Admin\AppData\Local\SI36TQJ\NETPLWIZ.dll
| MD5 | 7137bee1dbf41d3528eaae2ff4ae4b08 |
| SHA1 | 3efd39068f7fbbe25b935a99eacd58c37d84efd0 |
| SHA256 | 96f07b6d109544c03da076112d2c846766f00a9e8c7a4d83b593c1105f2ac0dc |
| SHA512 | 42628f8f355fe55ba63ee7b7765f215d4c96e0b134ef7f321b58f546c6f095fa690b435f8565db70134cdfb14cdbd5ad76b8d297fe768758a1154fe33c37ef59 |
\Users\Admin\AppData\Local\SI36TQJ\NETPLWIZ.dll
| MD5 | 0265f0a543275d6a97b88d6c0a044a38 |
| SHA1 | 180ff362f7ce351d79fe34ee354be816ad5f9335 |
| SHA256 | 177f2a932b220dc69866ddd7365504109f743769c2833b670b291f2df1d4cd1f |
| SHA512 | 805ba4ef7a1c0c02bfed5551d6840b48748ea961c34ab71c3e9620f5b37b0a671333c2d38ec0b461ba977ffa417d745a7df251b04a4cd5fefbd2f5e7f84a7e51 |
memory/1584-129-0x00000000000F0000-0x00000000000F7000-memory.dmp
C:\Users\Admin\AppData\Local\SI36TQJ\Netplwiz.exe
| MD5 | e43ec3c800d4c0716613392e81fba1d9 |
| SHA1 | 37de6a235e978ecf3bb0fc2c864016c5b0134348 |
| SHA256 | 636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c |
| SHA512 | 176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\7q6\Netplwiz.exe
| MD5 | d0d915bcb40691cdcb45b92693060a7e |
| SHA1 | c2c808ae86b1efa72bc925a99bf1c35c1230fcff |
| SHA256 | 6fc3792a759ead90869883dde058cbace942b02df240cbbace7bd4f2fc487832 |
| SHA512 | 7e8d883c17d0f492c2d5dcbacc1b5f4062f275b0abafc0fed8c7a571cb5b5846952993173b15092fd55dcae29fd312688108c5b2f8a6dec929c287bb2b3c2959 |
C:\Users\Admin\AppData\Local\tdqbk\irftp.exe
| MD5 | 982ff572b4c4282fda399476426655b0 |
| SHA1 | b525d41c5d1eaa49995ba33132509485413cf569 |
| SHA256 | 04c2f4679ba4c9c39b9bb8c36491ab6ee83daef32a0415f40891143cbf55d634 |
| SHA512 | 501aaf73e0063ca1f4286c76673a04dd189f20eb8986ed93bbc72eb2781d34262d367b6253ef4fe352eb5569cb585606461d7a003b041febddeed0ba3cc7c358 |
C:\Users\Admin\AppData\Local\tdqbk\WINMM.dll
| MD5 | fc5af0009c23ca35e6db65096e2fff08 |
| SHA1 | 74b29c1e92ec4416a458393f64136906ac222c8c |
| SHA256 | 970d7fb628f4c0a5c74a146f50353740dfa9bc72ba124a41f5ce8861aec2c485 |
| SHA512 | 31d12e438c363657b9fbc921c5dfa23b3b51e4e1a24c87e862c2d3ffcfce2a1cd1167cc4b850fc00e32e3acafa15e97e81a1ae758000f094eaab6ef17a668b34 |
\Users\Admin\AppData\Local\tdqbk\WINMM.dll
| MD5 | 72b0b2e54ebd2c399dcd96edf3487791 |
| SHA1 | 2fde92a82662b64381c53405011d41822fac5244 |
| SHA256 | bbf30bff3a60bb8f9dc298a06d39203511db59d036213de8a9b686c4d594939c |
| SHA512 | a3bfbaf01b2b251e0b9e83dab06f6221ae37f18f71eb0af504de7e362192a77e914dde4847bf9cf60124ff39339225c591ea1c8a914960121ecee86d9107f212 |
\Users\Admin\AppData\Local\tdqbk\irftp.exe
| MD5 | 0b31d458054385b7a387997a12b6e82f |
| SHA1 | 7df45ac38c6cef6f7701d21681a516998f6b34f5 |
| SHA256 | ba4ab4ff646276ddbe91ef9d99f1978ae25c7b44cb146f8d98c6b66fe45ac498 |
| SHA512 | 18d964adeb3a6faded74e71b202d180a100584fea603e0e58fc34cf3f0b75fcb3b1aaf88878ce102b88943eeee8957bbab35e7d7915d1670542d42713a7943ef |
memory/1124-146-0x00000000000A0000-0x00000000000A7000-memory.dmp
C:\Users\Admin\AppData\Local\tdqbk\irftp.exe
| MD5 | 1a63380a459cc2a9745b4fc93fcb3687 |
| SHA1 | 05944e732d4dc4fa269890e9ed8fa8a17a41adcc |
| SHA256 | 3e182f7d8446e9ac4b598537fd43124a03859208129d60bb4cbe1d8c65ef5556 |
| SHA512 | e65d233bd3a02ae50ca97d3b8cd87ed94da907d4adc9df8f3d758dc6f6e01d6cf5b3eeb9951636a91019e9c604140d5d08a3e0cdc34e708f7c288260df5c7bcf |
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\hft8xF\irftp.exe
| MD5 | bd1e23d1b052e613cd146a5f282501e2 |
| SHA1 | 49a79db68b6fc596d5eca31de453b0519cc97d06 |
| SHA256 | 894fdc939e53ab46479075342672e061fde1d3effc80cf441175bb121dbfa968 |
| SHA512 | fca2b79f2c6e4eb7a851d51b504ed51aa4c0e625a72b2ff26e883e7c35b35eae8708a3c7dd37f33abc1a3a7a33d7109903226e059c07e14a2a79a0b4d200ece6 |
memory/1260-174-0x0000000076CE6000-0x0000000076CE7000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk
| MD5 | 6f86fc10048b075d1819d19853772960 |
| SHA1 | d65cf5ad4c9b192aaf7bc27e09fd3ded576bf510 |
| SHA256 | 1f93de89bcc283effef6cecd7e21acbbecb2b53479e24e18219da6a8249784ee |
| SHA512 | 61fb0ac4dec9317e6061cf9549cc718c2760bd11e1bdea84ad115d85e5596c1ad0f75ccc81133ee3d27f7e1a153632b9c9b4deb83976aaa625e9cfb7ad1605d5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\2UFxLNE\slc.dll
| MD5 | 132e18ef895165ae5720d2f4976ddf1d |
| SHA1 | b528535d1bc8975919d6a8c8bdeab6bf8de98175 |
| SHA256 | 66d2cadfad122267a2e55d5dd8784753a856bb525cc93ac7e50d0e5b59870ef0 |
| SHA512 | c2cb43a1d0d096556da689d103f0856165c997528664449eca0b7dab05d187a70b2f97f00bf232452ae361b4d933bb9a0cf661c84445b41c8d46668096797649 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\7q6\NETPLWIZ.dll
| MD5 | 92040dce981421f568442e17ad393f91 |
| SHA1 | 6c78301e55f191c634fefe8bc0c1fbb96c686984 |
| SHA256 | 67c62359e61f186d7826996244b5eccd6750754910e784c9adf7223c1e1dd037 |
| SHA512 | afe94297392e7228aa162fd03f4961138783d09646e8aeada8c7a3ec9997f0ce0f7736d0474a8fcb5a053526f7bcac949b0d47ebca33ded12bf0db20ff5e94d3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\hft8xF\WINMM.dll
| MD5 | c5e1cd42867e7e6151077cc395b998e4 |
| SHA1 | c400e1e4b2ed9c8a9a5610c8fc6e75e78744af36 |
| SHA256 | 36c405ef7f86abd9c3e5e24236ee9f43f79fd77461cd3f67d3275c6c2d47cf7a |
| SHA512 | 764cce17a1173f49b7e87de71cb05779f36730bffb411f55e4f2c501aba0b47ef397dd6fda3a78d13843c89ec6d3e6cf35a6b5cd1eef84d9105e1b19b3f0565c |