Malware Analysis Report

2024-11-30 21:06

Sample ID 231230-jjaf3scgem
Target 126952a216c08366289cd79a40008501
SHA256 de7907a0e3cf56aad9b67100168868ed634f831fbe4262684c5ab6e05fb3de9c
Tags dridex botnet evasion payload trojan persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 de7907a0e3cf56aad9b67100168868ed634f831fbe4262684c5ab6e05fb3de9c

Threat Level: Known bad

The file 126952a216c08366289cd79a40008501 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan persistence

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-30 07:41

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-30 07:41
Reported 2023-12-31 06:22
Platform win7-20231129-en
Max time kernel 4s
Max time network 122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\126952a216c08366289cd79a40008501.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\126952a216c08366289cd79a40008501.dll,#1

C:\Users\Admin\AppData\Local\jpa5\recdisc.exe

C:\Users\Admin\AppData\Local\jpa5\recdisc.exe

C:\Windows\system32\recdisc.exe

C:\Windows\system32\recdisc.exe

C:\Windows\system32\recdisc.exe

C:\Windows\system32\recdisc.exe

C:\Users\Admin\AppData\Local\2bbnbw\recdisc.exe

C:\Users\Admin\AppData\Local\2bbnbw\recdisc.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Users\Admin\AppData\Local\ctxgVPYJD\wermgr.exe

C:\Users\Admin\AppData\Local\ctxgVPYJD\wermgr.exe

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-30 07:41
Reported 2023-12-31 06:22
Platform win10v2004-20231215-en
Max time kernel 140s
Max time network 163s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\126952a216c08366289cd79a40008501.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3073191680-435865314-2862784915-1000\\7532fxkz\\ie4uinit.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\kRIGYa1J\quickassist.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\9aWVFLNFy\ie4uinit.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\WR7F\dxgiadaptercache.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3524 wrote to memory of 4336 | N/A | N/A | C:\Windows\system32\quickassist.exe
PID 3524 wrote to memory of 4336 | N/A | N/A | C:\Windows\system32\quickassist.exe
PID 3524 wrote to memory of 3560 | N/A | N/A | C:\Users\Admin\AppData\Local\kRIGYa1J\quickassist.exe
PID 3524 wrote to memory of 3560 | N/A | N/A | C:\Users\Admin\AppData\Local\kRIGYa1J\quickassist.exe
PID 3524 wrote to memory of 4248 | N/A | N/A | C:\Windows\system32\ie4uinit.exe
PID 3524 wrote to memory of 4248 | N/A | N/A | C:\Windows\system32\ie4uinit.exe
PID 3524 wrote to memory of 3256 | N/A | N/A | C:\Users\Admin\AppData\Local\9aWVFLNFy\ie4uinit.exe
PID 3524 wrote to memory of 3256 | N/A | N/A | C:\Users\Admin\AppData\Local\9aWVFLNFy\ie4uinit.exe
PID 3524 wrote to memory of 4880 | N/A | N/A | C:\Windows\system32\dxgiadaptercache.exe
PID 3524 wrote to memory of 4880 | N/A | N/A | C:\Windows\system32\dxgiadaptercache.exe
PID 3524 wrote to memory of 3936 | N/A | N/A | C:\Users\Admin\AppData\Local\WR7F\dxgiadaptercache.exe
PID 3524 wrote to memory of 3936 | N/A | N/A | C:\Users\Admin\AppData\Local\WR7F\dxgiadaptercache.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\126952a216c08366289cd79a40008501.dll,#1

C:\Windows\system32\quickassist.exe

C:\Windows\system32\quickassist.exe

C:\Users\Admin\AppData\Local\kRIGYa1J\quickassist.exe

C:\Users\Admin\AppData\Local\kRIGYa1J\quickassist.exe

C:\Windows\system32\ie4uinit.exe

C:\Windows\system32\ie4uinit.exe

C:\Users\Admin\AppData\Local\9aWVFLNFy\ie4uinit.exe

C:\Users\Admin\AppData\Local\9aWVFLNFy\ie4uinit.exe

C:\Windows\system32\dxgiadaptercache.exe

C:\Windows\system32\dxgiadaptercache.exe

C:\Users\Admin\AppData\Local\WR7F\dxgiadaptercache.exe

C:\Users\Admin\AppData\Local\WR7F\dxgiadaptercache.exe

Network

Files

C:\Users\Admin\AppData\Local\kRIGYa1J\quickassist.exe

MD5 d1216f9b9a64fd943539cc2b0ddfa439
SHA1 6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c
SHA256 c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2
SHA512 c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

C:\Users\Admin\AppData\Local\kRIGYa1J\UxTheme.dll

MD5 04e4cd335dc51bcc781e3e6b5bab1c70
SHA1 b830b8ad224a5c7ee7ea8d02c0bcbb6508d97fa1
SHA256 aeeb6db21b8b7f6cc0be4fd3104429116ffb4b6e3669ffb8ec93f4c31c1ea1f2
SHA512 af910e3f65cbc7541645a8e8ff94901745280ca3640e32859701d6b3a046ea1b3b94f71e868ab3eb45a94830c6f221f890fe11b5f99e4cd9dd0df840bc0221bb

C:\Users\Admin\AppData\Local\9aWVFLNFy\ie4uinit.exe

MD5 a2f0104edd80ca2c24c24356d5eacc4f
SHA1 8269b9fd9231f04ed47419bd565c69dc677fab56
SHA256 5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c
SHA512 e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

C:\Users\Admin\AppData\Local\9aWVFLNFy\VERSION.dll

MD5 40b0eaf6d64d3b15509e9713177dc2c6
SHA1 e5ac932799982f8af99a1ddbe4feddbbca73845d
SHA256 9d6cc312fe05756c60b593963320aecdc1b7be7f1577fc4d9c333c6fdcfad32e
SHA512 ff52b73ad4813cf1854188a56bf806b2fc5a8baa43def1e714f6000b73a1dd54ebef24d3f4f0136626869d214bd555e9cd6c330e484b096f019f22e8abcb08e3

C:\Users\Admin\AppData\Local\WR7F\dxgiadaptercache.exe

MD5 e62f89130b7253f7780a862ed9aff294
SHA1 b031e64a36e93f95f2061be5b0383069efac2070
SHA256 4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5
SHA512 05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

C:\Users\Admin\AppData\Local\WR7F\dxgi.dll

MD5 3c7657d30700cd7281be13975bd69a8d
SHA1 7ab609e577e50ba607cafec7bbda9f5ee46e2bb6
SHA256 4a4c18c02d1893b854c995637d6a31f5bea2efefd7a9f176975a17eea5fdd0f4
SHA512 d3ca8111e145e4cf3314603f9a517b2360a13fb6da11e0c50652d0b7617280d01910c6aac202c8d2945453255c574e0792d06446164c9f2b732a7ab3b1d14d5b

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 71da044f8706c4c9b51fab29f6fd3468
SHA1 0ce0dd80d085555c5bedbb35d1665a4e7a8ef44b
SHA256 c00743cf29d3fdf69f2814535a54c78212743bcac0bf5d72377e35509d0bb1f7
SHA512 0cbfd5b371f2080feab26f3e6fc1cf1d0ad6af0889b56980ddccd280e8f1febc864268a43c97c152cca133a052aaa90c855a98b8d1a26194ce48c4fb09aacd27