Malware Analysis Report

2024-11-30 21:31

Sample ID 231230-nqb1psbgc6
Target 174607483f14cc2c3dae74fb06e151ef
SHA256 d546192dbec47bd4bf67aa7558a9b4019773b1373ed32de51c4e83b5b6a724b5
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d546192dbec47bd4bf67aa7558a9b4019773b1373ed32de51c4e83b5b6a724b5

Threat Level: Known bad

The file 174607483f14cc2c3dae74fb06e151ef was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 11:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 11:35

Reported

2024-01-03 08:15

Platform

win7-20231215-en

Max time kernel

148s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\174607483f14cc2c3dae74fb06e151ef.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
Seven rows, none with an indicator or target; the three that name a process are:
C:\Users\Admin\AppData\Local\UEuRzMk\Utilman.exe
C:\Users\Admin\AppData\Local\tQd0dyI\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\UdC9\SystemPropertiesComputerName.exe

Each of these is a copy of a Windows system binary (the originals run from C:\Windows\system32, see Processes below) placed in a random-named directory under AppData\Local. Because the application directory is searched before the system directory for DLLs that are not KnownDLLs, the copy resolves one of its imports from its own directory and loads the dropped DLL instead of the real one (DLL side-loading). This run's Files section lists no dropped file, so the DLL loaded here is not named; the win10 run below shows the same pattern with the dropped files recorded.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\Ym\\SYSTEM~1.EXE" N/A N/A

The value data is recorded in 8.3 short-name form (MICROS~1, PRINTE~1, SYSTEM~1.EXE), so the real name of the persisted executable is not shown. A Run-key rule that only matches long path strings misses this entry; match on the ~N short-name marker as well, or resolve the path before comparing. No file under that path appears in this run's Files section.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\UEuRzMk\Utilman.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\tQd0dyI\SystemPropertiesPerformance.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\UdC9\SystemPropertiesComputerName.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (3 rows)
N/A N/A N/A N/A (61 rows)

64 hits in total; only the first three record a process.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 2904 (3 writes) N/A N/A C:\Windows\system32\Utilman.exe
PID 1196 wrote to memory of 2628 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\UEuRzMk\Utilman.exe
PID 1196 wrote to memory of 1612 (3 writes) N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 1196 wrote to memory of 2860 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\tQd0dyI\SystemPropertiesPerformance.exe
PID 1196 wrote to memory of 1972 (3 writes) N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 1196 wrote to memory of 1980 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\UdC9\SystemPropertiesComputerName.exe

All writes come from PID 1196, which the report never names. It is not the rundll32.exe loader itself: the sample image region 0x140000000-0x140120000 is first dumped from PID 2520 and only later from 1196, which is consistent with the loader injecting into an already-running process and that process doing the rest. Each of the three Windows binaries is targeted twice, once as the original started from system32 (PIDs 2904, 1612, 1972) and once as the copy started from AppData\Local (PIDs 2628, 2860, 1980).

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\174607483f14cc2c3dae74fb06e151ef.dll,#1

C:\Windows\system32\Utilman.exe (PID 2904)

C:\Users\Admin\AppData\Local\UEuRzMk\Utilman.exe (PID 2628)

C:\Windows\system32\SystemPropertiesPerformance.exe (PID 1612)

C:\Users\Admin\AppData\Local\tQd0dyI\SystemPropertiesPerformance.exe (PID 2860)

C:\Users\Admin\AppData\Local\UdC9\SystemPropertiesComputerName.exe (PID 1980)

C:\Windows\system32\SystemPropertiesComputerName.exe (PID 1972)

PIDs are taken from the WriteProcessMemory table above. Apart from rundll32.exe, every process is listed with a command line identical to its image path, i.e. started without arguments; the report gives no parent-child tree beyond the memory writes from PID 1196.

Network

N/A

Files

Memory dumps only; no dropped files were captured in this run. Grouped by PID from the dump names memory/<pid>-<index>-<start>-<end>-memory.dmp:

PID 2520: 0x0000000140000000-0x0000000140120000 (dumps 0, 8); 0x0000000000110000-0x0000000000117000 (dump 2)

PID 1196: 0x0000000140000000-0x0000000140120000 (dumps 7, 9-31, 39, 50, 56, 59); 0x0000000077836000-0x0000000077837000 (dumps 4, 130); 0x0000000002D90000-0x0000000002D91000 (dump 5); 0x0000000002D70000-0x0000000002D77000 (dump 35); 0x0000000077A41000-0x0000000077A42000 (dump 40); 0x0000000077BA0000-0x0000000077BA2000 (dump 41)

PID 2628: 0x0000000140000000-0x0000000140154000 (dumps 68, 73); 0x0000000000090000-0x0000000000097000 (dump 71)

PID 2860: 0x0000000140000000-0x0000000140121000 (dumps 92, 97); 0x0000000000190000-0x0000000000197000 (dumps 95, 141)

PID 1980: 0x0000000140000000-0x0000000140121000 (dump 114); 0x0000000000280000-0x0000000000287000 (dump 109)

The 0x140000000-based image (0x120000 bytes) is dumped first from PID 2520, then repeatedly from PID 1196, and a 0x140000000-based image of a slightly different size (0x154000 or 0x121000 bytes) plus a small 0x7000-byte region is dumped from each AppData\Local copy (PIDs 2628, 2860, 1980). PID 2520 is the only dumped process that is neither a WriteProcessMemory source nor target; the report does not name it, but it is where the sample image is first seen.
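The WriteProcessMemory and memory-dump evidence above, parsed programmatically. This is an added example and not part of the report or of any sandbox tooling; the input rows are a constructed subset copied from the two tables above, and the function and constant names are mine. It shows three checks worth automating over any report of this shape: counting writes per (source, target) pair, finding a region base address that recurs across processes (0x140000000 is the MSVC linker's default x64 image base), and pairing each Windows binary with the copy of it that ran from a user-writable directory.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample input: a subset of the rows from the behavioral1
# "Suspicious use of WriteProcessMemory" table, as printed in the report.
# The sandbox emits one row per write event, so repeated rows are repeated writes.
WPM_ROWS = r"""
PID 1196 wrote to memory of 2904 N/A N/A C:\Windows\system32\Utilman.exe
PID 1196 wrote to memory of 2904 N/A N/A C:\Windows\system32\Utilman.exe
PID 1196 wrote to memory of 2904 N/A N/A C:\Windows\system32\Utilman.exe
PID 1196 wrote to memory of 2628 N/A N/A C:\Users\Admin\AppData\Local\UEuRzMk\Utilman.exe
PID 1196 wrote to memory of 2628 N/A N/A C:\Users\Admin\AppData\Local\UEuRzMk\Utilman.exe
PID 1196 wrote to memory of 2628 N/A N/A C:\Users\Admin\AppData\Local\UEuRzMk\Utilman.exe
PID 1196 wrote to memory of 1612 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 1196 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\tQd0dyI\SystemPropertiesPerformance.exe
PID 1196 wrote to memory of 1972 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 1196 wrote to memory of 1980 N/A N/A C:\Users\Admin\AppData\Local\UdC9\SystemPropertiesComputerName.exe
"""

# Constructed sample input: a subset of the behavioral1 memory-dump names,
# memory/<pid>-<index>-<start>-<end>-memory.dmp.
DUMP_NAMES = """
memory/2520-0-0x0000000140000000-0x0000000140120000-memory.dmp
memory/2520-2-0x0000000000110000-0x0000000000117000-memory.dmp
memory/1196-4-0x0000000077836000-0x0000000077837000-memory.dmp
memory/1196-17-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-35-0x0000000002D70000-0x0000000002D77000-memory.dmp
memory/2628-68-0x0000000140000000-0x0000000140154000-memory.dmp
memory/2628-71-0x0000000000090000-0x0000000000097000-memory.dmp
memory/2860-92-0x0000000140000000-0x0000000140121000-memory.dmp
memory/1980-114-0x0000000140000000-0x0000000140121000-memory.dmp
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ \S+ (.+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_wpm(text: str) -> Counter:
    """Count write events per (source pid, target pid, target image path)."""
    counts: Counter = Counter()
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            counts[(int(m.group(1)), int(m.group(2)), m.group(3))] += 1
    return counts


def parse_dumps(text: str) -> List[Tuple[int, int, int, int]]:
    """Return (pid, dump index, start, end) for each dump name."""
    out = []
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            pid, idx, start, end = m.groups()
            out.append((int(pid), int(idx), int(start, 16), int(end, 16)))
    return out


def shared_image_bases(dumps, min_pids: int = 2) -> Dict[int, Set[int]]:
    """Region base addresses dumped from more than one process. 0x140000000 is
    the MSVC linker's default x64 image base; the same base showing up in the
    loader, the injected process and every spawned host is the payload image
    being carried from process to process."""
    by_base: Dict[int, Set[int]] = defaultdict(set)
    for pid, _idx, start, _end in dumps:
        by_base[start].add(pid)
    return {base: pids for base, pids in by_base.items() if len(pids) >= min_pids}


def side_load_pairs(counts: Counter) -> Dict[str, Dict[str, List[str]]]:
    """Group injection targets by image name and split the original under
    C:\\Windows from copies running elsewhere. A name present in both buckets
    is a Windows binary relocated to a user-writable directory so that it
    resolves an import from the malware's directory first (DLL side-loading)."""
    pairs: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: {"system": [], "copy": []})
    for _src, _dst, image in counts:
        name = image.rsplit("\\", 1)[-1].lower()
        bucket = "system" if image.lower().startswith("c:\\windows\\") else "copy"
        if image not in pairs[name][bucket]:
            pairs[name][bucket].append(image)
    return {n: v for n, v in pairs.items() if v["system"] and v["copy"]}


if __name__ == "__main__":
    counts = parse_wpm(WPM_ROWS)
    for (src, dst, image), n in sorted(counts.items()):
        print(f"{src} -> {dst} ({n} writes): {image}")
    for base, pids in shared_image_bases(parse_dumps(DUMP_NAMES)).items():
        print(f"image base {base:#x} seen in PIDs {sorted(pids)}")
    for name, v in side_load_pairs(counts).items():
        print(f"{name}: original {v['system']}, copies {v['copy']}")
```

On the subset above, the only base shared across processes is 0x140000000, seen in PIDs 2520, 1196, 2628, 2860 and 1980, and all three host binaries come out as system32/AppData pairs. The same two parsers work unchanged on the win10 run's tables, where the source PID is 3436 and each target receives two writes.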

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 11:35

Reported

2024-01-03 08:15

Platform

win10v2004-20231215-en

Max time kernel

19s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\174607483f14cc2c3dae74fb06e151ef.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hwtkseldaftjsj = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\E23I1Pj61\\mspaint.exe" N/A N/A

Here the target is a copy of mspaint.exe (a binary also started from system32 and from AppData\Local\o36 in this run) placed in a directory named to look like a Mozilla extensions path. The Files section below lists a dropped WINMM.dll in that same E23I1Pj61 directory, which is the DLL the relocated mspaint.exe will side-load each time the Run key starts it. The directory name and the value name (Hwtkseldaftjsj) differ per run (compare Rtxtioiynm on win7), so detect on the pattern, not on the strings.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\fxQSm\SystemPropertiesAdvanced.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\o36\mspaint.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\RrD5f\raserver.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (4 rows)
N/A N/A N/A N/A (60 rows)

64 hits in total; only the first four record a process.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A (2 rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3436 wrote to memory of 4804 (2 writes) N/A N/A C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 3436 wrote to memory of 452 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\fxQSm\SystemPropertiesAdvanced.exe
PID 3436 wrote to memory of 1292 (2 writes) N/A N/A C:\Windows\system32\mspaint.exe
PID 3436 wrote to memory of 2192 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\o36\mspaint.exe
PID 3436 wrote to memory of 3328 (2 writes) N/A N/A C:\Windows\system32\raserver.exe
PID 3436 wrote to memory of 4072 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\RrD5f\raserver.exe

Same shape as the win7 run: one unnamed process (3436 here, which holds the sample image at 0x140000000 after PID 640 does) writes into each Windows binary twice, once for the system32 original and once for the AppData\Local copy. The host binaries differ between runs (Utilman, SystemPropertiesPerformance and SystemPropertiesComputerName on win7; SystemPropertiesAdvanced, mspaint and raserver on win10), so the chosen hosts are not a stable indicator; a system32 binary re-executed from a random-named AppData\Local directory is.

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\174607483f14cc2c3dae74fb06e151ef.dll,#1

C:\Windows\system32\mspaint.exe (PID 1292)

C:\Users\Admin\AppData\Local\RrD5f\raserver.exe (PID 4072)

C:\Windows\system32\raserver.exe (PID 3328)

C:\Users\Admin\AppData\Local\o36\mspaint.exe (PID 2192)

C:\Users\Admin\AppData\Local\fxQSm\SystemPropertiesAdvanced.exe (PID 452)

C:\Windows\system32\SystemPropertiesAdvanced.exe (PID 4804)

PIDs are taken from the WriteProcessMemory table above. As on win7, every process other than rundll32.exe is listed with a command line identical to its image path, i.e. started without arguments.

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 20.231.121.79:80 tcp
IE 20.223.36.55:443 tcp
IE 20.223.36.55:443 tcp
IE 20.223.36.55:443 tcp
IE 20.223.36.55:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp

No connection in this table is attributed to a process, and the report names no C2 host. The tse1.mm.bing.net sessions and the run of reverse (in-addr.arpa) lookups are consistent with a win10 image's own background traffic; the only destinations without a hostname, 20.231.121.79:80 (twice) and 20.223.36.55:443 (four times), are not tied to the sample by anything shown here. Treat the list as host-level traffic during the detonation rather than as sample indicators, and note that the win7 run produced no network activity at all.

Files

Memory dumps, grouped by PID from the dump names memory/<pid>-<index>-<start>-<end>-memory.dmp:

PID 640: 0x0000000140000000-0x0000000140120000 (dumps 0, 7); 0x00000278BE410000-0x00000278BE417000 (dump 1)

PID 3436: 0x0000000140000000-0x0000000140120000 (dumps 6, 8, 10-31, 39, 49, 51); 0x00000000078D0000-0x00000000078D1000 (dump 4); 0x00007FFB87D6A000-0x00007FFB87D6B000 (dump 9); 0x00000000078B0000-0x00000000078B7000 (dump 32); 0x00007FFB88D40000-0x00007FFB88D50000 (dump 40)

PID 452: 0x0000000140000000-0x0000000140121000 (dumps 60, 66); 0x000001C0BACC0000-0x000001C0BACC7000 (dump 61)

PID 2192: 0x0000000140000000-0x0000000140122000 (dumps 79, 82); 0x000002CA51C80000-0x000002CA51C87000 (dump 78)

PID 4072: 0x0000000140000000-0x0000000140121000 (dump 97); 0x00000281B9F70000-0x00000281B9F77000 (dump 93)

As on win7: the 0x120000-byte sample image is first dumped from PID 640, then repeatedly from the unnamed PID 3436, and a 0x140000000-based image of 0x121000 or 0x122000 bytes plus a 0x7000-byte region is dumped from each AppData\Local copy (PIDs 452, 2192, 4072).

Dropped files:

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mkzwiunlad.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

These four digests are the hashes of zero bytes of input: the shortcut was captured empty (created, or hashed, before anything was written to it). The second persistence mechanism, a .lnk in the Startup folder (again recorded in 8.3 form), is therefore known from the path alone; the hashes above identify nothing and must not go on a blocklist.

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ecxR8p8hNk\SYSDM.CPL

MD5 9fb8e9c0c04130466cfedd80a476261e
SHA1 1172b1f4a7acfe5fedc4f9739f68cdb5326299ea
SHA256 defaf668afa79c391677c8777d8a49bdc0311596ddff563315b35f56d0097bcb
SHA512 0c52869024c5a1d1f68a7be0a8d7549dc4c76ab26f16a2659b374d792ee038408e53ea8a2695198a747fc882b275551fed3f03d6829a78a066916a6fed17b5c4

C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\E23I1Pj61\WINMM.dll

MD5 8db9833ee17c0f616f2eb2f663cbc1da
SHA1 df905c4da9cc1b281bf0603389abce2b6efc8b81
SHA256 3b623470fe88e09f3fba8e373325d8c8aeccd25541e8e843aecf76550493193f
SHA512 94af690d4f6e1613842248ca8d03f4779d0d7944a44f9ac3d7df4689f81cac81a9d193b73a9aa33f59d03bce8272bce1a370cda0032f4d75a97ca583d920be33

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\K2q\WTSAPI32.dll

MD5 5740808152cf3a03399ab7dc87084908
SHA1 351e01543bb0e2791d5ffde975a3ab1cfbd8927f
SHA256 6dd231a62905716cc620500e5401c615c05ef6ecf42698f7310a9e9a5634f15d
SHA512 b95041b358656ac9ad0f47d5ec5d323aed1d803072ba3acda205c45721cafc5e06ab66e7e70a3ed254c86a5d10ea2fc3aecb18c9ca0a8f56d165107b1f31265c
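The Run-key and dropped-file evidence from both runs, correlated. The three DLL/CPL drops sit in directories named after Microsoft, Mozilla and Adobe profile paths, but only WINMM.dll shares a directory with a Run-key target; the report lists no executable beside SYSDM.CPL or WTSAPI32.dll, so their host binaries are not shown. The following is an added example, not code from the report or from the sandbox vendor: the inputs are the two Run-key rows and the four dropped files copied from this page, and the function and constant names are my own. It shows how to pull the target out of a row as the report prints it (quoted, with doubled backslashes), flag 8.3 short-name segments, find dropped files staged in the same directory as a persistence target, and catch hashes that are really the empty-input digests.

```python
import hashlib
import ntpath
import re
from typing import List, Optional, Tuple

# Constructed sample input: the two "Adds Run key to start application" rows
# exactly as the report prints them (behavioral1 first, then behavioral2).
# The value data is quoted and its backslashes are doubled in the report.
RUN_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\Ym\\SYSTEM~1.EXE" N/A N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hwtkseldaftjsj = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\E23I1Pj61\\mspaint.exe" N/A N/A',
]

# Constructed sample input: the dropped files from the behavioral2 "Files"
# section as (path, MD5, SHA256).
DROPPED: List[Tuple[str, str, str]] = [
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mkzwiunlad.lnk",
     "d41d8cd98f00b204e9800998ecf8427e",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ecxR8p8hNk\SYSDM.CPL",
     "9fb8e9c0c04130466cfedd80a476261e",
     "defaf668afa79c391677c8777d8a49bdc0311596ddff563315b35f56d0097bcb"),
    (r"C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\E23I1Pj61\WINMM.dll",
     "8db9833ee17c0f616f2eb2f663cbc1da",
     "3b623470fe88e09f3fba8e373325d8c8aeccd25541e8e843aecf76550493193f"),
    (r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\K2q\WTSAPI32.dll",
     "5740808152cf3a03399ab7dc87084908",
     "6dd231a62905716cc620500e5401c615c05ef6ecf42698f7310a9e9a5634f15d"),
]

RUN_RE = re.compile(r'\\CurrentVersion\\Run\\(\S+) = "([^"]+)"')
SHORT_NAME_RE = re.compile(r"~\d+")  # 8.3 short-name marker, e.g. MICROS~1
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def parse_run_row(row: str) -> Optional[Tuple[str, str]]:
    """Return (value name, target path); collapses the report's doubled backslashes."""
    m = RUN_RE.search(row)
    if not m:
        return None
    return m.group(1), m.group(2).replace("\\\\", "\\")


def short_name_segments(path: str) -> List[str]:
    """Path components written in 8.3 form. A detection that matches the long
    form (...\\Roaming\\Microsoft\\Windows\\...) never sees such a value, so
    compare on the resolved long path or match the ~N marker as well."""
    return [seg for seg in path.split("\\") if SHORT_NAME_RE.search(seg)]


def staged_beside(target: str, dropped) -> List[str]:
    """Dropped files in the same directory as the Run-key target. A DLL or CPL
    dropped next to a copied Windows binary is what that binary will
    side-load when the Run key starts it at logon."""
    folder = ntpath.dirname(target).lower()
    return [path for path, _md5, _sha in dropped if ntpath.dirname(path).lower() == folder]


def empty_captures(dropped) -> List[str]:
    """Dropped files whose digests are those of zero bytes: the sandbox hashed
    the file before anything was written to it, so the artifact is unusable
    and its hashes must not be used as indicators."""
    return [path for path, md5, sha in dropped if md5 == EMPTY_MD5 or sha == EMPTY_SHA256]


if __name__ == "__main__":
    for row in RUN_ROWS:
        name, target = parse_run_row(row)
        print(f"Run\\{name} -> {target}")
        print("  8.3 segments:", short_name_segments(target) or "none")
        print("  staged beside target:", staged_beside(target, DROPPED) or "none")
    print("empty captures:", empty_captures(DROPPED))
```

On this page's data the win7 Run target yields three short-name segments and nothing staged beside it (that run captured no files), the win10 target yields WINMM.dll in the same E23I1Pj61 directory, and the Startup .lnk is the only empty capture. The same functions apply to any Triage-style report where the registry rows are copied out as text.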