Malware Analysis Report

2024-11-30 21:08

Sample ID 231230-q6m41scehm
Target 1aa129aa91ab4e9c78556e4f9d4d795e
SHA256 cc153843be83b66723fe9f0001a83f39b8f4f76aa6b8f68862497b2bd3206390
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

cc153843be83b66723fe9f0001a83f39b8f4f76aa6b8f68862497b2bd3206390

Threat Level: Known bad

The file 1aa129aa91ab4e9c78556e4f9d4d795e was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 13:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 13:52

Reported

2024-01-01 00:59

Platform

win10v2004-20231222-en

Max time kernel

9s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1aa129aa91ab4e9c78556e4f9d4d795e.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\sY6\\isoburn.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Pxs0pcXl\isoburn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\gsh59oJmf\Taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ChZyxsrK1\phoneactivate.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3436 wrote to memory of 904 N/A N/A C:\Windows\system32\phoneactivate.exe
PID 3436 wrote to memory of 904 N/A N/A C:\Windows\system32\phoneactivate.exe
PID 3436 wrote to memory of 1580 N/A N/A C:\Users\Admin\AppData\Local\ChZyxsrK1\phoneactivate.exe
PID 3436 wrote to memory of 1580 N/A N/A C:\Users\Admin\AppData\Local\ChZyxsrK1\phoneactivate.exe
PID 3436 wrote to memory of 3432 N/A N/A C:\Windows\system32\isoburn.exe
PID 3436 wrote to memory of 3432 N/A N/A C:\Windows\system32\isoburn.exe
PID 3436 wrote to memory of 4208 N/A N/A C:\Users\Admin\AppData\Local\Pxs0pcXl\isoburn.exe
PID 3436 wrote to memory of 4208 N/A N/A C:\Users\Admin\AppData\Local\Pxs0pcXl\isoburn.exe
PID 3436 wrote to memory of 5012 N/A N/A C:\Windows\system32\Taskmgr.exe
PID 3436 wrote to memory of 5012 N/A N/A C:\Windows\system32\Taskmgr.exe
PID 3436 wrote to memory of 2908 N/A N/A C:\Users\Admin\AppData\Local\gsh59oJmf\Taskmgr.exe
PID 3436 wrote to memory of 2908 N/A N/A C:\Users\Admin\AppData\Local\gsh59oJmf\Taskmgr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1aa129aa91ab4e9c78556e4f9d4d795e.dll,#1

C:\Windows\system32\isoburn.exe

C:\Windows\system32\isoburn.exe

C:\Windows\system32\Taskmgr.exe

C:\Windows\system32\Taskmgr.exe

C:\Users\Admin\AppData\Local\Pxs0pcXl\isoburn.exe

C:\Users\Admin\AppData\Local\Pxs0pcXl\isoburn.exe

C:\Users\Admin\AppData\Local\ChZyxsrK1\phoneactivate.exe

C:\Users\Admin\AppData\Local\ChZyxsrK1\phoneactivate.exe

C:\Windows\system32\phoneactivate.exe

C:\Windows\system32\phoneactivate.exe

C:\Users\Admin\AppData\Local\gsh59oJmf\Taskmgr.exe

C:\Users\Admin\AppData\Local\gsh59oJmf\Taskmgr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\aOpJESY\DUI70.dll

MD5 2c24127eda878499367ad59e2c1114e5
SHA1 5e57b47959806cae6ee5b136c00a488a520ff45f
SHA256 414f8b44da073c8ebbffcc2cc5ccc69e3a39b0ab066bf8090afd527ec3fba183
SHA512 6b541e8a46273cb04531daeb3a0a743d5b6f75d83bc4b1e3777afdfb67aa329a34e5bdb71aefc7652f1b164c52165c257bb2fd60637b9ade50e4df2262e0e8d5

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 13:52

Reported

2024-01-01 01:00

Platform

win7-20231215-en

Max time kernel

148s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1aa129aa91ab4e9c78556e4f9d4d795e.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\OLGB\rdpinit.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\qU47DXYK\spinstall.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\yh4D7z\SystemPropertiesRemote.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\9R\\spinstall.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\OLGB\rdpinit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\qU47DXYK\spinstall.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\yh4D7z\SystemPropertiesRemote.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1292 wrote to memory of 2596 N/A N/A C:\Windows\system32\rdpinit.exe
PID 1292 wrote to memory of 2596 N/A N/A C:\Windows\system32\rdpinit.exe
PID 1292 wrote to memory of 2596 N/A N/A C:\Windows\system32\rdpinit.exe
PID 1292 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\OLGB\rdpinit.exe
PID 1292 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\OLGB\rdpinit.exe
PID 1292 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\OLGB\rdpinit.exe
PID 1292 wrote to memory of 2572 N/A N/A C:\Windows\system32\spinstall.exe
PID 1292 wrote to memory of 2572 N/A N/A C:\Windows\system32\spinstall.exe
PID 1292 wrote to memory of 2572 N/A N/A C:\Windows\system32\spinstall.exe
PID 1292 wrote to memory of 2828 N/A N/A C:\Users\Admin\AppData\Local\qU47DXYK\spinstall.exe
PID 1292 wrote to memory of 2828 N/A N/A C:\Users\Admin\AppData\Local\qU47DXYK\spinstall.exe
PID 1292 wrote to memory of 2828 N/A N/A C:\Users\Admin\AppData\Local\qU47DXYK\spinstall.exe
PID 1292 wrote to memory of 1908 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 1292 wrote to memory of 1908 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 1292 wrote to memory of 1908 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 1292 wrote to memory of 1652 N/A N/A C:\Users\Admin\AppData\Local\yh4D7z\SystemPropertiesRemote.exe
PID 1292 wrote to memory of 1652 N/A N/A C:\Users\Admin\AppData\Local\yh4D7z\SystemPropertiesRemote.exe
PID 1292 wrote to memory of 1652 N/A N/A C:\Users\Admin\AppData\Local\yh4D7z\SystemPropertiesRemote.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1aa129aa91ab4e9c78556e4f9d4d795e.dll,#1

C:\Windows\system32\rdpinit.exe

C:\Windows\system32\rdpinit.exe

C:\Users\Admin\AppData\Local\OLGB\rdpinit.exe

C:\Users\Admin\AppData\Local\OLGB\rdpinit.exe

C:\Windows\system32\spinstall.exe

C:\Windows\system32\spinstall.exe

C:\Users\Admin\AppData\Local\qU47DXYK\spinstall.exe

C:\Users\Admin\AppData\Local\qU47DXYK\spinstall.exe

C:\Windows\system32\SystemPropertiesRemote.exe

C:\Windows\system32\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\yh4D7z\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\yh4D7z\SystemPropertiesRemote.exe

Network

N/A

Files

\Users\Admin\AppData\Local\OLGB\slc.dll

MD5 9b7c44d53570d6c5e840b37eaed6464a
SHA1 e9dad2fd511a7a4a91e98a1159f59690253ad5f2
SHA256 2cfbb4cc4643c06326d35d9449a9750295677852572410ad4fffd67cce1027e7
SHA512 dcf968a4f66e3d85b7ac27476d5322e986163d843423d94e1dad4230478864a9f513433791738609452208775bb27e5a09333bb09d3b97468a42f4e10970e334

C:\Users\Admin\AppData\Local\OLGB\slc.dll

MD5 2e97578f9344e2cfa08d982cd010c454
SHA1 aecc97a0ab1f6f4aade7eecbead979f2eea0de40
SHA256 6a4c548e4a4cc237f7f20e8e718f12b9e398cd9b115b714a370c53d69a14d69f
SHA512 9f7d9c4e122534848fa09a4a34924b60869abd834fae7638e81ecfed28ba31bc6896476a2916f1765aa4e74f02e939e2dc5d787f8983c362161d4a51132abb4c

C:\Users\Admin\AppData\Local\OLGB\rdpinit.exe

MD5 e5890e1be4f31abab5893d0812c8eb01
SHA1 26bb36e64d6fbd469a0506f0396fac331b4408ba
SHA256 e4aa45daae6cf8ab51a4dfde0eb65e5a5b820917b17d31c8b38785252d9f0f92
SHA512 3ad4f99ecd11022b17ac2a8bad3a328eb0ffd2a94bfb7c52b331f6a516e42e210cfbc42681e4280d317982e2a88be2daca9845216442a618bc127b8bc277d522

\Users\Admin\AppData\Local\OLGB\rdpinit.exe

MD5 4e630a2dfed6a970ddf5230da47852cb
SHA1 525388660322feedce49ddbe672f2034768df04e
SHA256 67ca5ee4356c85128940cc001ecfe0b3d8e9b0ee89c1f6522372fcf31f75ed3e
SHA512 6787270c30b9c9d003558c8a94f57fbb7d9807c9145dc3572b6ebcf8fb97868911c1d600ef4bd630d0bdb5c11f8de9470418e6a05e314e79013b5b4b281ed1ce

C:\Users\Admin\AppData\Local\OLGB\rdpinit.exe

MD5 664e12e0ea009cc98c2b578ff4983c62
SHA1 27b302c0108851ac6cc37e56590dd9074b09c3c9
SHA256 00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332
SHA512 f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

C:\Users\Admin\AppData\Local\qU47DXYK\spinstall.exe

MD5 cda3de82f148da2ce34dc150b15aa29b
SHA1 d696e6cd7ccdfef5b72d6d000665ee18c9b65fc5
SHA256 30935168d4ede86dc234787bee2bcec86f31e2c8b903fa8e45017f4f85788982
SHA512 c868b3ea09b5525a995135bf8c88989be18005a0dd752c462dd2181af8133102e96391607c25d2161531a0c4446ebd16ed9cdf83434cc86d3a9e9e206ddff9b7

\Users\Admin\AppData\Local\qU47DXYK\wer.dll

MD5 a971f217536dbfb6171b27aa84e00507
SHA1 d0a0fc3acde0197c9938dbf1cb35e15b7d3d0312
SHA256 52b1c12fad1094c4d0914a92e210410771468a04db9e88dc1232f736fd4df1ac
SHA512 f7c3c7db50c8e329a3bda264d9641e20ddb9ce81ed9166bca287152a56edca6d5aa64dd2a7460fe3edf2b2e4172a86bab69c9f4b7af59eb5feaca506da51d594

C:\Users\Admin\AppData\Local\qU47DXYK\wer.dll

MD5 d4b4884ad015f4a8125ce1b1dd6cb39f
SHA1 784bb0e09f2134eda7407a025ac9ea48f270195c
SHA256 44b71fd4f54c78fc4027bec807577e30ff76905651a9732d7f940c9bf03b83ad
SHA512 29a68da121f2db75cde09b5f15145ccebd39857453f1f3f58e30977a28eb073a2b31ad23d16a8fc41fd4c967499ab28b6769e681542b21b5f7ce85819a077513

\Users\Admin\AppData\Local\qU47DXYK\spinstall.exe

MD5 0080e4bb1eaf8e09d97e0845a8dc6f7a
SHA1 b89441735484bb19f6b6e044a3d4add667e08a78
SHA256 a74a687f2fc13a78b20e12fc9a885dd349d2986cbb99948c317afcec346ca500
SHA512 698e849214b8b6f45f44627bc9371a0487d4a7297ea522930af65148eadbf965efcad6ec51b8719e9ed42e61de770bfc46c07c8352d5db6e7a8f52a3831d3485

C:\Users\Admin\AppData\Local\qU47DXYK\spinstall.exe

MD5 816712f75840bd35c599f50047dc2e3e
SHA1 306e0f33c90e2ca59d35dc0bd618242b1fb2a6f3
SHA256 c128047f9071adedb8f69092f87408a54a16eed9b44c30fe24a161269d0986e1
SHA512 a34d0f2ea0740cdd32ad6a1831a8d8222e836929584516acb50bc5422966e02d2a8482f28c47ec43177050d54443117bfd09dca70b350b59d82b4b97aa844f39

C:\Users\Admin\AppData\Local\yh4D7z\SystemPropertiesRemote.exe

MD5 d0d7ac869aa4e179da2cc333f0440d71
SHA1 e7b9a58f5bfc1ec321f015641a60978c0c683894
SHA256 5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a
SHA512 1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

\Users\Admin\AppData\Local\yh4D7z\SYSDM.CPL

MD5 5551368a6705e760ade3181f09294363
SHA1 5decc80cc27b2fe750fede62f2ae7a18d67bc0ae
SHA256 078a7961ef2e1a4e183f8ea8e5fdf09da19fe56088545c0c657af0035c281234
SHA512 f9e83e653b0fb03b632400e341567e9ca0588869eb50cd2f429ac362fa4c8e84547ff9c2ef34efe72c98a37085e7cf7c05980aec745001337c7732be6ccde33b

C:\Users\Admin\AppData\Local\yh4D7z\SYSDM.CPL

MD5 e4b14a0571e6deb3b8551753b00fbe07
SHA1 aba5c1591191f9e921486599c9b4d980ad76e8d6
SHA256 f52556a855b89b69abc99dfdf1cf63dd82985f130534e05f93d7ac0d19a80492
SHA512 360b8e3e0b305eeb9a7104b782b0c502c6db1df5a657fc8b855748c622f0217ef05fc6eb0f083f74e4b2df49759f13e9dea0fcb07e70fd8708b0667419b531a7

\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Zn9xOqq5K\SystemPropertiesRemote.exe

MD5 74d32e68891538c4a35d2d86641ce77a
SHA1 cfbb57f9a4ac2918a7956df71e8ac1152685a52d
SHA256 f4ae8bc91fb740891a3e0008ee23dc3e5534ac1e0732a44c6c9f4c728d70629f
SHA512 a4149c7cc35d0d1d25b42ad32f5701e20554a82dd0fb127d250041725101f8e8951db1a84e9afb6f03b7fcc23b6126c88b813da69eaaf3daae2fde059ffb2e40

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

MD5 fe47b3100522d14791374849f8553cd4
SHA1 380ca3d4b2d4868974ec152870880864fc4e2977
SHA256 7564d562c9210e3648e3ca851d8318138570fcd3d4532216e2a4d50c3c7b67b0
SHA512 1d83ad65563d4ba28453fadf3bb96ebb08533cebbcb80d2a7936279afbc31eb0ad8aadcf9a8256d6b0aacdb209badca48d5ff2f3251038488e7a9e15c3c9e7e1

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\8bKCgGEJobz\slc.dll

MD5 5a38578ebed679b9749db7c03fa5fe10
SHA1 d07a364aa674d1423f440bcdd111cb37a4ea9689
SHA256 0b42e2f4b888ce666dcbcc649d2081544d9cbfd3d053f31784f09eb8dbf64590
SHA512 5d1e3bd53e8739d4254cb7f52263b5b8e4ff650562467c3cbe637e126b035561df856f9084a31898c8c245ba40adb10df00c05bd9d2bfe388d2e4c740f42ca88

C:\Users\Admin\AppData\Roaming\Macromedia\9R\wer.dll

MD5 68812ca67a0bb081c3a27f5382c0bbc4
SHA1 1760d805ebe976ca934a5c99770a1961a7a881e5
SHA256 bda29d66eb47e893fa9abcc068c690b3a7de48f2afb358d8b018d1d5e49c829f
SHA512 2273d230197518012d846efa7df70f7fdd6c7766b8c6a8e410de0a306f9142b3aeefbc81a0ce98ed064fd43d21675b2f68bce3d33666fad35b3da2b46ce79c25

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Zn9xOqq5K\SYSDM.CPL

MD5 bc730d31113a658ca6477218c251044c
SHA1 f79528f489581d5e6b2abfd634fa0e4647b38bd8
SHA256 6b6981d5760d17917579369bf9d3fb43f1772756e9099d4a6221b8025a033718
SHA512 b3004f32c709e5538cd9fa095859f9b2debb2f07cc985f70059b410c107a25e2da3dc366938efbea6e8e7a03c4d288a3fc54f4a4db74e0ced3f52da439cc6c12