Malware Analysis Report

2024-11-30 21:30

Sample ID 231230-qdel6sgef3
Target 197bba44cb081704db1ea4b33450dc77
SHA256 9bac5fdb730db1a765633c89c46fe761fce5c73e47345ea0e7b41cd455e8b7cb
Tags
dridex botnet evasion payload trojan persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9bac5fdb730db1a765633c89c46fe761fce5c73e47345ea0e7b41cd455e8b7cb

Threat Level: Known bad

The file 197bba44cb081704db1ea4b33450dc77 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan persistence

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 13:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 13:08

Reported

2024-01-03 16:15

Platform

win7-20231215-en

Max time kernel

4s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\197bba44cb081704db1ea4b33450dc77.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

Process Command line
C:\Windows\system32\rundll32.exe rundll32.exe C:\Users\Admin\AppData\Local\Temp\197bba44cb081704db1ea4b33450dc77.dll,#1
C:\Windows\system32\fvenotify.exe C:\Windows\system32\fvenotify.exe
C:\Users\Admin\AppData\Local\C5v1XUQX\fvenotify.exe C:\Users\Admin\AppData\Local\C5v1XUQX\fvenotify.exe
C:\Windows\system32\sigverif.exe C:\Windows\system32\sigverif.exe
C:\Users\Admin\AppData\Local\fzVdCTs\sigverif.exe C:\Users\Admin\AppData\Local\fzVdCTs\sigverif.exe
C:\Windows\system32\perfmon.exe C:\Windows\system32\perfmon.exe
C:\Users\Admin\AppData\Local\0gp\perfmon.exe C:\Users\Admin\AppData\Local\0gp\perfmon.exe

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 13:08

Reported

2024-01-03 16:16

Platform

win10v2004-20231215-en

Max time kernel

164s

Max time network

179s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\197bba44cb081704db1ea4b33450dc77.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\VTxTK0vRf\\slui.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\fSelkcDoB\sethc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\qOwaZrq\GamePanel.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\oNin4\slui.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3576 wrote to memory of 3528 N/A N/A C:\Windows\system32\GamePanel.exe
PID 3576 wrote to memory of 4536 N/A N/A C:\Users\Admin\AppData\Local\qOwaZrq\GamePanel.exe
PID 3576 wrote to memory of 2696 N/A N/A C:\Windows\system32\slui.exe
PID 3576 wrote to memory of 1184 N/A N/A C:\Users\Admin\AppData\Local\oNin4\slui.exe
PID 3576 wrote to memory of 3328 N/A N/A C:\Windows\system32\sethc.exe
PID 3576 wrote to memory of 888 N/A N/A C:\Users\Admin\AppData\Local\fSelkcDoB\sethc.exe

Uses Task Scheduler COM API

persistence

Processes

Process Command line
C:\Windows\system32\rundll32.exe rundll32.exe C:\Users\Admin\AppData\Local\Temp\197bba44cb081704db1ea4b33450dc77.dll,#1
C:\Windows\system32\GamePanel.exe C:\Windows\system32\GamePanel.exe
C:\Users\Admin\AppData\Local\qOwaZrq\GamePanel.exe C:\Users\Admin\AppData\Local\qOwaZrq\GamePanel.exe
C:\Windows\system32\slui.exe C:\Windows\system32\slui.exe
C:\Users\Admin\AppData\Local\oNin4\slui.exe C:\Users\Admin\AppData\Local\oNin4\slui.exe
C:\Windows\system32\sethc.exe C:\Windows\system32\sethc.exe
C:\Users\Admin\AppData\Local\fSelkcDoB\sethc.exe C:\Users\Admin\AppData\Local\fSelkcDoB\sethc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp

Files

C:\Users\Admin\AppData\Local\qOwaZrq\GamePanel.exe

MD5 266f6a62c16f6a889218800762b137be
SHA1 31b9bd85a37bf0cbb38a1c30147b83671458fa72
SHA256 71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd
SHA512 b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68

C:\Users\Admin\AppData\Local\qOwaZrq\dxgi.dll

MD5 335ad6b3e414f9de34f4399aa5fb3d54
SHA1 bfd0feb183d501ec9ce306ff12a63c5ef91f0940
SHA256 6e238efd014e9f93a9609b7b030e3244f66eaada410ac37302b0b0dcbdf547ce
SHA512 9a61613ed7e923865eac4b39fe88ca764f94b1b81eabdbd1d5279dca350115e4b5c8a8f0b7c8a6a7236382438c0fb8c6e18e0e9908e12742ebdfc6c3edcbe233

C:\Users\Admin\AppData\Local\oNin4\slui.exe

MD5 eb725ea35a13dc18eac46aa81e7f2841
SHA1 c0b3304c970324952e18c4a51073e3bdec73440b
SHA256 25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff
SHA512 39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

C:\Users\Admin\AppData\Local\oNin4\WINBRAND.dll

MD5 d11e276d01acadecd86075c026e4b934
SHA1 52d70f656718764eca02ad14b61c98e8032aebd8
SHA256 3ab408557d74e1c1d27f0ea69c133f6d11c4b9f720d7961edfe16449b7ee352f
SHA512 15bc32121240c4e09c5d1292c280cc142fcd64c9a98111bfcecbbad4e8c10ffb692eb28cc9807f407d460e310763066495105e385a4e6f4ad0e7aba3ad5c66ce

C:\Users\Admin\AppData\Local\fSelkcDoB\sethc.exe

MD5 8ba3a9702a3f1799431cad6a290223a6
SHA1 9c7dc9b6830297c8f759d1f46c8b36664e26c031
SHA256 615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8
SHA512 680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746

C:\Users\Admin\AppData\Local\fSelkcDoB\UxTheme.dll

MD5 a0740898cee2f4d10b1266d8da2711ab
SHA1 58aedc8846433d86c85e989dca66de220fed51ee
SHA256 86960dac51eccf29c1c9ae939339eff13f4db4ccd8fa0db4e10c8a8833ad3e6e
SHA512 9fa088a16276a3500dabd20b7aa9f8c3bd3cb2b3dc93779005b19124231fb12c55138c6353981cf7b725a5fbef76dc3f9976a99e9bb843bc953743a67a9d766b

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 d2ab79bba07e293ae30103f366846f8a
SHA1 1035895bbd8c648dc212d026ca2da07fc19e8867
SHA256 6ef0f5a04512851fa80b679d1497d7b30924a3fe8a9b3d6b31150df6dcf41a0a
SHA512 eccab2afb14be95bb904aa5130f8eb410869ba5ce45704e436abb5b7bdedaf130568ba4c4305d2ffb57310aaee1b9e84cad743bae1246ca143c48dac7c21c868