Malware Analysis Report

2024-11-30 21:47

Sample ID: 231231-ga5jrafcbp
Target: 2a4593c7858cd5bc550921d94c1b062a (submitted file name)
SHA256: 9427d69e40c53f893e795da1f7a5e3ea11571d78859a8e7dff5d31bfc1c23a08
Tags: dridex, botnet, evasion, payload, trojan, persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 9427d69e40c53f893e795da1f7a5e3ea11571d78859a8e7dff5d31bfc1c23a08

Threat Level: Known bad. The file 2a4593c7858cd5bc550921d94c1b062a was found to be: Known bad.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, trojan, persistence

Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15. The rendered matrix did not survive export; the techniques below are mapped from the signatures recorded in this report.

T1218.011 System Binary Proxy Execution: Rundll32 (the sample is loaded with rundll32.exe <dll>,#1)
T1574.002 Hijack Execution Flow: DLL Side-Loading (copies of Windows system binaries launched from randomly named %LOCALAPPDATA% directories; in the Windows 10 run, beside dropped WTSAPI32.dll, WINSTA.dll and UxTheme.dll)
T1036.005 Masquerading: Match Legitimate Name or Location (dropped DLLs named after Windows system DLLs)
T1055 Process Injection (WriteProcessMemory into the decoy processes, UnmapMainImage)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Run value Dturazvnnsjkgvr; Startup\Dvizybqqo.lnk)
T1053.005 Scheduled Task/Job: Scheduled Task (Task Scheduler COM API)
T1057 Process Discovery (EnumeratesProcesses)

Analysis: static1

Detonation Overview

Reported: 2023-12-31 05:37

Signatures

Unsigned PE
The sample carries no Authenticode signature. No indicator, process or target recorded.

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-31 05:37
Reported: 2024-01-02 08:31
Platform: win7-20231215-en
Max time kernel: 3s
Max time network: 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a4593c7858cd5bc550921d94c1b062a.dll,#1

Signatures

Dridex (botnet, dridex)

Dridex Shellcode (botnet, payload)
No indicator, process or target recorded for this detection.

Checks whether UAC is enabled (evasion, trojan)
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses
Three process-enumeration events, all from C:\Windows\system32\rundll32.exe; no indicator or target recorded.

Processes

Each process is listed with its command line. Apart from rundll32.exe, every process was started with its own image path as the command line and no arguments.

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a4593c7858cd5bc550921d94c1b062a.dll,#1
C:\Users\Admin\AppData\Local\AdGMLQcM6\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\DCQ82D\TpmInit.exe
C:\Windows\system32\TpmInit.exe
C:\Users\Admin\AppData\Local\Ku7iPn\psr.exe
C:\Windows\system32\psr.exe

Three Windows system binaries (SystemPropertiesProtection.exe, TpmInit.exe, psr.exe) were each executed from their original System32 location and again from a copy in a randomly named directory under %LOCALAPPDATA%. This is the DLL side-loading pattern the Dridex loader is known for: the copied binary resolves one of its imported DLLs from its own directory before System32, so a malicious DLL dropped beside it is loaded in place of the genuine one. The file list for this run captured no dropped files, so the companion DLLs are not recorded here; the Windows 10 run below shows them.

Network

N/A

Files

No dropped files were captured in this run; every entry is a memory region, named memory/<pid>-<n>-<start>-<end>-memory.dmp, where <n> is the capture order. The 0x1B7000-byte image at 0x140000000 is the loaded sample: it is first dumped from PID 2288 and then repeatedly from PID 1144, so two processes held it, and a slightly larger region at the same base (0x1B8000 bytes) appears in PID 2192. A 0x7000-byte private region appears in every process the sample touched (PIDs 2288, 1144, 2192, 2536, 1244), the same pattern seen in the Windows 10 run.

memory/2288-1-0x0000000000190000-0x0000000000197000-memory.dmp

memory/2288-0-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-4-0x0000000076EF6000-0x0000000076EF7000-memory.dmp

memory/1144-14-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-29-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-43-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-45-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-54-0x0000000077160000-0x0000000077162000-memory.dmp

memory/1144-53-0x0000000077001000-0x0000000077002000-memory.dmp

memory/1144-68-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/2192-81-0x0000000140000000-0x00000001401B8000-memory.dmp

memory/2192-84-0x0000000000100000-0x0000000000107000-memory.dmp

memory/1144-72-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-69-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-63-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-52-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-44-0x0000000002DD0000-0x0000000002DD7000-memory.dmp

memory/1144-42-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-41-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-40-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-39-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-38-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-37-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-36-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-35-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-34-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-33-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-32-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/2536-101-0x0000000000180000-0x0000000000187000-memory.dmp

memory/1144-31-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-30-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-28-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-27-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-26-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-25-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-24-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-23-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-22-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-21-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-20-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-19-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-18-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-17-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-16-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-15-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1244-124-0x0000000000510000-0x0000000000517000-memory.dmp

memory/1144-13-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-12-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-11-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-10-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-9-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/2288-8-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-7-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1144-5-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

memory/1144-153-0x0000000076EF6000-0x0000000076EF7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-31 05:37
Reported: 2024-01-02 08:32
Platform: win10v2004-20231215-en
Max time kernel: 113s
Max time network: 163s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a4593c7858cd5bc550921d94c1b062a.dll,#1

Signatures

Dridex (botnet, dridex)

Dridex Shellcode (botnet, payload)
No indicator, process or target recorded for this detection.

Adds Run key to start application (persistence)
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\G1N\\rdpclip.exe" | N/A | N/A

The value data uses 8.3 short names; expanded, the target is C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\G1N\rdpclip.exe. The Files section records a WINSTA.dll dropped in that same G1N directory, so the Run key starts a second copy of rdpclip.exe that side-loads the dropped WINSTA.dll at every logon. The rdpclip.exe copy itself is not in the dropped-file list, so on a live host check the G1N directory for both files.

Checks whether UAC is enabled (evasion, trojan)
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\wWRFyfK\mblctr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\XozEe\rdpclip.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\s5ey809U\RecoveryDrive.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

EnableLUA is read by rundll32.exe and by each of the three relocated copies, consistent with the same payload code running inside every decoy process.
Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
Sixty further events were recorded with no description, indicator, process or target.

Suspicious use of UnmapMainImage
No indicator, process or target recorded.

Suspicious use of WriteProcessMemory
Description | Indicator | Process | Target
PID 3500 wrote to memory of 2564 | N/A | N/A | C:\Windows\system32\mblctr.exe
PID 3500 wrote to memory of 2564 | N/A | N/A | C:\Windows\system32\mblctr.exe
PID 3500 wrote to memory of 1972 | N/A | N/A | C:\Users\Admin\AppData\Local\wWRFyfK\mblctr.exe
PID 3500 wrote to memory of 1972 | N/A | N/A | C:\Users\Admin\AppData\Local\wWRFyfK\mblctr.exe
PID 3500 wrote to memory of 4768 | N/A | N/A | C:\Windows\system32\rdpclip.exe
PID 3500 wrote to memory of 4768 | N/A | N/A | C:\Windows\system32\rdpclip.exe
PID 3500 wrote to memory of 944 | N/A | N/A | C:\Users\Admin\AppData\Local\XozEe\rdpclip.exe
PID 3500 wrote to memory of 944 | N/A | N/A | C:\Users\Admin\AppData\Local\XozEe\rdpclip.exe
PID 3500 wrote to memory of 2352 | N/A | N/A | C:\Windows\system32\RecoveryDrive.exe
PID 3500 wrote to memory of 2352 | N/A | N/A | C:\Windows\system32\RecoveryDrive.exe
PID 3500 wrote to memory of 3860 | N/A | N/A | C:\Users\Admin\AppData\Local\s5ey809U\RecoveryDrive.exe
PID 3500 wrote to memory of 3860 | N/A | N/A | C:\Users\Admin\AppData\Local\s5ey809U\RecoveryDrive.exe

All twelve writes originate from PID 3500, and each target process (the System32 original and the %LOCALAPPDATA% copy of every decoy binary) is written twice. The earliest memory dumps in the Files section (capture order 0 and 1) come from PID 4048, which holds the sample image at 0x140000000; PID 3500 holds the same image from its first dump onwards and performs every injection. The report does not name the process behind PID 3500, so the hand-off from the initial rundll32.exe process to it is not visible in the process list.

Uses Task Scheduler COM API (persistence)
No task name, action or trigger was captured for this detection.

Processes

Each process is listed with its command line. Apart from rundll32.exe, every process was started with its own image path as the command line and no arguments.

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a4593c7858cd5bc550921d94c1b062a.dll,#1
C:\Users\Admin\AppData\Local\wWRFyfK\mblctr.exe
C:\Windows\system32\mblctr.exe
C:\Windows\system32\rdpclip.exe
C:\Users\Admin\AppData\Local\XozEe\rdpclip.exe
C:\Windows\system32\RecoveryDrive.exe
C:\Users\Admin\AppData\Local\s5ey809U\RecoveryDrive.exe

As in the Windows 7 run, three Windows system binaries (mblctr.exe, rdpclip.exe, RecoveryDrive.exe) run once from System32 and once from a copy in a randomly named %LOCALAPPDATA% directory. The Files section shows the companion dropped beside each copy: WTSAPI32.dll next to mblctr.exe, WINSTA.dll next to rdpclip.exe, UxTheme.dll next to RecoveryDrive.exe. The loader searches an executable's own directory before System32 for any import that is not on the KnownDLLs list (none of these three is), so each copy loads the dropped DLL instead of the genuine one; that side-load carries the payload into a process whose image is a legitimate Windows binary. The decoy binaries and companion DLL names differ between the two runs, so detection should key on the pattern (a System32 binary name executing from a user-writable directory) rather than on these specific names.
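The detection the two process lists call for, as an added example that is not part of the sandbox report: OBSERVED_IMAGES is constructed from the image paths recorded in both behavioral runs, and USER_WRITABLE_HINTS is an assumed list of path fragments that mark user-writable locations. The function learns which basenames are system binaries from the telemetry itself (anything seen executing from under C:\Windows), then flags every copy of such a name running elsewhere, together with the directory to collect for the companion DLL. A second check parses the rundll32 command line from the report and flags ordinal exports (#N) or DLLs loaded from user-writable paths.

```python
"""Flag Windows system binaries that execute from outside C:\\Windows.

Added example, not part of the sandbox report. OBSERVED_IMAGES is built
from the process image paths in the two behavioral runs; the same logic
applies unchanged to Sysmon Event ID 1 or EDR process-start telemetry.
"""
import ntpath

# Process image paths from behavioral1 (win7) and behavioral2 (win10).
OBSERVED_IMAGES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Users\Admin\AppData\Local\AdGMLQcM6\SystemPropertiesProtection.exe",
    r"C:\Windows\system32\SystemPropertiesProtection.exe",
    r"C:\Users\Admin\AppData\Local\DCQ82D\TpmInit.exe",
    r"C:\Windows\system32\TpmInit.exe",
    r"C:\Users\Admin\AppData\Local\Ku7iPn\psr.exe",
    r"C:\Windows\system32\psr.exe",
    r"C:\Users\Admin\AppData\Local\wWRFyfK\mblctr.exe",
    r"C:\Windows\system32\mblctr.exe",
    r"C:\Windows\system32\rdpclip.exe",
    r"C:\Users\Admin\AppData\Local\XozEe\rdpclip.exe",
    r"C:\Windows\system32\RecoveryDrive.exe",
    r"C:\Users\Admin\AppData\Local\s5ey809U\RecoveryDrive.exe",
]

WINDOWS_ROOT = "c:\\windows\\"
# Assumed: path fragments that mark locations an unprivileged user can write to.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


def under_windows(path):
    return path.lower().startswith(WINDOWS_ROOT)


def user_writable(path):
    low = path.lower()
    return any(hint in low for hint in USER_WRITABLE_HINTS)


def relocated_system_binaries(images):
    """Map each image path running outside C:\\Windows to the system binary
    name it duplicates. The set of system names is learned from the data."""
    system_names = {ntpath.basename(p).lower() for p in images if under_windows(p)}
    hits = {}
    for path in images:
        name = ntpath.basename(path).lower()
        if name in system_names and not under_windows(path):
            hits[path] = name
    return hits


def staging_directories(hits):
    """Directories to collect: the copy's own directory is searched before
    System32, so the side-loaded companion DLL lives next to the copy."""
    return {ntpath.dirname(path) for path in hits}


def rundll32_target(cmdline):
    """Split 'rundll32.exe <dll>,<entry> [args]' into (dll, entry), else None.
    Only the comma form is handled here."""
    parts = cmdline.strip().split(None, 1)
    if len(parts) != 2 or ntpath.basename(parts[0].strip('"')).lower() != "rundll32.exe":
        return None
    dll, sep, rest = parts[1].strip().partition(",")
    if not sep:
        return None
    entry = rest.strip().split(None, 1)[0] if rest.strip() else ""
    return dll.strip().strip('"'), entry


def suspicious_rundll32(cmdline):
    """Flag rundll32 calls that use an ordinal export (#N) or load the DLL
    from a user-writable path; the command line in this report does both."""
    target = rundll32_target(cmdline)
    if target is None:
        return None
    dll, entry = target
    if entry.startswith("#") or user_writable(dll):
        return target
    return None


if __name__ == "__main__":
    found = relocated_system_binaries(OBSERVED_IMAGES)
    for image, name in found.items():
        print(f"{name} running from {image}")
    print("collect:", sorted(staging_directories(found)))
    print(suspicious_rundll32(
        r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a4593c7858cd5bc550921d94c1b062a.dll,#1"))
```

Run against the report's data this yields the six relocated copies and their six staging directories; rundll32.exe itself is not flagged because it only ever ran from System32. On real telemetry the system-name set grows as the host runs, which is what makes the check resistant to the per-run change of decoy binaries seen here.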

Network

Country | Destination | Domain | Proto
US | 20.231.121.79:80 | (none) | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp

Only two TCP connections were made. The g.bing.com lookup and the connection to 204.79.197.200:443 are background traffic from the Windows 10 image, not sample activity. The twenty in-addr.arpa queries are reverse (PTR) lookups; they carry no payload and do not by themselves show contact with the addresses named (the first two reverse the two TCP destinations, 20.231.121.79 and 204.79.197.200). The connection to 20.231.121.79:80 is the only destination with no resolved name and the only network indicator from this run worth carrying forward; nothing in the report shows what was exchanged over it. The Windows 7 run recorded no network activity at all.

Files

Entries of the form memory/<pid>-<n>-<start>-<end>-memory.dmp are regions dumped from process <pid>, numbered in capture order; dropped files are interleaved with them in the same order. The 0x1B7000-byte image at 0x140000000 is the loaded sample: it is present in PID 4048 (the first process dumped) and in PID 3500, the process that performed the WriteProcessMemory calls, and a slightly larger region at the same base (0x1B8000 and 0x1B9000 bytes) appears in the relocated copies, PIDs 1972 and 944. Every process the sample touched also holds a 0x7000-byte private region. Several dropped paths appear twice with different digests because the file was written in more than one step; both captured states are listed, and the first WTSAPI32.dll entry is the digest of an empty file.

memory/4048-0-0x0000021C3E710000-0x0000021C3E717000-memory.dmp

memory/4048-1-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-5-0x00007FFC2562A000-0x00007FFC2562B000-memory.dmp

memory/3500-11-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-13-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-18-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-23-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-26-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-27-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-29-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-31-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-34-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-36-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-37-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-39-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-40-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-43-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-44-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-46-0x0000000000CD0000-0x0000000000CD7000-memory.dmp

memory/3500-42-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-41-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-38-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-35-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-52-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-33-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-32-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-53-0x00007FFC26620000-0x00007FFC26630000-memory.dmp

memory/3500-30-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-62-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-64-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-28-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-25-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-24-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-22-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\wWRFyfK\mblctr.exe

MD5 2102d8565c8731e7e0306a7b543dc802
SHA1 9b79599cf517d73a86cf659e400018b80786ee1c
SHA256 c3168454ccca4938fe500218da94a4cb6b234116204b26e0816bf98e79cd7b70
SHA512 b372ed48ecb20b1616dbe13d9ab15868cbb66cae126f89ca2cc47058b5f895a18694686c9a79cbfacbe7a666e19741d1335b2ac76590b5a17af3b1114a1a8965

C:\Users\Admin\AppData\Local\wWRFyfK\WTSAPI32.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

These four digests are those of a zero-length file: the DLL was created empty and its content written afterwards (the same path is listed again below with its real digests). Do not use this hash set as an indicator; it matches every empty file.

memory/1972-74-0x0000000140000000-0x00000001401B8000-memory.dmp

memory/1972-79-0x0000000140000000-0x00000001401B8000-memory.dmp

memory/1972-73-0x0000015C3E3A0000-0x0000015C3E3A7000-memory.dmp

C:\Users\Admin\AppData\Local\wWRFyfK\WTSAPI32.dll

MD5 d138b6b3203b68da81ffef5fdb6bd99a
SHA1 12d6f64780e5a6a1e76d14f4520977893f5f33bf
SHA256 94790b1fce273de9edb43a2f1c1c3eeaa8a4996622ac316db0800279ec651c07
SHA512 31a7adc439ef463fa799a86258b8e9f837cdcf5ba0a3a2ed42e6912175d0b7bcbd3aee3f4846d5d61603d9c322ff3b5cb7c3a3a569d6ae45bfd1c497448e2d52

memory/3500-21-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\wWRFyfK\mblctr.exe

MD5 b69890e0a69d4a18b76e27293c3f9fe0
SHA1 59cb819b2eb16c9cbeb23a81b3703ef6b4c8c02e
SHA256 47130d5f6291cb46b0e4be7f5c0c1cfaeda9666c54cd0a907651d9658a2fadfa
SHA512 7ad36721a1136a00b2ba2ed2f8cba654098a320e11ae01c050ab4d1067a0f2e5df54ae4320847ab6aa427fab30202fb3d72fdf32ef5344e7dec982ca5d486ac5

memory/3500-20-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-19-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-17-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-16-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-15-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-14-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\XozEe\rdpclip.exe

MD5 c10b07fa30cac5b37c0f5aaeeccff3d8
SHA1 ea3ce50c66136d8070c991a4b7cdbc22866e85d0
SHA256 f3baff3abdf6fdc17c914c9b679f50519dbbf299ba9751dabdeaeba1b434d0e1
SHA512 14787d65b44a1538016b7c96045a062edc3f573f29bab4bbef0a396d20b06d2970fa33244683a8c0d8b3948ab1ea760276e852ca5c2b4b250bb6490e476be0df

C:\Users\Admin\AppData\Local\XozEe\WINSTA.dll

MD5 2efc37d5bcd4441db59a250ea9cb3c1c
SHA1 9aad32894484e5cae50336e9e80d5882a2b59242
SHA256 7ba3570634f4710770ccac79a12a98eb113276a1a14004cdf952e82b4b08cc9d
SHA512 5c9ecb4cc2abfb21e33d120c08693178bf111c5c89fd0ed8d7dd55f2e521aa93e92b00ed73a156f1a5306504d38aaa25c1491be50a2d1544d52b1f3cb38bcfb1

C:\Users\Admin\AppData\Local\XozEe\WINSTA.dll

MD5 6f19d192b8957a565c6615f42cf74f7f
SHA1 6b662ba0bcc79a2f457442af8de3967c0b507a9a
SHA256 8d58907b2b40425403a7a483d65d5bea95ca78908215d95b1fe2855137235885
SHA512 9fb0b831413a8af32189312d2d045e851467e20b5ec7a14419774d3b467471e520722abd31df54f33794ccf2e7034cbf9d7e9dd612d8509c07d22a4f4ad3658a

memory/944-91-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/944-96-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/944-90-0x000001DAFEC70000-0x000001DAFEC77000-memory.dmp

C:\Users\Admin\AppData\Local\XozEe\rdpclip.exe

MD5 ddb6a9715680480e5bbf543b99795ad9
SHA1 d662d15321ea277124af6f30a838c6369afbf2af
SHA256 d7e5b6daadaa713a86cf5b4cfbd8d5c83d88a7faa251d04faab75b0e92ee0a22
SHA512 f8297cb254a4cb5871ed95c571be59bc0f6617365d15e9d2ec09b2caa7f5d7ba2ec28147b160764dc12322a90e323998e9e38dffe398b9a970f06b5a4eb9251f

memory/3500-12-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\s5ey809U\RecoveryDrive.exe

MD5 2a892c8eb7c8b5f94c695ba80faad62f
SHA1 3e3d971916fb3800c89d3c2c2bb4997d60931da4
SHA256 aa12d79e254c533d3be2ac26b56c98805bcf1fea6daeca98451ebc4c2380efcf
SHA512 1d644dfcfd24da6ad224dce6466f795e4cf6d21b6b137eb15e49d8a6f35a7b7e8969860e675f2a317c0e7a6cc3ac4e3509be38cd7cb1350d019339a57bb2229e

C:\Users\Admin\AppData\Local\s5ey809U\UxTheme.dll

MD5 0872db1464a6962b522332046839720e
SHA1 7e08ecc315c92c5267caf50e12ebd270a33f7e9f
SHA256 093b2229f3857fd6620dd1e477f3b40c742724809ae4daebd9a5647598983c18
SHA512 fcd56807f77487946f1f6e969ea69cbfc03c633a4b0625d0252017225b303ca8d0397317169e33d06780a0a2db62c5373082fd2e0f25d734ed36cfac69f38cd2

memory/3860-107-0x0000015CCA440000-0x0000015CCA447000-memory.dmp

C:\Users\Admin\AppData\Local\s5ey809U\UxTheme.dll

MD5 e1464387232510a9d3ffe7864d006f5e
SHA1 3696b2be69cccff87aea19ffcbd8398d2e10d367
SHA256 7194501f70a58d6c5a66cf421c3bb1ef5affa9ba054c5b9e19fffdc3cbe30bad
SHA512 91a9bca682d6b4e69a121b141d888bd639993e98dbd5f48208fe265686d998be46c109eb12085d29fa902f970513cb6f49b869b299d2d2ca025436572f8ab964

memory/3500-10-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\s5ey809U\RecoveryDrive.exe

MD5 306d6e5b24a06ce798b4ba29a9a6d57a
SHA1 99514b5ed90d627857aaa2454382c254b916a8bd
SHA256 4c463df92e0689638d73035807e28d608541967fc02985245bd35b332393c2bb
SHA512 d63ae15c884dd6e478c1d7fe1e2e1e2ae9ea117a52cf53e7eaa18dfb1f856cc25a15196fe88fc7f5e3dea8c61c01a24d3a1496cc43b3af982e19c3ed26952e5b

memory/3500-9-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/4048-8-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-7-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3500-4-0x0000000000D20000-0x0000000000D21000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk

MD5 5c9c2782b01f9d9cfdfca0128de2f0ed
SHA1 3694638e854459abb42c1becf68fb45c64ae2746
SHA256 86cd32ed0325fa05558eccae00056769bb265066cbb7cf559a5533678f76a3b2
SHA512 c340b94d4ee0ffc675efac397a3c06188177653235a7359b7f74067ef552c31216bca7fc8baa135d5bb8ecd5efdfde24ca14875288e3523d18962a232c911c0e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Z6v2NWa\WTSAPI32.dll

MD5 f81a51bee41c89859c0a6db958839f52
SHA1 76cd005cdf3ceaa530ba31ead85be1f3c08589c8
SHA256 bfe8d77bb000bebdc5f2c2d91437fa3ab011492d88689b1a666cb6f5cc929ffb
SHA512 250487b7779ae29e40e1d7980a9f26ef8be804f90504d1dacece8c743aa28a8167c73a8c7332d8439d3e9136c3665d68df3d1ba422aae61a40e55749ae69715e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\G1N\WINSTA.dll

MD5 3efa78d56621e892ea25446a427d9564
SHA1 98f888d31f10835c2f49c30492af0ed490dd8b28
SHA256 5c191bad069dfd838d4496bd16185453df05802db9c529bee957391ca8ded42c
SHA512 4c96da4a6bd63421a7beb8354094c795f6533434d3f26426022008062ba2817d4f5aef6719655d713daafbe2e99d142bd2f7dc8dd1da9c981b0ebe280b724162

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\aVnyY6U\UxTheme.dll

MD5 6796172b06d63d17c29f9285e32d3a95
SHA1 deb0ac89564b3500d357299509a379fa802aa984
SHA256 42888ba19dc80403e94bad61c1781a218da12c46d6b0c3cd21aa1d9264cafbf6
SHA512 53780cd0230a1f96344c73af42b555f245855fde18fec0a3b5726444bb79d6dc31f7f261a788a131d37e87d9a40911a7f23a76aebf1538984282bd12a12adf61
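Triage of the dropped-file list above, as an added example that is not part of the sandbox report: DROPPED is constructed from the Files section (path and MD5 only; the longer digests are omitted). The code groups drops by directory into side-loading bundles (a relocated executable plus the DLL it will load from its own directory), lists directories that hold a companion DLL but no recorded executable, picks out Startup-folder items, verifies which recorded digest is merely that of an empty file, and returns the last digest recorded for a path that was written more than once.

```python
"""Group the dropped files from the behavioral2 run into side-loading bundles.

Added example, not part of the sandbox report. DROPPED is constructed from
the Files section of the Windows 10 run, in report order.
"""
import hashlib
import ntpath

EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # digest of a zero-length file

# (path, MD5) pairs as recorded; paths listed twice were written in two steps.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\wWRFyfK\mblctr.exe", "2102d8565c8731e7e0306a7b543dc802"),
    (r"C:\Users\Admin\AppData\Local\wWRFyfK\WTSAPI32.dll", "d41d8cd98f00b204e9800998ecf8427e"),
    (r"C:\Users\Admin\AppData\Local\wWRFyfK\WTSAPI32.dll", "d138b6b3203b68da81ffef5fdb6bd99a"),
    (r"C:\Users\Admin\AppData\Local\wWRFyfK\mblctr.exe", "b69890e0a69d4a18b76e27293c3f9fe0"),
    (r"C:\Users\Admin\AppData\Local\XozEe\rdpclip.exe", "c10b07fa30cac5b37c0f5aaeeccff3d8"),
    (r"C:\Users\Admin\AppData\Local\XozEe\WINSTA.dll", "2efc37d5bcd4441db59a250ea9cb3c1c"),
    (r"C:\Users\Admin\AppData\Local\XozEe\WINSTA.dll", "6f19d192b8957a565c6615f42cf74f7f"),
    (r"C:\Users\Admin\AppData\Local\XozEe\rdpclip.exe", "ddb6a9715680480e5bbf543b99795ad9"),
    (r"C:\Users\Admin\AppData\Local\s5ey809U\RecoveryDrive.exe", "2a892c8eb7c8b5f94c695ba80faad62f"),
    (r"C:\Users\Admin\AppData\Local\s5ey809U\UxTheme.dll", "0872db1464a6962b522332046839720e"),
    (r"C:\Users\Admin\AppData\Local\s5ey809U\UxTheme.dll", "e1464387232510a9d3ffe7864d006f5e"),
    (r"C:\Users\Admin\AppData\Local\s5ey809U\RecoveryDrive.exe", "306d6e5b24a06ce798b4ba29a9a6d57a"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk", "5c9c2782b01f9d9cfdfca0128de2f0ed"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Z6v2NWa\WTSAPI32.dll", "f81a51bee41c89859c0a6db958839f52"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\G1N\WINSTA.dll", "3efa78d56621e892ea25446a427d9564"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\aVnyY6U\UxTheme.dll", "6796172b06d63d17c29f9285e32d3a95"),
]


def digests_by_path(records):
    """Every digest recorded for each path, in report order."""
    seen = {}
    for path, md5 in records:
        seen.setdefault(path, []).append(md5)
    return seen


def placeholder_writes(records):
    """Paths for which a recorded digest is that of a zero-length file."""
    return [p for p, digests in digests_by_path(records).items() if EMPTY_MD5 in digests]


def final_digest(records, path):
    """Last digest recorded for a path; earlier ones may be partial writes."""
    return digests_by_path(records)[path][-1]


def by_directory(records):
    """Unique file names per directory, split into exe / dll / other."""
    dirs = {}
    for path, _ in records:
        name = ntpath.basename(path)
        ext = ntpath.splitext(name)[1].lower()
        bucket = dirs.setdefault(ntpath.dirname(path), {"exe": [], "dll": [], "other": []})
        key = ext.lstrip(".") if ext in (".exe", ".dll") else "other"
        if name not in bucket[key]:
            bucket[key].append(name)
    return dirs


def side_load_bundles(records):
    """Directories holding both a relocated executable and a companion DLL."""
    return {d: (b["exe"], b["dll"]) for d, b in by_directory(records).items()
            if b["exe"] and b["dll"]}


def orphan_dlls(records):
    """Directories with a companion DLL but no recorded executable: the copy
    that will load it was not captured and must be looked for on the host."""
    return {d: b["dll"] for d, b in by_directory(records).items()
            if b["dll"] and not b["exe"]}


def startup_items(records):
    """Files dropped directly into a Startup folder (autostart without a Run key)."""
    return [p for p, _ in records
            if ntpath.basename(ntpath.dirname(p)).lower() == "startup"]


if __name__ == "__main__":
    for d, (exes, dlls) in side_load_bundles(DROPPED).items():
        print("bundle:", d, exes, dlls)
    print("orphan companions:", orphan_dlls(DROPPED))
    print("startup:", startup_items(DROPPED))
    print("empty placeholders:", placeholder_writes(DROPPED))
```

On this report the bundles are the three %LOCALAPPDATA% directories, the orphan companions are the three Roaming directories (Templates\Z6v2NWa, Start Menu\...\G1N, Internet Explorer\aVnyY6U) whose executables never reached the file list, and the single Startup item is Dvizybqqo.lnk. The orphan set is the list to check on a live host, since those are the persistent copies rather than the ones run during detonation.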