Malware Analysis Report

2024-11-30 21:47

Sample ID 240101-ygv3bsgeek
Target 0fe25a00394d1eaf4e182704b924fd54.exe
SHA256 4ba3c5dd250ef9b7afbd8968e20eef9be70988e415d4e8bb7480ac3f5ffb159c
Tags
dridex botnet payload evasion persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4ba3c5dd250ef9b7afbd8968e20eef9be70988e415d4e8bb7480ac3f5ffb159c

Threat Level: Known bad

The file 0fe25a00394d1eaf4e182704b924fd54.exe was found to be: Known bad.

Malicious Activity Summary

dridex botnet payload evasion persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-01 19:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-01 19:45

Reported

2024-01-01 19:49

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

127s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0fe25a00394d1eaf4e182704b924fd54.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0fe25a00394d1eaf4e182704b924fd54.dll

C:\Windows\system32\Taskmgr.exe

C:\Windows\system32\Taskmgr.exe

C:\Users\Admin\AppData\Local\pKb5FdPP\Taskmgr.exe

C:\Users\Admin\AppData\Local\pKb5FdPP\Taskmgr.exe

C:\Windows\system32\FXSCOVER.exe

C:\Windows\system32\FXSCOVER.exe

C:\Users\Admin\AppData\Local\wjMlYI\mblctr.exe

C:\Users\Admin\AppData\Local\wjMlYI\mblctr.exe

C:\Windows\system32\mblctr.exe

C:\Windows\system32\mblctr.exe

C:\Users\Admin\AppData\Local\FeYq5g4\FXSCOVER.exe

C:\Users\Admin\AppData\Local\FeYq5g4\FXSCOVER.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 183.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 32.179.17.96.in-addr.arpa udp
GB 88.221.134.33:80 tcp
GB 88.221.134.33:80 tcp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
GB 88.221.134.33:80 tcp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp

Files

memory/4520-0-0x00000000012C0000-0x00000000012C7000-memory.dmp

memory/4520-1-0x0000000140000000-0x0000000140216000-memory.dmp

memory/4520-7-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-14-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-20-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-26-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-32-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-36-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-42-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-47-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-51-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-50-0x0000000001120000-0x0000000001127000-memory.dmp

memory/3488-58-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-70-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-68-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-59-0x00007FF9F64A0000-0x00007FF9F64B0000-memory.dmp

memory/3488-49-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-48-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-46-0x0000000140000000-0x0000000140216000-memory.dmp

memory/756-79-0x000001CF047B0000-0x000001CF047B7000-memory.dmp

memory/756-80-0x0000000140000000-0x000000014025C000-memory.dmp

memory/3488-45-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-44-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-43-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-40-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-41-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-38-0x0000000140000000-0x0000000140216000-memory.dmp

memory/4108-96-0x0000026792090000-0x0000026792097000-memory.dmp

memory/3820-115-0x0000014975180000-0x0000014975187000-memory.dmp

memory/3488-39-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-37-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-35-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-34-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-33-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-31-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-30-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-29-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-28-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-27-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-25-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-24-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-23-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-22-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-21-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-19-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-18-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-17-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-16-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-15-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-13-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-12-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-11-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-10-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-9-0x00007FF9F4EEA000-0x00007FF9F4EEB000-memory.dmp

memory/3488-8-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-6-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3488-4-0x00000000030C0000-0x00000000030C1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-01 19:45

Reported

2024-01-01 19:50

Platform

win7-20231215-en

Max time kernel

186s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0fe25a00394d1eaf4e182704b924fd54.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\oj3M7a\dwm.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\aJQYe\SystemPropertiesRemote.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\pZNnqWAyA\SnippingTool.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\YjfAOli\msdt.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\3HHG3kJE\\SystemPropertiesRemote.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\oj3M7a\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\aJQYe\SystemPropertiesRemote.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\pZNnqWAyA\SnippingTool.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\YjfAOli\msdt.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 1180 N/A N/A C:\Windows\system32\dwm.exe
PID 1376 wrote to memory of 1180 N/A N/A C:\Windows\system32\dwm.exe
PID 1376 wrote to memory of 1180 N/A N/A C:\Windows\system32\dwm.exe
PID 1376 wrote to memory of 1384 N/A N/A C:\Users\Admin\AppData\Local\oj3M7a\dwm.exe
PID 1376 wrote to memory of 1384 N/A N/A C:\Users\Admin\AppData\Local\oj3M7a\dwm.exe
PID 1376 wrote to memory of 1384 N/A N/A C:\Users\Admin\AppData\Local\oj3M7a\dwm.exe
PID 1376 wrote to memory of 2380 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 1376 wrote to memory of 2380 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 1376 wrote to memory of 2380 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 1376 wrote to memory of 1608 N/A N/A C:\Users\Admin\AppData\Local\aJQYe\SystemPropertiesRemote.exe
PID 1376 wrote to memory of 1608 N/A N/A C:\Users\Admin\AppData\Local\aJQYe\SystemPropertiesRemote.exe
PID 1376 wrote to memory of 1608 N/A N/A C:\Users\Admin\AppData\Local\aJQYe\SystemPropertiesRemote.exe
PID 1376 wrote to memory of 2056 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1376 wrote to memory of 2056 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1376 wrote to memory of 2056 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1376 wrote to memory of 1760 N/A N/A C:\Users\Admin\AppData\Local\pZNnqWAyA\SnippingTool.exe
PID 1376 wrote to memory of 1760 N/A N/A C:\Users\Admin\AppData\Local\pZNnqWAyA\SnippingTool.exe
PID 1376 wrote to memory of 1760 N/A N/A C:\Users\Admin\AppData\Local\pZNnqWAyA\SnippingTool.exe
PID 1376 wrote to memory of 2332 N/A N/A C:\Windows\system32\msdt.exe
PID 1376 wrote to memory of 2332 N/A N/A C:\Windows\system32\msdt.exe
PID 1376 wrote to memory of 2332 N/A N/A C:\Windows\system32\msdt.exe
PID 1376 wrote to memory of 2072 N/A N/A C:\Users\Admin\AppData\Local\YjfAOli\msdt.exe
PID 1376 wrote to memory of 2072 N/A N/A C:\Users\Admin\AppData\Local\YjfAOli\msdt.exe
PID 1376 wrote to memory of 2072 N/A N/A C:\Users\Admin\AppData\Local\YjfAOli\msdt.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0fe25a00394d1eaf4e182704b924fd54.dll

C:\Users\Admin\AppData\Local\oj3M7a\dwm.exe

C:\Users\Admin\AppData\Local\oj3M7a\dwm.exe

C:\Windows\system32\dwm.exe

C:\Windows\system32\dwm.exe

C:\Windows\system32\SystemPropertiesRemote.exe

C:\Windows\system32\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\aJQYe\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\aJQYe\SystemPropertiesRemote.exe

C:\Windows\system32\SnippingTool.exe

C:\Windows\system32\SnippingTool.exe

C:\Users\Admin\AppData\Local\pZNnqWAyA\SnippingTool.exe

C:\Users\Admin\AppData\Local\pZNnqWAyA\SnippingTool.exe

C:\Windows\system32\msdt.exe

C:\Windows\system32\msdt.exe

C:\Users\Admin\AppData\Local\YjfAOli\msdt.exe

C:\Users\Admin\AppData\Local\YjfAOli\msdt.exe

Network

N/A

Files

memory/2852-0-0x0000000140000000-0x0000000140216000-memory.dmp

memory/2852-1-0x0000000000130000-0x0000000000137000-memory.dmp

memory/1376-4-0x0000000076F46000-0x0000000076F47000-memory.dmp

memory/2852-8-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-7-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-11-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-14-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-17-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-19-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-23-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-26-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-30-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-35-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-39-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-40-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-43-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-47-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-49-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-51-0x0000000002560000-0x0000000002567000-memory.dmp

memory/1376-50-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-48-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-58-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-60-0x00000000771B0000-0x00000000771B2000-memory.dmp

memory/1376-59-0x0000000077051000-0x0000000077052000-memory.dmp

memory/1376-46-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-45-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-44-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-42-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-41-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-38-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-37-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-36-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-34-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-33-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-32-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-69-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-31-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-29-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-75-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-28-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-27-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-25-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-24-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-22-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-21-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-20-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-18-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-16-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-15-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-13-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-12-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-10-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-9-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1376-5-0x0000000002580000-0x0000000002581000-memory.dmp

\Users\Admin\AppData\Local\oj3M7a\UxTheme.dll

MD5 8caa3f0a6039ac1fdd9dbf7cb184fec0
SHA1 701af611fa1119784860f09ecd61316fe54a71ed
SHA256 3cc4aa869e9b979269d9330f2ea2458a7700b656793629c127fed388c757cdf2
SHA512 fd3d221fbdf75aade587e776fe1cf0f2c21b506328edc7f1b92158f1607d4117372f528e7c47b124fd4b2f65f1df4003ba0e975ace0836a7cdecf9dd73954c20

memory/1384-87-0x00000000000F0000-0x00000000000F7000-memory.dmp

C:\Users\Admin\AppData\Local\oj3M7a\dwm.exe

MD5 3e97ed119eb6e5b09a4b37c38d2f4d86
SHA1 2bed858b05932ae68af557d10e03ba7a49832c5a
SHA256 fbadb28e9b75cdfbcc9a9f68b6ff6b32d4ec73fa68d9b2f55d65f448e4411854
SHA512 f98887ef4bd3ec1b158f9fb4e9a2c04f240697992171516641d61ae81abbc293043306f5e67fbe0d42039981580e5772392c2967d53a7b18278f0d9a855feba3

C:\Users\Admin\AppData\Local\oj3M7a\UxTheme.dll

MD5 0c002ee3d095945559113ce7b2462e78
SHA1 c6d83f5cb2e042f4d9a54fb5a51af0ac3b260aec
SHA256 0e042e664180a74c93a0e0f69d45e734962e3ff664b39ac7931327d53a9e24ab
SHA512 3b99410a8fdb16f435ffb96e8a31fe61f8c2196d87f9394b30be9ac0293181b2c8c2042b1a8ef726608d8e8c5eaac8641b7091ba89b3c1efc243b370e6cde5f6

\Users\Admin\AppData\Local\oj3M7a\dwm.exe

MD5 0920fa13a00eb23548e28278a44c3700
SHA1 f33f95e57378758196991668bc75cdace23ba841
SHA256 d5b962d06f9d7f6d1028b049bcb037552a304bd1d2309248f02fa95a3a1d0e7a
SHA512 f89846ec54305b965f5dbf15b1befa0a0207ce215f541a45f460b3f0ead62a0b3160614fb741720da3263625898c79eae7bd46bbfafc6ac1db9082a6c542aac3

C:\Users\Admin\AppData\Local\oj3M7a\dwm.exe

MD5 f162d5f5e845b9dc352dd1bad8cef1bc
SHA1 35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2
SHA256 8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7
SHA512 7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

memory/1376-98-0x0000000076F46000-0x0000000076F47000-memory.dmp

\Users\Admin\AppData\Local\aJQYe\SystemPropertiesRemote.exe

MD5 d0d7ac869aa4e179da2cc333f0440d71
SHA1 e7b9a58f5bfc1ec321f015641a60978c0c683894
SHA256 5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a
SHA512 1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

C:\Users\Admin\AppData\Local\aJQYe\SYSDM.CPL

MD5 13786976ac504e03dd2f8acfc2ef3444
SHA1 3c7e064c03d5293ee3e78d7525f00cf62b009cae
SHA256 7f6681827539517772274da9dcd5a0370c51d8604b58cc65e8c521ca8ff695ab
SHA512 48f47eaa12b1e076b773b52ccda419d3f4f5f7dad9de3f504c3889a10ad1c6ac14eb79be114757f545eedcb8f9c39a7b0f82048446589072d38146ec237d6ffb

memory/1608-106-0x0000000000370000-0x0000000000377000-memory.dmp

\Users\Admin\AppData\Local\pZNnqWAyA\SnippingTool.exe

MD5 7633f554eeafde7f144b41c2fcaf5f63
SHA1 44497c3d6fada0066598a6170b90c53e28ddf96c
SHA256 890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78
SHA512 7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203

C:\Users\Admin\AppData\Local\pZNnqWAyA\UxTheme.dll

MD5 960a5185bb00dc2bcfd00763fa825bb0
SHA1 f7f30312c9386a822d4fa42d9cc3bff6d8fbd9ca
SHA256 ec9761e6e6782256d92f02c27e08aa816fdaee634029a78d67d01b527ea3ed8e
SHA512 5c74acae45c4123b18930f40a4a8cc13ee4196bd478e3bb3fef6eb0c6a73dd2b6cc06a1c93c1470710c4f6cd17fe98bc09c04249fed72a923fb6f3fd637aef24

memory/1760-125-0x00000000001A0000-0x00000000001A7000-memory.dmp

\Users\Admin\AppData\Local\YjfAOli\msdt.exe

MD5 aecb7b09566b1f83f61d5a4b44ae9c7e
SHA1 3a4a2338c6b5ac833dc87497e04fe89c5481e289
SHA256 fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5
SHA512 6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

\Users\Admin\AppData\Local\YjfAOli\wer.dll

MD5 aafc14378eea115bf87a234c546f55c9
SHA1 26c7668d1f172f3055eba0dc09d9179b9f3dd154
SHA256 cd8102c5f67c890708a376f34f52f83897238a6eab32b879e322531ab10df4c4
SHA512 4c0a479de26aa23019fee47ed68c1266b70c6e9c1177278bfd8b6b34f05863fecad0333db252d65d3c5fe64f346324445e2ac02f26d6fb6c45d39f88e2f83b63

memory/2072-138-0x0000000000210000-0x0000000000217000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

MD5 4b8acc8c2d65c5967df3a5e14658b00a
SHA1 35e46de2149d3eb92a4f029aeeb1d584e34f6cf9
SHA256 8b733064741943bb9f02a87d5b9cb7de877b6cf159e3fd65a3ce462c8b521f50
SHA512 80d55ffce1f24fb844b57e5d41cfc9e7660a98ea79ac3a342282983f4070a4827e3697d91ccd8de9c985d73c1bddd04a58478ee926453012d8dd07d2d14fbd4b

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\hdnf8lbCm\UxTheme.dll

MD5 a7ccba63c407de0435e1cf0e44730500
SHA1 c34eff92467a9ed864c38f3264d4684ef08da639
SHA256 d8b1dc785dfc135d5c72075222342f3bd130993eaed911b8436dcd20f9328134
SHA512 494735b20a87bf95d26ec85d8549834a6d0e5787739d7f3bdb10bc0ef9d5a8104765fbc8197b092d78a81a265b06d1b454cd52867c3fa4dc23a0c8d7ccadd67c