Malware Analysis Report

2024-11-30 21:38

Sample ID 240105-jex2ksgee7
Target 431ef761b4ddc5ff6a03fc64f78049c6
SHA256 bde6eb15f88b80cd90a5805a05f54b19e1c224fa47d8762950044394e82f5016
Tags: dridex botnet evasion payload trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: bde6eb15f88b80cd90a5805a05f54b19e1c224fa47d8762950044394e82f5016
Threat Level: Known bad

The file 431ef761b4ddc5ff6a03fc64f78049c6 was found to be: Known bad.

Malicious Activity Summary

Tags: dridex botnet evasion payload trojan

Signatures triggered across the three analyses:
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Unsigned PE
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-05 07:35

Signatures

Unsigned PE
No per-event details recorded.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-05 07:35
Reported: 2024-01-05 07:39
Platform: win7-20231215-en
Max time kernel: 9s
Max time network: 135s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\431ef761b4ddc5ff6a03fc64f78049c6.dll

regsvr32 /s maps the DLL into regsvr32.exe and calls its DllRegisterServer export with message boxes suppressed, so the sample's code runs inside a signed Microsoft process from the start and nothing is shown to the user.

Signatures

Dridex (botnet dridex)
No per-event details recorded.

Dridex Shellcode (botnet payload)
No per-event details recorded.

Executes dropped EXE
Process: C:\Users\Admin\AppData\Local\dbXC5vFZ\spreview.exe

Loads dropped DLL
Process: C:\Users\Admin\AppData\Local\dbXC5vFZ\spreview.exe (one further event recorded without details)

Checks whether UAC is enabled (evasion trojan)
Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Users\Admin\AppData\Local\dbXC5vFZ\spreview.exe
EnableLUA = 0 means UAC is switched off; reading it tells the loader whether an elevation attempt would raise a prompt.

Suspicious behavior: EnumeratesProcesses
Process: C:\Windows\system32\regsvr32.exe (3 events; 18 further events recorded without details)

Suspicious use of WriteProcessMemory
Source PID  Target PID  Target image                                        Events
1320        2620        C:\Windows\system32\spreview.exe                    3
1320        2656        C:\Users\Admin\AppData\Local\dbXC5vFZ\spreview.exe  3
1320        2900        C:\Windows\system32\msinfo32.exe                    3
The injecting process, PID 1320, is the one whose 0x140000000 region is snapshotted throughout the Files section. It writes both into the System32 original of spreview.exe and into the copy of it dropped under AppData\Local, and into the System32 msinfo32.exe.

Uses Task Scheduler COM API (persistence)
No per-event details recorded.

Processes

Each image is listed with the command line recorded for it; where nothing beyond the path was recorded, the path is repeated. The list runs in the order reported: for each hijacked binary the System32 original appears first, then the copy dropped under AppData\Local.

C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\431ef761b4ddc5ff6a03fc64f78049c6.dll
C:\Windows\system32\spreview.exe
    C:\Windows\system32\spreview.exe
C:\Users\Admin\AppData\Local\dbXC5vFZ\spreview.exe
    C:\Users\Admin\AppData\Local\dbXC5vFZ\spreview.exe
C:\Windows\system32\msinfo32.exe
    C:\Windows\system32\msinfo32.exe
C:\Users\Admin\AppData\Local\kepC\msinfo32.exe
    C:\Users\Admin\AppData\Local\kepC\msinfo32.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
    C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\T2otuC\WindowsAnytimeUpgradeResults.exe
    C:\Users\Admin\AppData\Local\T2otuC\WindowsAnytimeUpgradeResults.exe

Network

No network activity recorded.

Files

Entries of the form memory/<pid>-<n>-<start>-<end>-memory.dmp are memory region snapshots taken from process <pid>. The region at 0x140000000 (the default image base of a 64-bit PE) is captured in every process for which snapshots were taken (PIDs 1904, 1320, 2656, 2928 and 1944), with a size that differs per process.

Several dropped paths are listed more than once with different hashes (spreview.exe and VERSION.dll under dbXC5vFZ, msinfo32.exe and MFC42u.dll under kepC, WindowsAnytimeUpgradeResults.exe and DUI70.dll under T2otuC): each of these files was written more than once during the run, so every recorded hash is a valid indicator and a single-hash match will miss some of them. Each staging directory pairs a copy of a legitimate Windows binary with a DLL whose name matches a library that binary loads; the "Loads dropped DLL" signature confirms this for spreview.exe and VERSION.dll, and the other directories follow the same layout. A second set of copies is written under AppData\Roaming (Accessibility\Og, Recent\AutomaticDestinations\5DaNgqJ, IETldCache\BoPQaXOQFD), and the .lnk in the Startup folder provides persistence.

memory/1904-1-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1904-0-0x0000000001C80000-0x0000000001C87000-memory.dmp

memory/1320-4-0x0000000077416000-0x0000000077417000-memory.dmp

memory/1320-9-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-17-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-21-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-28-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-32-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-31-0x0000000002130000-0x0000000002137000-memory.dmp

memory/1320-40-0x0000000077621000-0x0000000077622000-memory.dmp

memory/1320-39-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-41-0x0000000077780000-0x0000000077782000-memory.dmp

memory/1320-30-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-29-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-27-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-26-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-25-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-50-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-24-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-23-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-56-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-57-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-22-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-20-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-19-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-18-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-16-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-15-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-14-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-13-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-12-0x0000000140000000-0x00000001401AE000-memory.dmp

\Users\Admin\AppData\Local\dbXC5vFZ\spreview.exe

MD5 837a2b3aa5229d002d281ee1a6bc2804
SHA1 b8884a09f49e235fc517bf3c599c3ded7333de33
SHA256 9fa54072cdb16bbe2886087c4a1afc3ad331b0448ab91e868b1da6536d62db4a
SHA512 693090e41281550b834b5ed1ce42a2a0de3b0ad0234b6b0f42dc340a59f73ee2de105387f74d930c8a2a0ddfe43f4cbddd5ca6158b875c55eec69b526643d15d

C:\Users\Admin\AppData\Local\dbXC5vFZ\VERSION.dll

MD5 3641b4004ab0fbce8f59272991b2b40a
SHA1 42b2a1e90e54eeddd3c6d1e65ea006fb8bb78a7a
SHA256 64a01c9734046a9e5ad991c1e8d6385c60b32cc5026517e28d6ccb60f0073ff1
SHA512 0ad039fa21ed77d8dc508d4d9de04fe0ae5500bb36ef8cd98d8de175b3586f74abad8a2bf87f2fa7ac5b971b1c45727df9d07c25a91acaef65d5de2a5357f3c4

\Users\Admin\AppData\Local\dbXC5vFZ\VERSION.dll

MD5 04754ee51ef0d7875a9330251045bce9
SHA1 e7636725b532e63242f40696a3b83984d25d8ef4
SHA256 5798637114f49aa9a3e58e9a9b2645b1db9d5a36c453b6423d617138a9c94748
SHA512 8e4ed0514733cbee3acf891e076aafa5767ee8dc9767205dbf6ea384f6869c50c8960205afc4d7f340d17e83ec15f7cb99287eb1d2d709143c880b63f0d5621b

C:\Users\Admin\AppData\Local\dbXC5vFZ\spreview.exe

MD5 02ad3d2e620e7be40de0fc1e95da1c75
SHA1 c43aa6dcdc110a7386ecb6a72aff19829db0c25c
SHA256 9f7de7d7016a862897c0dd4c1a0b752b80947aff76b759df3e943e2b6722c3ab
SHA512 c8ec1b1ee6eed6e937fc2dc35a41c5c60ea5b7f0b5930968b1e288167156cfaaae3934e60529f3237f4cb5df6315d6a4a252fd211917b86a0fbcc93bd10daefc

memory/1320-11-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-10-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/2656-68-0x0000000000320000-0x0000000000327000-memory.dmp

memory/1904-8-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/2656-69-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/2656-73-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1320-7-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1320-5-0x0000000002150000-0x0000000002151000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Og\spreview.exe

MD5 6cfe5b7fb99064719977ca36607c17ce
SHA1 d842add4efa7772edc3355a624df897047b73cd6
SHA256 fe06ac828fbb0f755d75796b02b5416b1ba2a319dd8a7e1a337aa8e09ecea4c4
SHA512 61a212e8490cc2107e3038af7a0650ba6f6ead7f5e8225f6384ecf53c5d506d00f5f424b45c3aafd564192dd54b1d74653b19935564b96e39888c965e85ff4f1

\Users\Admin\AppData\Local\kepC\msinfo32.exe

MD5 b4c28526fe14512f5459616854041b40
SHA1 7ae8f067f2c2b7c55ee5a3616c2492d7cd3f101f
SHA256 fe8aa0017b54259987f738f37aefd2cf0e5f4c28e8b74fc7f04b2e29e3e16614
SHA512 099c26be96ffc77321b7175fd103292ab8a4708d6af9d133af9d3efa13535e91448efe56cae1de238a1325b455e91356e3800dfe8b215de9147edcbd5955ded3

C:\Users\Admin\AppData\Local\kepC\MFC42u.dll

MD5 0569ce090ec4ddf6139a7d72ab537cf9
SHA1 a6cd0e36cf02eafa6952c579d3aefc3a65faa395
SHA256 ae6ac4e7ece9272efaf34e6fc0d656f32373faa17db4bbb9f3dc4ad7ff297183
SHA512 3fcf9d92e48635f3be2b7745d1c09d71bf21eb140a7e38a4106a127d6f4caecf3b1b38933d102257a5dd802c18058ebaf25f51b88cf93ac8b64101aef39e1436

\Users\Admin\AppData\Local\kepC\MFC42u.dll

MD5 9a2c0cb426b931860b642f0ea6f1a2a2
SHA1 5a345d4f057623f5313ee675d269d43c9ee76508
SHA256 d6fe6985ae702cca5b660b3a36c2782c7823f1bf2b5bf185b5c22f80b8298401
SHA512 51ef6ae3a50456b81deb88fe9e2dc5767851a866e96fd13b7506f8185a09102e4a93ab8cd4bf2f0460ad575cc35690b17f01c0910dc42af2d68f16d7dc4e7045

memory/2928-90-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/2928-86-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/2928-85-0x0000000000210000-0x0000000000217000-memory.dmp

C:\Users\Admin\AppData\Local\kepC\msinfo32.exe

MD5 7ed15066bd417002b64edd6607ca494c
SHA1 0c49bc639b7897f9a53a3ca50added4e032550b5
SHA256 17dd3dec806c8dc08c067ebf75f94ce6ad6f6310a197f4550c408f16ab9ec408
SHA512 a496db5fa8f8594ff3dfbc54dee8446c4bd041f94abec4ad417bcd6a6550777a9ad70674feaabad201d935901387fa4929eaebd07024f76f7312755256e687f0

C:\Users\Admin\AppData\Local\kepC\msinfo32.exe

MD5 c4050bdaf15e236b7f7e3bb3e3c35094
SHA1 8121d9f324b5d00900256accb30b357ce9d3ffce
SHA256 3d2758bd1a1ab9de5ed0fcb20e9b17c1a694f45d075baa006ba48d256ee4ca98
SHA512 f719255e55d2b56e450bc7e4d269517f15b9ce6671bccd9f561abbb16936bd14e803846efa8aec2bad1aaec1c2b464d1f7329b94617c2d4e6d85c9c54c790940

C:\Users\Admin\AppData\Local\T2otuC\DUI70.dll

MD5 9d013280dd91df2f8b69881bb40b6710
SHA1 d31799b444218c58cb7953221ddefeef7d82f83e
SHA256 9a56c08330b6b92200ba9af66f59f07c233ee3f0159c3dc4b3cb15c00f77d5df
SHA512 e099067c0b1c203bb40635ffa5c7896f997bc2621113cd3c409a6701c597525104d7af9562cd79377af0c929dfa459a2ee4cca29e69362b80c59c146fca6cd25

\Users\Admin\AppData\Local\T2otuC\DUI70.dll

MD5 e424a4d8fe284d8d096fd20eff9536c6
SHA1 75526d85fd0e234ad720933d6b27d3ee29e41071
SHA256 c51563bbbff8f8b189d2b160b334f6b93b1082c2588796fa23640fab44fdf340
SHA512 3a92730727306ff13774cd584c2048804fe9ae2634fe63cf86f0539179c6ff6f2e6543a3584aed487be5c66cfe087b1126c4c158e8ed4f09849bbda4d5e06970

memory/1944-105-0x0000000140000000-0x00000001401E2000-memory.dmp

memory/1944-109-0x0000000140000000-0x00000001401E2000-memory.dmp

memory/1944-104-0x0000000000170000-0x0000000000177000-memory.dmp

C:\Users\Admin\AppData\Local\T2otuC\WindowsAnytimeUpgradeResults.exe

MD5 4840c54db3bc5a010eb165a68df58e8a
SHA1 96a3cc2ab64fea0ef43bded0745808de6ff7854f
SHA256 be375c833aab19801406b59744f15ef7062dc4f808a2095feed11a74d0531bee
SHA512 393219f5c6462e82566049535b3cb0a56150442fb900af5017c3917435959ee322490631ff74794ab74fadc2a9d15da8ff7e1e376e3a53164f4c63722fda3c6d

C:\Users\Admin\AppData\Local\T2otuC\WindowsAnytimeUpgradeResults.exe

MD5 5ac289ace2c0e1e4f5b9c551c0822160
SHA1 dd4a26a554eee2bb00f77c8e91403b579612bb2e
SHA256 afc3fd6626e55e28196f697f760e398348d4ff52703ef4d2ed33182bf894f19f
SHA512 e6e4f8ba0db68e23f6e2b7c094f3d86fb6c160b79f6cc261c9235e81e133f302abe8846f790b2c6ff64fa253c19709cd4088ccb58cf94bd5a39240e77480623f

\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\BoPQaXOQFD\WindowsAnytimeUpgradeResults.exe

MD5 88fa60dbe4aea41dd9c09eaf21e52376
SHA1 e1d276ca827bf0d659325158813bc70648cd26df
SHA256 1e1c0a4030ff9dda4d52eaf1e8416f9dea9d4b53834a33bee87b77a48462a7f8
SHA512 2533091c09a246269b069e7b22853e1e2518f9c83a2f1a0aedbbbfd9dab972721964ccd5be8c72d9daba5ca35fc14d41741ed6aa98ee17e1efe802b59226765f

memory/1320-131-0x0000000077416000-0x0000000077417000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

MD5 797f68156237ea74d238f65cae0ed4d2
SHA1 a3ee2a3dab392707613ee1492141551f3cd89f0f
SHA256 4633e818d3ccf55b1fc63b18fe3d4ca543046992fcbf1cc7add32c037bc3c9af
SHA512 53385b950ed571e1a4f869688b1cfb5bce8df07d9b59fcf636aa33515594fe2a281cb882b5ae2a13d27930e6ff09b34392b5adeaf92cd40b12a6036334d13dd3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Og\VERSION.dll

MD5 3c310707aad2dab5ea32be85a63dcf77
SHA1 10a21f326c863acaced6fd344db9fb941e6e09f3
SHA256 32c44c4ec5650c261bc38580cfa97ab4bde4c6c71c61a7c67c434a1b943f6e02
SHA512 d070473dd24c67996fc1608482b95bee9270492bfad24c5a7db92a59a477de565e1fcc1496b1c81bf30b76a3816c164b57926258b3151adcd02dd9fc78715519

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5DaNgqJ\MFC42u.dll

MD5 d3fc06772101220913981f079ee82038
SHA1 0fb625e3749ab78e8e618c9c92de5dd20985e125
SHA256 2578ece7e3e2dbb61001941d81f2ccd30753c964ae1dc952e4ab98d97ef4f701
SHA512 d138f0b81caf650bbfb4b29f66990facc8b412fa443e23d732d9e752005364b5043ccd3f8cb491501e1c3681ac0ce72d373b72aba4424991849c0dcb224b1752

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\BoPQaXOQFD\DUI70.dll

MD5 50d7f85655d0eec02f4d0598be186130
SHA1 9ee21a22b44850f340576a38ced55920aa7b4355
SHA256 f59470667e8e72e50f33d4a74c7433c3113725e698214e516d5040727d131298
SHA512 04fc89631ff86d1ac2fe5d2b1c57fcb05108ded2005169d6f8575b4d60f4d1b19be5ff3296ec035f4b11149ad57cdce211197ab2dddc30864a20f3c3337e9563

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-05 07:35
Reported: 2024-01-05 07:38
Platform: win10v2004-20231215-en
Max time kernel: 17s
Max time network: 159s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\431ef761b4ddc5ff6a03fc64f78049c6.dll

Signatures

Dridex (botnet dridex)
No per-event details recorded.

Dridex Shellcode (botnet payload)
No per-event details recorded.

Suspicious behavior: EnumeratesProcesses
Process: C:\Windows\system32\regsvr32.exe (4 events)

Fewer signatures fired on Windows 10 than on Windows 7 (no dropped-EXE, dropped-DLL, UAC or WriteProcessMemory events), although the process list and dropped files below show the same staging pattern; the absence of a signature in one run is not evidence that the behaviour did not occur.

Processes

Each image is listed with the command line recorded for it; where nothing beyond the path was recorded, the path is repeated. As in the Windows 7 run, the System32 original of each hijacked binary appears first, then the copy dropped under AppData\Local.

C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\431ef761b4ddc5ff6a03fc64f78049c6.dll
C:\Windows\system32\cttune.exe
    C:\Windows\system32\cttune.exe
C:\Users\Admin\AppData\Local\GnzJb0hI\cttune.exe
    C:\Users\Admin\AppData\Local\GnzJb0hI\cttune.exe
C:\Windows\system32\usocoreworker.exe
    C:\Windows\system32\usocoreworker.exe
C:\Users\Admin\AppData\Local\WPe9\usocoreworker.exe
    C:\Users\Admin\AppData\Local\WPe9\usocoreworker.exe
C:\Windows\system32\DevicePairingWizard.exe
    C:\Windows\system32\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\b9jUjO\DevicePairingWizard.exe
    C:\Users\Admin\AppData\Local\b9jUjO\DevicePairingWizard.exe

Network

Country  Destination           Domain                           Proto
NL       52.142.223.178:80     -                                tcp
US       8.8.8.8:53            5.181.190.20.in-addr.arpa        udp
US       8.8.8.8:53            2.136.104.51.in-addr.arpa        udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa      udp
US       8.8.8.8:53            194.178.17.96.in-addr.arpa       udp
US       8.8.8.8:53            241.154.82.20.in-addr.arpa       udp
US       8.8.8.8:53            43.58.199.20.in-addr.arpa        udp
US       8.8.8.8:53            59.128.231.4.in-addr.arpa        udp
US       8.8.8.8:53            103.169.127.40.in-addr.arpa      udp
US       8.8.8.8:53            41.110.16.96.in-addr.arpa        udp
US       8.8.8.8:53            9.228.82.20.in-addr.arpa         udp
US       8.8.8.8:53            18.31.95.13.in-addr.arpa         udp
US       8.8.8.8:53            158.240.127.40.in-addr.arpa      udp
US       8.8.8.8:53            18.134.221.88.in-addr.arpa       udp
US       8.8.8.8:53            19.229.111.52.in-addr.arpa       udp
US       8.8.8.8:53            104.241.123.92.in-addr.arpa      udp
US       8.8.8.8:53            tse1.mm.bing.net                 udp
US       204.79.197.200:443    tse1.mm.bing.net                 tcp
US       204.79.197.200:443    tse1.mm.bing.net                 tcp
US       204.79.197.200:443    tse1.mm.bing.net                 tcp
US       204.79.197.200:443    tse1.mm.bing.net                 tcp
US       204.79.197.200:443    tse1.mm.bing.net                 tcp
US       8.8.8.8:53            200.197.79.204.in-addr.arpa      udp
US       8.8.8.8:53            119.110.54.20.in-addr.arpa       udp
US       8.8.8.8:53            56.126.166.20.in-addr.arpa       udp
US       8.8.8.8:53            176.178.17.96.in-addr.arpa       udp
US       8.8.8.8:53            211.135.221.88.in-addr.arpa      udp
US       20.189.173.3:443      -                                tcp

("-" marks a row for which no domain was recorded.)

The 8.8.8.8:53 rows are the sandbox resolver: 20 of them are PTR (in-addr.arpa) lookups and one resolves tse1.mm.bing.net, which is then contacted five times over TCP 443. None of these rows is tied to a sample process anywhere in the report, and no domain was resolved for 52.142.223.178:80 or 20.189.173.3:443. Treat those two destinations as unattributed until they are correlated with the process that opened them, not as confirmed Dridex command-and-control. The Windows 7 run recorded no network activity at all.
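To decide which rows of a table like this still need attribution, the following Python helper (an added example, not part of the sandbox report or of any tooling it describes) parses the table in the flattened form shown above, folds each PTR lookup back into the address it concerns, separates resolver traffic and known background hosts from everything else, and lists what remains for analyst review. KNOWN_BACKGROUND is an assumption for the example (seeded with tse1.mm.bing.net from this table); in practice it is populated from a baseline detonation of a harmless file on the same sandbox image. The embedded table is a constructed subset of the rows above.

```python
"""Split a sandbox Network table into resolver traffic, known background
hosts and destinations that still need attribution."""
from collections import Counter
import re

RESOLVER = "8.8.8.8:53"
# ASSUMPTION: hostnames the clean sandbox image contacts on its own. Seed it
# from a baseline run of a harmless file on the same image, not by guessing.
KNOWN_BACKGROUND = {"tse1.mm.bing.net"}

# Constructed subset of the behavioral2 Network table above.
SAMPLE_TABLE = """\
Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 20.189.173.3:443 tcp
"""


def parse_rows(text):
    """Rows carry 3 fields when no domain was recorded and 4 when one was."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto, domain = *parts, ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue                             # malformed line
        rows.append({"country": country, "dest": dest,
                     "domain": domain, "proto": proto})
    return rows


def ptr_target(name):
    """'5.181.190.20.in-addr.arpa' -> '20.190.181.5' (PTR names reverse the octets)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", name)
    return ".".join(reversed(m.groups())) if m else None


def triage(rows):
    out = {"reverse_lookups": [], "dns_queries": [],
           "background": Counter(), "unattributed": []}
    for r in rows:
        ip = ptr_target(r["domain"])
        if r["dest"] == RESOLVER and ip:
            out["reverse_lookups"].append(ip)        # address the host reverse-resolved
        elif r["dest"] == RESOLVER:
            out["dns_queries"].append(r["domain"])   # forward lookup
        elif r["domain"] in KNOWN_BACKGROUND:
            out["background"][(r["dest"], r["domain"])] += 1
        elif r["dest"] not in out["unattributed"]:
            out["unattributed"].append(r["dest"])    # no domain, no baseline match
    return out


if __name__ == "__main__":
    result = triage(parse_rows(SAMPLE_TABLE))
    for key in ("reverse_lookups", "dns_queries", "unattributed"):
        print(f"{key}: {result[key]}")
    print("background:", dict(result["background"]))
```

Run against the sample, the reverse lookups resolve to 20.190.181.5, 51.104.136.2 and 204.79.197.200 (the last being the bing.net address the host had just connected to), and only 52.142.223.178:80 and 20.189.173.3:443 are left in the unattributed list; those are the rows to chase with process-level correlation before calling anything C2.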

Files

Memory snapshot entries (memory/<pid>-<n>-<start>-<end>-memory.dmp) again show a region at 0x140000000 in every process snapshotted (PIDs 1532, 3132, 1152, 952 and 3364). The staging layout matches the Windows 7 run with different hijacked binaries: cttune.exe with OLEACC.dll under GnzJb0hI, usocoreworker.exe with XmlLite.dll under WPe9, DevicePairingWizard.exe with MFC42u.dll under b9jUjO, each binary and DLL recorded twice with different hashes. Second copies of the DLLs go under AppData\Roaming (SystemCertificates\My\CRLs\1UcJV, Vault\JLCEhIZ, Proof\xnS0zVA9Lf) and a .lnk is written to the Startup folder.

memory/1532-0-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1532-1-0x0000000000570000-0x0000000000577000-memory.dmp

memory/3132-4-0x00000000027D0000-0x00000000027D1000-memory.dmp

memory/3132-6-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1532-7-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-8-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-10-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-11-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-12-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-13-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-9-0x00007FFE1FB2A000-0x00007FFE1FB2B000-memory.dmp

memory/3132-14-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-16-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-17-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-19-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-20-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-21-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-22-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-18-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-15-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-25-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-24-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-26-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-27-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-28-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-29-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-30-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-23-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-32-0x0000000000880000-0x0000000000887000-memory.dmp

memory/3132-31-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-39-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-40-0x00007FFE201C0000-0x00007FFE201D0000-memory.dmp

memory/3132-49-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3132-51-0x0000000140000000-0x00000001401AE000-memory.dmp

C:\Users\Admin\AppData\Local\GnzJb0hI\OLEACC.dll

MD5 27ab0c7321bd8680ca97f78f084b15a7
SHA1 90499c6ad6240d6b67dd9d3120cf1ffccabe0e8e
SHA256 4df57b86dd62431243ff7d000a81566c287dcdecd80095c7eb02daad32a31e53
SHA512 18aba97abbe6e48cbd316867e3ee4e2569aa6fa1a058ebcfb95cab009ed1a9df89e2ef2cc41dc44cf561d075261c36b8d802fa53fe49c389712c71c6c3212ec9

C:\Users\Admin\AppData\Local\GnzJb0hI\OLEACC.dll

MD5 7bf4f26c83f8a6161a1b5ee7628d7aad
SHA1 f4f6a35b7bf4905c08b5874c440c04078354a573
SHA256 31fac59dd6db8526daeefc79105463785b9f9c62a86a361d3de5eb24ad9ebb9b
SHA512 62bd2cf656ef317ea4b860701f8a33c170fbb4928a1718ee76f04da837cbd2a6a0bce0533bf2f09ba3c0b13a6832a62c8c6b36fac319cf5e1e6066cbcd22ebf2

memory/1152-61-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1152-66-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1152-60-0x0000026673850000-0x0000026673857000-memory.dmp

C:\Users\Admin\AppData\Local\GnzJb0hI\cttune.exe

MD5 fa924465a33833f41c1a39f6221ba460
SHA1 801d505d81e49d2b4ffa316245ca69ff58c523c3
SHA256 de2d871afe2c071cf305fc488875563b778e7279e57030ba1a1c9f7e360748da
SHA512 eef91316e1a679cc2183d4fe9f8f40b5efa6d06f7d1246fd399292e14952053309b6891059da88134a184d9bd0298a45a1bf4bc9f27140b1a31b9523acbf3757

C:\Users\Admin\AppData\Local\WPe9\XmlLite.dll

MD5 03857ca552b5373ee931c9e2be6c569b
SHA1 12df62f9d7edf006211075717c61d632538f1081
SHA256 592eb6d33d414fc0c0e647cb7ea36237802e8bc3064772d8cf1294e455724d68
SHA512 ac206ce5901b697e2f23fe746c262b4e71d6e063c03b548e16b274bec8bd253c613d45a6890a2a986fd0d3c44ed653f496dabc7519c594716af68e7fac1c2037

C:\Users\Admin\AppData\Local\WPe9\XmlLite.dll

MD5 ea794a02eb78074463b6d7d516d27931
SHA1 91f877b30af37e94f0cbc5ec8e6862086fbe23d0
SHA256 dec251c572a9e9174735ed6fee1a82145323370d7516853e3277e5387799b45d
SHA512 1a5a113b89d978c9954885648a11fa0fdc6eeedaf53d9ca45172d1d7a99bdeaccbe558157a022e2e6810badac1dd6101c6f9cba50f723ebc9c6befdd42dc7b02

memory/952-78-0x000002B1354C0000-0x000002B1354C7000-memory.dmp

C:\Users\Admin\AppData\Local\WPe9\usocoreworker.exe

MD5 7b5aa4b2452ae0c8cdd195498c25b564
SHA1 7d386e67d1c21db02006acab0ff58c0151c78024
SHA256 ed8089608de9da202fc1f9250275e71222fa97f12f73c28913adbf1a2ec90b47
SHA512 a0c74419046993b487e7b4290c95e6f4bedc62d53161de8d0dbbbe32d371b2585481ac72e31f09de5d0dff6f3d289378f92e36f72b9c11ee8954ba825151081a

memory/952-83-0x0000000140000000-0x00000001401AF000-memory.dmp

C:\Users\Admin\AppData\Local\WPe9\usocoreworker.exe

MD5 9ecaa26752678a99f2f2990e117d3df4
SHA1 88a57f74036d0226aaceed815a1424b0db5d1386
SHA256 89221d455a04cf2b6f85dc23e3a2fdf17b2b4469abf33c85fd618e8db0453259
SHA512 df259e51efd154f69b13fa82d957a8805ca370077b5c1c8327b2412a2116cd5273260b4d36ca92826a45971860b0bfcf8372b72d643a384f7a2fd7e383d54ae4

C:\Users\Admin\AppData\Local\b9jUjO\MFC42u.dll

MD5 322b17231a73ff3a6847b8024e00602e
SHA1 50adc66f3ac94f9fa85ae1a00c4b1f701d25049e
SHA256 ce0b4ca123b9db246e931a4dd01b2fa8bd63244b255219ff58394e0815a226e9
SHA512 3732d67a87dbe0882370db1a0295f773b2e02dc24adb4feb544f42db80af5d96dc793a085bc8a4f47a916e052c51f13f146e3438a091617fb2924728c72b1146

C:\Users\Admin\AppData\Local\b9jUjO\DevicePairingWizard.exe

MD5 fb4ec343c8ff5e65b4cf4beec9ff7db3
SHA1 9c4aad48bab9b72ba7a16655a469a35ba00c3255
SHA256 b88f77c8b04ac15feffc848d205ba2dae08b776fefd6332597731ee981aaa9e5
SHA512 fa594c98feedd066dbbd58bddd70109d532f3e80ca64da1b4d43d596544d7d774b320e9b514def43c3a2fa10b4bbff986e13cbc24c737fab247a2a780e47102a

C:\Users\Admin\AppData\Local\b9jUjO\MFC42u.dll

MD5 da7c43bd961133d93c62a8316b1104f2
SHA1 3defbf8c78e0d96a486c61ebe004fd0c23482aeb
SHA256 55f69234bc8c605b74c3d4ae5f7f7b2b1f53bd706691d6237e8e6f177bc569c4
SHA512 e95d055958205d730992ded42465caa5d19f0bb00eac67b23ed6fab3b6e39fa55dbc4963e73b5a3e5b06ec2af3457676e2fa99ea16a4a988d0da26ca38f8d258

memory/3364-94-0x000002512A2E0000-0x000002512A2E7000-memory.dmp

memory/3364-100-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3364-95-0x0000000140000000-0x00000001401B5000-memory.dmp

C:\Users\Admin\AppData\Local\b9jUjO\DevicePairingWizard.exe

MD5 c2675a595884d019cb6ab92765921374
SHA1 09acf07ee6e3fd7337b9382cce032e016d29e5aa
SHA256 3e6e524597ddbc49938502f10f0c3ff17a87ee07289bd6a5ca0a331917668e1d
SHA512 626ef0c1d3636de3e3552881bc6e21d543559d011507bbcf4f2791c83ee35e2961f8f159eec8dd98355b0f732868659f8d1e2ca533648467cacc621f66eed648

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

MD5 81210ed00305b4d6b75960ece300bd84
SHA1 81e74eb0b7716d6e4414719965b1d71726b12832
SHA256 0c7a151c89efa7b1d22849116ab732e246a3f0e093903bce3299c01dd0ef3805
SHA512 d90492084b1298ae430f3b2bd586a982a62df524f51eb0a5df3d4e70d727bdb82591d4177405e41f471086f45e29dfcef7c6f6ac6a6c85cc28975ba05523ad67

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\1UcJV\OLEACC.dll

MD5 19d8aac7a39e7852b93dd453f50f57ac
SHA1 d258fabcafdf9c7a792012add172c662c950c1d0
SHA256 ead97abb887a8ea95aea9c3d4757978bdfd351b0b27d368f031d9feefe3b4867
SHA512 ee99ed9f53ca357216e68c9322af51f532d489be988f9315fb15633ff118e930a0803394d6fa18c14c3beed59ea5c2397345e68d39a9a41563eb70c70c4ee684

C:\Users\Admin\AppData\Roaming\Microsoft\Vault\JLCEhIZ\XmlLite.dll

MD5 e969d2553db703b7e19a6551ee05a93f
SHA1 3a0e63e6caa0a9b968f0829b77d801369b057baa
SHA256 c742a35e29f9a3a6b350dd135106e972b4c6d1155f048f2af096d2692a983f09
SHA512 0d47646d98e63bfbd8bb130f287f3eddbc3db5b7385a0790912e8bc731266a0fda70d69f24acf02c073a67142774c68b149eb3b9b7f95e6f7036c8e4c4bebe2d

C:\Users\Admin\AppData\Roaming\Microsoft\Proof\xnS0zVA9Lf\MFC42u.dll

MD5 007f8c5072786ed66517b3e8d0da948b
SHA1 1db48091fe5212e1ebe6ebb3e6fee67b3dd61fdb
SHA256 54c46503219436498273057c4833e94c6e133f63e21131271d2b7fbf3049b9f6
SHA512 705fffeecabedd10c99f1bfcd406255538dddba8d13463c8a78b2bb8eb53fb555e7fb1c29f9d2c2759bc0f0b43a249ab612baface318540675bdf41730748522