Malware Analysis Report

2024-11-30 21:28

Sample ID 240106-mlk75seahq
Target 45dad2872d00b40918d651ca11ce9698.exe
SHA256 8c3419a2c24c2c7169506a5efa26b3f5c2c5832497eefd93ef10bc066237f3ba
Tags
dridex botnet evasion payload persistence trojan
Score
10/10

Analysis Overview

Score
10/10

SHA256

8c3419a2c24c2c7169506a5efa26b3f5c2c5832497eefd93ef10bc066237f3ba

Threat Level: Known bad

The file 45dad2872d00b40918d651ca11ce9698.exe was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Analysis: static1

Detonation Overview

Reported

2024-01-06 10:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-06 10:33

Reported

2024-01-06 10:35

Platform

win7-20231129-en

Max time kernel

149s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\45dad2872d00b40918d651ca11ce9698.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\KoX2lpLBF\spreview.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\aEzVC8aT\rdrleakdiag.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\gTACB\DisplaySwitch.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\8GUF867B\\40JMY4~1\\RDRLEA~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\gTACB\DisplaySwitch.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\KoX2lpLBF\spreview.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\aEzVC8aT\rdrleakdiag.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1276 wrote to memory of 2620 N/A N/A C:\Windows\system32\spreview.exe
PID 1276 wrote to memory of 2620 N/A N/A C:\Windows\system32\spreview.exe
PID 1276 wrote to memory of 2620 N/A N/A C:\Windows\system32\spreview.exe
PID 1276 wrote to memory of 2520 N/A N/A C:\Users\Admin\AppData\Local\KoX2lpLBF\spreview.exe
PID 1276 wrote to memory of 2520 N/A N/A C:\Users\Admin\AppData\Local\KoX2lpLBF\spreview.exe
PID 1276 wrote to memory of 2520 N/A N/A C:\Users\Admin\AppData\Local\KoX2lpLBF\spreview.exe
PID 1276 wrote to memory of 2176 N/A N/A C:\Windows\system32\rdrleakdiag.exe
PID 1276 wrote to memory of 2176 N/A N/A C:\Windows\system32\rdrleakdiag.exe
PID 1276 wrote to memory of 2176 N/A N/A C:\Windows\system32\rdrleakdiag.exe
PID 1276 wrote to memory of 2272 N/A N/A C:\Users\Admin\AppData\Local\aEzVC8aT\rdrleakdiag.exe
PID 1276 wrote to memory of 2272 N/A N/A C:\Users\Admin\AppData\Local\aEzVC8aT\rdrleakdiag.exe
PID 1276 wrote to memory of 2272 N/A N/A C:\Users\Admin\AppData\Local\aEzVC8aT\rdrleakdiag.exe
PID 1276 wrote to memory of 2764 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 1276 wrote to memory of 2764 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 1276 wrote to memory of 2764 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 1276 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\gTACB\DisplaySwitch.exe
PID 1276 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\gTACB\DisplaySwitch.exe
PID 1276 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\gTACB\DisplaySwitch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\45dad2872d00b40918d651ca11ce9698.dll,#1

C:\Users\Admin\AppData\Local\KoX2lpLBF\spreview.exe

C:\Windows\system32\spreview.exe

C:\Users\Admin\AppData\Local\aEzVC8aT\rdrleakdiag.exe

C:\Windows\system32\rdrleakdiag.exe

C:\Users\Admin\AppData\Local\gTACB\DisplaySwitch.exe

C:\Windows\system32\DisplaySwitch.exe

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-06 10:33

Reported

2024-01-06 10:36

Platform

win10v2004-20231215-en

Max time kernel

121s

Max time network

163s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\45dad2872d00b40918d651ca11ce9698.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Vault\\u2A1f3PhT9\\CameraSettingsUIHost.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\qHSQP\unregmp2.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\QfLA\CameraSettingsUIHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\aX0\FXSCOVER.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3428 wrote to memory of 3292 N/A N/A C:\Windows\system32\unregmp2.exe
PID 3428 wrote to memory of 3292 N/A N/A C:\Windows\system32\unregmp2.exe
PID 3428 wrote to memory of 3188 N/A N/A C:\Users\Admin\AppData\Local\qHSQP\unregmp2.exe
PID 3428 wrote to memory of 3188 N/A N/A C:\Users\Admin\AppData\Local\qHSQP\unregmp2.exe
PID 3428 wrote to memory of 1976 N/A N/A C:\Windows\system32\CameraSettingsUIHost.exe
PID 3428 wrote to memory of 1976 N/A N/A C:\Windows\system32\CameraSettingsUIHost.exe
PID 3428 wrote to memory of 2936 N/A N/A C:\Users\Admin\AppData\Local\QfLA\CameraSettingsUIHost.exe
PID 3428 wrote to memory of 2936 N/A N/A C:\Users\Admin\AppData\Local\QfLA\CameraSettingsUIHost.exe
PID 3428 wrote to memory of 4628 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 3428 wrote to memory of 4628 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 3428 wrote to memory of 5024 N/A N/A C:\Users\Admin\AppData\Local\aX0\FXSCOVER.exe
PID 3428 wrote to memory of 5024 N/A N/A C:\Users\Admin\AppData\Local\aX0\FXSCOVER.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\45dad2872d00b40918d651ca11ce9698.dll,#1

C:\Windows\system32\unregmp2.exe

C:\Users\Admin\AppData\Local\qHSQP\unregmp2.exe

C:\Windows\system32\CameraSettingsUIHost.exe

C:\Users\Admin\AppData\Local\QfLA\CameraSettingsUIHost.exe

C:\Windows\system32\FXSCOVER.exe

C:\Users\Admin\AppData\Local\aX0\FXSCOVER.exe

Network

Files

C:\Users\Admin\AppData\Local\qHSQP\unregmp2.exe

MD5 a6fc8ce566dec7c5873cb9d02d7b874e
SHA1 a30040967f75df85a1e3927bdce159b102011a61
SHA256 21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d
SHA512 f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc

C:\Users\Admin\AppData\Local\qHSQP\VERSION.dll

MD5 b0737520a4d626894445f770ddd5e86f
SHA1 0da74e5f4998a2e0cde1ad0399a1d28e87b9210b
SHA256 1b36eac31cbee444991450189c50de2105a83ac990351cb19092e6eba3d64421
SHA512 fb2aa20b2aa4efd0173518ea69456c1b6fdf1950cd61260f1585ada30cf43e24975c891db1beee0df2efb369654c13b9b9a5c2de6ff2c33e6cb10a1de3629155

C:\Users\Admin\AppData\Local\QfLA\CameraSettingsUIHost.exe

MD5 9e98636523a653c7a648f37be229cf69
SHA1 bd4da030e7cf4d55b7c644dfacd26b152e6a14c4
SHA256 3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717
SHA512 41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

C:\Users\Admin\AppData\Local\QfLA\DUI70.dll

MD5 1609a9ee4ef563dfdb4bf02400b68071
SHA1 c373d7bdbd098aac1489e250960d7b1fe8a8a4f7
SHA256 79873a1cb02804508fd221deeec6d8b7df60e836b63a327d5b24862bcde35a72
SHA512 b2d60dd0ff716c4748b32a7a7ce798258ff37dd10c902bbd9029b9c07c190d9e3328ff8fe282db7f586c13510a4e26d16da43c34119d5cf900a78f9c61f0c1d0

C:\Users\Admin\AppData\Local\aX0\MFC42u.dll

MD5 e5f0eef3cba62f9dccdf6ca64ee5f591
SHA1 2bcaaf04dcf3459444ad86066fb823bb0dcf3bfa
SHA256 dc8c09a9a73f75c0c3fd8434cf69d4c2d05aa7c2778ea3edfe7f7131143ebcaf
SHA512 65c39b50db09ceebd600d2386dd2647c4427b52d84475b87fef2cd02da4e027a82ef023ed2f419a5f2499f87f4ca87363fe985ee083c0646a341b67c4cbc0743

C:\Users\Admin\AppData\Local\aX0\FXSCOVER.exe

MD5 5769f78d00f22f76a4193dc720d0b2bd
SHA1 d62b6cab057e88737cba43fe9b0c6d11a28b53e8
SHA256 40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31
SHA512 b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 95df32e9667e8aa82ab866b228b1d216
SHA1 820413876cbd49bd1cfddff15f43bb81e1892661
SHA256 877c3836ce6d1bcdab9e7ef4b27458227c0de587966dd39a04f57f0787b0aa5a
SHA512 d1638e247d3fffcfe92337cf2fda0f2ad06087308a4b2615f8f4c824903ceaca2862fefda3e2b17e157a150760441538bc38afc01638b5a10cc84f6573b2a511