Malware Analysis Report

2024-11-30 21:28

Sample ID: 240107-lpa1xaadbp
Target:    48a3c56fe0632fde64f2932afc94f9c0
SHA256:    075c91511b4358c6e72aaee2e8ea3b67d6f4caee1eb2b4fa92cbf659ea7c8c62
Tags:      dridex, botnet, evasion, payload, trojan, persistence
Score:     10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 075c91511b4358c6e72aaee2e8ea3b67d6f4caee1eb2b4fa92cbf659ea7c8c62

Threat Level: Known bad

The file 48a3c56fe0632fde64f2932afc94f9c0 was found to be: Known bad.

What the two detonations show, read together: the sample is a 64-bit DLL (its image is mapped at 0x140000000 in the rundll32.exe process, see the Files sections) that is started through rundll32.exe export #1. It queries HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, then runs legitimate Windows executables (psr.exe, wscript.exe and rdpclip.exe on Windows 7; EaseOfAccessDialog.exe, SysResetErr.exe and bdechangepin.exe on Windows 10) first from System32 and then again from a randomly named directory under C:\Users\Admin\AppData\Local, where a DLL named OLEACC.dll or DUI70.dll has been written next to the copy. That is the DLL side-loading chain Dridex loaders use, and it is what the "Executes dropped EXE" and "Loads dropped DLL" signatures below refer to. On Windows 10 the loader also writes into the memory of every spawned copy (WriteProcessMemory) and persists through a Run value pointing at a further SysResetErr.exe under C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\r6za, where a DUI70.dll was also written, plus a shortcut in the Startup folder. No command-and-control traffic was captured in either run.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, trojan, persistence

Signatures matched across the analyses:

  Dridex
  Dridex Shellcode
  Executes dropped EXE
  Loads dropped DLL
  Checks whether UAC is enabled
  Adds Run key to start application
  Unsigned PE
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of UnmapMainImage
  Suspicious use of WriteProcessMemory
  Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-07 09:42

Signatures

Unsigned PE
  No indicator details recorded (the sample carries no Authenticode signature).

Analysis: behavioral1

Detonation Overview

Submitted:        2024-01-07 09:42
Reported:         2024-01-07 09:44
Platform:         win7-20231129-en
Max time kernel:  3s
Max time network: 122s

Note the 3 s kernel monitoring window: this run recorded process launches and memory dumps but no dropped files or registry changes, so the Windows 10 run (behavioral2) is the one to use for file and persistence artifacts.

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\48a3c56fe0632fde64f2932afc94f9c0.dll,#1

Signatures

Dridex (tags: botnet, dridex)

Dridex Shellcode (tags: botnet, payload)
  No indicator details recorded.

Checks whether UAC is enabled (tags: evasion, trojan)
  Description: Key value queried
  Indicator:   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process:     C:\Windows\system32\rundll32.exe

Suspicious behavior: EnumeratesProcesses
  3 hits in C:\Windows\system32\rundll32.exe; no indicator or target recorded.

Processes

  Image                                               Command line
  C:\Windows\system32\rundll32.exe                    rundll32.exe C:\Users\Admin\AppData\Local\Temp\48a3c56fe0632fde64f2932afc94f9c0.dll,#1
  C:\Windows\system32\psr.exe                         C:\Windows\system32\psr.exe
  C:\Users\Admin\AppData\Local\gl6pZ3Q6\psr.exe       C:\Users\Admin\AppData\Local\gl6pZ3Q6\psr.exe
  C:\Windows\system32\wscript.exe                     C:\Windows\system32\wscript.exe
  C:\Users\Admin\AppData\Local\NXuuQ4MB\wscript.exe   C:\Users\Admin\AppData\Local\NXuuQ4MB\wscript.exe
  C:\Windows\system32\rdpclip.exe                     C:\Windows\system32\rdpclip.exe
  C:\Users\Admin\AppData\Local\BoGPae\rdpclip.exe     C:\Users\Admin\AppData\Local\BoGPae\rdpclip.exe

Each Windows binary is launched once from System32 and then once more from a randomly named directory under C:\Users\Admin\AppData\Local, with no arguments either time. This is the side-loading pattern Dridex loaders use: the relocated copy is a legitimate, signed executable, and the malicious code is in a DLL written beside it (this run recorded no file writes; compare the OLEACC.dll and DUI70.dll entries in the behavioral2 Files section).

Network

No network activity recorded in this run.

Files

Memory dumps, grouped by process and region (the index in each dump name is the order in which the sandbox took it; the original listing is one memory/<pid>-<index>-<start>-<end>-memory.dmp line per dump):

PID 2548 (first process dumped)
  0x0000000000430000-0x0000000000437000  0x7000 bytes    dump 1
  0x0000000140000000-0x00000001402E0000  0x2E0000 bytes  dumps 0, 8

PID 1380 (not in the process tree above; receives 58 dumps of the same image region)
  0x00000000774F6000-0x00000000774F7000  0x1000 bytes    dumps 4, 187
  0x0000000002EA0000-0x0000000002EA1000  0x1000 bytes    dump 5
  0x0000000140000000-0x00000001402E0000  0x2E0000 bytes  dumps 7, 9-65
  0x0000000002E00000-0x0000000002E07000  0x7000 bytes    dump 69
  0x0000000077601000-0x0000000077602000  0x1000 bytes    dump 77
  0x0000000077760000-0x0000000077762000  0x2000 bytes    dump 78

Three further processes, one 0x7000-byte region each:
  PID 1844  0x0000000000510000-0x0000000000517000  dump 105
  PID 1536  0x0000000000490000-0x0000000000497000  dump 132
  PID 1440  0x0000000000190000-0x0000000000197000  dump 156

The 0x2E0000-byte region at 0x140000000 is the one to carve first: it is present in the first process and is dumped repeatedly from the second, and 0x140000000 is the default image base for 64-bit executables. The 0x7000-byte regions recur in both runs and in every spawned process.
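Grouping the dump listings by hand is error-prone; the following Python script, added here for this report and not part of the sandbox's output, parses dump names in the memory/<pid>-<index>-<start>-<end>-memory.dmp form used in both behavioral Files sections, groups them by process and region, renders the index ranges compactly, and lists the small regions worth pulling for shellcode triage. The sample names are copied from the behavioral2 listing; the 64 KiB threshold for "small" is an assumption chosen for this chain.

```python
"""Group and size the memory dumps a sandbox took, from their file names.

Added example for this report; it is not part of the sandbox's output. The
names follow the memory/<pid>-<index>-<start>-<end>-memory.dmp convention
used in the Files sections of the report, where <index> is the order in
which the dump was taken. The sample names are copied from the behavioral2
listing; the 64 KiB "small region" threshold is an assumption.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Dump names copied from the behavioral2 Files section of this report.
SAMPLE_DUMPS = [
    "memory/2348-0-0x0000018FD3800000-0x0000018FD3807000-memory.dmp",
    "memory/2348-1-0x0000000140000000-0x00000001402E0000-memory.dmp",
    "memory/3520-4-0x0000000002FD0000-0x0000000002FD1000-memory.dmp",
    "memory/3520-7-0x0000000140000000-0x00000001402E0000-memory.dmp",
    "memory/3520-8-0x0000000140000000-0x00000001402E0000-memory.dmp",
    "memory/3520-10-0x0000000140000000-0x00000001402E0000-memory.dmp",
    "memory/2348-6-0x0000000140000000-0x00000001402E0000-memory.dmp",
    "memory/3520-68-0x0000000001070000-0x0000000001077000-memory.dmp",
    "memory/3112-97-0x0000024F8B980000-0x0000024F8B987000-memory.dmp",
    "memory/3948-114-0x00000153D2130000-0x00000153D2137000-memory.dmp",
    "memory/4880-131-0x0000021839910000-0x0000021839917000-memory.dmp",
]


def parse_dump(name):
    """Return (pid, index, start, end) for one dump name; reject anything else."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError("not a sandbox dump name: %r" % name)
    pid, idx = int(m["pid"]), int(m["idx"])
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError("empty or inverted region in %r" % name)
    return pid, idx, start, end


def group_regions(names):
    """Map (pid, start, end) to the sorted list of dump indices for that region."""
    groups = defaultdict(list)
    for name in names:
        pid, idx, start, end = parse_dump(name)
        groups[(pid, start, end)].append(idx)
    return {key: sorted(idxs) for key, idxs in groups.items()}


def compress(indices):
    """Render a sorted index list compactly: [7, 8, 10] -> '7-8, 10'."""
    runs = []
    for i in indices:
        if runs and i == runs[-1][1] + 1:
            runs[-1][1] = i
        else:
            runs.append([i, i])
    return ", ".join(str(a) if a == b else "%d-%d" % (a, b) for a, b in runs)


def small_regions(groups, max_size=0x10000):
    """(pid, start, size) for every region of at most max_size bytes.

    In this chain the process that receives nearly all dumps holds the
    0x2E0000-byte image; the small regions are what was written into the
    spawned copies (compare the WriteProcessMemory rows) and are the first
    thing to pull for shellcode triage.
    """
    return sorted(
        (pid, start, end - start)
        for (pid, start, end) in groups
        if end - start <= max_size
    )


def summarize(names):
    """Human-readable lines, one per (pid, region), most-dumped region first."""
    groups = group_regions(names)
    order = sorted(groups, key=lambda k: (-len(groups[k]), k))
    return [
        "pid %-5d 0x%016X-0x%016X %8d bytes  dumps %s"
        % (pid, start, end, end - start, compress(groups[(pid, start, end)]))
        for (pid, start, end) in order
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_DUMPS):
        print(line)
    for pid, start, size in small_regions(group_regions(SAMPLE_DUMPS)):
        print("small region: pid %d at 0x%X (%d bytes)" % (pid, start, size))
```

Feed it the full listing from either run (one name per line) to reproduce the grouped view above; the first line of the summary is always the region that was dumped most often, which for this sample is the 0x2E0000-byte image.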

Analysis: behavioral2

Detonation Overview

Submitted:        2024-01-07 09:42
Reported:         2024-01-07 09:45
Platform:         win10v2004-20231215-en
Max time kernel:  167s
Max time network: 157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\48a3c56fe0632fde64f2932afc94f9c0.dll,#1

Signatures

Dridex (tags: botnet, dridex)

Dridex Shellcode (tags: botnet, payload)
  No indicator details recorded.

Adds Run key to start application (tag: persistence)
  Description: Set value (str)
  Key:         \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Value name:  Dturazvnnsjkgvr
  Data:        "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\r6za\SysResetErr.exe" (the raw report renders the backslashes doubled)
  Process:     not recorded

The Run value points at a third copy of SysResetErr.exe, in a directory under the roaming profile where the Files section shows a DUI70.dll being written, so the persistence mechanism is the same side-load as the initial chain. The value name and directory name are random per infection and are not useful as fixed indicators; the combination of a Windows binary name under AppData and a Run value pointing at it is.

Checks whether UAC is enabled (tags: evasion, trojan)
  Description: Key value queried
  Indicator:   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Processes:   C:\Windows\system32\rundll32.exe
               C:\Users\Admin\AppData\Local\L6aFUrz\EaseOfAccessDialog.exe
               C:\Users\Admin\AppData\Local\VDJuNtU\SysResetErr.exe
               C:\Users\Admin\AppData\Local\EhSAgT7\bdechangepin.exe

The three relocated copies perform the same EnableLUA query as the initial rundll32.exe process, which is consistent with the planted DLL, not the legitimate binary's own code, running inside them.

Suspicious behavior: EnumeratesProcesses
  4 hits in C:\Windows\system32\rundll32.exe; 60 further hits with no process, indicator or target recorded.

Suspicious use of UnmapMainImage
  No indicator details recorded.

Suspicious use of WriteProcessMemory

  Source PID  Target PID  Target image                                                  Write events
  3520        2536        C:\Windows\system32\EaseOfAccessDialog.exe                    2
  3520        3112        C:\Users\Admin\AppData\Local\L6aFUrz\EaseOfAccessDialog.exe   2
  3520        1808        C:\Windows\system32\SysResetErr.exe                           2
  3520        3948        C:\Users\Admin\AppData\Local\VDJuNtU\SysResetErr.exe          2
  3520        976         C:\Windows\system32\bdechangepin.exe                          2
  3520        4880        C:\Users\Admin\AppData\Local\EhSAgT7\bdechangepin.exe         2

PID 3520 does not appear in the process tree below; it is the process that receives nearly all memory dumps in the Files section. It writes into both the System32 instance and the AppData\Local instance of each binary, and the AppData\Local instances (3112, 3948, 4880) are the ones later dumped with a 0x7000-byte region each.

Uses Task Scheduler COM API (tag: persistence)
  No task details recorded.

Processes

  Image                                                          Command line
  C:\Windows\system32\rundll32.exe                               rundll32.exe C:\Users\Admin\AppData\Local\Temp\48a3c56fe0632fde64f2932afc94f9c0.dll,#1
  C:\Windows\system32\EaseOfAccessDialog.exe                     C:\Windows\system32\EaseOfAccessDialog.exe
  C:\Users\Admin\AppData\Local\L6aFUrz\EaseOfAccessDialog.exe    C:\Users\Admin\AppData\Local\L6aFUrz\EaseOfAccessDialog.exe
  C:\Windows\system32\SysResetErr.exe                            C:\Windows\system32\SysResetErr.exe
  C:\Users\Admin\AppData\Local\VDJuNtU\SysResetErr.exe           C:\Users\Admin\AppData\Local\VDJuNtU\SysResetErr.exe
  C:\Windows\system32\bdechangepin.exe                           C:\Windows\system32\bdechangepin.exe
  C:\Users\Admin\AppData\Local\EhSAgT7\bdechangepin.exe          C:\Users\Admin\AppData\Local\EhSAgT7\bdechangepin.exe

As in the Windows 7 run, each Windows binary is launched from System32 and then again from a randomly named directory under C:\Users\Admin\AppData\Local; the Files section shows the DLL written next to each relocated copy (OLEACC.dll for EaseOfAccessDialog.exe, DUI70.dll for SysResetErr.exe and bdechangepin.exe).

Network

  Country  Destination          Proto  Query / host                   Address the PTR query asks about
  US       8.8.8.8:53           udp    81.171.91.138.in-addr.arpa     138.91.171.81
  US       8.8.8.8:53           udp    57.110.18.2.in-addr.arpa       2.18.110.57
  US       8.8.8.8:53           udp    22.160.190.20.in-addr.arpa     20.190.160.22
  US       8.8.8.8:53           udp    194.178.17.96.in-addr.arpa     96.17.178.194
  US       8.8.8.8:53           udp    2.136.104.51.in-addr.arpa      51.104.136.2
  US       8.8.8.8:53           udp    95.221.229.192.in-addr.arpa    192.229.221.95
  US       8.8.8.8:53           udp    9.228.82.20.in-addr.arpa       20.82.228.9
  US       8.8.8.8:53           udp    26.35.223.20.in-addr.arpa      20.223.35.26
  US       8.8.8.8:53           udp    167.109.18.2.in-addr.arpa      2.18.109.167
  US       8.8.8.8:53           udp    103.169.127.40.in-addr.arpa    40.127.169.103
  US       8.8.8.8:53           udp    56.126.166.20.in-addr.arpa     20.166.126.56
  US       8.8.8.8:53           udp    18.134.221.88.in-addr.arpa     88.221.134.18
  US       8.8.8.8:53           udp    208.194.73.20.in-addr.arpa     20.73.194.208
  US       8.8.8.8:53           udp    tse1.mm.bing.net
  US       204.79.197.200:443   tcp    tse1.mm.bing.net (5 connections)
  US       8.8.8.8:53           udp    200.197.79.204.in-addr.arpa    204.79.197.200
  US       8.8.8.8:53           udp    21.236.111.52.in-addr.arpa     52.111.236.21

Everything captured is reverse (PTR) lookups sent to 8.8.8.8 plus HTTPS to tse1.mm.bing.net, and the addresses being looked up are consistent with Microsoft and CDN address space (one of them is the Bing host just contacted). This is the background traffic of the Windows 10 sandbox image, not the sample. No Dridex command-and-control traffic was recorded in either run, so none of these entries should be used as an indicator of compromise.

Files

Memory dumps, grouped by process and region (the index in each dump name is the order in which the sandbox took it; the original listing is one memory/<pid>-<index>-<start>-<end>-memory.dmp line per dump):

PID 2348 (first process dumped)
  0x0000018FD3800000-0x0000018FD3807000  0x7000 bytes    dump 0
  0x0000000140000000-0x00000001402E0000  0x2E0000 bytes  dumps 1, 6

PID 3520 (the source of every WriteProcessMemory row above; not in the process tree)
  0x0000000002FD0000-0x0000000002FD1000  0x1000 bytes    dump 4
  0x0000000140000000-0x00000001402E0000  0x2E0000 bytes  dumps 7-8, 10-65
  0x00007FFD492DA000-0x00007FFD492DB000  0x1000 bytes    dump 9
  0x0000000001070000-0x0000000001077000  0x7000 bytes    dump 68
  0x00007FFD4ADC0000-0x00007FFD4ADD0000  0x10000 bytes   dump 77

The three relocated copies that 3520 wrote into, one 0x7000-byte region each:
  PID 3112 (C:\Users\Admin\AppData\Local\L6aFUrz\EaseOfAccessDialog.exe)  0x0000024F8B980000-0x0000024F8B987000  dump 97
  PID 3948 (C:\Users\Admin\AppData\Local\VDJuNtU\SysResetErr.exe)         0x00000153D2130000-0x00000153D2137000  dump 114
  PID 4880 (C:\Users\Admin\AppData\Local\EhSAgT7\bdechangepin.exe)        0x0000021839910000-0x0000021839917000  dump 131

Dropped files. Where the same path is listed twice, the sandbox recorded two different file contents at that path, in the order shown.

C:\Users\Admin\AppData\Local\L6aFUrz\OLEACC.dll (first version)
  MD5    90ca33741fa3f3317b299fc1494cabe3
  SHA1   437675e3fbd69bbbc34a18050f28422badf71beb
  SHA256 4b8d03d5c508eb62a2b5606e0893a50c9dccce094f43777cf78c4cdf83e3fbe4
  SHA512 e862c009576f23bbe611f7cffaf578d070cce087c5262a0dc3c5e2f949423845da4f3c4372c1e08b249aae5e3ab071b540e07fe36dfa5ab4b2a5a2606ed64d70

C:\Users\Admin\AppData\Local\L6aFUrz\OLEACC.dll (second version)
  MD5    ae647eafec7b916d8c04ebcf9a037e30
  SHA1   25bcc1fe8217cdfaa03590e9a9a96159e22ad912
  SHA256 685998db7e683c4e27d3b68ca8e862606f1b9e6fdd4ddbce0b2064946057945d
  SHA512 0ca6d38b8a1f8886e670169759940642c2741de246bc9e4ea9a4a96c666584787555d01b721c61dc554b255b8db060bc445565e1bc9e2f0b13aed3735b3fa2ab

C:\Users\Admin\AppData\Local\L6aFUrz\EaseOfAccessDialog.exe (first version)
  MD5    fe1a921b5a33f362e9604c7b373d1aff
  SHA1   3834b4e68ab03d696dfe49f84c3d82cd2df2dc04
  SHA256 3235ccf494d8d33c8c2ed0705eae615e72fa8ca36df4e4d1bd6b11a49c211623
  SHA512 0eb812bf353e13c373cf32406c92b21f46a53612c42b541c2430adde994271bdc1555ac52b9c666708fbc782e694edbeb4811e48138ff587f7a2529a0ed40f33

C:\Users\Admin\AppData\Local\L6aFUrz\EaseOfAccessDialog.exe (second version)
  MD5    d18b9fd270ebea1a1d2ddebb57c94871
  SHA1   2589f3f14deb55fc98e16384631ba0f3dd113869
  SHA256 9a1ccb3d49226bb2f59b06d5400e2f5a3367dd56e5cb5501dc0baa3956099fb0
  SHA512 fb813703ef9b85934ebfe0468e7e7dd6ee306a548dfb0b87bec7f22754a54e0a3f9a863cbbb605286b5dda76222bec456bcfc905b944769dc7bafed965f69313

C:\Users\Admin\AppData\Local\VDJuNtU\DUI70.dll (first version)
  MD5    01a01060cfd7dd82f442204298549671
  SHA1   5fb28aa2cfce44cbafb5219e96ac660f46e03365
  SHA256 ea3dc6a4fcdb3d7dbc3664d0f8a60fd6113fb7de93efd67694e7506bf5156769
  SHA512 e345b7ad298466db85a7b0df0c1c8ada8187ce97116cc07afc2cd9122515ef5c451e6d649a7964927a61ad5fbfe598ba7ddb55df65ef6510c94bff53dc595cbd

C:\Users\Admin\AppData\Local\VDJuNtU\DUI70.dll (second version)
  MD5    40439025294bbf4c5ff1f9e5405a2459
  SHA1   e02a428db3fb7a31e445542ef6ac73b5005efd7d
  SHA256 5d1f18d5bf3689090693a8601e2be29f453442130a72ca291d316701ae4ee25d
  SHA512 48328d806728fbee8f8519baa275ab918c210b5fcdb8f8f587fcd2b7e1b55e984854470cc18d4085e634af904316bd4d8dddbc1c2dfd9782268e4203bbd736d1

C:\Users\Admin\AppData\Local\VDJuNtU\SysResetErr.exe
  MD5    090c6f458d61b7ddbdcfa54e761b8b57
  SHA1   c5a93e9d6eca4c3842156cc0262933b334113864
  SHA256 a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd
  SHA512 c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

C:\Users\Admin\AppData\Local\EhSAgT7\DUI70.dll (first version)
  MD5    ff3b992b312dc9b7daddc6d3601e2b83
  SHA1   10250a412a08df44217c918db049ff754e62c64c
  SHA256 a6b83bee6ac79c75ff2a5c67c632485e03523bed0e8a167161a47c6acc206af6
  SHA512 470ddce60e7d55e535e801358fd1821d24d33cddc2050542c50bcfc1b46c415ce5d858c051fb42d28b4046a086798abf7c50af58a5cf91ff501edba16db66619

C:\Users\Admin\AppData\Local\EhSAgT7\DUI70.dll (second version)
  MD5    d682e37046947e9ee3a97c442a8363da
  SHA1   15b8798d45ff1926600c48e5cb21b3f358ecd48c
  SHA256 345e8acda1f6f32d03725ce70bf61208a6d46897793ba0fb5788ab9c37e07daa
  SHA512 5c72148067cb6699745160c7767c5cdcaa2ee4a28df0f7eab9e7d6cdc79e562433f74d4af8c369948e15117559a843dd4f1461e22fc3d1c926c37f4a542dec2e

C:\Users\Admin\AppData\Local\EhSAgT7\bdechangepin.exe (first version)
  MD5    72143d82f61873389c232334bf88965b
  SHA1   f97b257cd8969f5e7498f4b7b9ba4c51adf1384b
  SHA256 cb566d9fdc44d37e7239025773a026f33976286af099fced552ac630085bc75e
  SHA512 b303ef3eb05cf632aced68eec915a66f5c84716e6a68f955d97fe093ebd2068928371bb40c2996bd7ebd0b156596a023b228b0291ec7357c09a1a80643e4578b

C:\Users\Admin\AppData\Local\EhSAgT7\bdechangepin.exe (second version)
  MD5    7d5f583ba5271bf97ea75a2bec5527b6
  SHA1   fc4f894a421f568e646816af1be3e2be329e7bda
  SHA256 37db01effa14586fce31c4efff6406ea0de27016e5671ab9bb215fcdc1d54ba5
  SHA512 ce9fd31b40d6e4d0f975229d140d4a698866d8aefccafa1809d7619852ab53b8a405e95c410200d2130c4ae8e6e918f4193f3163e9e231a0644ef44df8ec4de2

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk (Startup folder shortcut; persistence)
  MD5    de49ce25464d804dfe7cfc36ff6fb9fe
  SHA1   a0d816862f06a233e4f5fd91e111118349116ebd
  SHA256 d1cf3129a39d087a04d376ae4cf1e17ac54b06616202ea26c0fc2455e9151a7f
  SHA512 16115b088c44aa36cf6f31434a995eb8c0ea9cf59d958e65688f7926c17baedee547696d36db9121c1133d08d6e4cfeb2f4b87349d5369dac4fd9ec735b3b25f

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\ul8B5w1E\OLEACC.dll
  MD5    ff9db7e91cb6688156f30329568f5833
  SHA1   30eaba8be33109b4b6a3198bb2acc6a0c3201055
  SHA256 ac4ded518b561aa50b34b463fcd987259de025f4ab69ae62120da16ba7161fcf
  SHA512 cb5c13d84d64beac2dc2695918934294bfd9ef17e38abafdf37bc3d85bba3427d090af0bb53d9633fe771bda1386b09c5d491a20e13f4120f9b80836bf48dd05

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\r6za\DUI70.dll (the directory the Run value points into)
  MD5    cee365d6416a56afd6b579a6420d10cc
  SHA1   c7333c8d350ed827ad65b4425bf2ea70600eecd3
  SHA256 7fa5384059816c20b736bfd005d3d34541ae4f170e80231f429d4cb38c7c89cc
  SHA512 7e301e0adea4a4598c267b51f63e746ed1a4eb3d0a39cb04cd9dfec1b6cdd9826a44c5c145cbeb9365843017eec31e06e5482d41e6e038e82043498f6a008cbb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\7N\DUI70.dll
  MD5    cd1eabc44a705c154738ecdf6c8f9f5e
  SHA1   4e2ec9bc72e4941dfeb69f6e70d0771ad763fec8
  SHA256 8a3fd5f8c0e34834966c2783b3ad5b332b33418eb51c3b391d5d88f8d590b8ec
  SHA512 833510466db2daee95663ab3d550260e27bbc3efa4dc52434ea34e684d04e9abde0ed1db968c37f02ddd9bbc3a8576feff88d1cf1661e84f17a370301826a4f1
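The individual file hashes above change from build to build, so the durable detection is the behaviour: a Windows binary name executed from a user-writable directory, a side-loadable DLL written into that same directory, and an autorun pointing at such a copy. The following Python script is an added example written for this report, not the sandbox's code. It runs those three checks over a list of process-creation, file-write and registry-set records whose shape is an assumption modelled loosely on Sysmon event fields; the records are constructed from paths in the behavioral2 sections, not copied from any event log, and the binary and DLL name lists are seeded only with the names seen in this report.

```python
"""Flag relocated Windows binaries, planted side-load DLLs and their autoruns.

Added example for this report; it is not the sandbox's code. The event
record shape is an assumption (loosely modelled on Sysmon fields), the
records are constructed from paths in the report, and SYSTEM_BINARIES is
seeded only with names seen here. A real deployment would build it from an
inventory of %SystemRoot%\\System32.
"""
from pathlib import PureWindowsPath

# Seeded from this report; in production derive this from the System32 inventory.
SYSTEM_BINARIES = {
    "psr.exe", "wscript.exe", "rdpclip.exe",
    "easeofaccessdialog.exe", "sysreseterr.exe", "bdechangepin.exe",
}
# DLL names observed written next to the relocated binaries in this report.
SIDELOAD_DLLS = {"oleacc.dll", "dui70.dll"}
# Roots only administrators can write to; anything else counts as user-writable.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed records based on paths in the behavioral2 sections of the report.
EVENTS = [
    {"type": "process", "pid": 2536, "ppid": 3520,
     "image": r"C:\Windows\system32\EaseOfAccessDialog.exe"},
    {"type": "file", "path": r"C:\Users\Admin\AppData\Local\L6aFUrz\OLEACC.dll"},
    {"type": "file", "path": r"C:\Users\Admin\AppData\Local\L6aFUrz\EaseOfAccessDialog.exe"},
    {"type": "process", "pid": 3112, "ppid": 3520,
     "image": r"C:\Users\Admin\AppData\Local\L6aFUrz\EaseOfAccessDialog.exe"},
    {"type": "file", "path": r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\r6za\DUI70.dll"},
    {"type": "registry",
     "key": r"HKU\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "Dturazvnnsjkgvr",
     "data": r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\r6za\SysResetErr.exe"},
    {"type": "file",
     "path": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk"},
    # Benign control: the genuine binary started from System32 must not fire.
    {"type": "process", "pid": 5000, "ppid": 600, "image": r"C:\Windows\System32\wscript.exe"},
]


def _name(path):
    return PureWindowsPath(path).name.lower()


def _dir(path):
    return str(PureWindowsPath(path).parent).lower()


def is_trusted_location(path):
    """True if the path sits under a root that only administrators can write to."""
    return path.lower().startswith(TRUSTED_ROOTS)


def analyze(events):
    """Return a list of findings; each is a dict with 'rule', 'path' and 'dlls'."""
    findings = []
    planted = {}  # lower-cased directory -> set of side-loadable DLL names written there

    # Pass 1: where were side-loadable DLLs written, and did a Startup shortcut appear?
    for ev in events:
        if ev["type"] != "file":
            continue
        name = _name(ev["path"])
        if name in SIDELOAD_DLLS and not is_trusted_location(ev["path"]):
            planted.setdefault(_dir(ev["path"]), set()).add(name)
        if name.endswith(".lnk") and "\\programs\\startup\\" in ev["path"].lower():
            findings.append({"rule": "startup_shortcut", "path": ev["path"], "dlls": []})

    # Pass 2: executions and Run values that point at relocated Windows binaries.
    for ev in events:
        if ev["type"] == "process":
            target, rule = ev["image"], "relocated_system_binary"
        elif ev["type"] == "registry" and ev["key"].lower().endswith("\\currentversion\\run"):
            target, rule = ev["data"].strip('"'), "run_key_to_untrusted_path"
        else:
            continue
        if _name(target) in SYSTEM_BINARIES and not is_trusted_location(target):
            dlls = sorted(planted.get(_dir(target), ()))
            if dlls:
                rule += "_with_planted_dll"
            findings.append({"rule": rule, "path": target, "dlls": dlls})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print("%-45s %s  %s" % (f["rule"], f["path"], ",".join(f["dlls"])))
```

On the constructed records this yields three findings: the Startup shortcut, EaseOfAccessDialog.exe running from L6aFUrz with OLEACC.dll beside it, and the Run value pointing into r6za where DUI70.dll was written; the System32 launches are not flagged. Correlating the DLL write with the binary's directory is what keeps the rule quiet on ordinary per-user installers, which do run executables from AppData but do not drop OLEACC.dll or DUI70.dll next to them.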