Malware Analysis Report

2024-11-30 21:28

Sample ID 240107-x6pq6scecn
Target a0f41bb92994a10264ad86e919305f37.exe
SHA256 d184fdbcb99208ebb87d37628cc85ab3a262db30b4d5db1269c3d99ed83ed026
Tags
dridex botnet evasion payload trojan persistence
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

d184fdbcb99208ebb87d37628cc85ab3a262db30b4d5db1269c3d99ed83ed026

Threat Level: Known bad

The file a0f41bb92994a10264ad86e919305f37.exe was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan persistence

Dridex

Dridex Shellcode

Dridex payload

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:28

Reported

2024-01-07 19:30

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0f41bb92994a10264ad86e919305f37.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0f41bb92994a10264ad86e919305f37.dll,#1

C:\Users\Admin\AppData\Local\sda\Utilman.exe

C:\Users\Admin\AppData\Local\sda\Utilman.exe

C:\Windows\system32\Utilman.exe

C:\Windows\system32\Utilman.exe

C:\Users\Admin\AppData\Local\jjD\shrpubw.exe

C:\Users\Admin\AppData\Local\jjD\shrpubw.exe

C:\Windows\system32\shrpubw.exe

C:\Windows\system32\shrpubw.exe

C:\Users\Admin\AppData\Local\Tgr7pEo\wusa.exe

C:\Users\Admin\AppData\Local\Tgr7pEo\wusa.exe

C:\Windows\system32\wusa.exe

C:\Windows\system32\wusa.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/2104-0-0x00007FFE753F0000-0x00007FFE754A8000-memory.dmp

memory/2104-2-0x000002A6B3CB0000-0x000002A6B3CB7000-memory.dmp

memory/3488-10-0x00007FFE81BDA000-0x00007FFE81BDB000-memory.dmp

memory/3488-21-0x0000000007810000-0x0000000007817000-memory.dmp

memory/3488-19-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3488-29-0x00007FFE835B0000-0x00007FFE835C0000-memory.dmp

memory/3488-38-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3488-28-0x00007FFE835C0000-0x00007FFE835D0000-memory.dmp

memory/3488-27-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3488-18-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3488-17-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3488-16-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3488-15-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3488-14-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3488-13-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3488-12-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3488-11-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3488-9-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3488-8-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3488-7-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3488-6-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3488-5-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3488-3-0x0000000007D30000-0x0000000007D31000-memory.dmp

memory/2104-41-0x00007FFE753F0000-0x00007FFE754A8000-memory.dmp

memory/1592-48-0x00007FFE651A0000-0x00007FFE65259000-memory.dmp

memory/1592-53-0x00007FFE651A0000-0x00007FFE65259000-memory.dmp

memory/1592-49-0x000001FF7EBF0000-0x000001FF7EBF7000-memory.dmp

memory/2828-69-0x00007FFE65540000-0x00007FFE655F9000-memory.dmp

memory/2828-66-0x0000027194450000-0x0000027194457000-memory.dmp

memory/2828-64-0x00007FFE65540000-0x00007FFE655F9000-memory.dmp

memory/1432-82-0x000001DF27EE0000-0x000001DF27EE7000-memory.dmp

memory/1432-85-0x00007FFE651D0000-0x00007FFE65289000-memory.dmp

memory/1432-80-0x00007FFE651D0000-0x00007FFE65289000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 19:28

Reported

2024-01-07 19:31

Platform

win7-20231215-en

Max time kernel

150s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0f41bb92994a10264ad86e919305f37.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\qPY\tcmsetup.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\keO\p2phost.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Pqz\winlogon.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\5BtFVW8\\p2phost.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\qPY\tcmsetup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\keO\p2phost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Pqz\winlogon.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 2816 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1260 wrote to memory of 2816 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1260 wrote to memory of 2816 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1260 wrote to memory of 2932 N/A N/A C:\Users\Admin\AppData\Local\qPY\tcmsetup.exe
PID 1260 wrote to memory of 2932 N/A N/A C:\Users\Admin\AppData\Local\qPY\tcmsetup.exe
PID 1260 wrote to memory of 2932 N/A N/A C:\Users\Admin\AppData\Local\qPY\tcmsetup.exe
PID 1260 wrote to memory of 2060 N/A N/A C:\Windows\system32\p2phost.exe
PID 1260 wrote to memory of 2060 N/A N/A C:\Windows\system32\p2phost.exe
PID 1260 wrote to memory of 2060 N/A N/A C:\Windows\system32\p2phost.exe
PID 1260 wrote to memory of 2256 N/A N/A C:\Users\Admin\AppData\Local\keO\p2phost.exe
PID 1260 wrote to memory of 2256 N/A N/A C:\Users\Admin\AppData\Local\keO\p2phost.exe
PID 1260 wrote to memory of 2256 N/A N/A C:\Users\Admin\AppData\Local\keO\p2phost.exe
PID 1260 wrote to memory of 1592 N/A N/A C:\Windows\system32\winlogon.exe
PID 1260 wrote to memory of 1592 N/A N/A C:\Windows\system32\winlogon.exe
PID 1260 wrote to memory of 1592 N/A N/A C:\Windows\system32\winlogon.exe
PID 1260 wrote to memory of 1672 N/A N/A C:\Users\Admin\AppData\Local\Pqz\winlogon.exe
PID 1260 wrote to memory of 1672 N/A N/A C:\Users\Admin\AppData\Local\Pqz\winlogon.exe
PID 1260 wrote to memory of 1672 N/A N/A C:\Users\Admin\AppData\Local\Pqz\winlogon.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0f41bb92994a10264ad86e919305f37.dll,#1

C:\Windows\system32\tcmsetup.exe

C:\Windows\system32\tcmsetup.exe

C:\Users\Admin\AppData\Local\qPY\tcmsetup.exe

C:\Users\Admin\AppData\Local\qPY\tcmsetup.exe

C:\Windows\system32\p2phost.exe

C:\Windows\system32\p2phost.exe

C:\Users\Admin\AppData\Local\keO\p2phost.exe

C:\Users\Admin\AppData\Local\keO\p2phost.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\winlogon.exe

C:\Users\Admin\AppData\Local\Pqz\winlogon.exe

C:\Users\Admin\AppData\Local\Pqz\winlogon.exe

Network

N/A

Files

memory/2252-0-0x000007FEF6950000-0x000007FEF6A08000-memory.dmp

memory/2252-1-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1260-3-0x0000000077176000-0x0000000077177000-memory.dmp

memory/1260-6-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1260-4-0x0000000002A40000-0x0000000002A41000-memory.dmp

memory/1260-9-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1260-8-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1260-10-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1260-12-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1260-15-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1260-13-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1260-14-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1260-11-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1260-7-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1260-16-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1260-20-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1260-17-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1260-19-0x0000000002A20000-0x0000000002A27000-memory.dmp

memory/1260-18-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1260-28-0x00000000773E0000-0x00000000773E2000-memory.dmp

memory/1260-29-0x0000000077410000-0x0000000077412000-memory.dmp

memory/1260-27-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1260-38-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1260-40-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/2252-41-0x000007FEF6950000-0x000007FEF6A08000-memory.dmp

memory/1260-50-0x0000000077176000-0x0000000077177000-memory.dmp

\Users\Admin\AppData\Local\qPY\tcmsetup.exe

MD5 0b08315da0da7f9f472fbab510bfe7b8
SHA1 33ba48fd980216becc532466a5ff8476bec0b31c
SHA256 e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7
SHA512 c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

C:\Users\Admin\AppData\Local\qPY\TAPI32.dll

MD5 4df36c65c9432a9d095a027c6d3aa259
SHA1 8dae546630c7cc75600e0c56507d71f1dec8ef8f
SHA256 e9c2db9edf2b45fef68fe47a2c109a7fabc033f0c594ff6dd6aca036f85660ea
SHA512 afa1bcb07d9c31c292cb2801e11944c3683ca1de213e3f51c8c103ba1e98e3a722847c0b617e8718539300e8452ab74e09108168fffa9e93c7f9ccb7a3f4c4b6

memory/2932-57-0x0000000000200000-0x0000000000207000-memory.dmp

memory/2932-56-0x000007FEF6970000-0x000007FEF6A2A000-memory.dmp

memory/2932-61-0x000007FEF6970000-0x000007FEF6A2A000-memory.dmp

C:\Users\Admin\AppData\Local\keO\p2phost.exe

MD5 4b13b1f4f48cce5d9a1acccddae1998f
SHA1 4a1d112d1eafb8d45c715ec37e34a5e38d0d9377
SHA256 010731808368019633827667560e534f5cda7295d9ae04585e099e238fb1a184
SHA512 e16516f85de923e24c5baf95e6fa937802fcc3834cfe25ed0fc45c54ba66ee4dfa2b2d94664a0c5684a42fc3e71d212cc094e0778d3146fcf84a95f1ed22a5b4

memory/2256-73-0x000007FEF6970000-0x000007FEF6A29000-memory.dmp

memory/2256-75-0x0000000000310000-0x0000000000317000-memory.dmp

\Users\Admin\AppData\Local\keO\P2P.dll

MD5 6ecfeadc70b6e19027385af48ab40bf3
SHA1 4e6c84545a51df488fe9ceede1f050c276851084
SHA256 9d9cfcf4e475387687e55cd9109b4e72085866aae77e69ab306919a700c73f54
SHA512 8a8adf193fa8502680c5c3f5b0baa623885caf6dc393f4cfdae5039a42ff6b66ab473891502f32df8dfbd8d2049201c529a37003100f680c0974b4ddceb5e1f8

memory/2256-77-0x000007FEF6970000-0x000007FEF6A29000-memory.dmp

C:\Users\Admin\AppData\Local\keO\P2P.dll

MD5 beb51156965a44e2a48bf666a4d9dda4
SHA1 8f391ba67c7ac7e81cc21b77a2fdc9ea13899b68
SHA256 1cbe703ef2e31240876c205ac46ed5afa4f17b23ccd2f68c7b4a7bc073d6d6a7
SHA512 5dbc5ee8f180dbda0db2c760112e5673995d83280f21aa25abee274839c99e4ca7eae4116dbea593e2cec2e154f97a32967d16afceb284da68aef07dae12dc13

\Users\Admin\AppData\Local\keO\p2phost.exe

MD5 f43042df2fb2a731c2510f6b5c3f3431
SHA1 f6ec608b0d9eaaa2b1e0807e211d0972b9d1698f
SHA256 c1af5d78c48efdf39dd149266855044f09335b19449a6b7f3ef189c5174de2c7
SHA512 ede1f9b3cc70fd28bf9910669b561278dfa0fc676028402d2b93837aba59312b8b6b92bac353518ee4ad4bd2188f33843140a48efd4c1b7cc33e1fe8265ce1e6

C:\Users\Admin\AppData\Local\keO\p2phost.exe

MD5 3e70152cb32a513f27220beb753f3142
SHA1 e12dea5802ae58ecca5b0abc43ea79e5e6231651
SHA256 f456d05929400fca342b8d16faa8f09e3750fedc51929820c02e543faf600865
SHA512 baca02773c81b0ae4b9bc8fdf662fd0dea3b98d0aa00d8b2861117b89d6717001cda13e08bea6b2157b98a7a52fb518874355d0920703f6ce0e88d49a761c4d1

\Users\Admin\AppData\Local\Pqz\winlogon.exe

MD5 19f89668d2d2895b2da5a8906e71f42d
SHA1 82aed3129f55ee32c5dc6ed3c9796b1554b081c4
SHA256 d371822d369fbf650648e64a39a52dd0b4ab49143382482cdc4c6491f9ebbcc7
SHA512 df9c1dff11a2f934f3f75322e61955f9ba3c9a0d2898c1fd57bbe6f3cbf21a9ea1f408e73749df804fffd044933c061c9ed12da39bd5291b2996079ec63297f2

C:\Users\Admin\AppData\Local\Pqz\WINSTA.dll

MD5 f29c825789df2e96426f3897d573ba3f
SHA1 d365461225ff7d8cdc68a88bcbd9133729a16e21
SHA256 3f162a6504852870b5f91dfac808f6d97b66c0fd248ef837b95fed3c54009d8e
SHA512 d74d26a809da22fecfe15d52b7974cd855bda9334d2874878aa7faf901f6208036a6063d5067c2f774cdf02e1f9d5240781d00f5f7958e1f31f071b67a08ecf0

\Users\Admin\AppData\Local\Pqz\WINSTA.dll

MD5 d8e31d5003d29c4c40f898ca4997a270
SHA1 09794fc27925383dc6276b4473d0764463fb0ff7
SHA256 2705283dae37c954289a511f592c65b1f1ed303bdf03c028da6fa45fa8fe5e38
SHA512 33d6b44df89e99db34dfa428beb46975995f22dd1c28daff20cbf8db6ef784e7e12ec1dcf7dfa8645b80f4d8c3fae69e0d620d6c7cb6a87ffec0f1484ead8880

C:\Users\Admin\AppData\Local\Pqz\winlogon.exe

MD5 167f2ef25b2b9c4def8a549311f13ed3
SHA1 e9b1211b18ab02054bc772df57784a81fd66076c
SHA256 120393b40a4fa0494764a476d2996d87bfb0e1f29efc9544d423da830c40e41e
SHA512 2316112ae64ca3ba6a4d52a2b67515c9c3ee01186f1094abdc9f9a3426b86421c011813a7b4c3c942775f883340d9d4e0c1340622fa3c962ffc47f6c20fe5b1a

memory/1672-90-0x00000000000F0000-0x00000000000F7000-memory.dmp

memory/1672-95-0x000007FEF6970000-0x000007FEF6A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Pqz\winlogon.exe

MD5 054005405f3cde19c2059b205baf10fd
SHA1 dfcdf87dd8917f93ddc2d23b6b03e08c34c0ed96
SHA256 47ef6f7558c29ff0e3b394cd8b73ab9be0ddd6e3e12e3f21cbf79af273f6e7c9
SHA512 db6092924f3718ddb65be3d94977b00bf5215399bc1be9ad76d9ae8493677e6b572223f64232d77cfee035090632ee62183b1e42806d42a3b12970a578cd0ec6

\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\xSH9\winlogon.exe

MD5 513b95034df858a27ed7a31607933b7d
SHA1 3adeb4b2082a31c163781ae1d7c918931b9decf3
SHA256 5615382b4692db2bc579f92626a23ce5504e6521fe0167b5758cda0474451b87
SHA512 8403089bbc3bdf0b8208ec789dbb8e4c86547e2268a4a00384810c857123d035714886dda1c80d36032b4d01ced58cb50c048e02ccbd584932054e2efe462904

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 0a36c3d4ec14a56521eebde52cc96a4e
SHA1 8436cf5d35907029f774834525658379aa5333b8
SHA256 bb8c639b7b8aa452cf194a6e50a457af48e9cb1854c2843e05c25ab35442ac7b
SHA512 cf95dc17edede9c2e84380be544e47d5afd89ec791b26949846d170fbf461d99248534c130ac4db5573e176eab0c20e374d33539fc45e52541446add0c76f6b3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\5BtFVW8\P2P.dll

MD5 fe30dfe2eff50dfa09210736e1f114c5
SHA1 6f06ed39fad41e23483984f2886a30840a129390
SHA256 c39ea5eacdf16656b1fbe9b34c097475667949795561540826874b856d3eab31
SHA512 0a68de282ebe688207be3802d62972e6e97412d680cb54ab4a1fa6b540dddbab4e9d82272c80910f213e2c7a55fc67a48b81db29eac940e3ee21b015603a71cd

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\xSH9\WINSTA.dll

MD5 1d5df93cfb34af3fd18351b4b18f7efc
SHA1 2703cf4cbf90ab169873aa6924682505fb0da917
SHA256 b017e73388c12c69802e6fcb902aff1977ef04b6355d891985198435560a6942
SHA512 8cef9811af52d4471a9d64e564602e940d988d08b0ea4f5b021d995e30c05d2afd53d64d78e9dc9121749926cf2577e84c46ada75da1c6f0bab300a260d72fd3