Malware Analysis Report

2024-11-15 08:50

Sample ID 240119-knk9tabbb5
Target 672feea11a362219307b071df8f2dfa3
SHA256 2ba43678d9bb9bc374a126ea5792659d1b09bcb9ecb21dcbc233889a27082eef
Tags
dridex botnet evasion payload trojan persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2ba43678d9bb9bc374a126ea5792659d1b09bcb9ecb21dcbc233889a27082eef

Threat Level: Known bad

The file 672feea11a362219307b071df8f2dfa3 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan persistence

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-19 08:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-19 08:44

Reported

2024-01-19 08:47

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\672feea11a362219307b071df8f2dfa3.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\RqQ N/A N/A
File opened for modification C:\Windows\System32\D8 N/A N/A
File opened for modification C:\Windows\System32\nfw N/A N/A
File opened for modification C:\Windows\System32\GKGcJAHnbYS N/A N/A
File opened for modification C:\Windows\System32\zdsn1yZXRcg N/A N/A
File opened for modification C:\Windows\System32\voCCun4G N/A N/A
File opened for modification C:\Windows\System32\e7j7qfEpn7z N/A N/A
File opened for modification C:\Windows\System32\0crGwn N/A N/A
File opened for modification C:\Windows\System32\fkOK3 N/A N/A
File opened for modification C:\Windows\System32\qYxfpHk N/A N/A
File opened for modification C:\Windows\System32\wxTiiAWjLDT N/A N/A
File opened for modification C:\Windows\System32\irbZMK N/A N/A
File opened for modification C:\Windows\System32\79 N/A N/A
File opened for modification C:\Windows\System32\GGaOZat0V N/A N/A
File opened for modification C:\Windows\System32\8tnGL N/A N/A
File opened for modification C:\Windows\System32\saA1TzDAOB N/A N/A
File opened for modification C:\Windows\System32\2MxXm N/A N/A
File opened for modification C:\Windows\System32\3UE9h N/A N/A
File opened for modification C:\Windows\System32\qh N/A N/A
File opened for modification C:\Windows\System32\2nj4dRP9 N/A N/A
File opened for modification C:\Windows\System32\gP N/A N/A
File opened for modification C:\Windows\System32\TabJcaHyK N/A N/A
File opened for modification C:\Windows\System32\8PsIEFp N/A N/A
File opened for modification C:\Windows\System32\B2sV0206 N/A N/A
File opened for modification C:\Windows\System32\pJlH4 N/A N/A
File opened for modification C:\Windows\System32\JDHLwWEmg N/A N/A
File opened for modification C:\Windows\System32\dIttYbYCEYO N/A N/A
File opened for modification C:\Windows\System32\6O7xbuNO N/A N/A
File opened for modification C:\Windows\System32\lr2GD N/A N/A
File opened for modification C:\Windows\System32\ZCVcg3 N/A N/A
File opened for modification C:\Windows\System32\0sSL N/A N/A
File opened for modification C:\Windows\System32\hfvARfi1L N/A N/A
File opened for modification C:\Windows\System32\dZcmfJ0c N/A N/A
File opened for modification C:\Windows\System32\oO4Trrd5 N/A N/A
File opened for modification C:\Windows\System32\6U0ovszxnL N/A N/A
File opened for modification C:\Windows\System32\JtgxP1tuB N/A N/A
File opened for modification C:\Windows\System32\JO1A N/A N/A
File opened for modification C:\Windows\System32\TTBrF N/A N/A
File opened for modification C:\Windows\System32\4CBE7k N/A N/A
File opened for modification C:\Windows\System32\Tvv95f3 N/A N/A
File opened for modification C:\Windows\System32\syTggeZcW8 N/A N/A
File opened for modification C:\Windows\System32\Ar9rUmHVa5 N/A N/A
File opened for modification C:\Windows\System32\ZGzYZEtLd8q N/A N/A
File opened for modification C:\Windows\System32\g3taispl N/A N/A
File opened for modification C:\Windows\System32\Lu N/A N/A
File opened for modification C:\Windows\System32\Evj7TGVF N/A N/A
File opened for modification C:\Windows\System32\aM49EUrHRSW N/A N/A
File opened for modification C:\Windows\System32\EJHyLzj4 N/A N/A
File opened for modification C:\Windows\System32\WBJYUloIcX N/A N/A
File opened for modification C:\Windows\System32\iAr N/A N/A
File opened for modification C:\Windows\System32\dQZHNKj1hs N/A N/A
File opened for modification C:\Windows\System32\Sh N/A N/A
File opened for modification C:\Windows\System32\YkFcamkA6ew N/A N/A
File opened for modification C:\Windows\System32\i9hlrclUj4r N/A N/A
File opened for modification C:\Windows\System32\IaewGNtBF N/A N/A
File opened for modification C:\Windows\System32\MolS4sUhiQ N/A N/A
File opened for modification C:\Windows\System32\71Op07k N/A N/A
File opened for modification C:\Windows\System32\oz N/A N/A
File opened for modification C:\Windows\System32\ZgdtYxiUGow N/A N/A
File opened for modification C:\Windows\System32\Q2WUCZ32V N/A N/A
File opened for modification C:\Windows\System32\69 N/A N/A
File opened for modification C:\Windows\System32\Pc N/A N/A
File opened for modification C:\Windows\System32\rY N/A N/A
File opened for modification C:\Windows\System32\Y1pGee6ME N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further hits of this signature were recorded with no description, indicator, process or target)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\672feea11a362219307b071df8f2dfa3.dll,#1

Network

N/A

Files

memory/1984-0-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1984-1-0x0000000000290000-0x0000000000297000-memory.dmp

memory/1292-4-0x0000000077616000-0x0000000077617000-memory.dmp

memory/1292-5-0x0000000002A80000-0x0000000002A81000-memory.dmp

memory/1292-8-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-10-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-15-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-16-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-18-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-19-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-20-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-21-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-26-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-27-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-28-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-31-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-32-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-33-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-29-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-34-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-35-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-37-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-38-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-39-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-40-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-41-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-36-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-30-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-42-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-46-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-45-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-44-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-48-0x0000000002A50000-0x0000000002A57000-memory.dmp

memory/1292-47-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-43-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-25-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-23-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-55-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-24-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-22-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-17-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-14-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-12-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-13-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-11-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-9-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1984-7-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-56-0x0000000077721000-0x0000000077722000-memory.dmp

memory/1292-57-0x0000000077880000-0x0000000077882000-memory.dmp

memory/1292-66-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-70-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-75-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1292-77-0x0000000077616000-0x0000000077617000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-19 08:44

Reported

2024-01-19 08:47

Platform

win10v2004-20231222-en

Max time kernel

12s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\672feea11a362219307b071df8f2dfa3.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\6HDL\\sdclt.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\dwTv\SystemPropertiesPerformance.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\F1VHZ\OptionalFeatures.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\0p2z\sdclt.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further hits of this signature were recorded with no description, indicator, process or target)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3480 wrote to memory of 5088 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 3480 wrote to memory of 5088 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 3480 wrote to memory of 392 N/A N/A C:\Users\Admin\AppData\Local\F1VHZ\OptionalFeatures.exe
PID 3480 wrote to memory of 392 N/A N/A C:\Users\Admin\AppData\Local\F1VHZ\OptionalFeatures.exe
PID 3480 wrote to memory of 4288 N/A N/A C:\Windows\system32\sdclt.exe
PID 3480 wrote to memory of 4288 N/A N/A C:\Windows\system32\sdclt.exe
PID 3480 wrote to memory of 856 N/A N/A C:\Users\Admin\AppData\Local\0p2z\sdclt.exe
PID 3480 wrote to memory of 856 N/A N/A C:\Users\Admin\AppData\Local\0p2z\sdclt.exe
PID 3480 wrote to memory of 3284 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 3480 wrote to memory of 3284 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 3480 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\dwTv\SystemPropertiesPerformance.exe
PID 3480 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\dwTv\SystemPropertiesPerformance.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\672feea11a362219307b071df8f2dfa3.dll,#1

C:\Windows\system32\OptionalFeatures.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Windows\system32\sdclt.exe

C:\Windows\system32\sdclt.exe

C:\Users\Admin\AppData\Local\0p2z\sdclt.exe

C:\Users\Admin\AppData\Local\0p2z\sdclt.exe

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\dwTv\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\dwTv\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\F1VHZ\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\F1VHZ\OptionalFeatures.exe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup
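The WriteProcessMemory table and the process list above show the loader pattern a practitioner should pull out of this run: the rundll32.exe that loaded the sample (PID 3480 in the table) writes into three Windows binaries (OptionalFeatures.exe, sdclt.exe, SystemPropertiesPerformance.exe), once at their System32 location and once as a copy under C:\Users\Admin\AppData\Local\<random>\, and the Files section lists one module with a system-DLL name (appwiz.cpl, WTSAPI32.dll, SYSDM.CPL) dropped into each of those directories. A signed Windows executable running from a user-writable folder next to a module it would normally resolve from System32 is the DLL side-loading tell. The script below is an added example, not part of the sandbox report; it pairs the evidence by directory only (it does not verify the binaries' import tables), and the INJECTIONS and DROPPED lists are constructed from the rows above.

```python
"""Pair the injection evidence and dropped files from this report into DLL
side-loading candidates.  Added example; not part of the sandbox report."""
import ntpath
from collections import defaultdict

# Constructed from the behavioral2 "Suspicious use of WriteProcessMemory" table
# (parent PID, child PID, child image) and the Files list above.
INJECTIONS = [
    (3480, 5088, r"C:\Windows\system32\OptionalFeatures.exe"),
    (3480, 392, r"C:\Users\Admin\AppData\Local\F1VHZ\OptionalFeatures.exe"),
    (3480, 4288, r"C:\Windows\system32\sdclt.exe"),
    (3480, 856, r"C:\Users\Admin\AppData\Local\0p2z\sdclt.exe"),
    (3480, 3284, r"C:\Windows\system32\SystemPropertiesPerformance.exe"),
    (3480, 2496, r"C:\Users\Admin\AppData\Local\dwTv\SystemPropertiesPerformance.exe"),
]
DROPPED = [
    r"C:\Users\Admin\AppData\Local\F1VHZ\OptionalFeatures.exe",
    r"C:\Users\Admin\AppData\Local\F1VHZ\appwiz.cpl",
    r"C:\Users\Admin\AppData\Local\0p2z\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Local\0p2z\sdclt.exe",
    r"C:\Users\Admin\AppData\Local\dwTv\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\dwTv\SystemPropertiesPerformance.exe",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\6HDL\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\YpWRfm\appwiz.cpl",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\zxs0ONiO\SYSDM.CPL",
]
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
MODULE_EXT = (".dll", ".cpl")


def is_system_dir(path):
    """True when the file sits directly in System32/SysWOW64 (ntpath handles
    Windows paths on any host)."""
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def relocated_system_binaries(injections):
    """{basename: [paths]} for executables seen both inside and outside the
    system directories: the same image name at two locations is the tell."""
    seen = defaultdict(set)
    for _parent, _child, path in injections:
        seen[ntpath.basename(path).lower()].add(path)
    return {name: sorted(paths) for name, paths in seen.items()
            if any(is_system_dir(p) for p in paths)
            and any(not is_system_dir(p) for p in paths)}


def sideload_candidates(injections, dropped):
    """Sorted (exe_path, module_path) pairs: each relocated system binary with
    the DLL/CPL files dropped into its directory."""
    by_dir = defaultdict(list)
    for p in dropped:
        if p.lower().endswith(MODULE_EXT):
            by_dir[ntpath.dirname(p).lower()].append(p)
    pairs = []
    for paths in relocated_system_binaries(injections).values():
        for exe in paths:
            if is_system_dir(exe):
                continue
            for mod in by_dir.get(ntpath.dirname(exe).lower(), []):
                pairs.append((exe, mod))
    return sorted(pairs)


def staged_modules(injections, dropped):
    """Dropped DLL/CPL files whose directory holds no relocated host binary in
    the injection table, i.e. copies staged for later (the Run key above points
    at sdclt.exe in the 6HDL folder, which is one of these directories)."""
    hosted = {ntpath.dirname(m).lower()
              for _e, m in sideload_candidates(injections, dropped)}
    return sorted(p for p in dropped if p.lower().endswith(MODULE_EXT)
                  and ntpath.dirname(p).lower() not in hosted)


if __name__ == "__main__":
    for exe, mod in sideload_candidates(INJECTIONS, DROPPED):
        print(f"side-load: {ntpath.basename(exe)} + {ntpath.basename(mod)} "
              f"in {ntpath.dirname(exe)}")
    for p in staged_modules(INJECTIONS, DROPPED):
        print("staged module:", p)
```

Run against this report the pairing yields three candidates (OptionalFeatures.exe with appwiz.cpl in F1VHZ, sdclt.exe with WTSAPI32.dll in 0p2z, SystemPropertiesPerformance.exe with SYSDM.CPL in dwTv) and three staged modules under AppData\Roaming. On a live host the same logic applies to process-creation telemetry: alert on any image whose basename exists in System32 but whose path does not, and inventory the DLL/CPL files beside it.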

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 50.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
FR 20.74.47.205:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp

Files

memory/2548-1-0x0000000140000000-0x0000000140232000-memory.dmp

memory/2548-0-0x0000024560BD0000-0x0000024560BD7000-memory.dmp

memory/3480-7-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-8-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-9-0x00007FFE4AB8A000-0x00007FFE4AB8B000-memory.dmp

memory/3480-10-0x0000000140000000-0x0000000140232000-memory.dmp

memory/2548-6-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-13-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-14-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-15-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-11-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-16-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-12-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-17-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-18-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-19-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-24-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-26-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-25-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-29-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-30-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-27-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-31-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-32-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-34-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-38-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-40-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-39-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-37-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-36-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-35-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-33-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-28-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-23-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-22-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-21-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-20-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-4-0x0000000002A80000-0x0000000002A81000-memory.dmp

memory/3480-41-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-42-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-43-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-44-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-47-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-48-0x0000000002AB0000-0x0000000002AB7000-memory.dmp

memory/3480-46-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-45-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-55-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-56-0x00007FFE4C300000-0x00007FFE4C310000-memory.dmp

memory/3480-65-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-67-0x0000000140000000-0x0000000140232000-memory.dmp

C:\Users\Admin\AppData\Local\F1VHZ\OptionalFeatures.exe

MD5 ccb77de7fc80373670ad5b6909bc328c
SHA1 a7cd84914eb982a2762c56acc5f55350646a2030
SHA256 76e3b50a1e4497ab5e713d4a932e4152481840b1316a86d884a11ffc273ac5e4
SHA512 df410ebbe928ed1f6a35c09fe30e4e0cd24bc826fac585b387c8b8e55e1e28702435f4f9b1568fd8b43d90d254e92431bb0babdff77d689275e331ff91f29694

memory/392-77-0x0000000140000000-0x0000000140233000-memory.dmp

memory/392-76-0x000001CB79940000-0x000001CB79947000-memory.dmp

memory/392-82-0x0000000140000000-0x0000000140233000-memory.dmp

C:\Users\Admin\AppData\Local\F1VHZ\appwiz.cpl

MD5 ba52e79913a7fd82e1c31fcdafa17b10
SHA1 4bdeffe109abe2ef513d8586832d26fd13d02266
SHA256 f78254132eaaac423188da551b4f52a16a3a0a2f4ce54c6dffa427737d3875f0
SHA512 042b60fe88303d63b629954b265ebb017b08f3f2ed8777da4d316c0ac65c4373f22f7cb4cdb95f02e9aad1d5d41dfbdc6b68d63da45ad67aa1ff9a3c5d9b4ad5

C:\Users\Admin\AppData\Local\F1VHZ\appwiz.cpl

MD5 9a1db82ee3994e92a5fd98a605e124e2
SHA1 0a525a63a56d3312fbf74003121a5133bf52ce33
SHA256 c653de50b15784f2723be8990fe9340fc0f1fe70320af2f11cb26418935779bd
SHA512 547f13da603dc166218d0ac39b9e288b6c031d5b49317b73b960a9703bd03993503acb184336f3091b20f34d264cdf31379a8674c36a6355b0c648362f775c9b

C:\Users\Admin\AppData\Local\F1VHZ\OptionalFeatures.exe

MD5 b4fd8631d5d22c5949827b00b2aa0fd2
SHA1 487bcb33a7db1e75d6767b91471e56581b13070b
SHA256 1aa7d6e54fb487bee82e663acad8b7ff7ad8999985fa05ff14a56270e14233be
SHA512 95ab0ec59b253f4f979051711322ae8f00495d9bb08dcd4480475ab9474db959579ba245cc24ed96e2c3c19429dba2780fe26aae4073301c673fc8f6d5adcf65

C:\Users\Admin\AppData\Local\0p2z\WTSAPI32.dll

MD5 34e57bafae0c49cd80f075b36372f33e
SHA1 94e7c85607b6daa3e5c3f925e269cbe8a0e58d0b
SHA256 35a441466aa17e7d6925a58067809a4525d2ea8be319b83c978bda068e4414db
SHA512 0165bf956a0da41e17c6a977ba68f80fbc29543d325c844e50acbb60e1a0e2bf93c630ae9a2a52deb5a1f9bcd05d135e7a207a6cd43f8c21a4b300eec1e1c149

memory/856-93-0x0000025F059A0000-0x0000025F059A7000-memory.dmp

C:\Users\Admin\AppData\Local\0p2z\WTSAPI32.dll

MD5 f392fc7b9488c69211b3345bb09a088d
SHA1 22defe211b720986599d8606011b15a5d1fb3c56
SHA256 2e45eba40ce65c0e058fda982db1f39314a7ef136a99594a8adda5db39f72733
SHA512 9ac2028760d3ab17b872ba25c51dbf9c1f6c354035476c8cf7099f14b1177a7575bccf2793a8839f719215bc8a59df66dacf5ee60654d6168a985c1e06612717

C:\Users\Admin\AppData\Local\0p2z\sdclt.exe

MD5 f15b88ea80441442ddc20635f134a286
SHA1 b642cffc9932cd8f21c5f79015eebea4495c9cd9
SHA256 b34bac9deb33f119c044c39bef743fd0a8b25a0dde3103a5277b73a67ca68b2a
SHA512 587ab788cbdd87dc6c25bd2b15aaca827342d759c4360b22c11a8c9da2fbd773df277fa85e379020ea333016568a3cbf26d74550ba5aa3d60c18b19a3ba405da

C:\Users\Admin\AppData\Local\dwTv\SYSDM.CPL

MD5 646cea338c8b39c63b12ef4f55c68bc7
SHA1 c2efd39bd114024cd83a7f6d301611981cc591fb
SHA256 cd7278233deb875805654e006bd1cc787ad5d0656aefede62af55b1028861cd1
SHA512 5910a6fe2db5d786aa14ee578186158f6f7084a04e6d2c6bba89615bddc2ff113a9443fee738c18855f5793772b3637db6a42ca45887c288352ca458d19b09d5

memory/2496-110-0x0000025065F60000-0x0000025065F67000-memory.dmp

C:\Users\Admin\AppData\Local\dwTv\SYSDM.CPL

MD5 008db85b1cbaa9fd6f37bcab0b100d9e
SHA1 d643cb700ab8b8612a1c78e926e284a7ac9b77e1
SHA256 c354d6eb5ddb91df8decaa84da31fced1174bd4955073503a95f4b5f0f112be4
SHA512 a3ea402314bbeae45119187ac561c372e83e7815f2588517aa7761be1f2842fecdf5ed959fd20d4ceb6133f9c8bff92bccd15d3544531773dc10e570ee868c47

C:\Users\Admin\AppData\Local\dwTv\SystemPropertiesPerformance.exe

MD5 e4fbf7cab8669c7c9cef92205d2f2ffc
SHA1 adbfa782b7998720fa85678cc85863b961975e28
SHA256 b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30
SHA512 c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

C:\Users\Admin\AppData\Local\0p2z\sdclt.exe

MD5 bee2b9320a12b32e08f6be8e3b501690
SHA1 7b1fa8fa04b7f740cc13bbe381833d1446795f1b
SHA256 a87533b814add5d8cb20ad07c49046721d8a201e635330902c9e74717e753837
SHA512 e228e43bd0887acb47af6e2fba0d40967f8f4ed661e8b43871915cfc2da8398e141eb16d085ffc26434925adaecc505fdd513976b83773a524bb6e9302f57aa6

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

MD5 1cb25593f5d8b79daf20d9e6dde59b1f
SHA1 8ee574b66c9d32b2f5292c8667a69b86d6269e09
SHA256 24a1b783f4032148ca2abfcf7558beabeefdeb62aee0647fef244ad09f94791d
SHA512 984064945696488a32e39b623673d38667ba9fe0abee025e01888e98e7942b2a195aa08946f04b6e38657e9406dea1c1fe708789066366674c63f6378686c24e

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\YpWRfm\appwiz.cpl

MD5 a27bd4f099e29a79b536d9efedc4a501
SHA1 b5dda25f1c692033cc771c042fba85a5843a91b9
SHA256 e920d1963206a756292996b326fcbb7ca2a9cc5e0905ecd9329365ba4fce9015
SHA512 0ba0e57a55385276c4cbbf390d97f168ed1100a5c62991f139bb39b5c1d3da86e830b703fc72e87ac24b694ed91b6426f116f6fcbea564099214db67f28fdcea

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\6HDL\WTSAPI32.dll

MD5 68306cd11ee5ed2a8021be7065890012
SHA1 e7b33e4d42790d07a3e8bf4c6ce641968938bf08
SHA256 79951f3d11a47777e33a50e5dc3a3c80a5d0d5c341435e371b81fe7bc24be6a6
SHA512 638375ca73172551d44c6f32290c44ff20b2816a151b78aedf01a409f5f328acefa365dd92e1445034712419e1a0a4626e3203d03577add1099580dbddeb8cf3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\zxs0ONiO\SYSDM.CPL

MD5 d8a95693d30c1a242e63679ce566875c
SHA1 af29b9a8a4ebdb9a9e6c129ed605a1daac162079
SHA256 03859996f4e90b11f513617d577cfc92335b8bb18f14ecffe12ab2e87c4f88e0
SHA512 4931c782e191d41f14c26e9c0b623aabf50a18677b66af78390ad68549322628585d797acc35d495d21c534b6b7ad4248c694c34eb7f35d91d02bb9ab8f595d5
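The Files section above is the part of this report most worth automating: every dropped artifact is a path line followed by MD5/SHA1/SHA256/SHA512 lines, memory dumps are listed in the same block, and the same path can appear twice with different hashes (F1VHZ\appwiz.cpl, F1VHZ\OptionalFeatures.exe, 0p2z\WTSAPI32.dll, 0p2z\sdclt.exe and dwTv\SYSDM.CPL all do), because the file was rewritten during the run. The Run key and the Startup .lnk are the persistence entries. The parser below is an added example written for this report's plain-text layout, not the sandbox vendor's tooling; REPORT is a constructed excerpt copied from the behavioral2 section and truncated to three file entries, and the regular expressions assume the exact line shapes shown on this page.

```python
"""Extract IOCs from a plain-text sandbox report in the layout used above.
Added example; not part of the report or of the sandbox vendor's tooling."""
import re
from collections import defaultdict

# Constructed excerpt in the report's own layout (three file entries and the
# Run key from the behavioral2 section above).
REPORT = r"""
Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\6HDL\\sdclt.exe" N/A N/A

Files

memory/2548-1-0x0000000140000000-0x0000000140232000-memory.dmp

C:\Users\Admin\AppData\Local\F1VHZ\appwiz.cpl

MD5 ba52e79913a7fd82e1c31fcdafa17b10
SHA1 4bdeffe109abe2ef513d8586832d26fd13d02266
SHA256 f78254132eaaac423188da551b4f52a16a3a0a2f4ce54c6dffa427737d3875f0
SHA512 042b60fe88303d63b629954b265ebb017b08f3f2ed8777da4d316c0ac65c4373f22f7cb4cdb95f02e9aad1d5d41dfbdc6b68d63da45ad67aa1ff9a3c5d9b4ad5

C:\Users\Admin\AppData\Local\F1VHZ\appwiz.cpl

MD5 9a1db82ee3994e92a5fd98a605e124e2
SHA1 0a525a63a56d3312fbf74003121a5133bf52ce33
SHA256 c653de50b15784f2723be8990fe9340fc0f1fe70320af2f11cb26418935779bd
SHA512 547f13da603dc166218d0ac39b9e288b6c031d5b49317b73b960a9703bd03993503acb184336f3091b20f34d264cdf31379a8674c36a6355b0c648362f775c9b

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

MD5 1cb25593f5d8b79daf20d9e6dde59b1f
SHA1 8ee574b66c9d32b2f5292c8667a69b86d6269e09
SHA256 24a1b783f4032148ca2abfcf7558beabeefdeb62aee0647fef244ad09f94791d
SHA512 984064945696488a32e39b623673d38667ba9fe0abee025e01888e98e7942b2a195aa08946f04b6e38657e9406dea1c1fe708789066366674c63f6378686c24e
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S")          # a dropped-file path line
RUNKEY_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\\S*\\Run\\\S+) = "(.*)"')


def parse_report(text):
    """Return {"files": [{"path", "MD5", ...}, ...], "run_keys": [(name, target)]}.
    A path listed twice yields two entries so neither hash is lost; memory/...
    dump lines are not artifacts and are skipped; a digest of the wrong length
    means the report was mangled in transit and is rejected rather than stored."""
    files, run_keys, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUNKEY_RE.match(line)
        if m:
            value_name = m.group(2).rsplit("\\", 1)[1]
            target = m.group(3).replace("\\\\", "\\")   # undo the report's escaping
            run_keys.append((value_name, target))
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"bad {algo} length for {current['path']}")
            current[algo] = digest
    return {"files": files, "run_keys": run_keys}


def hash_blocklist(parsed, algo="SHA256"):
    """Unique digests of one algorithm, ready for a blocklist or a hunt query."""
    return sorted({f[algo] for f in parsed["files"] if algo in f})


def rewritten_paths(parsed):
    """Paths reported with more than one SHA256 (written, then replaced)."""
    seen = defaultdict(set)
    for f in parsed["files"]:
        if "SHA256" in f:
            seen[f["path"]].add(f["SHA256"])
    return sorted(p for p, digests in seen.items() if len(digests) > 1)


def persistence_targets(parsed):
    """Run-key targets plus anything dropped into a Startup folder."""
    targets = [t for _name, t in parsed["run_keys"]]
    targets += [f["path"] for f in parsed["files"] if "\\startup\\" in f["path"].lower()]
    return targets


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    print("SHA256 blocklist:", *hash_blocklist(parsed), sep="\n  ")
    print("rewritten:", rewritten_paths(parsed))
    print("persistence:", persistence_targets(parsed))
```

Two practical points the parser encodes: keep every hash for a path that appears more than once (blocking only the last version misses the first write), and treat the Run key target as an IOC even though the report never lists 6HDL\sdclt.exe as a dropped file, because the value is what survives a reboot.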