Malware Analysis Report

2024-11-15 08:50

Sample ID 240123-ylh9bsggf9
Target 706c428f1cdf3c4e2003ba9c1a54b608
SHA256 22cfa40d7e29bf79dc313aa90b86ea3a7716d0a95e553cfe8d112098645a039b
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

22cfa40d7e29bf79dc313aa90b86ea3a7716d0a95e553cfe8d112098645a039b

Threat Level: Known bad

The file 706c428f1cdf3c4e2003ba9c1a54b608 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-23 19:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-23 19:52

Reported

2024-01-23 19:55

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\706c428f1cdf3c4e2003ba9c1a54b608.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\ocD\msdt.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\iOo\javaws.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\aLC1Q\\javaws.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ocD\msdt.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\iOo\javaws.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A (×61)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1224 wrote to memory of 2336 | N/A | N/A | C:\Windows\system32\msdt.exe
PID 1224 wrote to memory of 2336 | N/A | N/A | C:\Windows\system32\msdt.exe
PID 1224 wrote to memory of 2336 | N/A | N/A | C:\Windows\system32\msdt.exe
PID 1224 wrote to memory of 2580 | N/A | N/A | C:\Users\Admin\AppData\Local\ocD\msdt.exe
PID 1224 wrote to memory of 2580 | N/A | N/A | C:\Users\Admin\AppData\Local\ocD\msdt.exe
PID 1224 wrote to memory of 2580 | N/A | N/A | C:\Users\Admin\AppData\Local\ocD\msdt.exe
PID 1224 wrote to memory of 572 | N/A | N/A | C:\Windows\system32\javaws.exe
PID 1224 wrote to memory of 572 | N/A | N/A | C:\Windows\system32\javaws.exe
PID 1224 wrote to memory of 572 | N/A | N/A | C:\Windows\system32\javaws.exe
PID 1224 wrote to memory of 272 | N/A | N/A | C:\Users\Admin\AppData\Local\iOo\javaws.exe
PID 1224 wrote to memory of 272 | N/A | N/A | C:\Users\Admin\AppData\Local\iOo\javaws.exe
PID 1224 wrote to memory of 272 | N/A | N/A | C:\Users\Admin\AppData\Local\iOo\javaws.exe
PID 1224 wrote to memory of 2948 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe
PID 1224 wrote to memory of 2948 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe
PID 1224 wrote to memory of 2948 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe
PID 1224 wrote to memory of 2428 | N/A | N/A | C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe
PID 1224 wrote to memory of 2428 | N/A | N/A | C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe
PID 1224 wrote to memory of 2428 | N/A | N/A | C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\706c428f1cdf3c4e2003ba9c1a54b608.dll,#1

C:\Windows\system32\msdt.exe

C:\Windows\system32\msdt.exe

C:\Users\Admin\AppData\Local\ocD\msdt.exe

C:\Users\Admin\AppData\Local\ocD\msdt.exe

C:\Windows\system32\javaws.exe

C:\Windows\system32\javaws.exe

C:\Users\Admin\AppData\Local\iOo\javaws.exe

C:\Users\Admin\AppData\Local\iOo\javaws.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe

Network

N/A

Files

memory/2092-1-0x0000000000390000-0x0000000000397000-memory.dmp

memory/2092-0-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-4-0x0000000077816000-0x0000000077817000-memory.dmp

memory/1224-5-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/1224-16-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-15-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-17-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-18-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-14-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-13-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-19-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-26-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-25-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-24-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-23-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-22-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-21-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-20-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-12-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-11-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-10-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-9-0x0000000140000000-0x0000000140169000-memory.dmp

memory/2092-8-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-7-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-28-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-30-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-31-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-29-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-27-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-32-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-34-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-36-0x0000000002590000-0x0000000002597000-memory.dmp

memory/1224-35-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-43-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-45-0x0000000077B80000-0x0000000077B82000-memory.dmp

memory/1224-44-0x0000000077A21000-0x0000000077A22000-memory.dmp

memory/1224-33-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-54-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1224-60-0x0000000140000000-0x0000000140169000-memory.dmp

C:\Users\Admin\AppData\Local\ocD\msdt.exe

MD5 aecb7b09566b1f83f61d5a4b44ae9c7e
SHA1 3a4a2338c6b5ac833dc87497e04fe89c5481e289
SHA256 fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5
SHA512 6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

C:\Users\Admin\AppData\Local\ocD\wer.dll

MD5 213392b3514791546c9366ef10d1af20
SHA1 5c3353c4bdd2ff7abe33fe0b792e1e3c3a073fee
SHA256 7a9c0f847ee198084e949537b3dbb1f35f16b01bfe1687238044ddece6d6cbc0
SHA512 64a85f11cd562250bb80200b7458516a6911c10d2b3d576c647d9cdf67b57a685033d296ab0d233c165f53f3d08bb14c21bd8533145ce0f8ab63e64879fcf7c4

memory/2580-72-0x00000000001D0000-0x00000000001D7000-memory.dmp

memory/2580-73-0x0000000140000000-0x000000014016A000-memory.dmp

memory/2580-78-0x0000000140000000-0x000000014016A000-memory.dmp

\Users\Admin\AppData\Local\iOo\javaws.exe

MD5 f94bc1a70c942621c4279236df284e04
SHA1 8f46d89c7db415a7f48ccd638963028f63df4e4f
SHA256 be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c
SHA512 60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

C:\Users\Admin\AppData\Local\iOo\VERSION.dll

MD5 1daa5a9cbf5d3861c7b982d87207511d
SHA1 5701d227804ff5609d0b8e8a84588f2d37ed6c1f
SHA256 73671aac3e08e4e6f59b324a5e17c39a13df4a8ce8b3bfc9ccc44f230b9bb5df
SHA512 6d80e531350f1088ed601a7f48b87d64fb5c97170c91796776d922da3f8bbd5e6b5c9636d884da808a170a4e8e60924571ac27a08796d4f48993d75be2462bf8

memory/272-91-0x00000000001F0000-0x00000000001F7000-memory.dmp

\Users\Admin\AppData\Local\xgBL\appwiz.cpl

MD5 acf818af83b1ea00392f2ce293d203fc
SHA1 6f84de0e100e154d1271fed79fb09c4eb945f3e1
SHA256 ac4c5b95e1c9faebff642e5da2616cac5879133d7d4aeb54977c27047ee19c27
SHA512 f6112e46825c897dc4ef2d7c27cd3086f58c826b5fe695e7e646d5d7f677dcf1536292b57a4f9ceaa9a2802a7375021466904584c0facb08073694bdcfec0bd1

C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe

MD5 eae7af6084667c8f05412ddf096167fc
SHA1 0dbe8aba001447030e48e8ad5466fd23481e6140
SHA256 01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc
SHA512 172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

memory/2428-109-0x0000000000270000-0x0000000000277000-memory.dmp

memory/2428-114-0x0000000140000000-0x000000014016A000-memory.dmp

memory/1224-130-0x0000000077816000-0x0000000077817000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

MD5 56258109373a1e7d9ebaa8691415f131
SHA1 ba239640bca22de27fca669bc3a080e7504fd800
SHA256 255d18eb1d8849d1f72b1c830348a4aaf7f8e19730443667f444214d91f98aed
SHA512 d63a013fc950161af12f96d192fe3949f5a9e7a95a025dabcdb12934fb14a181a4154f0ffd669f868125a1340a62158a2f5cc7c178a63e32436d55c99c8e4145

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-23 19:52

Reported

2024-01-23 19:55

Platform

win10v2004-20231215-en

Max time kernel

1s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\706c428f1cdf3c4e2003ba9c1a54b608.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\706c428f1cdf3c4e2003ba9c1a54b608.dll,#1

C:\Windows\system32\omadmclient.exe

C:\Windows\system32\omadmclient.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\edlk\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\edlk\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\vaJ8\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\vaJ8\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\bOjF4Jk\omadmclient.exe

C:\Users\Admin\AppData\Local\bOjF4Jk\omadmclient.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 65.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 49.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.179.17.96.in-addr.arpa | udp

Files

memory/2640-0-0x00000244CFA70000-0x00000244CFA77000-memory.dmp

memory/2640-1-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-5-0x00007FFAF2DBA000-0x00007FFAF2DBB000-memory.dmp

memory/3556-7-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-11-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-16-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-20-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-25-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-23-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-26-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-27-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-29-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-28-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-31-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-32-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-34-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-33-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-36-0x0000000007630000-0x0000000007637000-memory.dmp

memory/3556-35-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-30-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-24-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-22-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-21-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-19-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-18-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-17-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-15-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-13-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-14-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-12-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-10-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-9-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-43-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-44-0x00007FFAF3160000-0x00007FFAF3170000-memory.dmp

memory/2640-8-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-4-0x0000000007650000-0x0000000007651000-memory.dmp

memory/3556-53-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3556-55-0x0000000140000000-0x0000000140169000-memory.dmp

C:\Users\Admin\AppData\Local\bOjF4Jk\XmlLite.dll

MD5 701a71f2b74f5092847975606808ca4d
SHA1 89274d5e375a3c62007f2e894cbbeb4879d315c7
SHA256 65c283350046436b646cdc292b860b9a2cfd608b8c507a7bcce9affecb8a503e
SHA512 ea74780939280255210feb24392af2d16eef96fe4892bb3c6cffc9acfca8354831ae01c97fb79987ddd32c63ca88866afce1aa8250aff76b757c36f69f5ff8b8

C:\Users\Admin\AppData\Local\bOjF4Jk\omadmclient.exe

MD5 643b671742f0ce8f4d6fc96d00e71597
SHA1 79735cf624c98a932b75fbfcd860be807b7d8ee2
SHA256 3a75a4cf5833ba5ecd1196d8d2b16cf040fc3d2daf0aebf4298014aa3e596976
SHA512 9fe3df3a7de19934a07ce83d51e3275d6cbfc007c9d15cdfe71f576bda941ad1fc6e129c65a7aee93e4f0f81bca528cad746cebdcfa9b978fcf86c7e1ac33a49

C:\Users\Admin\AppData\Local\bOjF4Jk\XmlLite.dll

MD5 287c9cde6c9b41d941245a271ad72bad
SHA1 49f13e6cb1887a2055fade2ddb34d8358ac69073
SHA256 3607509832b1ac80d6020d6a710db27a251105ba7943a75b33c77a6fbfa53c3f
SHA512 9f1df7fcf686b72a7a977e7fe9054b0703b48cfd2eaa9efa989f61499a65854af974316d1d61898af2c9200535f5bd9348134dc1f8d973c5d7c75d94adc97acd

memory/1208-67-0x0000020FD4DF0000-0x0000020FD4DF7000-memory.dmp

memory/1208-66-0x0000000140000000-0x000000014016A000-memory.dmp

memory/1208-72-0x0000000140000000-0x000000014016A000-memory.dmp

C:\Users\Admin\AppData\Local\bOjF4Jk\omadmclient.exe

MD5 616ae83739ea1f90abe55f89bf96fcc5
SHA1 997aef54da588559bfe642b8605bcd1546d28489
SHA256 0bb5de5f2177663061d5d52146f8138a71e734c950cd436a5f695b423ed17f70
SHA512 deafd997cb8669158b7578bc044fdc6bf52499a507b3b737ec536fab68795029b2661093b12edef745ecec6a4862bdf35f46cafe87aec23cd321acd3c02b20b8

C:\Users\Admin\AppData\Local\bOjF4Jk\XmlLite.dll

MD5 3839d0bf80748bf372ab51605802e633
SHA1 a91366466ff5f3948a48d920779c33f464d7a5d1
SHA256 a236a146ff2a84b2d7b4e9abb9a640576cc223bafccb22575817c351878fa424
SHA512 ab4f570a848cabd985106e553cd05a96481fd4db6ff4deee675a2141a9e2e031d9cea7a9bae55da4a17a434357cc2a83bd122c1b06cbb79105272ba46f6e76bc

C:\Users\Admin\AppData\Local\bOjF4Jk\XmlLite.dll

MD5 a2fe86348bd66d0555a70d2ddc5bc8ec
SHA1 a0c494062a629c2759285d67a4f3650b767d868a
SHA256 bc3dea993c6c2ac149584374088881120456a33a63c1ff22de4e6608cb3e5e98
SHA512 8e97c2c9fd102741d75e6a71a2e149c4356d74875be10e0820d4c461f0b5340cc4fb5650873ce46684f8f9e2af81c763933939747f395717804a72f9f1d5e0a9

C:\Users\Admin\AppData\Local\vaJ8\UxTheme.dll

MD5 6cf801a60387ea807170680e796d55da
SHA1 05df3f71b273da19268137cf882444ec7cefe2ca
SHA256 294398b842356ddb9a4c8a1565429752768936974e5076677edb1cb599996cd5
SHA512 81074b61209cfcd6155d5bea46ef95360dd4d8b4870fe6dfb1cebc23c92247910433ac52910f8fc6416e006e610114de52c4161930f661d4fd12f2bb34c3bcaa

memory/1936-83-0x0000021834A60000-0x0000021834A67000-memory.dmp

C:\Users\Admin\AppData\Local\vaJ8\UxTheme.dll

MD5 8211d674831d4c6b4c94c22de4ee5aef
SHA1 e35f1276f1f65111d1791f30ae5542a6ca140053
SHA256 b60c8a916116f3afb93d101ebc9e63bb3c4a637f5f6c46e4ccd7cdd9394a2b62
SHA512 32b764a15e0bfdf7d40bfea8f84d898aa33269d7471a3b00a7329f89b956cd0362be1914ba6bc41bfc9bb67d1de1c6169e855cf7329604c0a6fa13d2f3e47b7c

memory/1936-89-0x0000000140000000-0x000000014016A000-memory.dmp

C:\Users\Admin\AppData\Local\vaJ8\EhStorAuthn.exe

MD5 d45618e58303edb4268a6cca5ec99ecc
SHA1 1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513
SHA256 d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c
SHA512 5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

C:\Users\Admin\AppData\Local\edlk\SYSDM.CPL

MD5 d1fd78be8f1d9e8bf3762965356b1fbc
SHA1 67396f71236dea6868997ea2e05ff784e761cda6
SHA256 5bb77831ec8687e9849eecc000b7cd5766d205efe018d811129c4b64d33f901c
SHA512 1232a5c73fae3548f06198f3726d457f50dba68f1aaa1cbe022a7a3b877556aecf446eb79a64495d56d2a17ba2690ecbd2d6e2133182cdfd976b345d7a738f9a

C:\Users\Admin\AppData\Local\edlk\SYSDM.CPL

MD5 a19228387e84b10ead3513cbf29d768a
SHA1 6f2beb8e878a2dd88230d65b4fb48b2588f5a240
SHA256 e99c2dfb1ca37677e8f835ffee92b7e56ed2fbe4601b5f7e0919263f5f0924ab
SHA512 6056ccbb9be2d25f135981a6b2fd38710add3d93420a8eca5079524d270b829e4d430fab091fb80c55bbc3d6eab5c20e97358fe4780abad857a2e4276c87d1ea

memory/64-101-0x000001E4208E0000-0x000001E4208E7000-memory.dmp

C:\Users\Admin\AppData\Local\edlk\SystemPropertiesPerformance.exe

MD5 e4fbf7cab8669c7c9cef92205d2f2ffc
SHA1 adbfa782b7998720fa85678cc85863b961975e28
SHA256 b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30
SHA512 c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

memory/64-106-0x0000000140000000-0x000000014016A000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk

MD5 d919b6d93ec53dbe68e19e2e7b6a1ff9
SHA1 0ebbf3bedcc35b57557aaf7e65ac404f5c1dcdc2
SHA256 79c3324f6c65bc68b4e7bb4a5cf00e8bbab687aa019d1df538c1415ab382eeed
SHA512 b0fadaf41f76613da72503d38ed4ce96eba0a7f65425c0e508d5da517214fd75245fc9369e0c045bf025da30eaffb9b5b58f184b565d776448caa698e7d91b3c

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\aoDuCF8rbr\XmlLite.dll

MD5 371dba2f4e4568c391788ea271d6275b
SHA1 73354a0bdfa49eb2e02696c83ca3049d2b954348
SHA256 ddbf2d2f5f720f756f4180c1fb8eff0ea83ddca514ab01ff6bdf7dfbfc35c2b7
SHA512 53917b9a16d84ac66d02ab0bb5563e58387b7986d9388faa0a5a5db933956bbbd305554da99edacbc65cdc37098fc5da5e5ec563bab3c5b87a4d0b026349d76f

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\aoDuCF8rbr\XzRaiWMOq\UxTheme.dll

MD5 d78b7c50e9a19001281da02040a0b6d2
SHA1 ce9fcd4b6df0418528143e011bb42a4f969914b5
SHA256 2d667f18803916a2e619cb89785fcd7070c960b66a8510523980920ac269c330
SHA512 a22f7a87e380fb902e4c3ba57c0ea10e6bd465e23812f96b1833ba37a2b6e23b925092cad44eef2531a558a3d51f0986b150f51824a527ba9ca5b0a82ea908e2

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\ogj\SYSDM.CPL

MD5 cb45f96921418a42eb64cd2efde7c8a4
SHA1 76f965faf6cfd37b6e3cec01626c9f953b1cc7b3
SHA256 06851a71f213e55d80b637c3e29e10f68c9d59d2cad18ff887d1787712a6f701
SHA512 a3b2a5e58eef50b227381928d54bd33e4a5bed9df3408a77c0d5c00dd464996e7767280ae48be1350b802ab3fd4d67ae16be02c190b6fd66d1bc335737d21a94