Malware Analysis Report

2024-11-15 08:50

Sample ID 240125-cdwnssdgf2
Target 736f4c09867897af390e3e0bf50a0b23
SHA256 fee679a74d93c6adee409515fdf168e955e056dae2949cbf848a48e03a8ac97d
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

fee679a74d93c6adee409515fdf168e955e056dae2949cbf848a48e03a8ac97d

Threat Level: Known bad

The file 736f4c09867897af390e3e0bf50a0b23 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 01:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 01:58

Reported

2024-01-25 02:00

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\736f4c09867897af390e3e0bf50a0b23.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\k16Ck\spinstall.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\QvEm\SnippingTool.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\6Jn\Dxpserver.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\YFXLWlp\\Dxpserver.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\k16Ck\spinstall.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\QvEm\SnippingTool.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\6Jn\Dxpserver.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1208 wrote to memory of 1384 | N/A | N/A | C:\Windows\system32\spinstall.exe
PID 1208 wrote to memory of 1384 | N/A | N/A | C:\Windows\system32\spinstall.exe
PID 1208 wrote to memory of 1384 | N/A | N/A | C:\Windows\system32\spinstall.exe
PID 1208 wrote to memory of 1484 | N/A | N/A | C:\Users\Admin\AppData\Local\k16Ck\spinstall.exe
PID 1208 wrote to memory of 1484 | N/A | N/A | C:\Users\Admin\AppData\Local\k16Ck\spinstall.exe
PID 1208 wrote to memory of 1484 | N/A | N/A | C:\Users\Admin\AppData\Local\k16Ck\spinstall.exe
PID 1208 wrote to memory of 2956 | N/A | N/A | C:\Windows\system32\SnippingTool.exe
PID 1208 wrote to memory of 2956 | N/A | N/A | C:\Windows\system32\SnippingTool.exe
PID 1208 wrote to memory of 2956 | N/A | N/A | C:\Windows\system32\SnippingTool.exe
PID 1208 wrote to memory of 1568 | N/A | N/A | C:\Users\Admin\AppData\Local\QvEm\SnippingTool.exe
PID 1208 wrote to memory of 1568 | N/A | N/A | C:\Users\Admin\AppData\Local\QvEm\SnippingTool.exe
PID 1208 wrote to memory of 1568 | N/A | N/A | C:\Users\Admin\AppData\Local\QvEm\SnippingTool.exe
PID 1208 wrote to memory of 1968 | N/A | N/A | C:\Windows\system32\Dxpserver.exe
PID 1208 wrote to memory of 1968 | N/A | N/A | C:\Windows\system32\Dxpserver.exe
PID 1208 wrote to memory of 1968 | N/A | N/A | C:\Windows\system32\Dxpserver.exe
PID 1208 wrote to memory of 1736 | N/A | N/A | C:\Users\Admin\AppData\Local\6Jn\Dxpserver.exe
PID 1208 wrote to memory of 1736 | N/A | N/A | C:\Users\Admin\AppData\Local\6Jn\Dxpserver.exe
PID 1208 wrote to memory of 1736 | N/A | N/A | C:\Users\Admin\AppData\Local\6Jn\Dxpserver.exe
PID 1208 wrote to memory of 2032 | N/A | N/A | C:\Windows\system32\DisplaySwitch.exe
PID 1208 wrote to memory of 2032 | N/A | N/A | C:\Windows\system32\DisplaySwitch.exe
PID 1208 wrote to memory of 2032 | N/A | N/A | C:\Windows\system32\DisplaySwitch.exe
PID 1208 wrote to memory of 1620 | N/A | N/A | C:\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe
PID 1208 wrote to memory of 1620 | N/A | N/A | C:\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe
PID 1208 wrote to memory of 1620 | N/A | N/A | C:\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\736f4c09867897af390e3e0bf50a0b23.dll,#1

C:\Windows\system32\spinstall.exe

C:\Windows\system32\spinstall.exe

C:\Users\Admin\AppData\Local\k16Ck\spinstall.exe

C:\Users\Admin\AppData\Local\k16Ck\spinstall.exe

C:\Windows\system32\SnippingTool.exe

C:\Windows\system32\SnippingTool.exe

C:\Users\Admin\AppData\Local\QvEm\SnippingTool.exe

C:\Users\Admin\AppData\Local\QvEm\SnippingTool.exe

C:\Windows\system32\Dxpserver.exe

C:\Windows\system32\Dxpserver.exe

C:\Users\Admin\AppData\Local\6Jn\Dxpserver.exe

C:\Users\Admin\AppData\Local\6Jn\Dxpserver.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe

Network

N/A

Files

memory/2208-0-0x0000000001BE0000-0x0000000001BE7000-memory.dmp

memory/2208-1-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-4-0x0000000077996000-0x0000000077997000-memory.dmp

memory/1208-5-0x0000000002170000-0x0000000002171000-memory.dmp

memory/1208-12-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-11-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-10-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-9-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-14-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-13-0x0000000140000000-0x000000014037A000-memory.dmp

memory/2208-8-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-7-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-15-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-16-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-17-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-18-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-20-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-19-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-22-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-21-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-23-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-25-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-24-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-26-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-28-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-27-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-29-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-31-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-32-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-30-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-35-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-34-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-33-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-40-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-41-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-39-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-38-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-37-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-36-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-47-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-46-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-45-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-44-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-43-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-42-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-50-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-49-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-48-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-54-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-53-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-52-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-51-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-56-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-55-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-61-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-62-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-60-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-59-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-58-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-57-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-63-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-64-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-65-0x0000000140000000-0x000000014037A000-memory.dmp

memory/1208-69-0x0000000002140000-0x0000000002147000-memory.dmp

memory/1208-77-0x0000000077AA1000-0x0000000077AA2000-memory.dmp

memory/1208-78-0x0000000077C00000-0x0000000077C02000-memory.dmp

\Users\Admin\AppData\Local\k16Ck\spinstall.exe

MD5 29c1d5b330b802efa1a8357373bc97fe
SHA1 90797aaa2c56fc2a667c74475996ea1841bc368f
SHA256 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f
SHA512 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

C:\Users\Admin\AppData\Local\k16Ck\VERSION.dll

MD5 959843c47eaa9bf47c245f7a7c54cc2d
SHA1 2dcdd7573d2610e191c93dd9258bd34b4ff9db84
SHA256 43aa786c45ea377bc4a94866a73c928a1c837847886d2beac226fb0bd4545a47
SHA512 c4a708ad81d4b74199789314fa6b9271b3dac8bd5d860468fd5e20f4170ea0385e031925e895f9bb218e1d050008686725aacc1672ef18ec7222590066d1fcc0

memory/1484-105-0x00000000000F0000-0x00000000000F7000-memory.dmp

\Users\Admin\AppData\Local\QvEm\SnippingTool.exe

MD5 7633f554eeafde7f144b41c2fcaf5f63
SHA1 44497c3d6fada0066598a6170b90c53e28ddf96c
SHA256 890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78
SHA512 7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203

\Users\Admin\AppData\Local\QvEm\slc.dll

MD5 58787c8a3f1b7b4b511aa735b79d2cd5
SHA1 96bcbd2c9cf87ede17a25e95eda96ba1171a09bf
SHA256 1ff2979a16cb202124f72d196d276453a5234e52f1d157f638df0a5c40fae66e
SHA512 e4c07af389b06ec61367efd8a8149b8ad8b13161a55baa042a0a56b9fe1f9cf97b53b408f67c0dc482643f220e81385e0d29dbeed3811234ef3c6637d1614c10

memory/1208-123-0x0000000077996000-0x0000000077997000-memory.dmp

memory/1568-125-0x0000000000120000-0x0000000000127000-memory.dmp

\Users\Admin\AppData\Local\6Jn\Dxpserver.exe

MD5 4d38389fb92e43c77a524fd96dbafd21
SHA1 08014e52f6894cad4f1d1e6fc1a703732e9acd19
SHA256 070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73
SHA512 02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

C:\Users\Admin\AppData\Local\6Jn\XmlLite.dll

MD5 d13998e695b9a489ec9c72a26b77359d
SHA1 d4ada77aeda6845e5a8323244549e2f0dc30e9d6
SHA256 d4499394031f6e3cd4de47266131e071246a4db2f58877dc98bf1b85726f45e4
SHA512 3872e97f9f12de1af0bbaf53a912a3ab9acc57de1fdb804f4433c6a9b0f4daaf1e43bc3287b80bb1ab2d390a9e34e887be05321abcba534803fc07c15993cbaf

memory/1736-138-0x00000000001F0000-0x00000000001F7000-memory.dmp

\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe

MD5 b795e6138e29a37508285fc31e92bd78
SHA1 d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a
SHA256 01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659
SHA512 8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

C:\Users\Admin\AppData\Local\qLT6b\slc.dll

MD5 dddf0650057a9829b318e04ca649712b
SHA1 2a7536c1a41714a4a414c59cddf3dadceb051069
SHA256 6bf59a4cf6b430b08be2e0d8040d021479a24f5a54ca7ab4452694bb3e1625ca
SHA512 2cfe9b1cc4721dd359a24494b70d9bc25cb6ba3460e70dc957942ef99c5aa4d79c440ca92c509f7f0c1b0d1951b99d57fb975c19c3607f74cf298092e3f15df8

memory/1620-157-0x0000000000180000-0x0000000000187000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 446aee12d83216e14a6be88e30f14504
SHA1 89cfac8fd71c730139b0ee4442532b1a97d20278
SHA256 5188e885664b6a89a8316d23e0b2adf0b7fa6b483fafb850ceb424bad7167428
SHA512 244cbe4a354281cae1c50544b08e2b657c38393cf3b5979150a64ff9887d8da43fbb70ac528b677a7b5aca0853634532add97d537bd793e56cd93925a2e2a8b2

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 01:58

Reported

2024-01-25 02:00

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\736f4c09867897af390e3e0bf50a0b23.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\736f4c09867897af390e3e0bf50a0b23.dll,#1

C:\Windows\system32\rdpinit.exe

C:\Windows\system32\rdpinit.exe

C:\Windows\system32\tabcal.exe

C:\Windows\system32\tabcal.exe

C:\Users\Admin\AppData\Local\I1dV\tabcal.exe

C:\Users\Admin\AppData\Local\I1dV\tabcal.exe

C:\Users\Admin\AppData\Local\4QvI\unregmp2.exe

C:\Users\Admin\AppData\Local\4QvI\unregmp2.exe

C:\Windows\system32\unregmp2.exe

C:\Windows\system32\unregmp2.exe

C:\Users\Admin\AppData\Local\ouTw\rdpinit.exe

C:\Users\Admin\AppData\Local\ouTw\rdpinit.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 201.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp

Files

memory/4752-1-0x0000000140000000-0x000000014037A000-memory.dmp

memory/4752-0-0x0000000140000000-0x000000014037A000-memory.dmp

memory/4752-2-0x0000022958F00000-0x0000022958F07000-memory.dmp

memory/3560-6-0x00007FF93FD3A000-0x00007FF93FD3B000-memory.dmp

memory/3560-5-0x00000000026E0000-0x00000000026E1000-memory.dmp

memory/3560-9-0x0000000140000000-0x000000014037A000-memory.dmp

memory/4752-8-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-10-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-11-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-12-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-13-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-14-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-15-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-16-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-18-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-19-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-20-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-21-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-17-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-22-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-23-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-24-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-25-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-26-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-27-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-28-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-31-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-33-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-35-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-34-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-36-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-38-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-39-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-37-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-40-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-32-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-30-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-42-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-44-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-49-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-52-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-53-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-54-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-56-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-57-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-59-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-60-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-62-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-61-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-58-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-63-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-65-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-66-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-64-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-70-0x0000000002270000-0x0000000002277000-memory.dmp

memory/3560-55-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-51-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-50-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-48-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-47-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-78-0x00007FF9413E0000-0x00007FF9413F0000-memory.dmp

memory/3560-46-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-45-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-43-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-41-0x0000000140000000-0x000000014037A000-memory.dmp

memory/3560-29-0x0000000140000000-0x000000014037A000-memory.dmp

C:\Users\Admin\AppData\Local\ouTw\dwmapi.dll

MD5 2b8f1bba13981c24e973a5200953697d
SHA1 9beb70b38b464c3a84a8c6a7484de7fbd9091e36
SHA256 579096f8d85d13b16a86eebd75bcbf051702d3b945bce47789ced46471031adf
SHA512 490a1df25fb6b7ade00c1a48947b827aeed183075e75fca6aa8b4b92ed88adae5bb4041173583f7c40675cf23d117a77aa7dbd661b4b5baaa5e6c619e26e25f7

memory/652-99-0x0000000140000000-0x000000014037B000-memory.dmp

memory/652-106-0x0000000140000000-0x000000014037B000-memory.dmp

C:\Users\Admin\AppData\Local\ouTw\rdpinit.exe

MD5 d1aa2f6b121ee1720bc96c43586d53e4
SHA1 fb9a4add8819166517ef41ea6e339a159d78a678
SHA256 f16051cc00f9a09b4edbd36c90db27ff473c0a30a98e4d140b7fa542aa5d7a2a
SHA512 a8037698f8708616c2502dc14f62afa5e0d755d41ee526881fc48b5c0c6c92a4cc86861f300f210722384e4258dd4a55e2b6494b77c841dea4450f357240746d

C:\Users\Admin\AppData\Local\I1dV\HID.DLL

MD5 29e420e28b5c434713e2a26a3162c9e4
SHA1 aa9db52988713e5c884b6b5d16073ccccbf5d889
SHA256 8c431afad454a6eef73df50bfbc95d056909e1dea35fc0b2126dbd6f44ca24e7
SHA512 7620265e0f3606618dc83640b91e7b5e2b0fe14c8b2db5ad5920b9d3e890924bf2c64f55a954211cd52d5cda0923d424e5c61fb407c8bf7454814382dde72dcd

C:\Users\Admin\AppData\Local\I1dV\HID.DLL

MD5 134a973f4be89dff7dda8569df5c90d4
SHA1 e6141f063d896c13a43ba7961be87e085b73391d
SHA256 e88491164066572aec8f0eba853d88baaa16c8cac62c5df5df179854ea5f524c
SHA512 dd3d305b58877624a431202c6f58cab70817d72d6ead53238efa43735e43ebd09e7d01fa60389f68830ccbe38515d021f808d9d6f214dacec1039450417df426

memory/3820-121-0x000001A377FD0000-0x000001A377FD7000-memory.dmp

memory/3820-125-0x0000000140000000-0x000000014037B000-memory.dmp

C:\Users\Admin\AppData\Local\I1dV\tabcal.exe

MD5 80fa3f2ef26e9907a4a563ab895270f6
SHA1 6866489f96f66dcf3b299eb0af690987a8eccd5b
SHA256 d16c9df8f5be3249379537a03f787d8a10ed5545285d7a150006c2534374c8d1
SHA512 c9cae8bc9b070bb56860597688c4426fb30009e6bf5caa13c1abd98d242344b505227c4476f5e575f740830ab2862f17fdfcbc850cae84b8cf477cde7d0de11f

C:\Users\Admin\AppData\Local\4QvI\VERSION.dll

MD5 cc5ef8a99065f897429bfcbb4d006182
SHA1 2394913f7fc638a64a2e80a61d20e00fd18db933
SHA256 94361032eb2f48f73c9dad85977445b7a6f309ca5b96ffd66895bcb89c2a06c4
SHA512 8172b99525a871348d38636aedebe2a98306d7c4d7ff01aadb2d058732fd4c2e1543dfd7685ede32f3dc743e152391c71fb9c0d9cb0cd9852cc98c458a2228b5

C:\Users\Admin\AppData\Local\4QvI\VERSION.dll

MD5 0ab3ef9eb975e98a5a16da5284e6cbeb
SHA1 232f41fb251f1afabae748d01b98af258bdd9d32
SHA256 4613bf931ff2a64db868f799ed322faa1c91b2501a80b8a2c3794101aca7ead8
SHA512 bcbf42d3b3b81c1cd15e76389437b7cd3fc66d2e4ce3c7afde552788cac651f18d8cdad732c9f6fba3038ed96304d2af8e55800db9e5d22d283f581db88f58c2

memory/776-139-0x0000024F73960000-0x0000024F73967000-memory.dmp

memory/776-144-0x0000000140000000-0x000000014037B000-memory.dmp

C:\Users\Admin\AppData\Local\4QvI\unregmp2.exe

MD5 0114a6dde0ac90a0958e935f8d60d00a
SHA1 ea0685a568f273d103b1f5f276939063f6926293
SHA256 a7a1b91ef43934111c1900486d446157587a592d3a4bd25389c29674ba690e10
SHA512 24f2c7cce2dd65ad5b816ba5a117b36a62bcb38166ca40953246bd5b8329f54fbefaf1dd766f8c7213e192a792d56560f0d50d02c5032b1b32440dbd6bcc1eb4

memory/776-137-0x0000000140000000-0x000000014037B000-memory.dmp

C:\Users\Admin\AppData\Local\4QvI\unregmp2.exe

MD5 dd816d990e088461d2effcc101016437
SHA1 fd280d5678bb2457821bcae025a364f557b73ff2
SHA256 53de8ba90bc45a2e781b110438dc54327225556e9340448bc79cf36bfa9946cd
SHA512 3c453757be6e198305d53c6edb2a5b5dffd947bdc5e09d77a053e27119f9fe7283a34541dccd655c2c894261a6270c986a01a4a4af97e2fad20dfd2df9173fa5

memory/3820-119-0x0000000140000000-0x000000014037B000-memory.dmp

C:\Users\Admin\AppData\Local\I1dV\tabcal.exe

MD5 06e9b28a3b363ca0e48f18838f2a83a5
SHA1 9b4a30a7ec7dfff854cec32aa80026bcf97dddd9
SHA256 49dc58405aaaf780343ba83308d073b017e5857af73ce26e3a947a79b66ebd61
SHA512 25b0f2e458e3b35850dc7a65a7ee45fe12c238dbb2d0ad55538d9cf858712cc2c8de4da6f9394b645dbfdf112a51fd295c6d75377df16debd96c6c3d35b8be24

memory/652-102-0x000001DCE2EC0000-0x000001DCE2EC7000-memory.dmp

C:\Users\Admin\AppData\Local\ouTw\dwmapi.dll

MD5 c5eb6e49fca25b6fe96bcef681b2d834
SHA1 3564b4a46b51505ba014ec3e56c957be8bd8c2f2
SHA256 2e822b974cf59d7c5cb35ae6268ac5dd4ac1b6ef66aa64ba405f5d68ca27517d
SHA512 5ad8d6356ed4bec81a8b78793ee9381d575958cf215e99f929cbfdebd9e9bc49310edf607c207776759dcf8f69573ada5a357ec4e7c0462341fc3e2a4492e6c4

C:\Users\Admin\AppData\Local\ouTw\rdpinit.exe

MD5 8a6bd96793482deb5ba0b4480507ef68
SHA1 beacb9719b6dba6475779a78d7566408552a5e7b
SHA256 275a8bd3c97affabccc37e50e431ae473b7f5a7dab735420bc75875dc00750ed
SHA512 2034634c3c1a781fbf90f76255141ff6d4d101fedccfae165a1b56dafbfcde4dc345f2804d03addf48613f5866619a2de1c99d92c749e35d58f03eee9399e3d6

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iydemppuyghrhln.lnk

MD5 4a77fd1cb398a293be6fbeaa1a9fa43c
SHA1 8e9f6a2e970860f263df18914bacb182285dee86
SHA256 a7afd238100140185208f1bcde06643f9804ac002b88d634265a10bde9b96cd3
SHA512 67a235fb2166f78bfaab0227dead3d9a5a8ea4003c59c7f10242d449205fe7f7e9e37da36f3ba954cf37328623c89bbb832ee45b065c6c4d29154a2094d32603

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\mXH1SS4Scy\dwmapi.dll

MD5 374b1a87db7a944d44f90b8ea6ba0e2a
SHA1 d7670aeb3878be26113f8735239937df99e4520d
SHA256 e23c4e81843af1a169980dc56bf99c3decbaf07a2214695039b99c0ce8a912d7
SHA512 3d7adad8406cdd17d3608735d500fa57822eb49d5d4d1444e8cfaa49ead730d0784de3a04e4c0cf49b70daf07a52267b85d68b8ce8c3f7dec872fde7ab2d7dbe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NLv9\HID.DLL

MD5 d243039eba4df7ffc30ddea5c6c67294
SHA1 07c66e1669705ac708452e715f5f5fee013b4740
SHA256 a1e15f2a9d6a38eecb215b09cf8a2ba7da89f6fb943f303117526f938f656393
SHA512 defe15e24d3431ceb6c5b026830378637b121398c7e70e142eb39d4a1a64907fe4600897d922ebaef98a1e68f7285c958d6d123a7102b6e80ec860ce8a00e434

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\xS7DOTg4YA\VERSION.dll

MD5 9ece18e459dcc1d0244185a118600d25
SHA1 1f519661af4f4cf8e31d76b46cf973659fcefa3f
SHA256 f95677f22210a378df2a30626dae7653091a1dfbca6894573876d1d8932a6f4b
SHA512 9e31a58ac620683f223875d441e89b6be382acb8351526da62d37a1708751774956dd0820f2625525b7146bf26029a72f070251838da4d609e1d521d4f27f5a7