Malware Analysis Report

2024-11-13 16:42

Sample ID 240125-zmzs5sfbd6
Target 757e0a2c79443f7d9de1d2fa72898839
SHA256 18d9182f2a3793c2c3eae6bb486603ed056d9bd1d3303da091ceaa8fbed7228b
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

18d9182f2a3793c2c3eae6bb486603ed056d9bd1d3303da091ceaa8fbed7228b

Threat Level: Known bad

The file 757e0a2c79443f7d9de1d2fa72898839 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Dridex payload

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-01-25 20:50

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 20:50

Reported

2024-01-25 20:53

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\757e0a2c79443f7d9de1d2fa72898839.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\4webIN\\msconfig.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\dxIZ\DisplaySwitch.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\bdronWpUY\msconfig.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\4UAW\MusNotifyIcon.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3560 wrote to memory of 3060 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 3560 wrote to memory of 3060 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 3560 wrote to memory of 4612 N/A N/A C:\Users\Admin\AppData\Local\dxIZ\DisplaySwitch.exe
PID 3560 wrote to memory of 4612 N/A N/A C:\Users\Admin\AppData\Local\dxIZ\DisplaySwitch.exe
PID 3560 wrote to memory of 4404 N/A N/A C:\Windows\system32\msconfig.exe
PID 3560 wrote to memory of 4404 N/A N/A C:\Windows\system32\msconfig.exe
PID 3560 wrote to memory of 2104 N/A N/A C:\Users\Admin\AppData\Local\bdronWpUY\msconfig.exe
PID 3560 wrote to memory of 2104 N/A N/A C:\Users\Admin\AppData\Local\bdronWpUY\msconfig.exe
PID 3560 wrote to memory of 4596 N/A N/A C:\Windows\system32\MusNotifyIcon.exe
PID 3560 wrote to memory of 4596 N/A N/A C:\Windows\system32\MusNotifyIcon.exe
PID 3560 wrote to memory of 4452 N/A N/A C:\Users\Admin\AppData\Local\4UAW\MusNotifyIcon.exe
PID 3560 wrote to memory of 4452 N/A N/A C:\Users\Admin\AppData\Local\4UAW\MusNotifyIcon.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\757e0a2c79443f7d9de1d2fa72898839.dll,#1

C:\Windows\system32\DisplaySwitch.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\dxIZ\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\dxIZ\DisplaySwitch.exe

C:\Windows\system32\msconfig.exe

C:\Windows\system32\msconfig.exe

C:\Users\Admin\AppData\Local\bdronWpUY\msconfig.exe

C:\Users\Admin\AppData\Local\bdronWpUY\msconfig.exe

C:\Windows\system32\MusNotifyIcon.exe

C:\Windows\system32\MusNotifyIcon.exe

C:\Users\Admin\AppData\Local\4UAW\MusNotifyIcon.exe

C:\Users\Admin\AppData\Local\4UAW\MusNotifyIcon.exe

Network

Files

C:\Users\Admin\AppData\Local\dxIZ\DisplaySwitch.exe

MD5 1698cf33da2818e0d7dddbfcff3fe40f
SHA1 163efb7359e1c15ac7f192758fa3dc71c9cfe47b
SHA256 e0c88f993bad878d8f8ac0a154d95369545fda4701b78b73aa3b78cef6f27eaa
SHA512 f9958816c9c532cd22fcdb54864cb25168cc3e9552a888fd056b7154cfb1f678a5e77da620966712bbc4500e14481f962a783ab24ce3c0ea854eea27cd2ecc39

C:\Users\Admin\AppData\Local\dxIZ\UxTheme.dll

MD5 3de59507bb4e43d2a144755303ad9c92
SHA1 5051a1ec6b9fe813df80f59a444cc512d3a0adea
SHA256 79d91a6e4391e1f046785b67941088f7e5755fe95e4b163d78b50f5e9f6cc4b9
SHA512 b0e0dbfeab7a714c331ef9fa1097063326c4d9b1a34a41f6a6cfefc139cac2486e457562288d189ea4b2ebf2344deab7fb06d2144362f918582fb692e22ed920

C:\Users\Admin\AppData\Local\dxIZ\DisplaySwitch.exe

MD5 5338d4beddf23db817eb5c37500b5735
SHA1 1b5c56f00b53fca3205ff24770203af46cbc7c54
SHA256 8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e
SHA512 173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

C:\Users\Admin\AppData\Local\bdronWpUY\msconfig.exe

MD5 39009536cafe30c6ef2501fe46c9df5e
SHA1 6ff7b4d30f31186de899665c704a105227704b72
SHA256 93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04
SHA512 95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

C:\Users\Admin\AppData\Local\bdronWpUY\VERSION.dll

MD5 1cb84c7c3c7f531c41509f1dc905cb35
SHA1 941c8d9ef37a13b94b360dca75168cf7a300c82e
SHA256 5086650122f86455d17115a7ba37c76a00e251ec668856da81c10b119ac879ca
SHA512 3399e5588558f729cc6fa2b5e658eb8f4516962d213f2018a0eff107fe8b2b852b3c3a114fb7c47bf19eb3063b17212e10ce468ccbf4c2346693c3abba641bd4

C:\Users\Admin\AppData\Local\4UAW\MusNotifyIcon.exe

MD5 c54b1a69a21e03b83ebb0aeb3758b6f7
SHA1 b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c
SHA256 ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf
SHA512 2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

C:\Users\Admin\AppData\Local\4UAW\UxTheme.dll

MD5 09d9b6e1a939eb3cdaac2a2073965704
SHA1 89571c16fe41ca88aa7a0555e097cf403e79b84d
SHA256 be2098396ee87049760910c4a90fc67ab76523dec8024e3b112958ba92777ccf
SHA512 4a2fc0a9169e44122dd5aa1d39aa49e960bb9d7e4b7ff97916244d6b568c3b37fd6f9eeae343900c91abf4ae69c22aa308096d42d6912ffaff34c31a34a0a181

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iydemppuyghrhln.lnk

MD5 e74d5585c34afd5e3b8e65260e5f7f76
SHA1 aa186f751cb4df52d9f31bce371324169d1c0c4c
SHA256 39f688f9377a6e947546b18c6aa6340fa6d4fa2c49044b3264ad96835c192891
SHA512 47c344e473be214bfe188403ded0014e85575d1ee0406b193945440bf1f09cc2b861b304982dad1bcaf6ae7f68c98fd83937d7a1896cccdfda2c7159a832546b

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 20:50

Reported

2024-01-25 20:53

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\757e0a2c79443f7d9de1d2fa72898839.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\tvVMyL8fZ\spreview.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\W6AJD6p55\slui.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\T90p\cttune.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\MO5rl152XC\\slui.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\tvVMyL8fZ\spreview.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\W6AJD6p55\slui.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\T90p\cttune.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 2572 N/A N/A C:\Windows\system32\spreview.exe
PID 1272 wrote to memory of 2572 N/A N/A C:\Windows\system32\spreview.exe
PID 1272 wrote to memory of 2572 N/A N/A C:\Windows\system32\spreview.exe
PID 1272 wrote to memory of 2612 N/A N/A C:\Users\Admin\AppData\Local\tvVMyL8fZ\spreview.exe
PID 1272 wrote to memory of 2612 N/A N/A C:\Users\Admin\AppData\Local\tvVMyL8fZ\spreview.exe
PID 1272 wrote to memory of 2612 N/A N/A C:\Users\Admin\AppData\Local\tvVMyL8fZ\spreview.exe
PID 1272 wrote to memory of 2924 N/A N/A C:\Windows\system32\slui.exe
PID 1272 wrote to memory of 2924 N/A N/A C:\Windows\system32\slui.exe
PID 1272 wrote to memory of 2924 N/A N/A C:\Windows\system32\slui.exe
PID 1272 wrote to memory of 2904 N/A N/A C:\Users\Admin\AppData\Local\W6AJD6p55\slui.exe
PID 1272 wrote to memory of 2904 N/A N/A C:\Users\Admin\AppData\Local\W6AJD6p55\slui.exe
PID 1272 wrote to memory of 2904 N/A N/A C:\Users\Admin\AppData\Local\W6AJD6p55\slui.exe
PID 1272 wrote to memory of 1932 N/A N/A C:\Windows\system32\cttune.exe
PID 1272 wrote to memory of 1932 N/A N/A C:\Windows\system32\cttune.exe
PID 1272 wrote to memory of 1932 N/A N/A C:\Windows\system32\cttune.exe
PID 1272 wrote to memory of 288 N/A N/A C:\Users\Admin\AppData\Local\T90p\cttune.exe
PID 1272 wrote to memory of 288 N/A N/A C:\Users\Admin\AppData\Local\T90p\cttune.exe
PID 1272 wrote to memory of 288 N/A N/A C:\Users\Admin\AppData\Local\T90p\cttune.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\757e0a2c79443f7d9de1d2fa72898839.dll,#1

C:\Windows\system32\spreview.exe

C:\Windows\system32\spreview.exe

C:\Users\Admin\AppData\Local\tvVMyL8fZ\spreview.exe

C:\Users\Admin\AppData\Local\tvVMyL8fZ\spreview.exe

C:\Windows\system32\slui.exe

C:\Windows\system32\slui.exe

C:\Users\Admin\AppData\Local\W6AJD6p55\slui.exe

C:\Users\Admin\AppData\Local\W6AJD6p55\slui.exe

C:\Windows\system32\cttune.exe

C:\Windows\system32\cttune.exe

C:\Users\Admin\AppData\Local\T90p\cttune.exe

C:\Users\Admin\AppData\Local\T90p\cttune.exe

Network

N/A

Files

\Users\Admin\AppData\Local\tvVMyL8fZ\spreview.exe

MD5 704cd4cac010e8e6d8de9b778ed17773
SHA1 81856abf70640f102b8b3defe2cf65669fe8e165
SHA256 4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208
SHA512 b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

C:\Users\Admin\AppData\Local\tvVMyL8fZ\VERSION.dll

MD5 3a5efc53cd7f1604c088bb2e5f308520
SHA1 b966121f1290011ab3f097b5042c09ca32e3fabe
SHA256 7bb631134bb0e14080f0eed540407f456ee5e5a83b9dd97363cb4d44782e7cf9
SHA512 f1840a304008c49c96970ddd1c21ac322575e375e67092dce37b75e6ed1bb96e5207612f0db4fbb6e6ac88e43e47231b69be37f3ae6de7098afd3e4a462515f7

\Users\Admin\AppData\Local\W6AJD6p55\slui.exe

MD5 c5ce5ce799387e82b7698a0ee5544a6d
SHA1 ed37fdb169bb539271c117d3e8a5f14fd8df1c0d
SHA256 34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c
SHA512 79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

C:\Users\Admin\AppData\Local\W6AJD6p55\WINBRAND.dll

MD5 0f232baba4d39571b154b880710c9ab7
SHA1 9259e6bca876bfcb56aa7d6f276272e18f532e3f
SHA256 06001b493c35d4c28c0c0acd3ad5bf098811d942e1147813db765fba213617e5
SHA512 f681db5a3dec52416646958df5b6291e27f150264651b9b5779104263b4767e18601dca41204a4fa0994d7976c608fded4726368a219499bf8460956df270f80

\Users\Admin\AppData\Local\T90p\cttune.exe

MD5 7116848fd23e6195fcbbccdf83ce9af4
SHA1 35fb16a0b68f8a84d5dfac8c110ef5972f1bee93
SHA256 39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6
SHA512 e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

C:\Users\Admin\AppData\Local\T90p\OLEACC.dll

MD5 e117eaf81777895c668a81e2ea6ee047
SHA1 f87fb5901001d9e6290188292dcfacaf088fb762
SHA256 39acf884289c55948161fbfe5f1cb17ad7ffc4de4badc806b33d2cf14309abf4
SHA512 7d840aadde23982285e8addf3e5dd946e8304265af53786272c41648807564baf777d0005fd90d6e1e8cf91a42a8e51edae85a86c5972f1406f57b7757eb1ecb

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

MD5 d40cf5df27feadd09a00e7f8ff162cc9
SHA1 83fa0469d96d6a0655838dbf14dbf38551ff3f91
SHA256 c4f5ebdf9fe838f8a0b636605a70d7ef4cb985b27af7aa373249569316508709
SHA512 bdd92686c16616b82011a6a8f3fd9987cb53d6bfc53caf29b646e9e170d3d39b31016ceefecd01a99ffa6b3f38ce7aa3ccb67039d4427a9c5f7ce1ba90a57ec6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\1u\OLEACC.dll

MD5 85f77645b0445c630413fa925e54c1ca
SHA1 ee42131d6fa64ae0daacdad0c87bcf449e9b84cf
SHA256 aacdf4b4f7aeadaf05b5bd1fdbcd9d7b9460476eb4da7af03087231a1b7fd562
SHA512 c54423af3d5827a3604c23197022375fd25b312afeb41b11798b8ea8993c979c8d142d9282c944f9172a2d81f59184fe4fe25fd8a4089d921017af29dc602d76