Malware Analysis Report

2024-11-13 16:42

Sample ID 240131-pgp2msbha5
Target 846540a9573e476e30b92db75daf0040
SHA256 5e53ece48ca9fe32af72a2718f10fe2dd25db88a393f7011a3805115f6b6bd46
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

5e53ece48ca9fe32af72a2718f10fe2dd25db88a393f7011a3805115f6b6bd46

Threat Level: Known bad

The file 846540a9573e476e30b92db75daf0040 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-31 12:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-31 12:18

Reported

2024-01-31 12:20

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\846540a9573e476e30b92db75daf0040.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\SnNx\OptionalFeatures.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\j4pH\dpapimig.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Q3TKK\ComputerDefaults.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\ZRUA9L~1\\dpapimig.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Q3TKK\ComputerDefaults.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\SnNx\OptionalFeatures.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\j4pH\dpapimig.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 2632 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 1264 wrote to memory of 2632 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 1264 wrote to memory of 2632 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 1264 wrote to memory of 2284 N/A N/A C:\Users\Admin\AppData\Local\SnNx\OptionalFeatures.exe
PID 1264 wrote to memory of 2284 N/A N/A C:\Users\Admin\AppData\Local\SnNx\OptionalFeatures.exe
PID 1264 wrote to memory of 2284 N/A N/A C:\Users\Admin\AppData\Local\SnNx\OptionalFeatures.exe
PID 1264 wrote to memory of 2896 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1264 wrote to memory of 2896 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1264 wrote to memory of 2896 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1264 wrote to memory of 2928 N/A N/A C:\Users\Admin\AppData\Local\j4pH\dpapimig.exe
PID 1264 wrote to memory of 2928 N/A N/A C:\Users\Admin\AppData\Local\j4pH\dpapimig.exe
PID 1264 wrote to memory of 2928 N/A N/A C:\Users\Admin\AppData\Local\j4pH\dpapimig.exe
PID 1264 wrote to memory of 1632 N/A N/A C:\Windows\system32\ComputerDefaults.exe
PID 1264 wrote to memory of 1632 N/A N/A C:\Windows\system32\ComputerDefaults.exe
PID 1264 wrote to memory of 1632 N/A N/A C:\Windows\system32\ComputerDefaults.exe
PID 1264 wrote to memory of 1892 N/A N/A C:\Users\Admin\AppData\Local\Q3TKK\ComputerDefaults.exe
PID 1264 wrote to memory of 1892 N/A N/A C:\Users\Admin\AppData\Local\Q3TKK\ComputerDefaults.exe
PID 1264 wrote to memory of 1892 N/A N/A C:\Users\Admin\AppData\Local\Q3TKK\ComputerDefaults.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\846540a9573e476e30b92db75daf0040.dll,#1

C:\Windows\system32\OptionalFeatures.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\SnNx\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\SnNx\OptionalFeatures.exe

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\j4pH\dpapimig.exe

C:\Users\Admin\AppData\Local\j4pH\dpapimig.exe

C:\Windows\system32\ComputerDefaults.exe

C:\Windows\system32\ComputerDefaults.exe

C:\Users\Admin\AppData\Local\Q3TKK\ComputerDefaults.exe

C:\Users\Admin\AppData\Local\Q3TKK\ComputerDefaults.exe

Network

N/A

Files

memory/2276-0-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/2276-1-0x0000000001B60000-0x0000000001B67000-memory.dmp

memory/1264-4-0x0000000076CF6000-0x0000000076CF7000-memory.dmp

memory/1264-5-0x0000000002B30000-0x0000000002B31000-memory.dmp

memory/1264-7-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-9-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-12-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-13-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-15-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-14-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-16-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-18-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-19-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-20-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-21-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-17-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-24-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-25-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-26-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-28-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-29-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-30-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-33-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-31-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-32-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-27-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-36-0x0000000002B00000-0x0000000002B07000-memory.dmp

memory/1264-35-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-43-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-50-0x0000000076F60000-0x0000000076F62000-memory.dmp

memory/1264-49-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-44-0x0000000076E01000-0x0000000076E02000-memory.dmp

memory/1264-34-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-23-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-22-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-11-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-10-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/2276-8-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1264-55-0x0000000140000000-0x00000001401AF000-memory.dmp

\Users\Admin\AppData\Local\SnNx\OptionalFeatures.exe

MD5 eae7af6084667c8f05412ddf096167fc
SHA1 0dbe8aba001447030e48e8ad5466fd23481e6140
SHA256 01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc
SHA512 172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

\Users\Admin\AppData\Local\SnNx\appwiz.cpl

MD5 07f53023b27901d3a18416a0ad6b6e72
SHA1 27d4754466dbe35db844cafd282fe0b6e31d8d28
SHA256 62b6299bfd292b82da10ff0687417c15de0bd3bc2b3ba8bb084f9fefec565a52
SHA512 9dffc20ba2744596022f21773f7b2bfef695c9c2201a18c0cdff51fcb2e45664a8b54904ff0bb88e37750977cf3608dd4c310f17e776c0ed4713e27ee7779053

memory/2284-69-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/2284-74-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/2284-68-0x0000000000270000-0x0000000000277000-memory.dmp

memory/1264-59-0x0000000140000000-0x00000001401AF000-memory.dmp

\Users\Admin\AppData\Local\j4pH\dpapimig.exe

MD5 0e8b8abea4e23ddc9a70614f3f651303
SHA1 6d332ba4e7a78039f75b211845514ab35ab467b2
SHA256 66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1
SHA512 4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

C:\Users\Admin\AppData\Local\j4pH\DUI70.dll

MD5 abe5488c01911486ad2c880deb2b66dd
SHA1 7af9bf3dcf64ee9bc2075e9d6d4d48ac0c9b7a81
SHA256 c340749fcd47303b505182242ed19ab75cf88b78be0e31f6b7a56a3cab96f2ac
SHA512 627387a9139bccd5d3c331304a76d6f34c7e4a7610ea00b735d279ecd0a0d202e8ef7db3bb24c7dc617dab59a26dc0663f0ccde831f3170cd2b0bc46ee6a346d

memory/2928-88-0x0000000000280000-0x0000000000287000-memory.dmp

memory/2928-89-0x0000000140000000-0x00000001401E3000-memory.dmp

memory/2928-94-0x0000000140000000-0x00000001401E3000-memory.dmp

\Users\Admin\AppData\Local\Q3TKK\ComputerDefaults.exe

MD5 86bd981f55341273753ac42ea200a81e
SHA1 14fe410efc9aeb0a905b984ac27719ff0dd10ea7
SHA256 40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3
SHA512 49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

C:\Users\Admin\AppData\Local\Q3TKK\appwiz.cpl

MD5 66c4f866c690b0d8e7bf1f390b944c59
SHA1 ef3de43bf564848284cb41c82792a84e6d699a3a
SHA256 28a7170a5d0713a6dbbdb57a7a227fa088ed0b340c1a7280985abb5cf9761e70
SHA512 a1c5837f674f433200d3a3efeafa6cbe4d0904806d9c490dc001269a68bcc510b4136e4542db8d3e1969d6d306c3cff1b01bef266f50346c836d1ccad8d55ad0

memory/1892-106-0x0000000000310000-0x0000000000317000-memory.dmp

memory/1892-112-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1264-128-0x0000000076CF6000-0x0000000076CF7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

MD5 dfc9477ea536c88ea49ed88b0bee20b3
SHA1 ad9f1048221127e3ccbc97cfdf5b7fbf9127242b
SHA256 83004035e192db7c9cb430b85b0a792b910c5ff6c46ca2777d5cf47d4f7a1020
SHA512 09a04cad5f140c7533bfcb94145c9fc4ae539bb4909a215fd8c6b9a97a6fd1dcbd5ebac18457463fe5698fd90777f5c6aed2bf6678df11e007e96c3a4b4473ee

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-31 12:18

Reported

2024-01-31 12:20

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\846540a9573e476e30b92db75daf0040.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\AD23jVrT\\Taskmgr.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\FCo\tabcal.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\P7i2fm7d\Taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\djC8\SystemSettingsRemoveDevice.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3424 wrote to memory of 4904 N/A N/A C:\Windows\system32\tabcal.exe
PID 3424 wrote to memory of 4904 N/A N/A C:\Windows\system32\tabcal.exe
PID 3424 wrote to memory of 3528 N/A N/A C:\Users\Admin\AppData\Local\FCo\tabcal.exe
PID 3424 wrote to memory of 3528 N/A N/A C:\Users\Admin\AppData\Local\FCo\tabcal.exe
PID 3424 wrote to memory of 2884 N/A N/A C:\Windows\system32\Taskmgr.exe
PID 3424 wrote to memory of 2884 N/A N/A C:\Windows\system32\Taskmgr.exe
PID 3424 wrote to memory of 2888 N/A N/A C:\Users\Admin\AppData\Local\P7i2fm7d\Taskmgr.exe
PID 3424 wrote to memory of 2888 N/A N/A C:\Users\Admin\AppData\Local\P7i2fm7d\Taskmgr.exe
PID 3424 wrote to memory of 4788 N/A N/A C:\Windows\system32\SystemSettingsRemoveDevice.exe
PID 3424 wrote to memory of 4788 N/A N/A C:\Windows\system32\SystemSettingsRemoveDevice.exe
PID 3424 wrote to memory of 4104 N/A N/A C:\Users\Admin\AppData\Local\djC8\SystemSettingsRemoveDevice.exe
PID 3424 wrote to memory of 4104 N/A N/A C:\Users\Admin\AppData\Local\djC8\SystemSettingsRemoveDevice.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\846540a9573e476e30b92db75daf0040.dll,#1

C:\Users\Admin\AppData\Local\FCo\tabcal.exe

C:\Users\Admin\AppData\Local\FCo\tabcal.exe

C:\Windows\system32\Taskmgr.exe

C:\Windows\system32\Taskmgr.exe

C:\Users\Admin\AppData\Local\P7i2fm7d\Taskmgr.exe

C:\Users\Admin\AppData\Local\P7i2fm7d\Taskmgr.exe

C:\Windows\system32\tabcal.exe

C:\Windows\system32\tabcal.exe

C:\Windows\system32\SystemSettingsRemoveDevice.exe

C:\Windows\system32\SystemSettingsRemoveDevice.exe

C:\Users\Admin\AppData\Local\djC8\SystemSettingsRemoveDevice.exe

C:\Users\Admin\AppData\Local\djC8\SystemSettingsRemoveDevice.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp

Files

memory/1632-1-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1632-0-0x00000183BDAD0000-0x00000183BDAD7000-memory.dmp

memory/3424-4-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

memory/3424-8-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-10-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-12-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-11-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-13-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-9-0x00007FFF0690A000-0x00007FFF0690B000-memory.dmp

memory/3424-15-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-14-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-16-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1632-7-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-6-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-17-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-18-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-19-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-20-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-21-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-22-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-23-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-25-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-24-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-26-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-29-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-33-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-32-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-34-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-37-0x0000000002D60000-0x0000000002D67000-memory.dmp

memory/3424-35-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-30-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-31-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-27-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-28-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-43-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-44-0x00007FFF07A20000-0x00007FFF07A30000-memory.dmp

memory/3424-53-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/3424-55-0x0000000140000000-0x00000001401AF000-memory.dmp

C:\Users\Admin\AppData\Local\FCo\HID.DLL

MD5 0d92f5dde6d48b3ccbb1f23b5e50725f
SHA1 fd9c9078cabc2bef9ece6e61acb5443a3cdda4d6
SHA256 3e187888153c2970d3f1011fcebc7b84e7deee708090194da9d28d038c0db229
SHA512 1bcaf6f258cafb97795c860c8671a2aac8c92070f3adbb46c955b5f97b5a4448c57af040d2d4484444356a240bd4f2365555dca2621c4cac69ef1f4eb8dd37f1

memory/3528-65-0x000001E46D0B0000-0x000001E46D0B7000-memory.dmp

memory/3528-70-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3528-64-0x0000000140000000-0x00000001401B0000-memory.dmp

C:\Users\Admin\AppData\Local\FCo\tabcal.exe

MD5 f775f99812e3478654cfe51c7624a3e1
SHA1 596a9265f299a6d2fcf9a6f26f34a16fc0381d43
SHA256 58d03f748eea6b8ee9defdb3e4822682550afb5437fbdd234e0752e90d785caf
SHA512 15c84af025ed5e54e3bf746a45c0d5b4347082cd09cd2298d604db255f6fa91b7b9f03dfb52cf3613c7fbd2e1c1935a34d11ac3ad8903b8ca25ef88dd6ce2b30

C:\Users\Admin\AppData\Local\FCo\HID.DLL

MD5 e16b852ad225cfe8701bbf96c5066fd6
SHA1 2236213edc4a9d9f0510d113f058936a477b44e4
SHA256 555a00014e686c391f976ca4d40642575242aa92e2c9316183f2bb270f16b622
SHA512 58b566a792be5a2aba451120356c88fd6593418ea53f2d349bd47a64d8dfb915e18a0ed4778cdc77a4794bf941a00719899874c52abc757c1a7b592c0ad79f32

C:\Users\Admin\AppData\Local\P7i2fm7d\UxTheme.dll

MD5 ddc4b8cc8f081cb550dacf29c3ed98da
SHA1 c7a81bded3091196d1bca25f6f0e2dc3564edcd3
SHA256 e02527e87dbd68e7cf5946e2af0663371769d209282c56a081b2daa2d2b14351
SHA512 ab89959ad05c64c9843f2211b158432553b08843e73528b5e48bcb2bea27828956597384bedeae71796c707a2fe72691bf490d617bae873256e5b244126d04f0

C:\Users\Admin\AppData\Local\P7i2fm7d\UxTheme.dll

MD5 da13880c91a4a3e754d74d84e1b96f2a
SHA1 b10854057c7cd9617e5a2a85c316f65b638f3a40
SHA256 28486df92c1480bacc636d113d2d1de6087188e38e74ec4f420dad86278ee9b6
SHA512 317540c6b3e3727c40c5dc9cf43e459b10d1555536ec8d57326b0c440f6708e2e876206a811a9c5f923f1c3cad4ec1533b0fe25a30a7ef5691bd3fce76aad7a4

C:\Users\Admin\AppData\Local\P7i2fm7d\Taskmgr.exe

MD5 7b091b311e32e4247470225bfb6c5e8d
SHA1 9cd0dcc0719d1aa94ba94027512a2df490ec5791
SHA256 78b9de939e411b18e43dd381d5258317f1a3e189a10c549751aac1dcd9f55cbb
SHA512 7edf82ea12a6960031235ae13b8acfd4fe7ce81906d1c8f336ea80d94dfe9f32e46adaf98ea85933c8a3ac0e2b06b1d3a98a83ead6ad4a721e2b0e630e742882

memory/2888-81-0x00000130D18B0000-0x00000130D18B7000-memory.dmp

C:\Users\Admin\AppData\Local\FCo\tabcal.exe

MD5 40f4014416ff0cbf92a9509f67a69754
SHA1 1798ff7324724a32c810e2075b11c09b41e4fede
SHA256 f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c
SHA512 646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

memory/2888-87-0x0000000140000000-0x00000001401B0000-memory.dmp

C:\Users\Admin\AppData\Local\P7i2fm7d\Taskmgr.exe

MD5 41c865e0ed719e994dbe76d727b911c3
SHA1 9611f367db454a09df2a01e96a83eea4e28276e3
SHA256 f6d0fc8250c8ca6a647d9d5154fc8131301b0866e143afd6ea221ba4333aefdf
SHA512 3305041629b52eea474608d2b398e82a6c9eff6be6da60ac61f1aeae78b2bc0adf238a60f8c50c16703b71277c050b8426d5fb981a0695bccea2954c9f44b8d6

C:\Users\Admin\AppData\Local\djC8\DUI70.dll

MD5 ef4619bc348e58fa377280e819c3ba8a
SHA1 8a3bdeb739454f5d33b9a09e2dde787aa81831e3
SHA256 cb6bb444012aad5b160828b25a1453d88f21805a4559d8f03df4e1622e53a0be
SHA512 73e73ebb65a1c673ad814c5160e6987cfb840182aee318126ced81a5d872775c28f75bbc40d9687860868d25586fff7b74d662e881f3a0b52e4b18c7a9e390c0

memory/4104-100-0x0000024C820D0000-0x0000024C820D7000-memory.dmp

memory/4104-101-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/4104-106-0x0000000140000000-0x00000001401F5000-memory.dmp

C:\Users\Admin\AppData\Local\djC8\SystemSettingsRemoveDevice.exe

MD5 7853f1c933690bb7c53c67151cbddeb0
SHA1 d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6
SHA256 9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d
SHA512 831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

C:\Users\Admin\AppData\Local\djC8\DUI70.dll

MD5 6873d168d1b157ce0306fca408ab51b0
SHA1 eb02734b0845d4e56c42bc6bc7672877e44d6c96
SHA256 42e201f86c65c03ea848b815eecd036ae7541aca573cd2066419aaba52038352
SHA512 f32f1c28ae938c4e0629954eaf2b5870cca0b92a3d61d16dccff39d23589caadaa8752e27c78acb02e80f77d31a8219efdd7604974a20e10117a81324ddaefba

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iydemppuyghrhln.lnk

MD5 21b3f963cd5bce3a3f89ba85a17a7252
SHA1 684c759d568130ad9281a12f4e16907c24d64504
SHA256 27ed215a8b71a6a6efc6aca911708144a1e5f215b7a96d9b76689ac15c8c7a7a
SHA512 3203be0f6f546fa95a30d64f59cdd64839f5ed08a28d501490833a750074c3830a82ee3fcb97016afc9a19db554e55c9413d2b0328a2ef199b433546894bba55

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\C9\HID.DLL

MD5 c613576a44366b8c492b68951e2dff47
SHA1 1f719649578fbdc34ed9d626473fe58470c736b2
SHA256 b4ba1ae0c083849c449ddc9b0723846769ca68c841ba058552fd7ea9d829213a
SHA512 8e0fb3dc4725f3f143eeb42c63bc4c99294002f090046e54224d02b3ffd13a19f076366b2b89b4ece9e8b438b46443a1ca3bd986e535170633dbba63865ff14e

C:\Users\Admin\AppData\Roaming\Microsoft\Word\AD23jVrT\UxTheme.dll

MD5 f1954dc28c2666fef391397468703799
SHA1 82ffe18308f183f0ba2621ae7d20f89c7cccd4d4
SHA256 258372d47d52d302d28a9857ab253fd110bab5997f0299e95307025b8c2a4b94
SHA512 877052fd9ae1b7d15b2e5026aefd8a25dc298a6e24e6e4a263bd8d36b7af5dda6054cf770dc576f9d68faadb5c0d2c555aead3299e4d190253ac0372c068001f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\FTEAFjRbqiP\DUI70.dll

MD5 ec2ed4ce93f96b5b29c337f3d2d887b0
SHA1 a7d326ae5d06f2066e9e4b11a647682ce6729ff8
SHA256 18437cd52a2a4cbcbf3b61c65c024348655cc8be54227f415a95b4b94cfb33f8
SHA512 5ec3abee2195e15c921eccd3d0960c7bd7d6aeed4d17aac5c6e87fb179310029251862aa334c7aa6cc7440f1049089a00cca928185a3998767575b907eefe95d