Analysis Overview
SHA256
ae2ad50601ea9427bbd5976872c8854d51b8411b1d542a6df8d32169b62848ec
Threat Level: Known bad
The file 06757f0f902f5be0f5997657f6eb9265 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-29 23:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-29 23:05
Reported
2023-12-30 06:26
Platform
win7-20231215-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\92E4R\Netplwiz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\IfUgxvo\wextract.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Ixyx\rdpshell.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\92E4R\Netplwiz.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\IfUgxvo\wextract.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Ixyx\rdpshell.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\VKk0QVuQvA1\\wextract.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\92E4R\Netplwiz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\IfUgxvo\wextract.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Ixyx\rdpshell.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1308 wrote to memory of 3028 | N/A | N/A | C:\Windows\system32\Netplwiz.exe |
| PID 1308 wrote to memory of 3028 | N/A | N/A | C:\Windows\system32\Netplwiz.exe |
| PID 1308 wrote to memory of 3028 | N/A | N/A | C:\Windows\system32\Netplwiz.exe |
| PID 1308 wrote to memory of 912 | N/A | N/A | C:\Users\Admin\AppData\Local\92E4R\Netplwiz.exe |
| PID 1308 wrote to memory of 912 | N/A | N/A | C:\Users\Admin\AppData\Local\92E4R\Netplwiz.exe |
| PID 1308 wrote to memory of 912 | N/A | N/A | C:\Users\Admin\AppData\Local\92E4R\Netplwiz.exe |
| PID 1308 wrote to memory of 2584 | N/A | N/A | C:\Windows\system32\wextract.exe |
| PID 1308 wrote to memory of 2584 | N/A | N/A | C:\Windows\system32\wextract.exe |
| PID 1308 wrote to memory of 2584 | N/A | N/A | C:\Windows\system32\wextract.exe |
| PID 1308 wrote to memory of 2824 | N/A | N/A | C:\Users\Admin\AppData\Local\IfUgxvo\wextract.exe |
| PID 1308 wrote to memory of 2824 | N/A | N/A | C:\Users\Admin\AppData\Local\IfUgxvo\wextract.exe |
| PID 1308 wrote to memory of 2824 | N/A | N/A | C:\Users\Admin\AppData\Local\IfUgxvo\wextract.exe |
| PID 1308 wrote to memory of 2908 | N/A | N/A | C:\Windows\system32\rdpshell.exe |
| PID 1308 wrote to memory of 2908 | N/A | N/A | C:\Windows\system32\rdpshell.exe |
| PID 1308 wrote to memory of 2908 | N/A | N/A | C:\Windows\system32\rdpshell.exe |
| PID 1308 wrote to memory of 2792 | N/A | N/A | C:\Users\Admin\AppData\Local\Ixyx\rdpshell.exe |
| PID 1308 wrote to memory of 2792 | N/A | N/A | C:\Users\Admin\AppData\Local\Ixyx\rdpshell.exe |
| PID 1308 wrote to memory of 2792 | N/A | N/A | C:\Users\Admin\AppData\Local\Ixyx\rdpshell.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\06757f0f902f5be0f5997657f6eb9265.dll,#1
C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
C:\Users\Admin\AppData\Local\92E4R\Netplwiz.exe
C:\Users\Admin\AppData\Local\92E4R\Netplwiz.exe
C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
C:\Users\Admin\AppData\Local\IfUgxvo\wextract.exe
C:\Users\Admin\AppData\Local\IfUgxvo\wextract.exe
C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
C:\Users\Admin\AppData\Local\Ixyx\rdpshell.exe
C:\Users\Admin\AppData\Local\Ixyx\rdpshell.exe
Network
Files
memory/2000-0-0x0000000000330000-0x0000000000337000-memory.dmp
memory/2000-1-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-4-0x00000000778E6000-0x00000000778E7000-memory.dmp
memory/1308-5-0x0000000002AC0000-0x0000000002AC1000-memory.dmp
memory/1308-7-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/2000-8-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-9-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-11-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-10-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-12-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-13-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-14-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-15-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-16-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-17-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-18-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-19-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-20-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-21-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-23-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-22-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-25-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-24-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-26-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-27-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-28-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-29-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-31-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-30-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-32-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-33-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-34-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-35-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-36-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-37-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-39-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-38-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-40-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-41-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-42-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-43-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-44-0x0000000002A90000-0x0000000002A97000-memory.dmp
memory/1308-51-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-52-0x0000000077AF1000-0x0000000077AF2000-memory.dmp
memory/1308-53-0x0000000077C50000-0x0000000077C52000-memory.dmp
memory/1308-62-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-68-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/1308-70-0x0000000140000000-0x00000001401BA000-memory.dmp
\Users\Admin\AppData\Local\92E4R\Netplwiz.exe
| Hash | Value |
| --- | --- |
| MD5 | e43ec3c800d4c0716613392e81fba1d9 |
| SHA1 | 37de6a235e978ecf3bb0fc2c864016c5b0134348 |
| SHA256 | 636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c |
| SHA512 | 176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08 |
C:\Users\Admin\AppData\Local\92E4R\NETPLWIZ.dll
| Hash | Value |
| --- | --- |
| MD5 | 0f26c96cab988349f4837dfa51269d41 |
| SHA1 | 3c245325b737a4e3f3b656e2387898463d1ec551 |
| SHA256 | 5907a2aadde2e043cce921a5fdc67d6e953cc9c0261d39567896f11bb36556fa |
| SHA512 | 24005c42a8fb671412ad6927c54fe346abb66f710955e43c1cdf0fe9b7206d5145bfc5930a703a0be6a96618869f57739048f292d742455d8b3cd9a8539e46b9 |
memory/912-81-0x0000000140000000-0x00000001401BB000-memory.dmp
memory/912-80-0x0000000000410000-0x0000000000417000-memory.dmp
memory/912-86-0x0000000140000000-0x00000001401BB000-memory.dmp
\Users\Admin\AppData\Local\IfUgxvo\wextract.exe
| Hash | Value |
| --- | --- |
| MD5 | 1ea6500c25a80e8bdb65099c509af993 |
| SHA1 | 6a090ef561feb4ae1c6794de5b19c5e893c4aafc |
| SHA256 | 99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2 |
| SHA512 | b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb |
C:\Users\Admin\AppData\Local\IfUgxvo\VERSION.dll
| Hash | Value |
| --- | --- |
| MD5 | 55404af70ad6f761dec2483681dde95c |
| SHA1 | 11bcb4664613afbd0ee8783ad6c791194012de0e |
| SHA256 | 243d5b51f69b7b5631eca48cf870c1ec7589d23fddb03213d72b17b6fbee9e99 |
| SHA512 | 29831fdcf36f289550b3971d620b9ea3170766353c305e352df71b2e19ef2cefa33bbe5a9accd8582a508ebadce80fad848ebfbce37f6a3e90bd803914081eef |
memory/2824-99-0x0000000000320000-0x0000000000327000-memory.dmp
\Users\Admin\AppData\Local\Ixyx\rdpshell.exe
| Hash | Value |
| --- | --- |
| MD5 | a62dfcea3a58ba8fcf32f831f018fe3f |
| SHA1 | 75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b |
| SHA256 | f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e |
| SHA512 | 9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603 |
C:\Users\Admin\AppData\Local\Ixyx\WTSAPI32.dll
| Hash | Value |
| --- | --- |
| MD5 | 573ecdfb11e15ad2792c704f0b4381f3 |
| SHA1 | 290b95d02611ebf941319afc1fcacb9d90f8a95d |
| SHA256 | cb480da37e646ae60303ff95bf99bac3e570b05db80a07fe33cdd607d66ef038 |
| SHA512 | 61f6e38371c07ca88887f6e0d80109040a8ed86285b04881897500b93f7a5a0d029394884bd47fd56f053b32748011e47f21a4e2e27d62c7a1d8ecae48d208df |
memory/2792-116-0x00000000001A0000-0x00000000001A7000-memory.dmp
memory/1308-138-0x00000000778E6000-0x00000000778E7000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk
| Hash | Value |
| --- | --- |
| MD5 | 08123b4b785085a51376d425aeb2da3e |
| SHA1 | 97babed3e0dda49ca7ab343ff737b47de1c2c315 |
| SHA256 | c4d71981dce95b763343afd5527f504a6c3ab6aa860b57bc4ba84688b795013c |
| SHA512 | 349191e4c222d189466e8061abd1737c5f3d07e51131c128e6387c38c19de8ef84c37a6493a3c21de09c55318f2dce49fe2a1e9bf1d8d3e7c87587c3a3cfa2cf |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-29 23:05
Reported
2023-12-30 06:27
Platform
win10v2004-20231215-en
Max time kernel
18s
Max time network
151s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\06757f0f902f5be0f5997657f6eb9265.dll,#1
C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
C:\Users\Admin\AppData\Local\tEcwNK\isoburn.exe
C:\Users\Admin\AppData\Local\tEcwNK\isoburn.exe
C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
C:\Users\Admin\AppData\Local\c98YH5\psr.exe
C:\Users\Admin\AppData\Local\c98YH5\psr.exe
C:\Windows\system32\GamePanel.exe
C:\Windows\system32\GamePanel.exe
C:\Users\Admin\AppData\Local\472dBAsAH\GamePanel.exe
C:\Users\Admin\AppData\Local\472dBAsAH\GamePanel.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 50.192.11.51.in-addr.arpa | udp |
Files
memory/2672-0-0x000002914D9D0000-0x000002914D9D7000-memory.dmp
memory/2672-1-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-4-0x0000000001550000-0x0000000001551000-memory.dmp
memory/3384-9-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-13-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-17-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-21-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-24-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-29-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-31-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-35-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-37-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-38-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-41-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-40-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-42-0x0000000001500000-0x0000000001507000-memory.dmp
memory/3384-43-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-39-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-36-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-34-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-33-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-32-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-30-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-28-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-27-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-26-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-25-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-23-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-22-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-20-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-19-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-18-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-16-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-15-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-14-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-12-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-11-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-10-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-8-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-7-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-6-0x00007FFAF569A000-0x00007FFAF569B000-memory.dmp
memory/2672-50-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-52-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-53-0x00007FFAF6BE0000-0x00007FFAF6BF0000-memory.dmp
memory/3384-62-0x0000000140000000-0x00000001401BA000-memory.dmp
memory/3384-64-0x0000000140000000-0x00000001401BA000-memory.dmp
C:\Users\Admin\AppData\Local\tEcwNK\isoburn.exe
| Hash | Value |
| --- | --- |
| MD5 | ad19ec45c94e06aaf6d7a1efd69b2aae |
| SHA1 | 1232c62d5ae0b897ddab5e646068d183cf235318 |
| SHA256 | a061a44e46ec2e5b1bd9870d01a225713f3178b4bd595eb519bbf534b7b97354 |
| SHA512 | f417bedc64bf0c718ba640f70bbdd44d96aeaf4a2b9ccba59d175617d1c7630d7a86f34d4cefc1a5eff6c04fd634be251a8f23a0008dc7b9f88b4d9b34dc4eef |
C:\Users\Admin\AppData\Local\tEcwNK\UxTheme.dll
| Hash | Value |
| --- | --- |
| MD5 | b26ab5dea30d7a79fbe21ff99510f04d |
| SHA1 | b524cf8c3edb3ed735908e0c6aa8c2f6434394ae |
| SHA256 | ea916499b6d5a573ac9e7aaaff69bae0288815e86f1d156f452212c82877863d |
| SHA512 | 88ac35fddaa45a88486b6dfac203110b69a7974123fc1a2ef2f6f64bdfcda6fa10d2c8619db601e4337d3b09b3b24d7d0230607d6d613e6d49981bf2e70ac3b0 |
C:\Users\Admin\AppData\Local\tEcwNK\UxTheme.dll
| Hash | Value |
| --- | --- |
| MD5 | 08c6a135af06886401124d69cb42306b |
| SHA1 | fa4e3550b40beb60efcf8c898c196c618bf1f873 |
| SHA256 | 85ec449e91a6911d582b976707d5f5e8de376813777d1da24e5f1cff08fc1ab4 |
| SHA512 | 9c880d5a037a9ceee13ea900b64b3aef9dd09ca4c703bd5c3c6bebc6e87f9225ca314309b553fe27de8b8f33737c82f28048b69b720187ec06d3c18e0e37f0de |
memory/2240-73-0x0000013507430000-0x0000013507437000-memory.dmp
memory/2240-79-0x0000000140000000-0x00000001401BB000-memory.dmp
C:\Users\Admin\AppData\Local\tEcwNK\isoburn.exe
| Hash | Value |
| --- | --- |
| MD5 | e9bb796d2d3c7ab88d2cc99ce93f294b |
| SHA1 | cfceaab1df2a5f8601925f9eb5f17a978cf2bf3a |
| SHA256 | 80ec8f2ae6d38d99b786fbce3cae3a78878d88b2fa2f00f5bc5fc87e2ab4c9bd |
| SHA512 | 4da20f8631353adc5df6ac4e9a762b172f3c7f1484c432316c34dce3741d759fed2ce65fdaa187df86eb9c048efeefe02fbe09de6342ee7927bb1621baf17dc4 |
memory/2240-74-0x0000000140000000-0x00000001401BB000-memory.dmp
C:\Users\Admin\AppData\Local\c98YH5\XmlLite.dll
| Hash | Value |
| --- | --- |
| MD5 | d6702b9c88074e8d933777882cbd05f3 |
| SHA1 | e090a2849e7bfdce032223b069c1a86747f6ad24 |
| SHA256 | e79e0717c1e616e570008527ecf72616a328d3261994c42c9720a57112e67bfc |
| SHA512 | c7af363d83d63cda44c2319e9173407d7526e54377a63334e38b090e519cc940bb3eb5305ef057c6931dbb27404de009b2e7cde9bd4a55c9d9af3a8fb747a164 |
C:\Users\Admin\AppData\Local\c98YH5\XmlLite.dll
| Hash | Value |
| --- | --- |
| MD5 | 59b0df6e6f2e0f7e1e432045c4b81393 |
| SHA1 | faa64aa86bdc54350cf9fbefd3bdbf871d9b9644 |
| SHA256 | 0c1a46e4f353a67dc2f69094f84da6512f97780bccfd7d06c3eef188cac0d2e3 |
| SHA512 | 50ac9e2c07adec9d4f4565660d5a1c0a38b4d057ce2d5507e49b8b2c8706bbc9ab13b749433cc721ace277812ab6b43ee4eb58542ee815a92afceda794d771a9 |
C:\Users\Admin\AppData\Local\c98YH5\XmlLite.dll
| Hash | Value |
| --- | --- |
| MD5 | 6c6a9414d7ea733854bb291a842453e1 |
| SHA1 | 21859c452d2dc4bc9f23e2eb4433123790efc675 |
| SHA256 | 992de858b0ff2412a2c771aa6836c6f6b8bafdb1e93f3dc2a3af4415ca282232 |
| SHA512 | a4c8bcb0b177e44ea37029cf0c031204eefb0700a172a14ead5e16fd7861099e44b268c2d7909fda531c69713765842019f13ea8c2b01a1ad647c54f78925abb |
memory/1792-91-0x0000029FC0BA0000-0x0000029FC0BA7000-memory.dmp
C:\Users\Admin\AppData\Local\c98YH5\psr.exe
| Hash | Value |
| --- | --- |
| MD5 | 9d224e27dcc684bf79a4c646f2682abf |
| SHA1 | 680063e009fa1e787b553d29ca79cd79e6db37c6 |
| SHA256 | 3ae642570dc4bc32f3e46631677bbb9a6a95eb0f3e9e91de5d1eb203d0cd6fdb |
| SHA512 | 0287d7e186f74eb4181989383c4d0aa9d596c65b4f98ded07125e1acb8c27b95606a5bf81d0f6636bcd41c2669b7dba6ece2cc7e1e09bee53b92b4724ebac729 |
memory/1792-97-0x0000000140000000-0x00000001401BB000-memory.dmp
C:\Users\Admin\AppData\Local\c98YH5\psr.exe
| Hash | Value |
| --- | --- |
| MD5 | a56e2cbc1d7958bb39663c5549f8b03e |
| SHA1 | 3e3850e425d730be051a0b3a6820acaf14f74fe0 |
| SHA256 | 0489ad1f87cc458650f0491dbf3a2f402de05ecbdce773a0e0b3d493f347a644 |
| SHA512 | ae7ea8ac1449a228136a182c5e391b063b69b3317339b950d67847f8395a0defba2dbc991b007918c094906dc12e4d4c2ea4f27769bd0c4b720bc3685bc9ea9b |
memory/4412-108-0x000001D6A7F70000-0x000001D6A7F77000-memory.dmp
C:\Users\Admin\AppData\Local\472dBAsAH\GamePanel.exe
| Hash | Value |
| --- | --- |
| MD5 | 1e7c1e39c62abc019c0d4a56f4466d56 |
| SHA1 | e54743c3aa943fa4a49226e666dd30b6f5722bde |
| SHA256 | 23a146e81d63e06c257df96b7f6ae553372bb2303d4e00069aebfc3ce6884b2d |
| SHA512 | bd4ae40612710a5d0643f3d5f0afce3af2722348ce04337cd2fd5bbbe748086a7c96b42072481e8488ed2e149b53dc93191682fd40b630eabd95b225faa9d9e8 |
C:\Users\Admin\AppData\Local\472dBAsAH\UxTheme.dll
| Hash | Value |
| --- | --- |
| MD5 | 46a5e098ef18babd7bb8c922a9b66e18 |
| SHA1 | 063fdb82191bde22eb311ac918f49356581c84c6 |
| SHA256 | 70587503de79e3bd1d9ac258dceff1d3c06c2ef9c0d6863cb2ac17667e48a46c |
| SHA512 | 8432b2ac534de17430e0d0ff830e0cdfb44f1c23918f0130f862d7eb2e171931664997e1f9d302c5c60fe4e3694fb396b1f55c7c19032de3f5a610de7fd46698 |
C:\Users\Admin\AppData\Local\472dBAsAH\UxTheme.dll
| Hash | Value |
| --- | --- |
| MD5 | f71f35c9dd048ebd9ec751e7879e1611 |
| SHA1 | d2713f219d8c1833a9e2e2bfe2f9232067e23a49 |
| SHA256 | 290d38a70af324a55cb7aadeae86dd365795d52c10186969a157faf7bc0e40be |
| SHA512 | c5ad7198076db74b54a5c3430ebddf40fa16f6e0b8a9d72af514e5c72a5a73ca411b8f36e3e6d3d683ff2edb006d07ce4051cd158349acc32478c6f13a66cea5 |
C:\Users\Admin\AppData\Local\472dBAsAH\GamePanel.exe
| Hash | Value |
| --- | --- |
| MD5 | f18e222e66e075f9562877560232aaef |
| SHA1 | a15b7218292b4cf7b592934065dc981bd28f6f8d |
| SHA256 | e345d290bac19b4e98bff9cd50168012af5e54ab652eda05de46b248d0123c78 |
| SHA512 | b606af03c0eebe720e8bd093212fe98ae3a064f54165cd633d036c9d577254017398e36af7f207ca4f327ade66f2151c900127a4859d2e82a07885ba2714860c |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk
| Hash | Value |
| --- | --- |
| MD5 | 3ab97077d51348e470f86ab4ce706a5f |
| SHA1 | 7fdaa66160ccc05a0ad3db2e78efedf2cc1c8d19 |
| SHA256 | 02146440a81385197492390c279ce9197273716ce9bebc279bd90f556c1aaf3f |
| SHA512 | 2c08e90e926c38b1f8c8adb916d496e67c033b29ebaa532c44076e98540f0b26e35dbc17fc6a31e2a20c88198e42eb142c2ed2879bae156ad2e237caafb4b0ba |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-983843758-932321429-1636175382-1000\u2FlSkVS\UxTheme.dll
| Hash | Value |
| --- | --- |
| MD5 | 75d3dc712a80b8ff601459d7a490b063 |
| SHA1 | 13fa50934678e8f07f5790777aae5846a006707e |
| SHA256 | f8f3ed968e321963292e6a7b0a569d926da37c934ede7175521f0c8807c3637b |
| SHA512 | a22543a969e6271b7e4cbbfdf90272b795b0d678a0a7429bbcee9f3337bbc063e930093da23305ee266f2c0b53c9834fa3642c87573fc1ae2f7eb3186629d275 |
C:\Users\Admin\AppData\Roaming\Microsoft\Word\aSZnqHtFYvX\XmlLite.dll
| Hash | Value |
| --- | --- |
| MD5 | 87440dadb17880f79168ba7dcb5540ee |
| SHA1 | f792a0a7104337c509699b54d233ff92696e7059 |
| SHA256 | b3c652752c66bc7ce09a75b1015b65271ebe6784d92ce06abf15d42a315e2ac2 |
| SHA512 | cd7b1b166f16bf9f9e758c32ac507d3de12e25178ff6f01f41a0a42ee40f3d7fae199db8dcbaa56bd303116f62e56b950c7d37c2eccb143b4f69b800c269579f |