Malware Analysis Report

2024-11-30 21:30

Sample ID 231229-23cdwsbgar
Target 06757f0f902f5be0f5997657f6eb9265
SHA256 ae2ad50601ea9427bbd5976872c8854d51b8411b1d542a6df8d32169b62848ec
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ae2ad50601ea9427bbd5976872c8854d51b8411b1d542a6df8d32169b62848ec

Threat Level: Known bad

The file 06757f0f902f5be0f5997657f6eb9265 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-29 23:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-29 23:05

Reported

2023-12-30 06:26

Platform

win7-20231215-en

Max time kernel

150s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\06757f0f902f5be0f5997657f6eb9265.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\92E4R\Netplwiz.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\IfUgxvo\wextract.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Ixyx\rdpshell.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\VKk0QVuQvA1\\wextract.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\92E4R\Netplwiz.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\IfUgxvo\wextract.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Ixyx\rdpshell.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1308 wrote to memory of 3028 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1308 wrote to memory of 3028 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1308 wrote to memory of 3028 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1308 wrote to memory of 912 N/A N/A C:\Users\Admin\AppData\Local\92E4R\Netplwiz.exe
PID 1308 wrote to memory of 912 N/A N/A C:\Users\Admin\AppData\Local\92E4R\Netplwiz.exe
PID 1308 wrote to memory of 912 N/A N/A C:\Users\Admin\AppData\Local\92E4R\Netplwiz.exe
PID 1308 wrote to memory of 2584 N/A N/A C:\Windows\system32\wextract.exe
PID 1308 wrote to memory of 2584 N/A N/A C:\Windows\system32\wextract.exe
PID 1308 wrote to memory of 2584 N/A N/A C:\Windows\system32\wextract.exe
PID 1308 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\IfUgxvo\wextract.exe
PID 1308 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\IfUgxvo\wextract.exe
PID 1308 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\IfUgxvo\wextract.exe
PID 1308 wrote to memory of 2908 N/A N/A C:\Windows\system32\rdpshell.exe
PID 1308 wrote to memory of 2908 N/A N/A C:\Windows\system32\rdpshell.exe
PID 1308 wrote to memory of 2908 N/A N/A C:\Windows\system32\rdpshell.exe
PID 1308 wrote to memory of 2792 N/A N/A C:\Users\Admin\AppData\Local\Ixyx\rdpshell.exe
PID 1308 wrote to memory of 2792 N/A N/A C:\Users\Admin\AppData\Local\Ixyx\rdpshell.exe
PID 1308 wrote to memory of 2792 N/A N/A C:\Users\Admin\AppData\Local\Ixyx\rdpshell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\06757f0f902f5be0f5997657f6eb9265.dll,#1

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\Netplwiz.exe

C:\Users\Admin\AppData\Local\92E4R\Netplwiz.exe

C:\Users\Admin\AppData\Local\92E4R\Netplwiz.exe

C:\Windows\system32\wextract.exe

C:\Windows\system32\wextract.exe

C:\Users\Admin\AppData\Local\IfUgxvo\wextract.exe

C:\Users\Admin\AppData\Local\IfUgxvo\wextract.exe

C:\Windows\system32\rdpshell.exe

C:\Windows\system32\rdpshell.exe

C:\Users\Admin\AppData\Local\Ixyx\rdpshell.exe

C:\Users\Admin\AppData\Local\Ixyx\rdpshell.exe

Network

N/A

Files

memory/2000-0-0x0000000000330000-0x0000000000337000-memory.dmp

memory/2000-1-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-4-0x00000000778E6000-0x00000000778E7000-memory.dmp

memory/1308-5-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

memory/1308-7-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/2000-8-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-9-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-11-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-10-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-12-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-13-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-14-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-15-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-16-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-17-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-18-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-19-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-20-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-21-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-23-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-22-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-25-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-24-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-26-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-27-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-28-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-29-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-31-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-30-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-32-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-33-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-34-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-35-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-36-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-37-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-39-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-38-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-40-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-41-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-42-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-43-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-44-0x0000000002A90000-0x0000000002A97000-memory.dmp

memory/1308-51-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-52-0x0000000077AF1000-0x0000000077AF2000-memory.dmp

memory/1308-53-0x0000000077C50000-0x0000000077C52000-memory.dmp

memory/1308-62-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-68-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1308-70-0x0000000140000000-0x00000001401BA000-memory.dmp

\Users\Admin\AppData\Local\92E4R\Netplwiz.exe

MD5 e43ec3c800d4c0716613392e81fba1d9
SHA1 37de6a235e978ecf3bb0fc2c864016c5b0134348
SHA256 636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c
SHA512 176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

C:\Users\Admin\AppData\Local\92E4R\NETPLWIZ.dll

MD5 0f26c96cab988349f4837dfa51269d41
SHA1 3c245325b737a4e3f3b656e2387898463d1ec551
SHA256 5907a2aadde2e043cce921a5fdc67d6e953cc9c0261d39567896f11bb36556fa
SHA512 24005c42a8fb671412ad6927c54fe346abb66f710955e43c1cdf0fe9b7206d5145bfc5930a703a0be6a96618869f57739048f292d742455d8b3cd9a8539e46b9

memory/912-81-0x0000000140000000-0x00000001401BB000-memory.dmp

memory/912-80-0x0000000000410000-0x0000000000417000-memory.dmp

memory/912-86-0x0000000140000000-0x00000001401BB000-memory.dmp

\Users\Admin\AppData\Local\IfUgxvo\wextract.exe

MD5 1ea6500c25a80e8bdb65099c509af993
SHA1 6a090ef561feb4ae1c6794de5b19c5e893c4aafc
SHA256 99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2
SHA512 b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

C:\Users\Admin\AppData\Local\IfUgxvo\VERSION.dll

MD5 55404af70ad6f761dec2483681dde95c
SHA1 11bcb4664613afbd0ee8783ad6c791194012de0e
SHA256 243d5b51f69b7b5631eca48cf870c1ec7589d23fddb03213d72b17b6fbee9e99
SHA512 29831fdcf36f289550b3971d620b9ea3170766353c305e352df71b2e19ef2cefa33bbe5a9accd8582a508ebadce80fad848ebfbce37f6a3e90bd803914081eef

memory/2824-99-0x0000000000320000-0x0000000000327000-memory.dmp

\Users\Admin\AppData\Local\Ixyx\rdpshell.exe

MD5 a62dfcea3a58ba8fcf32f831f018fe3f
SHA1 75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b
SHA256 f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e
SHA512 9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

C:\Users\Admin\AppData\Local\Ixyx\WTSAPI32.dll

MD5 573ecdfb11e15ad2792c704f0b4381f3
SHA1 290b95d02611ebf941319afc1fcacb9d90f8a95d
SHA256 cb480da37e646ae60303ff95bf99bac3e570b05db80a07fe33cdd607d66ef038
SHA512 61f6e38371c07ca88887f6e0d80109040a8ed86285b04881897500b93f7a5a0d029394884bd47fd56f053b32748011e47f21a4e2e27d62c7a1d8ecae48d208df

memory/2792-116-0x00000000001A0000-0x00000000001A7000-memory.dmp

memory/1308-138-0x00000000778E6000-0x00000000778E7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 08123b4b785085a51376d425aeb2da3e
SHA1 97babed3e0dda49ca7ab343ff737b47de1c2c315
SHA256 c4d71981dce95b763343afd5527f504a6c3ab6aa860b57bc4ba84688b795013c
SHA512 349191e4c222d189466e8061abd1737c5f3d07e51131c128e6387c38c19de8ef84c37a6493a3c21de09c55318f2dce49fe2a1e9bf1d8d3e7c87587c3a3cfa2cf

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-29 23:05

Reported

2023-12-30 06:27

Platform

win10v2004-20231215-en

Max time kernel

18s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\06757f0f902f5be0f5997657f6eb9265.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\06757f0f902f5be0f5997657f6eb9265.dll,#1

C:\Windows\system32\isoburn.exe

C:\Windows\system32\isoburn.exe

C:\Users\Admin\AppData\Local\tEcwNK\isoburn.exe

C:\Users\Admin\AppData\Local\tEcwNK\isoburn.exe

C:\Windows\system32\psr.exe

C:\Windows\system32\psr.exe

C:\Users\Admin\AppData\Local\c98YH5\psr.exe

C:\Users\Admin\AppData\Local\c98YH5\psr.exe

C:\Windows\system32\GamePanel.exe

C:\Windows\system32\GamePanel.exe

C:\Users\Admin\AppData\Local\472dBAsAH\GamePanel.exe

C:\Users\Admin\AppData\Local\472dBAsAH\GamePanel.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp

Files

memory/2672-0-0x000002914D9D0000-0x000002914D9D7000-memory.dmp

memory/2672-1-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-4-0x0000000001550000-0x0000000001551000-memory.dmp

memory/3384-9-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-13-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-17-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-21-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-24-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-29-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-31-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-35-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-37-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-38-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-41-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-40-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-42-0x0000000001500000-0x0000000001507000-memory.dmp

memory/3384-43-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-39-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-36-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-34-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-33-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-32-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-30-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-28-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-27-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-26-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-25-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-23-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-22-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-20-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-19-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-18-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-16-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-15-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-14-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-12-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-11-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-10-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-8-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-7-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-6-0x00007FFAF569A000-0x00007FFAF569B000-memory.dmp

memory/2672-50-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-52-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-53-0x00007FFAF6BE0000-0x00007FFAF6BF0000-memory.dmp

memory/3384-62-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3384-64-0x0000000140000000-0x00000001401BA000-memory.dmp

C:\Users\Admin\AppData\Local\tEcwNK\isoburn.exe

MD5 ad19ec45c94e06aaf6d7a1efd69b2aae
SHA1 1232c62d5ae0b897ddab5e646068d183cf235318
SHA256 a061a44e46ec2e5b1bd9870d01a225713f3178b4bd595eb519bbf534b7b97354
SHA512 f417bedc64bf0c718ba640f70bbdd44d96aeaf4a2b9ccba59d175617d1c7630d7a86f34d4cefc1a5eff6c04fd634be251a8f23a0008dc7b9f88b4d9b34dc4eef

C:\Users\Admin\AppData\Local\tEcwNK\UxTheme.dll

MD5 b26ab5dea30d7a79fbe21ff99510f04d
SHA1 b524cf8c3edb3ed735908e0c6aa8c2f6434394ae
SHA256 ea916499b6d5a573ac9e7aaaff69bae0288815e86f1d156f452212c82877863d
SHA512 88ac35fddaa45a88486b6dfac203110b69a7974123fc1a2ef2f6f64bdfcda6fa10d2c8619db601e4337d3b09b3b24d7d0230607d6d613e6d49981bf2e70ac3b0

C:\Users\Admin\AppData\Local\tEcwNK\UxTheme.dll

MD5 08c6a135af06886401124d69cb42306b
SHA1 fa4e3550b40beb60efcf8c898c196c618bf1f873
SHA256 85ec449e91a6911d582b976707d5f5e8de376813777d1da24e5f1cff08fc1ab4
SHA512 9c880d5a037a9ceee13ea900b64b3aef9dd09ca4c703bd5c3c6bebc6e87f9225ca314309b553fe27de8b8f33737c82f28048b69b720187ec06d3c18e0e37f0de

memory/2240-73-0x0000013507430000-0x0000013507437000-memory.dmp

memory/2240-79-0x0000000140000000-0x00000001401BB000-memory.dmp

C:\Users\Admin\AppData\Local\tEcwNK\isoburn.exe

MD5 e9bb796d2d3c7ab88d2cc99ce93f294b
SHA1 cfceaab1df2a5f8601925f9eb5f17a978cf2bf3a
SHA256 80ec8f2ae6d38d99b786fbce3cae3a78878d88b2fa2f00f5bc5fc87e2ab4c9bd
SHA512 4da20f8631353adc5df6ac4e9a762b172f3c7f1484c432316c34dce3741d759fed2ce65fdaa187df86eb9c048efeefe02fbe09de6342ee7927bb1621baf17dc4

memory/2240-74-0x0000000140000000-0x00000001401BB000-memory.dmp

C:\Users\Admin\AppData\Local\c98YH5\XmlLite.dll

MD5 d6702b9c88074e8d933777882cbd05f3
SHA1 e090a2849e7bfdce032223b069c1a86747f6ad24
SHA256 e79e0717c1e616e570008527ecf72616a328d3261994c42c9720a57112e67bfc
SHA512 c7af363d83d63cda44c2319e9173407d7526e54377a63334e38b090e519cc940bb3eb5305ef057c6931dbb27404de009b2e7cde9bd4a55c9d9af3a8fb747a164

C:\Users\Admin\AppData\Local\c98YH5\XmlLite.dll

MD5 59b0df6e6f2e0f7e1e432045c4b81393
SHA1 faa64aa86bdc54350cf9fbefd3bdbf871d9b9644
SHA256 0c1a46e4f353a67dc2f69094f84da6512f97780bccfd7d06c3eef188cac0d2e3
SHA512 50ac9e2c07adec9d4f4565660d5a1c0a38b4d057ce2d5507e49b8b2c8706bbc9ab13b749433cc721ace277812ab6b43ee4eb58542ee815a92afceda794d771a9

C:\Users\Admin\AppData\Local\c98YH5\XmlLite.dll

MD5 6c6a9414d7ea733854bb291a842453e1
SHA1 21859c452d2dc4bc9f23e2eb4433123790efc675
SHA256 992de858b0ff2412a2c771aa6836c6f6b8bafdb1e93f3dc2a3af4415ca282232
SHA512 a4c8bcb0b177e44ea37029cf0c031204eefb0700a172a14ead5e16fd7861099e44b268c2d7909fda531c69713765842019f13ea8c2b01a1ad647c54f78925abb

memory/1792-91-0x0000029FC0BA0000-0x0000029FC0BA7000-memory.dmp

C:\Users\Admin\AppData\Local\c98YH5\psr.exe

MD5 9d224e27dcc684bf79a4c646f2682abf
SHA1 680063e009fa1e787b553d29ca79cd79e6db37c6
SHA256 3ae642570dc4bc32f3e46631677bbb9a6a95eb0f3e9e91de5d1eb203d0cd6fdb
SHA512 0287d7e186f74eb4181989383c4d0aa9d596c65b4f98ded07125e1acb8c27b95606a5bf81d0f6636bcd41c2669b7dba6ece2cc7e1e09bee53b92b4724ebac729

memory/1792-97-0x0000000140000000-0x00000001401BB000-memory.dmp

C:\Users\Admin\AppData\Local\c98YH5\psr.exe

MD5 a56e2cbc1d7958bb39663c5549f8b03e
SHA1 3e3850e425d730be051a0b3a6820acaf14f74fe0
SHA256 0489ad1f87cc458650f0491dbf3a2f402de05ecbdce773a0e0b3d493f347a644
SHA512 ae7ea8ac1449a228136a182c5e391b063b69b3317339b950d67847f8395a0defba2dbc991b007918c094906dc12e4d4c2ea4f27769bd0c4b720bc3685bc9ea9b

memory/4412-108-0x000001D6A7F70000-0x000001D6A7F77000-memory.dmp

C:\Users\Admin\AppData\Local\472dBAsAH\GamePanel.exe

MD5 1e7c1e39c62abc019c0d4a56f4466d56
SHA1 e54743c3aa943fa4a49226e666dd30b6f5722bde
SHA256 23a146e81d63e06c257df96b7f6ae553372bb2303d4e00069aebfc3ce6884b2d
SHA512 bd4ae40612710a5d0643f3d5f0afce3af2722348ce04337cd2fd5bbbe748086a7c96b42072481e8488ed2e149b53dc93191682fd40b630eabd95b225faa9d9e8

C:\Users\Admin\AppData\Local\472dBAsAH\UxTheme.dll

MD5 46a5e098ef18babd7bb8c922a9b66e18
SHA1 063fdb82191bde22eb311ac918f49356581c84c6
SHA256 70587503de79e3bd1d9ac258dceff1d3c06c2ef9c0d6863cb2ac17667e48a46c
SHA512 8432b2ac534de17430e0d0ff830e0cdfb44f1c23918f0130f862d7eb2e171931664997e1f9d302c5c60fe4e3694fb396b1f55c7c19032de3f5a610de7fd46698

C:\Users\Admin\AppData\Local\472dBAsAH\UxTheme.dll

MD5 f71f35c9dd048ebd9ec751e7879e1611
SHA1 d2713f219d8c1833a9e2e2bfe2f9232067e23a49
SHA256 290d38a70af324a55cb7aadeae86dd365795d52c10186969a157faf7bc0e40be
SHA512 c5ad7198076db74b54a5c3430ebddf40fa16f6e0b8a9d72af514e5c72a5a73ca411b8f36e3e6d3d683ff2edb006d07ce4051cd158349acc32478c6f13a66cea5

C:\Users\Admin\AppData\Local\472dBAsAH\GamePanel.exe

MD5 f18e222e66e075f9562877560232aaef
SHA1 a15b7218292b4cf7b592934065dc981bd28f6f8d
SHA256 e345d290bac19b4e98bff9cd50168012af5e54ab652eda05de46b248d0123c78
SHA512 b606af03c0eebe720e8bd093212fe98ae3a064f54165cd633d036c9d577254017398e36af7f207ca4f327ade66f2151c900127a4859d2e82a07885ba2714860c

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

MD5 3ab97077d51348e470f86ab4ce706a5f
SHA1 7fdaa66160ccc05a0ad3db2e78efedf2cc1c8d19
SHA256 02146440a81385197492390c279ce9197273716ce9bebc279bd90f556c1aaf3f
SHA512 2c08e90e926c38b1f8c8adb916d496e67c033b29ebaa532c44076e98540f0b26e35dbc17fc6a31e2a20c88198e42eb142c2ed2879bae156ad2e237caafb4b0ba

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-983843758-932321429-1636175382-1000\u2FlSkVS\UxTheme.dll

MD5 75d3dc712a80b8ff601459d7a490b063
SHA1 13fa50934678e8f07f5790777aae5846a006707e
SHA256 f8f3ed968e321963292e6a7b0a569d926da37c934ede7175521f0c8807c3637b
SHA512 a22543a969e6271b7e4cbbfdf90272b795b0d678a0a7429bbcee9f3337bbc063e930093da23305ee266f2c0b53c9834fa3642c87573fc1ae2f7eb3186629d275

C:\Users\Admin\AppData\Roaming\Microsoft\Word\aSZnqHtFYvX\XmlLite.dll

MD5 87440dadb17880f79168ba7dcb5540ee
SHA1 f792a0a7104337c509699b54d233ff92696e7059
SHA256 b3c652752c66bc7ce09a75b1015b65271ebe6784d92ce06abf15d42a315e2ac2
SHA512 cd7b1b166f16bf9f9e758c32ac507d3de12e25178ff6f01f41a0a42ee40f3d7fae199db8dcbaa56bd303116f62e56b950c7d37c2eccb143b4f69b800c269579f