Malware Analysis Report

2024-11-30 21:07

Sample ID 231230-g2n13sddh9
Target 10e0923a9df7e76e9ca30923dceca843
SHA256 11b7a4d4ceb03cce0efcd4fd1a3f314b99f30971d4a2aebbd6086f44dfb68bf5
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

11b7a4d4ceb03cce0efcd4fd1a3f314b99f30971d4a2aebbd6086f44dfb68bf5

Threat Level: Known bad

The file 10e0923a9df7e76e9ca30923dceca843 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 06:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 06:18

Reported

2024-01-01 04:33

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10e0923a9df7e76e9ca30923dceca843.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\daN9K\\DWWIN.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\FRoKV\mstsc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\cE94tNAhI\DWWIN.EXE N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\FCFRv\DeviceEnroller.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (4 events)
N/A N/A N/A N/A (60 further events with no fields recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A (8 events)
Token: SeCreatePagefilePrivilege N/A N/A N/A (8 events)
(the 16 events alternate SeShutdownPrivilege / SeCreatePagefilePrivilege in pairs)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A (2 events)

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3468 wrote to memory of 3776 N/A N/A C:\Windows\system32\mstsc.exe (2 events)
PID 3468 wrote to memory of 1632 N/A N/A C:\Users\Admin\AppData\Local\FRoKV\mstsc.exe (2 events)
PID 3468 wrote to memory of 2500 N/A N/A C:\Windows\system32\DWWIN.EXE (2 events)
PID 3468 wrote to memory of 4568 N/A N/A C:\Users\Admin\AppData\Local\cE94tNAhI\DWWIN.EXE (2 events)
PID 3468 wrote to memory of 3388 N/A N/A C:\Windows\system32\DeviceEnroller.exe (2 events)
PID 3468 wrote to memory of 4104 N/A N/A C:\Users\Admin\AppData\Local\FCFRv\DeviceEnroller.exe (2 events)

The targets come in pairs: for each binary the loader (PID 3468) first writes into the genuine copy under C:\Windows\system32 and then into a same-named copy under a random-looking directory in AppData\Local.

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10e0923a9df7e76e9ca30923dceca843.dll,#1

C:\Windows\system32\mstsc.exe

C:\Windows\system32\mstsc.exe

C:\Users\Admin\AppData\Local\FCFRv\DeviceEnroller.exe

C:\Users\Admin\AppData\Local\FCFRv\DeviceEnroller.exe

C:\Windows\system32\DeviceEnroller.exe

C:\Windows\system32\DeviceEnroller.exe

C:\Users\Admin\AppData\Local\cE94tNAhI\DWWIN.EXE

C:\Users\Admin\AppData\Local\cE94tNAhI\DWWIN.EXE

C:\Windows\system32\DWWIN.EXE

C:\Windows\system32\DWWIN.EXE

C:\Users\Admin\AppData\Local\FRoKV\mstsc.exe

C:\Users\Admin\AppData\Local\FRoKV\mstsc.exe

Network

Country  Destination         Domain                          Proto
NL       52.142.223.178:80   (none recorded)                 tcp
US       8.8.8.8:53          g.bing.com                      udp
US       204.79.197.200:443  g.bing.com                      tcp
US       8.8.8.8:53          200.197.79.204.in-addr.arpa     udp
US       8.8.8.8:53          240.221.184.93.in-addr.arpa     udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53          158.240.127.40.in-addr.arpa     udp
US       8.8.8.8:53          82.177.190.20.in-addr.arpa      udp
US       8.8.8.8:53          9.228.82.20.in-addr.arpa        udp
US       8.8.8.8:53          26.35.223.20.in-addr.arpa       udp
US       8.8.8.8:53          2.136.104.51.in-addr.arpa       udp
US       8.8.8.8:53          41.110.16.96.in-addr.arpa       udp
US       8.8.8.8:53          26.165.165.52.in-addr.arpa      udp
US       8.8.8.8:53          206.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53          104.241.123.92.in-addr.arpa     udp
US       8.8.8.8:53          119.110.54.20.in-addr.arpa      udp
US       8.8.8.8:53          217.135.221.88.in-addr.arpa     udp
US       8.8.8.8:53          176.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53          174.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53          32.134.221.88.in-addr.arpa      udp
US       8.8.8.8:53          180.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53          18.134.221.88.in-addr.arpa      udp
US       8.8.8.8:53          23.236.111.52.in-addr.arpa      udp
US       8.8.8.8:53          tse1.mm.bing.net                udp
US       204.79.197.200:443  tse1.mm.bing.net                tcp (5 connections)

The only destination that is neither Bing content nor a reverse-DNS (in-addr.arpa) lookup via 8.8.8.8 is 52.142.223.178:80 over TCP, with no domain recorded; it is the connection to pull from the capture first.

Files

memory/5040-0-0x00000194EE050000-0x00000194EE057000-memory.dmp

memory/5040-1-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-5-0x00007FFEE030A000-0x00007FFEE030B000-memory.dmp

memory/3468-4-0x00000000080D0000-0x00000000080D1000-memory.dmp

memory/5040-8-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-9-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-10-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-11-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-12-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-14-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-15-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-21-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-24-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-23-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-28-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-32-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-38-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-43-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-44-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-45-0x00000000080B0000-0x00000000080B7000-memory.dmp

memory/3468-53-0x00007FFEE04A0000-0x00007FFEE04B0000-memory.dmp

memory/3468-62-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-64-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1632-79-0x0000000140000000-0x0000000140182000-memory.dmp

memory/1632-74-0x0000000140000000-0x0000000140182000-memory.dmp

memory/4568-93-0x000002088E0C0000-0x000002088E0C7000-memory.dmp

memory/4568-96-0x0000000140000000-0x0000000140181000-memory.dmp

memory/4568-90-0x0000000140000000-0x0000000140181000-memory.dmp

memory/4104-109-0x0000029181110000-0x0000029181117000-memory.dmp

memory/1632-73-0x0000028B947E0000-0x0000028B947E7000-memory.dmp

memory/3468-52-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-42-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-41-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-40-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-39-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-37-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-36-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-35-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-34-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-33-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-31-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-30-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-29-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-27-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-26-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-25-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-22-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-20-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-18-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-19-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-17-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-16-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-13-0x0000000140000000-0x0000000140180000-memory.dmp

memory/3468-7-0x0000000140000000-0x0000000140180000-memory.dmp
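The dump names above encode the PID, a sequence number and the address range of each region the sandbox captured. The region 0x140000000-0x140180000 (about 1.5 MB) appears in PID 5040 and PID 3468 and, at nearly the same size, in the injected PIDs 1632 and 4568, and a 0x7000-byte region appears in each of those processes as well as in 4104. 0x140000000 is the default image base a 64-bit PE requests, so an image-sized region at that address that recurs across processes is the first one to extract when unpacking. The Python below is an added example, not code from the report or the sandbox: it parses dump names into regions and reports which start addresses and which region sizes recur across PIDs. SAMPLE_DUMPS is a subset copied from the list above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Dump file names use the form memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Subset of the memory dump names from the win10 Files section of this report
# (the full list repeats the 0x140000000 region of PID 3468 many more times).
SAMPLE_DUMPS = [
    "memory/5040-0-0x00000194EE050000-0x00000194EE057000-memory.dmp",
    "memory/5040-1-0x0000000140000000-0x0000000140180000-memory.dmp",
    "memory/3468-5-0x00007FFEE030A000-0x00007FFEE030B000-memory.dmp",
    "memory/3468-7-0x0000000140000000-0x0000000140180000-memory.dmp",
    "memory/3468-9-0x0000000140000000-0x0000000140180000-memory.dmp",
    "memory/3468-45-0x00000000080B0000-0x00000000080B7000-memory.dmp",
    "memory/1632-73-0x0000028B947E0000-0x0000028B947E7000-memory.dmp",
    "memory/1632-74-0x0000000140000000-0x0000000140182000-memory.dmp",
    "memory/4568-90-0x0000000140000000-0x0000000140181000-memory.dmp",
    "memory/4568-93-0x000002088E0C0000-0x000002088E0C7000-memory.dmp",
    "memory/4104-109-0x0000029181110000-0x0000029181117000-memory.dmp",
]


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dumps(names) -> List[Region]:
    """Parse every name that matches the dump naming scheme; ignore anything else."""
    regions = []
    for name in names:
        m = DUMP_RE.match(name)
        if m:
            regions.append(Region(int(m["pid"]), int(m["seq"]),
                                  int(m["start"], 16), int(m["end"], 16)))
    return regions


def pids_by_base(regions) -> Dict[int, Set[int]]:
    """Map each region start address to the set of PIDs it was dumped from."""
    out = defaultdict(set)
    for r in regions:
        out[r.start].add(r.pid)
    return dict(out)


def shared_regions(regions, min_pids: int = 2) -> Dict[int, Set[int]]:
    """Start addresses captured from at least min_pids different processes."""
    return {base: pids for base, pids in pids_by_base(regions).items() if len(pids) >= min_pids}


def pids_with_region_size(regions, size: int) -> Set[int]:
    """PIDs that contain a dumped region of exactly this size (e.g. a small injected stub)."""
    return {r.pid for r in regions if r.size == size}


def summary(regions) -> Dict[int, List[str]]:
    """Per-PID list of distinct 'start-end (size)' strings for a quick read."""
    per = defaultdict(set)
    for r in regions:
        per[r.pid].add((r.start, r.end))
    return {pid: [f"0x{s:X}-0x{e:X} ({e - s:#x} bytes)" for s, e in sorted(v)]
            for pid, v in sorted(per.items())}


if __name__ == "__main__":
    regs = parse_dumps(SAMPLE_DUMPS)
    for pid, lines in summary(regs).items():
        print(pid, *lines, sep="\n    ")
    for base, pids in shared_regions(regs).items():
        print(f"region at 0x{base:X} dumped from PIDs {sorted(pids)}")
    print("PIDs holding a 0x7000-byte region:", sorted(pids_with_region_size(regs, 0x7000)))
```

Run it against the full dump list by replacing SAMPLE_DUMPS with the names from the Files section; the shared-base result tells you which processes carry the same unpacked image and therefore which dumps are interchangeable for static analysis.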

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 06:18

Reported

2024-01-01 04:33

Platform

win7-20231215-en

Max time kernel

150s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10e0923a9df7e76e9ca30923dceca843.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Ur8o\iexpress.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\v0Evo8n3\ddodiag.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\SBAOmhBk\isoburn.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\Low\\yrVYWiK8Hs\\ddodiag.exe" N/A N/A
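The two Run-key rows recorded in this report (win10 and win7 runs) both point at a copied Windows binary under the user's AppData, and in the win7 run the Run-key data (IECompatUACache\Low\yrVYWiK8Hs\ddodiag.exe) names a different directory from the one the copy was first staged in (AppData\Local\v0Evo8n3), so a hunt keyed only on the staging path misses the persistence. The Python below is an added example, not code from the report or the sandbox: it parses rows in the report's "Set value" format into hive, key, value name and target executable, and flags autorun entries whose target sits in a user-writable profile directory or reuses a Windows binary name outside C:\Windows. The third sample row is a constructed benign entry used as a negative control, and WINDOWS_BINARIES is an assumed short list taken from this report's process tree.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Rows in the "Set value (str) ..." form the report uses for the
# "Adds Run key to start application" signature. The first two are the rows
# recorded in this report; the third is a constructed benign entry.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\daN9K\\DWWIN.EXE" N/A N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\Low\\yrVYWiK8Hs\\ddodiag.exe" N/A N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background" N/A N/A',
]

ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\\S+) = "(?P<data>.*)"(?: N/A)*$'
)
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)', re.IGNORECASE)

AUTORUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\locallow\\", "\\appdata\\roaming\\",
                 "\\temp\\", "\\users\\public\\")
# Assumed list for this example, taken from the binaries in this report's
# process tree; a production check compares against an inventory of %SystemRoot%.
WINDOWS_BINARIES = {"dwwin.exe", "mstsc.exe", "deviceenroller.exe",
                    "iexpress.exe", "ddodiag.exe", "isoburn.exe"}


@dataclass
class RunEntry:
    sid: Optional[str]          # None for \REGISTRY\MACHINE rows
    key: str
    name: str
    data: str
    exe: str
    reasons: List[str] = field(default_factory=list)


def parse_row(row: str) -> Optional[RunEntry]:
    """Turn one 'Set value' row into a RunEntry; any other row yields None."""
    m = ROW_RE.match(row)
    if not m:
        return None
    parts = m.group("path").split("\\")          # ['', 'REGISTRY', 'USER'|'MACHINE', ...]
    if parts[2] == "USER":
        sid, rest = parts[3], parts[4:]
    else:
        sid, rest = None, parts[3:]
    data = m.group("data").replace("\\\\", "\\")  # the report shows backslashes escaped
    exe_match = EXE_RE.match(data)
    exe = exe_match.group("exe") if exe_match else data
    return RunEntry(sid=sid, key="\\".join(rest[:-1]), name=rest[-1], data=data, exe=exe)


def assess(entry: RunEntry) -> RunEntry:
    """Attach the reasons an autorun entry deserves a closer look (none = looks benign)."""
    if not entry.key.lower().endswith(AUTORUN_KEY_SUFFIXES):
        return entry                                # not a Run/RunOnce key
    exe_l = entry.exe.lower()
    if any(seg in exe_l for seg in USER_WRITABLE):
        entry.reasons.append("autorun target lives under a user-writable profile path")
    base = PureWindowsPath(entry.exe).name.lower()
    if base in WINDOWS_BINARIES and not exe_l.startswith("c:\\windows\\"):
        entry.reasons.append(f"{base} is a Windows binary name but runs outside C:\\Windows "
                             "(possible copied host for DLL sideloading)")
    return entry


def triage(rows) -> List[RunEntry]:
    """Parse and assess every row; rows that are not 'Set value' events are skipped."""
    return [assess(e) for e in map(parse_row, rows) if e is not None]


if __name__ == "__main__":
    for e in triage(SAMPLE_ROWS):
        print(f"[{'SUSPECT' if e.reasons else 'ok'}] {e.name} -> {e.exe}")
        for reason in e.reasons:
            print("    -", reason)
```

Feed it the whole Signatures section and only the "Set value" rows are parsed; the parsed key and value name are what you search for in HKCU\...\Run on other hosts, while the target path and binary name give the file-system hunt.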

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Ur8o\iexpress.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\v0Evo8n3\ddodiag.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\SBAOmhBk\isoburn.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (3 events)
N/A N/A N/A N/A (61 further events with no fields recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1324 wrote to memory of 2872 N/A N/A C:\Windows\system32\iexpress.exe (3 events)
PID 1324 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\Ur8o\iexpress.exe (3 events)
PID 1324 wrote to memory of 1580 N/A N/A C:\Windows\system32\ddodiag.exe (3 events)
PID 1324 wrote to memory of 1712 N/A N/A C:\Users\Admin\AppData\Local\v0Evo8n3\ddodiag.exe (3 events)
PID 1324 wrote to memory of 1872 N/A N/A C:\Windows\system32\isoburn.exe (3 events)
PID 1324 wrote to memory of 764 N/A N/A C:\Users\Admin\AppData\Local\SBAOmhBk\isoburn.exe (3 events)
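The "Loads dropped DLL" and WriteProcessMemory rows above, read together with the Files section further down, show the same pattern for each of iexpress.exe, ddodiag.exe and isoburn.exe: the loader (PID 1324) writes into the genuine binary in C:\Windows\system32 and into a same-named copy in a random-looking AppData\Local directory, and that directory also receives a DLL carrying a Windows system DLL name (VERSION.dll, XmlLite.dll, UxTheme.dll). The Python below is an added example, not code from the report or the sandbox: it rebuilds that check from the report's own process and file lists by grouping dropped files per directory and reporting directories that pair a copied Windows binary with such a DLL, plus directories where only the DLL was captured (the win7 run has two of those). PROCESSES and DROPPED are copied from this report; SIDELOAD_DLLS is an assumed list made from the DLL names dropped here, where a production check would use the copied binary's import table instead.

```python
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Set

# Image paths from the win7 Processes section of this report.
PROCESSES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\iexpress.exe",
    r"C:\Users\Admin\AppData\Local\Ur8o\iexpress.exe",
    r"C:\Windows\system32\ddodiag.exe",
    r"C:\Users\Admin\AppData\Local\v0Evo8n3\ddodiag.exe",
    r"C:\Windows\system32\isoburn.exe",
    r"C:\Users\Admin\AppData\Local\SBAOmhBk\isoburn.exe",
]

# File paths from the win7 Files section of this report (hashes left out).
DROPPED = [
    r"C:\Users\Admin\AppData\Local\Ur8o\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\Ur8o\iexpress.exe",
    r"C:\Users\Admin\AppData\Local\v0Evo8n3\XmlLite.dll",
    r"C:\Users\Admin\AppData\Local\v0Evo8n3\ddodiag.exe",
    r"C:\Users\Admin\AppData\Local\SBAOmhBk\isoburn.exe",
    r"C:\Users\Admin\AppData\Local\SBAOmhBk\UxTheme.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\9LwTn1V7z\isoburn.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\9LwTn1V7z\UxTheme.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\yrVYWiK8Hs\XmlLite.dll",
    r"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\jr\VERSION.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk",
]

# Assumed for this example: the DLL names the loader dropped in this run.
SIDELOAD_DLLS = {"version.dll", "xmllite.dll", "uxtheme.dll"}


@dataclass
class Finding:
    directory: str
    kind: str            # "sideload pair" or "orphan sideload dll"
    exes: List[str]
    dlls: List[str]


def windows_binary_names(processes) -> Set[str]:
    """Image names of processes that ran from under C:\\Windows (the genuine copies)."""
    return {PureWindowsPath(p).name.lower() for p in processes
            if p.lower().startswith("c:\\windows\\")}


def masquerading_processes(processes) -> List[str]:
    """Processes whose image name matches a Windows binary but whose path is outside C:\\Windows."""
    names = windows_binary_names(processes)
    return [p for p in processes
            if PureWindowsPath(p).name.lower() in names
            and not p.lower().startswith("c:\\windows\\")]


def find_sideload_staging(dropped, processes) -> List[Finding]:
    """Directories outside C:\\Windows holding a copied Windows binary next to a system-named DLL."""
    names = windows_binary_names(processes)
    by_dir: Dict[str, List[str]] = defaultdict(list)
    for p in dropped:
        w = PureWindowsPath(p)
        by_dir[str(w.parent)].append(w.name.lower())
    findings = []
    for directory, files in sorted(by_dir.items()):
        if directory.lower().startswith("c:\\windows\\"):
            continue
        exes = sorted(f for f in files if f.endswith(".exe") and f in names)
        dlls = sorted(f for f in files if f in SIDELOAD_DLLS)
        if exes and dlls:
            findings.append(Finding(directory, "sideload pair", exes, dlls))
        elif dlls:
            # DLL captured but no host binary seen in this directory (yet)
            findings.append(Finding(directory, "orphan sideload dll", exes, dlls))
    return findings


if __name__ == "__main__":
    for p in masquerading_processes(PROCESSES):
        print("masquerading process:", p)
    for f in find_sideload_staging(DROPPED, PROCESSES):
        print(f"{f.kind:20} {f.directory}  exe={f.exes} dll={f.dlls}")
```

On a live host the same grouping works over a directory walk of the user profile; the orphan case matters because the Run key in this run points at IECompatUACache\Low\yrVYWiK8Hs\ddodiag.exe even though only XmlLite.dll was captured there.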

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\10e0923a9df7e76e9ca30923dceca843.dll,#1

C:\Windows\system32\iexpress.exe

C:\Windows\system32\iexpress.exe

C:\Users\Admin\AppData\Local\Ur8o\iexpress.exe

C:\Users\Admin\AppData\Local\Ur8o\iexpress.exe

C:\Windows\system32\ddodiag.exe

C:\Windows\system32\ddodiag.exe

C:\Users\Admin\AppData\Local\v0Evo8n3\ddodiag.exe

C:\Users\Admin\AppData\Local\v0Evo8n3\ddodiag.exe

C:\Windows\system32\isoburn.exe

C:\Windows\system32\isoburn.exe

C:\Users\Admin\AppData\Local\SBAOmhBk\isoburn.exe

C:\Users\Admin\AppData\Local\SBAOmhBk\isoburn.exe

Network

N/A

Files

memory/2512-0-0x0000000140000000-0x0000000140180000-memory.dmp

memory/2512-1-0x0000000000390000-0x0000000000397000-memory.dmp

memory/1324-4-0x0000000077846000-0x0000000077847000-memory.dmp

memory/1324-5-0x00000000026C0000-0x00000000026C1000-memory.dmp

memory/1324-7-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-9-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-13-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-18-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-22-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-24-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-31-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-34-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-38-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-40-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-42-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-44-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-46-0x00000000026A0000-0x00000000026A7000-memory.dmp

memory/1324-43-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-41-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-39-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-53-0x0000000077A51000-0x0000000077A52000-memory.dmp

memory/1324-54-0x0000000077BB0000-0x0000000077BB2000-memory.dmp

memory/1324-52-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-36-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-37-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-35-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-33-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-32-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-30-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-63-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-29-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-28-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-27-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-26-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-67-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-25-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-23-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-21-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-20-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-19-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-17-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-16-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-15-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-14-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-12-0x0000000140000000-0x0000000140180000-memory.dmp

memory/1324-11-0x0000000140000000-0x0000000140180000-memory.dmp

C:\Users\Admin\AppData\Local\Ur8o\VERSION.dll

MD5 373ff3cb41985eafdac550f522a09eea
SHA1 a22bf2713a3d608d7621bdb670ec59ddb9aafd43
SHA256 d0e3226ef2c3412819e770e4ff9f0263daf4ac036412cd6614de34d14e61a400
SHA512 ebc42fe01a4a64299d0f603c0c49a5065ef31f6ad6ee2e189eda4c28080a70414c8e1ae064617faa8adc4f1bdbf35e2809dbd70623187ebcdd7490c21447f633

C:\Users\Admin\AppData\Local\Ur8o\iexpress.exe

MD5 857e29de13f102909ea776e896a3a14f
SHA1 2cb1def9568e1cf5ed7e24e45c1651e67ce82738
SHA256 4930b1650362d221c7eaa7b1213e2c166b182db30ff9cc9561e912d91266c35b
SHA512 231211770a03d0bede3bdc59b349a98f65d753482ed6bebc988fd6817a5b97fc8c4ae931f04dbbc8b55ded98646b07fd72153f49cfa5ea63bdd87881b26bd1f0

\Users\Admin\AppData\Local\Ur8o\VERSION.dll

MD5 85da425b50f1b3884b23802422510b24
SHA1 ad1890abe60bc6465790218da093ccc0a07778de
SHA256 cccf7720072e75aa5f225e898a5331f32a2f70a8e06bc8c40d9c37e975e0ba97
SHA512 91ce3e277e9003be028791df94c99f455515f5b7cf0275f3681a1afb75026837399ce1c6b97e7e4eb345eaf94d07e8ff95fb263a3093fdf61b085db93c9ff800

\Users\Admin\AppData\Local\Ur8o\iexpress.exe

MD5 e16c362b440ef76214492cccb9e279c8
SHA1 d8511a3fbd90805aebd3a4794920e549326b70c3
SHA256 d816b39eab0233693334fa0385d5f4968c41228d55d375d5dbb5388558634aad
SHA512 c8f0df8bc19b9917d264e253681db0e2aa57781cf547f988502ee41d4b3a55a4cac1e84e8053c946cdb065ae3a598810e816c53646059e8f1534c0414b56d72e

memory/2528-82-0x0000000000310000-0x0000000000317000-memory.dmp

memory/2528-81-0x0000000140000000-0x0000000140181000-memory.dmp

memory/1324-10-0x0000000140000000-0x0000000140180000-memory.dmp

memory/2512-8-0x0000000140000000-0x0000000140180000-memory.dmp

C:\Users\Admin\AppData\Local\Ur8o\iexpress.exe

MD5 e815648525a41dd22cda5d8c8805cd10
SHA1 7a622b61707b44bc811f493000850415b4d64d69
SHA256 cf80c7b90d76cae9ddd5453f365f4a1d82a1a0d1a1a177163b46a9c9cd576f86
SHA512 299bfe71a02c419ed3549d5ca2654a572b5e56099ae164accd03058ece3b8a747e1c0bed144155559cd7685e3111e79f4e48ff6a8fc457c9794b3c14ffc97f46

C:\Users\Admin\AppData\Local\v0Evo8n3\XmlLite.dll

MD5 bf6167a0acb6b7c1763767a71d35772c
SHA1 74f2a7ca5c24f8f476095c4652dc527c7381d562
SHA256 c818b2a74438fe50971b9c8dfc7de69e496fb9fb9c1e09582b99b69400f591c0
SHA512 15824c18d33689e1e4250918f1831dbec6955b374b11bb341fb293cc1f11b6f28aad7b390b88a7e1236346a163524b9304dbb485ba43ba649c161a5768fb4f2c

\Users\Admin\AppData\Local\v0Evo8n3\XmlLite.dll

MD5 186588fb2a1ccf911e27ff9466056bd5
SHA1 f0aa4ba59a20e869fc57f4d1c469aef264f11986
SHA256 cd17eeb48d54468b60c9e6700ab476c48b4c07f39c018f11f84ef57a1d3edf1f
SHA512 64409b3cc2cbd23a538ba0c2e2da847ac90218e79c4070490ff49a5d076f69746bd30770c909a4cd4b5cfd6546b516d90399741d99dad4b6568b320baacaeefe

C:\Users\Admin\AppData\Local\v0Evo8n3\ddodiag.exe

MD5 99c6d9121fdffa0f07e7943c8aebe99c
SHA1 467b2843e9f32f26de1bae66564496b89cbf4382
SHA256 486270f9b7b110a090af17a7394fe62c36948ee88e9500e3f18c514b3065ae9d
SHA512 3b282974c6c143d0d681d5e741d5be9fad3603f89c2a60b1b4924635372d5051877a019cc58e85f5205e4af4e43fb5f9945ba785408b4297639bea96f356bce3

memory/1712-105-0x0000000000170000-0x0000000000177000-memory.dmp

\Users\Admin\AppData\Local\v0Evo8n3\ddodiag.exe

MD5 509f9513ca16ba2f2047f5227a05d1a8
SHA1 fe8d63259cb9afa17da7b7b8ede4e75081071b1a
SHA256 ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e
SHA512 ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

C:\Users\Admin\AppData\Local\v0Evo8n3\ddodiag.exe

MD5 cc5e426d973d7006ab4d8912dcf9746b
SHA1 30b6ddfc47e09e5d9c064cb79815d8a8a948b7fd
SHA256 0ba352e3f1715dd6aa25feb043769481be3d4b705e4d9ec96a27e2d5c0c7badc
SHA512 eca054bc986f7d05538375651f2f0bffea92e685a73d2570f27e94c87eb44d004dce13bbc3fdd987268e896a85d93e5b169bd5ac7cd6fd5cbef8250ff424cdde

C:\Users\Admin\AppData\Local\SBAOmhBk\isoburn.exe

MD5 f8051f06e1c4aa3f2efe4402af5919b1
SHA1 bbcf3711501dfb22b04b1a6f356d95a6d5998790
SHA256 50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a
SHA512 5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

\Users\Admin\AppData\Local\SBAOmhBk\UxTheme.dll

MD5 12bb63bdb03d54a406a176ba71262f66
SHA1 43755428278d85ed89420951994dfe05cabc4673
SHA256 7b0712f3372dc948989837f92259eec426ace8920c4740bc395768961ab8c47f
SHA512 e8db1ab0e10a3dea2e4a48cc1c0b7c2ab3c53fa52528511f6e6834b7ac2345958a5d2d79bee57d10232468c77a31319e0772f392c56d62fd6f90be2e13ca6dc1

C:\Users\Admin\AppData\Local\SBAOmhBk\UxTheme.dll

MD5 d746e32f91ef0b8f85a857e8600800b8
SHA1 dd8fb967c5bb979c5e90f559a6ec310ff9993412
SHA256 91aa761e27b1dbf91a2b075f49e002f0a82d1f5babde14734a19591f3b4bcc4c
SHA512 496e614dac9f134694f8b84b9d1912bd7ecff339a71010cff1deed2a060d0d33fc4e57aa6cf608cdd04176959173088e3ef17694307cd42c59126f6c5dba8e8a

memory/764-124-0x00000000000F0000-0x00000000000F7000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\9LwTn1V7z\isoburn.exe

MD5 ab7b24e063c8672a64a6b7be1eab637b
SHA1 a5badfbda9527dd112c2074e6180fb248a8aa189
SHA256 bf54ee23802dd65a469a55b41350a862836124289cf418b10892c8e051d5edd3
SHA512 451bc0c49a1ce1618bc1e9ec63d729a8e7ebac9aed02c837410654ab001f6c717d6f98e6a68c1f446205dfc017f97bcb2f8aa8dec0d8dec22dff8ad497d80546

memory/1324-145-0x0000000077846000-0x0000000077847000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 13c9e24eedec961a7c3859164674b096
SHA1 1274ab49dbd0d2756de7f58f814d86247484e6a3
SHA256 b1b87f04f616d70e28c1b58d5f98197879b965d250f2d926e99ff17d16e5c678
SHA512 10afa1a4b1b46fa0e7195abb5df9c8cefc14bd4fcef52f4deaa06339f563c7654ea83f0bd94df9bf21eb53264998ae409577332f9cf26b1dc790a18cfbd80b63

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\jr\VERSION.dll

MD5 df0850772891e7c49a580e3fe0dfdff6
SHA1 9409073547bd27bb23538afe792550aeda9dbde8
SHA256 8996c38f10d6382ff2a983bc392821c4f9318317e38ea10f740cc7fa1593f765
SHA512 39f8143a099537ae489c9aad58f23c52eadd000d3d3112daeaa4ec0ac692ed5ede60b65f25461123d71ebd14269e7a8d0d4b3b6ff31418be573b5ae8435a6622

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\yrVYWiK8Hs\XmlLite.dll

MD5 b2273bf8fede0b371f37e1227ea562b4
SHA1 9a8e6f99328562b5a069b56e944c76f8e1f6c920
SHA256 4d30b9a7f265a24427bb2ce5200a047b4651c2c2bd4199a68f6aca1dd2f97ffb
SHA512 33cb4fe19b052f294753b0c37cf25d51bcc231e9fb9b26e11997a7c6448a84a0d227c1feedfc47436e5e5fade72fe3a4baab3377d32ab02184fab31a663c2177

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\9LwTn1V7z\UxTheme.dll

MD5 b568cfdda714399a04ed63e8d14eb24d
SHA1 7328b597877d1a9bd549b50515a781752bec739e
SHA256 dfb30fdf83d08e0fff91c6884c2d3f28177f6aad77b478cdc2bf4b4dcfac9345
SHA512 6dc6d754fef7b91c9640641023971d93cf4e79af51a389f96d88cbf152351fdf0450d0252d7c31979b5921ffa465c137d56e26a1880fac68b87ba56d4e50c60d