Malware Analysis Report

2024-11-30 21:47

Sample ID 231230-pwakhacea5
Target 18ce21df381f95bce473c5b0489ef5a8
SHA256 65e319da7fc39cf75fdb67f1f86b906b205b3d0f2351110f339a1d1d8a3b5e19
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

65e319da7fc39cf75fdb67f1f86b906b205b3d0f2351110f339a1d1d8a3b5e19

Threat Level: Known bad

The file 18ce21df381f95bce473c5b0489ef5a8 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 12:40

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 12:40

Reported

2024-01-03 12:26

Platform

win7-20231215-en

Max time kernel

149s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\18ce21df381f95bce473c5b0489ef5a8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\yy7WVVB\msconfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Y5r\rstrui.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\cu7igs\xpsrchvw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\ECHVIP~1\\rstrui.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\yy7WVVB\msconfig.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Y5r\rstrui.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\cu7igs\xpsrchvw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1184 wrote to memory of 1388 N/A N/A C:\Windows\system32\msconfig.exe
PID 1184 wrote to memory of 1620 N/A N/A C:\Users\Admin\AppData\Local\yy7WVVB\msconfig.exe
PID 1184 wrote to memory of 2572 N/A N/A C:\Windows\system32\rstrui.exe
PID 1184 wrote to memory of 1416 N/A N/A C:\Users\Admin\AppData\Local\Y5r\rstrui.exe
PID 1184 wrote to memory of 1288 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1184 wrote to memory of 1996 N/A N/A C:\Users\Admin\AppData\Local\cu7igs\xpsrchvw.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\18ce21df381f95bce473c5b0489ef5a8.dll,#1

C:\Windows\system32\msconfig.exe

C:\Users\Admin\AppData\Local\yy7WVVB\msconfig.exe

C:\Users\Admin\AppData\Local\Y5r\rstrui.exe

C:\Windows\system32\rstrui.exe

C:\Windows\system32\xpsrchvw.exe

C:\Users\Admin\AppData\Local\cu7igs\xpsrchvw.exe

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\eCHvIprL9c\SRCORE.dll

MD5 f8c769cfc201d979096974877126943f
SHA1 5a9252a406fcabf8e8e6680700b680626620914d
SHA256 6e34897071ff1b8f314336ad68e1da8bd5f85644125aa994e03b6ffe6f8deb72
SHA512 f90d76aee49959a29749d8b61bdbd0de9f008d41f2cb8565630445cfe82efdbb02505c003fc6bf2d3eba8374d8802f4fc0f6f3e6a5e07407111d9fb8f9e3d004

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\qgfh\WINMM.dll

MD5 864038b313998ae14e460dcfc3e1e4de
SHA1 2d4c6e2adfe869a1e8200826de95b6ac6c5219d7
SHA256 1f2b81a0298e157eae7d0642f258e1f078109b8d0778229d6105d493b16b0902
SHA512 cab3dacc12b5da0854d4ed46f612aba53b7d74a7bf2072a6dca94400cc0f5937e93b5b04fea162d09b9bd6e18ed1e87c02328d0749fe285749626b593ce5c4eb

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 12:40

Reported

2024-01-03 12:26

Platform

win10v2004-20231215-en

Max time kernel

180s

Max time network

196s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\18ce21df381f95bce473c5b0489ef5a8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\e7V\\sethc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Vrs\sethc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\BiQgyLJE9\GamePanel.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\g0FUxYgf\SystemSettingsAdminFlows.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3428 wrote to memory of 5012 N/A N/A C:\Windows\system32\SystemSettingsAdminFlows.exe
PID 3428 wrote to memory of 4628 N/A N/A C:\Users\Admin\AppData\Local\g0FUxYgf\SystemSettingsAdminFlows.exe
PID 3428 wrote to memory of 1368 N/A N/A C:\Windows\system32\sethc.exe
PID 3428 wrote to memory of 3792 N/A N/A C:\Users\Admin\AppData\Local\Vrs\sethc.exe
PID 3428 wrote to memory of 2068 N/A N/A C:\Windows\system32\GamePanel.exe
PID 3428 wrote to memory of 3960 N/A N/A C:\Users\Admin\AppData\Local\BiQgyLJE9\GamePanel.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\18ce21df381f95bce473c5b0489ef5a8.dll,#1

C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\g0FUxYgf\SystemSettingsAdminFlows.exe

C:\Windows\system32\sethc.exe

C:\Users\Admin\AppData\Local\Vrs\sethc.exe

C:\Windows\system32\GamePanel.exe

C:\Users\Admin\AppData\Local\BiQgyLJE9\GamePanel.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 226.162.46.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\g0FUxYgf\SystemSettingsAdminFlows.exe

MD5 50adb2c7c145c729b9de8b7cf967dd24
SHA1 a31757f08da6f95156777c1132b6d5f1db3d8f30
SHA256 a7a2e7122d27308df37b7ab718ef3ac239e4216669f51331e34e205f59fb0aec
SHA512 715b4c93e79e896da1cf86cf4455a84cba1aeac34b6fd72d2afdf203a2034f6f8fac1d6501f0dd277a17bd1d7ab73ddd1887e01a99f2d26f39efeb94d0aac9b0

C:\Users\Admin\AppData\Local\g0FUxYgf\newdev.dll

MD5 504b5e56bf427ca3095953f4171e11bd
SHA1 6139e26fa571564f09d366838a58904b37653682
SHA256 a969f0b925145197c3448ecdd243773970583f40fcaee743a2544381e32b3b96
SHA512 369a2c2689d83025fc58545cf7808f1cdcf7429f58c167a188fa4f5fc2e2260c2089992a9e21654feb1a0046da2836bee4741570d8268e0e8e02c0fb6b22f38e

C:\Users\Admin\AppData\Local\Vrs\sethc.exe

MD5 8ba3a9702a3f1799431cad6a290223a6
SHA1 9c7dc9b6830297c8f759d1f46c8b36664e26c031
SHA256 615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8
SHA512 680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746

C:\Users\Admin\AppData\Local\Vrs\UxTheme.dll

MD5 c6303fc3bff439ef6ba05ef1aa541e88
SHA1 2fc528cd0f50ab640112fd8bf128bf1059356738
SHA256 da41871e832caae44c4c6196af29b2503bd211ffa29895833c2cc2ecb79cec4d
SHA512 cb1755c4fea1075dfb1bbf6a57a14666af6ded3f66f0f21a6f2f10f01226bffd4fef3df0334ac61f14c5ef9e1a297febc83301f2c71c857099566d9be8fe2a6b

C:\Users\Admin\AppData\Local\Vrs\UxTheme.dll

MD5 c177ba8b61dc824e3bd788dae430634f
SHA1 f0e43894e08a1eadb6d80bef2c2d7af4552bc8cd
SHA256 31b066a4b481b5460c4a156821f0c1d263c46c8cdae545fa0dc3b71f75dd4fe1
SHA512 51078f9c531e69281dfc941e5c00d1b82f12e6f758da7478ff2a2d3ed362fc6e1ff96c1c0614008816fb609a4859d24bdb08b8cd09a264d439c315ee4121c8aa

C:\Users\Admin\AppData\Local\BiQgyLJE9\GamePanel.exe

MD5 266f6a62c16f6a889218800762b137be
SHA1 31b9bd85a37bf0cbb38a1c30147b83671458fa72
SHA256 71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd
SHA512 b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68

C:\Users\Admin\AppData\Local\BiQgyLJE9\UxTheme.dll

MD5 9915bfd3edbc9eb539abf12520795dd2
SHA1 893770a014d6862d115c82a1a7bf5226a9b520ef
SHA256 545598339fe952784345652a9b2e086c50b9ea6d10cab10dabef0cac12c6873a
SHA512 183bb3bd58c10e2da21b5c17521d8973483fdf739f98a99c13e52874125cfe51fd249e4a4b234a043b5f3b52cdeb92452d6aa4e7e7ee0eb2c4a5389deb606923

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

MD5 8930e7604e352f064d03a029822ab67a
SHA1 b65a83a6a8f4eabd0f046c84fdbfee2022ed5366
SHA256 84ec3aa73fe88761ef4fc9831ac0499ae7a194e39eb8c134ae6c60ae38fadf0a
SHA512 d3929093a587ecefe6750bd10a547d4de983779bc04fd8051af1b7045d222237c4a5425fb7e2b772fdf4f745ce4060f2b03cbe940a9fd104b7df02b53f94ab98

C:\Users\Admin\AppData\Roaming\Microsoft\e7V\UxTheme.dll

MD5 328cb42daf091efb308f999d5e22739e
SHA1 4928d610a786ad88386062d9bbf4e25242aa3193
SHA256 b0406550b021fd7e2b9ad43f84b9e12b0fb617c24366246fbef7f3245dc54b32
SHA512 a9c8eeea5aeba7d8a31e52deb0320dd6f26676ac9693d3a4f0ef8bd2507908ca6492a473f6f5ed7ca7fc22b2f66849a224e2a5bf00d332b8bc561aea34ea993b