Malware Analysis Report

2024-11-30 21:39

Sample ID 231231-b9tzeabcg5
Target 23666b8a1e9a9674de55a37457ac8150
SHA256 4ddc4eaf33d9c98a9c6a13f96188cf2b1867f42952da56d362e7988585900752
Tags dridex botnet evasion payload trojan persistence
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 4ddc4eaf33d9c98a9c6a13f96188cf2b1867f42952da56d362e7988585900752

Threat Level: Known bad

The file 23666b8a1e9a9674de55a37457ac8150 was found to be: Known bad.

Malicious Activity Summary

Tags: dridex botnet evasion payload trojan persistence

Across the two detonations the sample, invoked through rundll32.exe export #1, copies Windows system binaries into newly created directories under the user profile and launches the copies. In the Windows 7 run (behavioral1) each copy is accompanied by a DLL written to the same directory (psr.exe with VERSION.dll, Netplwiz.exe with NETPLWIZ.dll, eudcedit.exe with MFC42u.dll), the copies load the dropped DLL, and persistence is set through a Run value and a Startup-folder .lnk. The Windows 10 run (behavioral2) records copies of SppExtComObj.Exe, dpapimig.exe and CustomShellHost.exe under AppData\Local but no dropped DLL and no persistence entry, and its kernel time is only 4s.

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK (Enterprise Matrix V15)

No technique mappings are present in this copy of the report.

Analysis: static1

Detonation Overview

Reported 2023-12-31 01:51

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-31 01:51
Reported 2024-01-05 03:01
Platform win10v2004-20231222-en
Max time kernel 4s
Max time network 140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\23666b8a1e9a9674de55a37457ac8150.dll,#1

Signatures

Dridex
Tags: botnet dridex

Dridex Shellcode
Tags: botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled
Tags: evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A (4 events)

Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\23666b8a1e9a9674de55a37457ac8150.dll,#1

C:\Windows\system32\SppExtComObj.Exe
C:\Windows\system32\dpapimig.exe
C:\Users\Admin\AppData\Local\VKJ8pRh\SppExtComObj.Exe
C:\Windows\system32\CustomShellHost.exe
C:\Users\Admin\AppData\Local\gPH\CustomShellHost.exe
C:\Users\Admin\AppData\Local\55HWT0vGk\dpapimig.exe

(each process is listed once; the source repeated every entry)

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | (none recorded) | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp (5 connections)
US | 8.8.8.8:53 | (none recorded) | udp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
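The table above is almost entirely reverse (PTR) lookups sent to 8.8.8.8; the only non-DNS traffic this run recorded is TCP/443 to tse1.mm.bing.net, and no other connection appears. As an added example that is not part of the report and not the sandbox's own code, the Python below parses that table, turns each in-addr.arpa name back into the address that was being reverse-resolved (PTR names carry the octets in reverse order), and separates PTR lookups, forward lookups, unlabeled DNS queries and connections, which is the form an analyst wants before enriching the addresses. NETWORK_TABLE is the report's rows transcribed as constructed input; the row regex assumes the four-column layout shown here and tolerates a missing Domain column.

```python
import re
from collections import Counter

# Rows transcribed from the behavioral2 Network table of this report
# (constructed input for the example: the rendered table, not a pcap).
NETWORK_TABLE = """\
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
"""

# Country, ip:port, optional domain, protocol. The domain group is optional
# because the report leaves it blank for some queries.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def ptr_to_ip(name):
    """Reverse the octets of an in-addr.arpa PTR name back to the IPv4 address
    that was looked up; None for anything that is not a PTR name."""
    m = PTR_RE.match(name)
    if not m:
        return None
    return ".".join(reversed(m.groups()))


def parse_table(text):
    """Parse the rendered table into dicts; raise on a row that does not fit."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(m.groupdict())
    return rows


def summarize(rows):
    """Split DNS traffic into PTR lookups (decoded to the queried address),
    forward lookups and unlabeled queries; count every non-DNS connection."""
    ptr_targets, forward, unlabeled = set(), set(), 0
    connections = Counter()
    for r in rows:
        if r["port"] == "53" and r["proto"] == "udp":
            d = r["domain"]
            if d is None:
                unlabeled += 1
            elif (ip := ptr_to_ip(d)) is not None:
                ptr_targets.add(ip)
            else:
                forward.add(d)
        else:
            connections[(r["ip"], r["port"], r["proto"], r["domain"])] += 1
    return {
        "ptr_targets": sorted(ptr_targets, key=lambda s: tuple(map(int, s.split(".")))),
        "forward_lookups": sorted(forward),
        "unlabeled_dns": unlabeled,
        "connections": dict(connections),
    }


if __name__ == "__main__":
    summary = summarize(parse_table(NETWORK_TABLE))
    print("reverse-resolved addresses:", ", ".join(summary["ptr_targets"]))
    print("forward lookups:", summary["forward_lookups"])
    print("unlabeled DNS queries:", summary["unlabeled_dns"])
    for endpoint, n in summary["connections"].items():
        print("connection:", endpoint, "x", n)
```

The decoded list (fifteen distinct addresses) is what you would feed to passive-DNS or ASN enrichment; the table itself gives no forward resolution for them and records no connection to any of them.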

Files

Memory dumps (grouped per PID; repeated captures of one region are collapsed into an index range):

memory/1940-0-0x0000000140000000-0x000000014037F000-memory.dmp
memory/1940-6-0x0000000140000000-0x000000014037F000-memory.dmp
memory/1940-2-0x000001AE85850000-0x000001AE85857000-memory.dmp
memory/3420-4-0x0000000000D70000-0x0000000000D71000-memory.dmp
memory/3420-{7,8,10..65}-0x0000000140000000-0x000000014037F000-memory.dmp (58 snapshots of the same region)
memory/3420-9-0x00007FFE9AE8A000-0x00007FFE9AE8B000-memory.dmp
memory/3420-67-0x0000000000D30000-0x0000000000D37000-memory.dmp
memory/3420-76-0x00007FFE9C0C0000-0x00007FFE9C0D0000-memory.dmp
memory/2168-96-0x000002171BC90000-0x000002171BC97000-memory.dmp
memory/3644-113-0x000002CCF0F30000-0x000002CCF0F37000-memory.dmp
memory/6044-130-0x000001C560570000-0x000001C560577000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-31 01:51
Reported 2024-01-05 03:03
Platform win7-20231215-en
Max time kernel 195s
Max time network 148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\23666b8a1e9a9674de55a37457ac8150.dll,#1

Signatures

Dridex
Tags: botnet dridex

Dridex Shellcode
Tags: botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\ex711\psr.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\KXgy0\Netplwiz.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\jXCHtCekV\eudcedit.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application
Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DNTException\\Low\\mVniuyp1AQ\\Netplwiz.exe" | N/A | N/A

Checks whether UAC is enabled
Tags: evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\KXgy0\Netplwiz.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\jXCHtCekV\eudcedit.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ex711\psr.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A (3 events)
N/A | N/A | N/A | N/A (61 events, process not recorded)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1188 wrote to memory of 1616 | N/A | N/A | C:\Windows\system32\psr.exe (3 events)
PID 1188 wrote to memory of 2772 | N/A | N/A | C:\Users\Admin\AppData\Local\ex711\psr.exe (3 events)
PID 1188 wrote to memory of 2232 | N/A | N/A | C:\Windows\system32\Netplwiz.exe (3 events)
PID 1188 wrote to memory of 2396 | N/A | N/A | C:\Users\Admin\AppData\Local\KXgy0\Netplwiz.exe (3 events)
PID 1188 wrote to memory of 756 | N/A | N/A | C:\Windows\system32\eudcedit.exe (3 events)
PID 1188 wrote to memory of 1140 | N/A | N/A | C:\Users\Admin\AppData\Local\jXCHtCekV\eudcedit.exe (3 events)

(three write events per target; the writing process, PID 1188, is not named in the Process column)

Uses Task Scheduler COM API
Tags: persistence

Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\23666b8a1e9a9674de55a37457ac8150.dll,#1

C:\Windows\system32\psr.exe
C:\Users\Admin\AppData\Local\ex711\psr.exe
C:\Windows\system32\Netplwiz.exe
C:\Users\Admin\AppData\Local\KXgy0\Netplwiz.exe
C:\Windows\system32\eudcedit.exe
C:\Users\Admin\AppData\Local\jXCHtCekV\eudcedit.exe

(each process is listed once; the source repeated every entry)

Network

N/A (no network activity recorded in this run)

Files

Memory dumps (grouped per PID; repeated captures of one region are collapsed into an index range):

memory/1252-0-0x0000000000290000-0x0000000000297000-memory.dmp
memory/1252-{1,7}-0x0000000140000000-0x000000014037F000-memory.dmp (2 snapshots)
memory/1188-4-0x0000000077A26000-0x0000000077A27000-memory.dmp
memory/1188-5-0x0000000002AE0000-0x0000000002AE1000-memory.dmp
memory/1188-{8..65}-0x0000000140000000-0x000000014037F000-memory.dmp (58 snapshots of the same region)
memory/1188-68-0x0000000002730000-0x0000000002737000-memory.dmp
memory/1188-76-0x0000000077C31000-0x0000000077C32000-memory.dmp
memory/1188-77-0x0000000077D90000-0x0000000077D92000-memory.dmp

\Users\Admin\AppData\Local\ex711\psr.exe

MD5 cdd3b3004afdf63f8ef618dbcd5b91ca
SHA1 3842a7b1f869aaa2e5fd15152a9f7fb053a7a886
SHA256 ed50275dfd70219c8fca0621272d22fa9dd1693e12e99071ac82cab17c2b9da0
SHA512 d471cf4d50e6c565c0a4b50e1012b6a408dcc20a070d7a2130b6bb4d8345cf378623500a24aec3b2e177ec97fcc5cdd920260efac6de1e6dc291c589dd0c8813

C:\Users\Admin\AppData\Local\ex711\psr.exe

MD5 a333189a5b29f4aa1156a22c34cea305
SHA1 7771ebfc95bf15301cf7dce0b9fca4fc332b3316
SHA256 25690e88605ee30bae0d744195d7e1ed1fc3955758ad7b20ca1bcb45bbb0560f
SHA512 c6675174cf61643b90cd6ecc6cd0b415063b928c3e7687dc4b9b95361bea6ddf19b457396fb1e715d641c9d6f046dc9e0b274804aeafd70625224666a913c42c

\Users\Admin\AppData\Local\ex711\VERSION.dll

MD5 fb47f097c7ec416c18c8658ae619c38f
SHA1 cf65cf6914a2b34240059a9717144a0a8d217968
SHA256 35e045fda18d7afcfc30eb8c66968d9e7b2bde8ea8dfcbe5498add20411efdf3
SHA512 0cffcd4b5ec22d2bde7826ede45e4c5c403444e03bac673823557fd7f7eec4da0ce5fc52a536f8a41ffa5749c0f4f10335017b6b6471fe4e35426286219fcb03

memory/2772-104-0x0000000000610000-0x0000000000617000-memory.dmp

C:\Users\Admin\AppData\Local\ex711\VERSION.dll

MD5 31a05c7d786c7e878205dd406f1dca01
SHA1 bc0a1dc6e87b9fc673c61198bbd9dd9573995601
SHA256 6e277edda3a10241d74c9e0044016f7d9ba59475b63f08a6479d0253f42e11a9
SHA512 14a0f4654ba8233bcc19dc3c0a568af74d02f9c7bff3e51ff6c7c0dbaf1ece452733d7fd6daebb48201269aa9c305aae0659f1e81b5ac4ed757bbb4b107adf1d

C:\Users\Admin\AppData\Local\ex711\psr.exe

MD5 cbc1e70836289e7d71dd592f50cacd70
SHA1 7f4fc2812889e3db4bbf40384292d294d7427e64
SHA256 9bd62b122ec94fbf0c466fc6945cf9548692bd5c484a6e9eb076d538bb2c85f4
SHA512 c2cda3ba3eef7760546c0ed3793d8d54cfd32566a40a2903f1a76dd1c7b5d77d11a73a11f2c37d7729b4aaa666fba3b6e4115137cf4096f86200c5d647a81e5a

memory/1188-121-0x0000000077A26000-0x0000000077A27000-memory.dmp

\Users\Admin\AppData\Local\KXgy0\Netplwiz.exe

MD5 e43ec3c800d4c0716613392e81fba1d9
SHA1 37de6a235e978ecf3bb0fc2c864016c5b0134348
SHA256 636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c
SHA512 176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

C:\Users\Admin\AppData\Local\KXgy0\NETPLWIZ.dll

MD5 eab2c03a641a6007bd902dd77ed976e7
SHA1 4b42c4a2673b994c793340f1da3b6776fc4316d6
SHA256 eb46683b8df384b09a72835edfaba2623d3a53d46dc995db439ff47c58c53fe0
SHA512 9456015e1b70d52a53639b449b12db1d9804a14d4692449bb805bb80fdf826465503990786dc378acd048007b41ab4c1d4473f5903719eb4d9db8843e95867ce

memory/2396-129-0x0000000000080000-0x0000000000087000-memory.dmp

\Users\Admin\AppData\Local\jXCHtCekV\eudcedit.exe

MD5 35e397d6ca8407b86d8a7972f0c90711
SHA1 6b39830003906ef82442522d22b80460c03f6082
SHA256 1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde
SHA512 71b0c4ac120e5841308b0c19718bdc28366b0d79c8177091328ef5421392b9ee5e4758816ffb8c0977f178e1b33ed064f64781eaf7d6952878dc8aea402f035e

C:\Users\Admin\AppData\Local\jXCHtCekV\MFC42u.dll

MD5 f999f9217c87453e980e8193d6d24e83
SHA1 a7ce9b816a525235a0003c00d00dc61003e149f1
SHA256 eb046b49dd02a6fec036f15c2e2e5d62510c8948580b89bce29d061ab63656bc
SHA512 21072486d2d143c3c12d1b56cdd3e711c40b816b3c8840ab8d8227a199a7f3e497e3978d878d57a257e33598e203f1d1be4723ff99cc04a79ece61c1efaec9a1

\Users\Admin\AppData\Local\jXCHtCekV\MFC42u.dll

MD5 fb277f4c991273d38d97f51282f65f6f
SHA1 2ae8df0646f9c418b3fe99750bc36889af0612e5
SHA256 9d174186faf37035a98b85d92307a627995e262ed194aed0e2ab36e70c92ec44
SHA512 566073275dc93b468fd1d23892980c8b78fa98cf525f038dab17d74fe9e0ea2dcdd8c79c135a67a849e1ec1a043b7e1dd373589100dc4945ef36f341710956c6

memory/1140-147-0x0000000000280000-0x0000000000287000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\5bRrtbu9w\eudcedit.exe

MD5 5b2659667cc9658336a8511d2b7ff242
SHA1 d0702456a7beed8977a97723cfc27e66e850fe53
SHA256 6ea1c36285a5a60df9de5bce4762eaac3b3f450ffaf73fdd8c69bf7a2b335991
SHA512 1956d826410ccdc6d86c5e6287b4d48bd938d4ca5f5fad4ca438806d18467062317281b1e534eb981591f10b5060d01d06ab44f08953c64020e3f313c3e7dd61

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

MD5 53d508f0ab9f115c43bfd98435c5b4ff
SHA1 d1c0652ddca8011df4b99ab2a21f9c4549c049f0
SHA256 b41cecc834cb4d05c911c9813d229e8293989c86bc7e32519bad531353ea58a0
SHA512 54840bd9f037be8a25db75f31a9857412192333588fc6767272bc53113925237b344fe2aa54228cdf2d6b418dcedb6934b10bc9e76a7063d404423c4827075c8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\67dQ\VERSION.dll

MD5 23b61a07970679166a105256f1f148ba
SHA1 7de22ffb0a844069537180a6943e06e54963a3cd
SHA256 ea64b16a73c8651adc37ce9a0febd2f4d1fecc60442e7cfe29cdc2d3d0b4d3b1
SHA512 9ae738b644c64b385ef0f1431f9df19207e4e6531e9c7fe3b5ed21538917bbd6b2a658be3b51ece236f827f88fd16c80f8092b29238f36b25c62ac0d3f6aae99

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\5bRrtbu9w\MFC42u.dll

MD5 6ba38ea31ed3dff1321bbab4f70bfa8b
SHA1 4ed7925474b41e25b2b9cd8f486ac60fd856be55
SHA256 2b82cf52cea5f322adaf0c2270264d75e20abdd1e8eedc0441183a7e7d9a4f07
SHA512 30dd7b343fe7d1dfa1213adb06a62ed700873c254b10a810cdb9415a92b1c8eee5d13dfe49d9a64afaf3dc469fb68de1bd9daf2de141ba241b1e904f011d7d30
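The behavioral1 signatures and file list describe one loader pattern: a Windows system binary (psr.exe, Netplwiz.exe, eudcedit.exe) is copied into a new directory under the user profile, a DLL carrying a system DLL name (VERSION.dll, NETPLWIZ.dll, MFC42u.dll) is written beside it, the copy is launched and loads that DLL (consistent with DLL search-order hijacking), and a Run value plus a Startup-folder .lnk are set for persistence. behavioral2 shows the same copying (SppExtComObj.Exe, dpapimig.exe, CustomShellHost.exe) without a recorded DLL or persistence entry. As an added example, not the sandbox's signature logic and not code from the report, the Python below turns those indicators into detection rules over a constructed event list transcribed from this report. The event schema, rule names and directory markers are this example's assumptions; it derives its set of "system binary names" from binaries seen executing out of system32 in the same telemetry, a stand-in for the signed-OS-binary catalog a production rule would use. It keeps the Startup path in the 8.3 short form the report shows, because a marker that only knows the long form would miss it.

```python
import ntpath

# Constructed telemetry transcribed from this report's process, file and
# registry indicators (behavioral1 on Win7; the last two rows from behavioral2
# on Win10). The event shape is this example's own, not a sandbox/EDR schema.
EVENTS = [
    {"kind": "process", "path": r"C:\Windows\system32\rundll32.exe"},
    {"kind": "process", "path": r"C:\Windows\system32\psr.exe"},
    {"kind": "file", "path": r"C:\Users\Admin\AppData\Local\ex711\psr.exe"},
    {"kind": "file", "path": r"C:\Users\Admin\AppData\Local\ex711\VERSION.dll"},
    {"kind": "process", "path": r"C:\Users\Admin\AppData\Local\ex711\psr.exe"},
    {"kind": "process", "path": r"C:\Windows\system32\Netplwiz.exe"},
    {"kind": "file", "path": r"C:\Users\Admin\AppData\Local\KXgy0\Netplwiz.exe"},
    {"kind": "file", "path": r"C:\Users\Admin\AppData\Local\KXgy0\NETPLWIZ.dll"},
    {"kind": "process", "path": r"C:\Users\Admin\AppData\Local\KXgy0\Netplwiz.exe"},
    {"kind": "process", "path": r"C:\Windows\system32\eudcedit.exe"},
    {"kind": "file", "path": r"C:\Users\Admin\AppData\Local\jXCHtCekV\eudcedit.exe"},
    {"kind": "file", "path": r"C:\Users\Admin\AppData\Local\jXCHtCekV\MFC42u.dll"},
    {"kind": "process", "path": r"C:\Users\Admin\AppData\Local\jXCHtCekV\eudcedit.exe"},
    {"kind": "file", "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\5bRrtbu9w\eudcedit.exe"},
    {"kind": "file", "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\5bRrtbu9w\MFC42u.dll"},
    # The report records the Startup folder in 8.3 short-name form.
    {"kind": "file", "path": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk"},
    {"kind": "registry",
     "path": r"\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt",
     "data": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\mVniuyp1AQ\Netplwiz.exe"},
    {"kind": "process", "path": r"C:\Windows\system32\SppExtComObj.Exe"},
    {"kind": "process", "path": r"C:\Users\Admin\AppData\Local\VKJ8pRh\SppExtComObj.Exe"},
]

# Lower-cased markers (Windows paths are case-insensitive); assumptions of this example.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
# Long form and 8.3 short form, so a short-name path does not slip past the check.
STARTUP_DIRS = ("\\start menu\\programs\\startup\\", "\\startm~1\\programs\\startup\\")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


def is_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def detect(events):
    """Classify copied system binaries (with or without a DLL dropped beside
    them) and the two persistence artefacts. Returns (rule, path, detail) tuples."""
    # Names seen running from a system directory in the same telemetry; this
    # report launches each original before its copy, so the observed set suffices.
    system_names = {ntpath.basename(e["path"]).lower()
                    for e in events if e["kind"] == "process" and is_system_dir(e["path"])}
    executed = {e["path"].lower() for e in events if e["kind"] == "process"}
    dlls_by_dir = {}  # lower-cased directory -> DLL file names written there
    for e in events:
        if e["kind"] == "file" and e["path"].lower().endswith(".dll"):
            dlls_by_dir.setdefault(ntpath.dirname(e["path"]).lower(), []).append(ntpath.basename(e["path"]))

    findings, seen = [], set()
    for e in events:
        p, low = e["path"], e["path"].lower()
        if (e["kind"] in ("process", "file") and is_user_writable(p)
                and ntpath.basename(low) in system_names and low not in seen):
            seen.add(low)
            dlls = dlls_by_dir.get(ntpath.dirname(low), [])
            ran = low in executed
            rule = ("sideload_executed" if dlls and ran
                    else "sideload_staged" if dlls
                    else "relocated_system_binary")
            findings.append((rule, p, {"executed": ran, "dlls": dlls}))
        elif e["kind"] == "file" and low.endswith(".lnk") and any(m in low for m in STARTUP_DIRS):
            findings.append(("startup_lnk", p, {}))
        elif e["kind"] == "registry" and RUN_KEY in low and is_user_writable(e.get("data", "")):
            findings.append(("run_key_to_user_dir", p, {"data": e["data"]}))
    return findings


if __name__ == "__main__":
    for rule, path, detail in detect(EVENTS):
        print(f"{rule:24} {path}  {detail}")
```

Run on the embedded events it yields three sideload_executed findings (the ex711, KXgy0 and jXCHtCekV copies), one sideload_staged for the Roaming copy of eudcedit.exe that was written next to MFC42u.dll but never launched in this run, one relocated_system_binary for the Win10 SppExtComObj.Exe copy that has no DLL recorded beside it, the Run value, and the Startup .lnk. The Run value's target path is not in the file list, so the rule fires on the registry data alone, which is the right behaviour for a staged persistence entry.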