Malware Analysis Report

2024-11-15 08:50

Sample ID 240122-mz4awafbb4
Target 6f7d97ba73906e0867f0f46d5c537049
SHA256 9abc5f5cc3312da7b9eb0e44a7a2306afd47d84c49b9cb86ed120cadfc05c824
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

9abc5f5cc3312da7b9eb0e44a7a2306afd47d84c49b9cb86ed120cadfc05c824

Threat Level: Known bad

The file 6f7d97ba73906e0867f0f46d5c537049 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-22 10:55

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 10:55

Reported

2024-01-22 10:57

Platform

win7-20231215-en

Max time kernel

150s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f7d97ba73906e0867f0f46d5c537049.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\iOLCtp4kk\BitLockerWizardElev.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\oPrXNnp\shrpubw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FsDb\fveprompt.exe N/A
(4 further load events with no process recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\tumEqtx6E\\shrpubw.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\iOLCtp4kk\BitLockerWizardElev.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\oPrXNnp\shrpubw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\FsDb\fveprompt.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further events with no process recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1240 wrote to memory of 324 N/A N/A C:\Windows\system32\BitLockerWizardElev.exe
PID 1240 wrote to memory of 324 N/A N/A C:\Windows\system32\BitLockerWizardElev.exe
PID 1240 wrote to memory of 324 N/A N/A C:\Windows\system32\BitLockerWizardElev.exe
PID 1240 wrote to memory of 1728 N/A N/A C:\Users\Admin\AppData\Local\iOLCtp4kk\BitLockerWizardElev.exe
PID 1240 wrote to memory of 1728 N/A N/A C:\Users\Admin\AppData\Local\iOLCtp4kk\BitLockerWizardElev.exe
PID 1240 wrote to memory of 1728 N/A N/A C:\Users\Admin\AppData\Local\iOLCtp4kk\BitLockerWizardElev.exe
PID 1240 wrote to memory of 2204 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1240 wrote to memory of 2204 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1240 wrote to memory of 2204 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1240 wrote to memory of 1864 N/A N/A C:\Users\Admin\AppData\Local\oPrXNnp\shrpubw.exe
PID 1240 wrote to memory of 1864 N/A N/A C:\Users\Admin\AppData\Local\oPrXNnp\shrpubw.exe
PID 1240 wrote to memory of 1864 N/A N/A C:\Users\Admin\AppData\Local\oPrXNnp\shrpubw.exe
PID 1240 wrote to memory of 1944 N/A N/A C:\Windows\system32\fveprompt.exe
PID 1240 wrote to memory of 1944 N/A N/A C:\Windows\system32\fveprompt.exe
PID 1240 wrote to memory of 1944 N/A N/A C:\Windows\system32\fveprompt.exe
PID 1240 wrote to memory of 1736 N/A N/A C:\Users\Admin\AppData\Local\FsDb\fveprompt.exe
PID 1240 wrote to memory of 1736 N/A N/A C:\Users\Admin\AppData\Local\FsDb\fveprompt.exe
PID 1240 wrote to memory of 1736 N/A N/A C:\Users\Admin\AppData\Local\FsDb\fveprompt.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f7d97ba73906e0867f0f46d5c537049.dll,#1

C:\Windows\system32\BitLockerWizardElev.exe

C:\Windows\system32\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\iOLCtp4kk\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\iOLCtp4kk\BitLockerWizardElev.exe

C:\Windows\system32\shrpubw.exe

C:\Windows\system32\shrpubw.exe

C:\Users\Admin\AppData\Local\oPrXNnp\shrpubw.exe

C:\Users\Admin\AppData\Local\oPrXNnp\shrpubw.exe

C:\Windows\system32\fveprompt.exe

C:\Windows\system32\fveprompt.exe

C:\Users\Admin\AppData\Local\FsDb\fveprompt.exe

C:\Users\Admin\AppData\Local\FsDb\fveprompt.exe

Network

N/A

Files

memory/2448-0-0x0000000140000000-0x0000000140185000-memory.dmp

memory/2448-2-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1240-4-0x0000000076DB6000-0x0000000076DB7000-memory.dmp

memory/1240-5-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/1240-7-0x0000000140000000-0x0000000140185000-memory.dmp

memory/2448-8-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-9-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-10-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-13-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-12-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-11-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-14-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-15-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-19-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-18-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-17-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-16-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-23-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-24-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-22-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-21-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-20-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-29-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-28-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-27-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-26-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-25-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-35-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-34-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-33-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-32-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-31-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-30-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-36-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-41-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-40-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-39-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-38-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-37-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-43-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-42-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-45-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-46-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-44-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-47-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-48-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-50-0x00000000021E0000-0x00000000021E7000-memory.dmp

memory/1240-56-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-57-0x0000000076EC1000-0x0000000076EC2000-memory.dmp

memory/1240-58-0x0000000077020000-0x0000000077022000-memory.dmp

memory/1240-67-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1240-73-0x0000000140000000-0x0000000140185000-memory.dmp

C:\Users\Admin\AppData\Local\iOLCtp4kk\BitLockerWizardElev.exe

MD5 73f13d791e36d3486743244f16875239
SHA1 ed5ec55dbc6b3bda505f0a4c699c257c90c02020
SHA256 2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8
SHA512 911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

C:\Users\Admin\AppData\Local\iOLCtp4kk\FVEWIZ.dll

MD5 c338f3236bebfca55f5ee1113b2a63e8
SHA1 2f907b6c463a3c3577c63e125ee219cbbfd1d972
SHA256 d3b36a4222fc21dd9eac4c533c2e84f1b239b54ff23c22fce4cb5d7854f18aee
SHA512 d94b55f7e6b7500ece9d3396f8fc9055dc377b0644a67295569a5b15a6691aeb26bec3e8196c40bd41359f3fe83ad892bef4656907e79b32323dbea3701eb7bc

memory/1728-85-0x0000000000170000-0x0000000000177000-memory.dmp

\Users\Admin\AppData\Local\oPrXNnp\shrpubw.exe

MD5 29e6d0016611c8f948db5ea71372f76c
SHA1 01d007a01020370709cd6580717f9ace049647e8
SHA256 53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930
SHA512 300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

C:\Users\Admin\AppData\Local\oPrXNnp\MFC42u.dll

MD5 692082607b170df2c355ff99e2b6d747
SHA1 843bc4849ab9036e7cd8fafa10ba98e6d20bfb5f
SHA256 1612a214923e9b7d61a6b9403dbe75f2aad84148759447d60ee06b01b68e3ba6
SHA512 2e8a3c562ea18b783d75cfbe3575fdc692b5ba2f5a425d1eddc5a5ebb1880ad59943e064c9da017eb262a467d9b4015c07a9d4285151ccf872a624384a193f17

memory/1864-103-0x00000000000F0000-0x00000000000F7000-memory.dmp

\Users\Admin\AppData\Local\FsDb\fveprompt.exe

MD5 dc2c44a23b2cd52bd53accf389ae14b2
SHA1 e36c7b6f328aa2ab2f52478169c52c1916f04b5f
SHA256 7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921
SHA512 ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

\Users\Admin\AppData\Local\FsDb\slc.dll

MD5 c1102bdd574a4b1dd56329a7d04334fa
SHA1 fae430640c4e72efe27cfc5bc01ae3c4cdd23b0c
SHA256 5d66e82dafb6657a5a0675fc52ce0202cadc3e36c22ab04a50d89b3eb201a072
SHA512 24a7364b743a77fc081200d28c09e3a2f6fc775857229b2ffbb051d995989fd759d128b57b340e8c48c402c97216a11d6b3072c4bae088105cb3f7a08c64f52d

memory/1736-125-0x0000000000320000-0x0000000000327000-memory.dmp

memory/1240-145-0x0000000076DB6000-0x0000000076DB7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 1e187829c2ffe0eda1b1b6e82f5fb625
SHA1 c392b5c68c7ab796b27305b8c979079be53d17a9
SHA256 59a85e9a03c10cb0aab39163428beec66ea9f3c3e8f4f33585218c6924417dd4
SHA512 889a98c89fb0af661f656d9c0ad1cba83f99b1cc878908ee46d475de507dba3a5b5e7e509ba9935e44ef40aff1bfed145ebbb486f600d53e5b7c2cddf174fadb

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 10:55

Reported

2024-01-22 10:57

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f7d97ba73906e0867f0f46d5c537049.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\lMA9ZqiHm2\\SystemPropertiesComputerName.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\WzoIOwa\SystemPropertiesComputerName.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\GgmHemHr\isoburn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\63ZE8qx\FXSCOVER.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further events with no process recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow


Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3480 wrote to memory of 1048 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 3480 wrote to memory of 1048 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 3480 wrote to memory of 2400 N/A N/A C:\Users\Admin\AppData\Local\63ZE8qx\FXSCOVER.exe
PID 3480 wrote to memory of 2400 N/A N/A C:\Users\Admin\AppData\Local\63ZE8qx\FXSCOVER.exe
PID 3480 wrote to memory of 2444 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 3480 wrote to memory of 2444 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 3480 wrote to memory of 4632 N/A N/A C:\Users\Admin\AppData\Local\WzoIOwa\SystemPropertiesComputerName.exe
PID 3480 wrote to memory of 4632 N/A N/A C:\Users\Admin\AppData\Local\WzoIOwa\SystemPropertiesComputerName.exe
PID 3480 wrote to memory of 3692 N/A N/A C:\Windows\system32\isoburn.exe
PID 3480 wrote to memory of 3692 N/A N/A C:\Windows\system32\isoburn.exe
PID 3480 wrote to memory of 788 N/A N/A C:\Users\Admin\AppData\Local\GgmHemHr\isoburn.exe
PID 3480 wrote to memory of 788 N/A N/A C:\Users\Admin\AppData\Local\GgmHemHr\isoburn.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f7d97ba73906e0867f0f46d5c537049.dll,#1

C:\Windows\system32\FXSCOVER.exe

C:\Windows\system32\FXSCOVER.exe

C:\Windows\system32\isoburn.exe

C:\Windows\system32\isoburn.exe

C:\Users\Admin\AppData\Local\GgmHemHr\isoburn.exe

C:\Users\Admin\AppData\Local\GgmHemHr\isoburn.exe

C:\Users\Admin\AppData\Local\WzoIOwa\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\WzoIOwa\SystemPropertiesComputerName.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\63ZE8qx\FXSCOVER.exe

C:\Users\Admin\AppData\Local\63ZE8qx\FXSCOVER.exe

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp

Files

memory/212-0-0x0000000140000000-0x0000000140185000-memory.dmp

memory/212-2-0x00000139245E0000-0x00000139245E7000-memory.dmp

memory/3480-5-0x00007FFB30A7A000-0x00007FFB30A7B000-memory.dmp

memory/3480-4-0x00000000092E0000-0x00000000092E1000-memory.dmp

memory/3480-7-0x0000000140000000-0x0000000140185000-memory.dmp

memory/212-8-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-9-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-10-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-11-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-15-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-16-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-17-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-18-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-19-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-22-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-21-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-24-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-23-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-20-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-25-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-26-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-27-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-28-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-14-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-13-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-29-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-12-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-32-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-37-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-38-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-39-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-40-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-41-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-45-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-47-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-50-0x0000000003330000-0x0000000003337000-memory.dmp

memory/3480-48-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-46-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-56-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-44-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-57-0x00007FFB321E0000-0x00007FFB321F0000-memory.dmp

memory/3480-68-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-66-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-43-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-42-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-36-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-35-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-34-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-33-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-31-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3480-30-0x0000000140000000-0x0000000140185000-memory.dmp

C:\Users\Admin\AppData\Local\63ZE8qx\MFC42u.dll

MD5 54b7c8d1324f00bae261d9491df0da00
SHA1 608ef1104361ec2dddf70c43d6b78c9ff49c7022
SHA256 578f46c289a050933cbba3ce82bc5a20a6752b5e1122372694c63788439d1c79
SHA512 e3c582aa6053b3876d2bdaf56866bfcf2002684de8f9d8298ba2a57dc0cfffa7b74bc095b2b6b49f09c96b0e47cfc1904b375691152ba960341cc06407873c22

memory/2400-84-0x0000000140000000-0x000000014018C000-memory.dmp

C:\Users\Admin\AppData\Local\63ZE8qx\FXSCOVER.exe

MD5 5769f78d00f22f76a4193dc720d0b2bd
SHA1 d62b6cab057e88737cba43fe9b0c6d11a28b53e8
SHA256 40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31
SHA512 b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

memory/4632-95-0x0000000140000000-0x0000000140186000-memory.dmp

memory/4632-96-0x0000000140000000-0x0000000140186000-memory.dmp

memory/4632-103-0x0000000140000000-0x0000000140186000-memory.dmp

memory/4632-98-0x00000198B8A90000-0x00000198B8A97000-memory.dmp

C:\Users\Admin\AppData\Local\WzoIOwa\SystemPropertiesComputerName.exe

MD5 6711765f323289f5008a6a2a04b6f264
SHA1 d8116fdf73608b4b254ad83c74f2232584d24144
SHA256 bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e
SHA512 438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

C:\Users\Admin\AppData\Local\GgmHemHr\UxTheme.dll

MD5 f1b170ea1dda44677c3ba38e3cbf50cd
SHA1 50681fbf6da59e7f2db40b624f0bda7dcb187894
SHA256 7d6a5854e3b9d9b1c5cb37535ba0e57702205e370799fa63853955dd72917e03
SHA512 e495817e48f96403b083fd6372917ea93f8b08fbe729c343a05221b28c14c723bcf24980a1c43fefd1bb29627a267a12093888736f47aca257d0fd08b293c79b

memory/788-121-0x0000000140000000-0x0000000140186000-memory.dmp

C:\Users\Admin\AppData\Local\GgmHemHr\isoburn.exe

MD5 a89c25f7990178de6ade691a6a4af103
SHA1 22198054dd8dd2ea22b8af496f46bfe522be638c
SHA256 4325a1d1bf5359c223124d5f8317ab5e62e19752f8516beab36bcf32d6f4d0f0
SHA512 eb7fbbe9cc6a1520b0d810973e071f93495fefbb68c4854e3067d432bcc6c43734d1af4f28df6354aa718437d614726a9b7b73c3b3454836af8548b1a0678555

memory/788-116-0x00000213CDCB0000-0x00000213CDCB7000-memory.dmp

C:\Users\Admin\AppData\Local\GgmHemHr\UxTheme.dll

MD5 cd7a0dc0979c29163e515a93322dad7b
SHA1 f78d56ebcaa40676b85eb8ac6508b08d06b5ee96
SHA256 ca125724013118043cbd16f4a9c3a2295e61539fac93bd3762433ccb76fb1e2b
SHA512 50aefa848a6c4b26d36b79e432102a148a33f6cde225064aa33f39561e4a37f2b310a124e960f8c851ab8944fd9d7a0e5dcbac521a429c201997c9fac511eec6

C:\Users\Admin\AppData\Local\GgmHemHr\isoburn.exe

MD5 d0424a92635b8082986fa890fd11533a
SHA1 2817f53c507781cc07fe1573acd6cac65c3d210f
SHA256 6d08bbb342146b59718ee5968209b752cd0888b17de7d5ab07e2496e4368c3f9
SHA512 4594cd42d3590aba6ff0cc7704949cf0e30cabce06a9841a76145e2c08451af8513b335dc5ff90871831be5f50f96f244fbcfe9c3fc19310b5df1a57b7be083e

C:\Users\Admin\AppData\Local\WzoIOwa\SYSDM.CPL

MD5 defec8037532b01c15373ca2a9faa987
SHA1 c05c4ecf7e8758ca32178aee0f29f607b31aed67
SHA256 142b4a6c9804c21e3630ce1f1b1ddc98ecd3dce485275e3413a74de69a6e1a4e
SHA512 ce08385d306f75c8eb645b729b79a86feb3d7baf84ff38f71b4c359caa28eeac9c86bfde2d9f19597e90250d514b75427836ce4a72b2f63a11a6c85a3e2edd48

C:\Users\Admin\AppData\Local\WzoIOwa\SYSDM.CPL

MD5 34b6806c6b5cee9a6ca238024ff34e0e
SHA1 80f3aa1b9f309b563115a7133e1a780644f0379f
SHA256 fc0e646a4f94f492b6d7e74ed8d69d64b6e0d461a923e21af8b90e938c3018e1
SHA512 1599926952e0d0d599551c21330c1286b01a3153458e3773dcb9dfa4f17392131eea85c2c16d5ab2e78268563fdfa15f9ba1ca2178b686a5df8e636ea246c2c6

memory/2400-83-0x00000198F9660000-0x00000198F9667000-memory.dmp

memory/2400-80-0x0000000140000000-0x000000014018C000-memory.dmp

memory/2400-77-0x0000000140000000-0x000000014018C000-memory.dmp

C:\Users\Admin\AppData\Local\63ZE8qx\MFC42u.dll

MD5 a55aedef6d273880cf3f6c9e7fb940a6
SHA1 cae7ba4bd1edc038a602c39e4700d06f25fd2bf0
SHA256 859d0e5a712509fbb8e12d91fe6edf77b9c10844fae96eb464f7c251b18850b4
SHA512 5acd4e2e7bfb3b3af56a608bc96c59e94d9e6093ad730aa71929bb902707476272a215437b52cb721f23c81de5088b1d3f5aa014ef951b1b2b7d0e0248cf9508

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

MD5 f97f2c7bbed73335d9eb0b27914fa94f
SHA1 b185772d2c4b65b575728de30ef436fe2cee97c5
SHA256 ef16912de6cfd3e449cd4d288622abb72d4afc3f9e53209e237c274290332c2f
SHA512 b9b4acb39d4d9b1be5258c7cc30bb6da46ce3ba82be7a02430c40c16725b1a71c5bfea02954ec4eaef94d04fcd8e6b316c43a5431471f1b2aac2af62e50a5e30

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\h7\MFC42u.dll

MD5 1f8679b303071771b9e742575293f492
SHA1 93940b3b0add0f5c6b974f20c6c0c0b0552b39fa
SHA256 8323786991091280c896af68b3403bbce9cf821a7eba7a01e3540bd676883b5b
SHA512 926dc13398d342a6f914c01ff0bdae0a8201c74c9b71700b8dac0adbf6633b7ce545db69320178ad5e6e191b7a4d9d07dace3a9b790f64738da29c730361805e

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\lMA9ZqiHm2\SYSDM.CPL

MD5 29b7a3b41d5c013158cb24fb27366b6c
SHA1 8be2170d516911459511cd5adf848a5dfd6ce6d7
SHA256 16248768ad81ea58fb6751d8ef3099fbc89ae1df4026a4f4dae25143d5468587
SHA512 6e86899e5f279da4f708b8ea1de37eb84fb0d6843f1ee5d18d69a0685fc9e92b6e58b533167f767c656850030ddada16874b6e036aa9c3eacff4f46ec186ebd9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\DWt1\UxTheme.dll

MD5 de2ddd33bda4fb19b4cc48e0ed787584
SHA1 0cb9cbec7027d3edf5bbc8b7a21beee280f7782a
SHA256 eafdb8b7c07513866d1d663d056514f94a6c6805f6298d26d71a81730efde818
SHA512 b1a9fe8dbc749139ee828bb5cea4d23fdb23e3ce0e51881efdfd56e07396b09fff1530c04a1332e3a44fbdb3d55f9dfb5bc3074ce5278a039cb67b7881e62bd6
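Read together, the Files, WriteProcessMemory and Run-key rows of both detonations describe one chain. A legitimate Windows binary (BitLockerWizardElev.exe, shrpubw.exe and fveprompt.exe on win7; FXSCOVER.exe, SystemPropertiesComputerName.exe and isoburn.exe on win10) is copied into a random-named AppData\Local directory next to a dropped library (FVEWIZ.dll, MFC42u.dll, slc.dll; MFC42u.dll, SYSDM.CPL, UxTheme.dll), and behavioral1's "Loads dropped DLL" rows show the relocated copies loading those libraries. One source PID (1240 on win7, 3480 on win10; the report does not name its image) writes into both the system32 original and the copy. A Run key then points at a further copy under AppData\Roaming\Microsoft\Crypto, and a .lnk is written to the Startup folder. The script below is an added triage example and is not part of the sandbox report or its tooling: it takes rows in the report's own format (the three input lists are constructed from the behavioral2 sections; the behavioral1 rows have the same shape), recovers the EXE/library pairs, the libraries staged with no EXE beside them, the binaries written to in both locations, and each Run-key target together with any library dropped into the same directory. The function names and the user-writable heuristic (anything under \Users) are this example's own assumptions.

```python
"""Triage helpers for the sideload-and-inject pattern in this report.
Added example, not the sandbox's code: inputs are built from the behavioral2
Files, WriteProcessMemory and Run-key rows; function names are the example's."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Behavioral2 "Files": EXE+library pairs under AppData\Local, plus libraries
# staged under AppData\Roaming with no EXE listed beside them.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\63ZE8qx\MFC42u.dll",
    r"C:\Users\Admin\AppData\Local\63ZE8qx\FXSCOVER.exe",
    r"C:\Users\Admin\AppData\Local\WzoIOwa\SystemPropertiesComputerName.exe",
    r"C:\Users\Admin\AppData\Local\WzoIOwa\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\GgmHemHr\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\GgmHemHr\isoburn.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\h7\MFC42u.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\lMA9ZqiHm2\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\DWt1\UxTheme.dll",
]
# Behavioral2 WriteProcessMemory rows, one per distinct target (the report
# repeats each); the report does not name the image behind PID 3480.
WRITE_EVENTS = [
    r"PID 3480 wrote to memory of 1048 N/A N/A C:\Windows\system32\FXSCOVER.exe",
    r"PID 3480 wrote to memory of 2400 N/A N/A C:\Users\Admin\AppData\Local\63ZE8qx\FXSCOVER.exe",
    r"PID 3480 wrote to memory of 2444 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe",
    r"PID 3480 wrote to memory of 4632 N/A N/A C:\Users\Admin\AppData\Local\WzoIOwa\SystemPropertiesComputerName.exe",
    r"PID 3480 wrote to memory of 3692 N/A N/A C:\Windows\system32\isoburn.exe",
    r"PID 3480 wrote to memory of 788 N/A N/A C:\Users\Admin\AppData\Local\GgmHemHr\isoburn.exe",
]
# Behavioral2 "Adds Run key to start application" row, verbatim from the report.
RUN_KEY_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\lMA9ZqiHm2\\SystemPropertiesComputerName.exe" N/A N/A',
]

_WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)(?:\s+N/A)*\s+(\S+)$")
_RUN_RE = re.compile(r"\\Run\\(\w+) = \"(.+?)\"")

def _parts(path):
    """Case-folded components minus drive/root anchor: 'C:\\Users' == '\\Users'."""
    p = PureWindowsPath(path)
    return tuple(s.lower() for s in (p.parts[1:] if p.anchor else p.parts))

def is_user_writable(path):
    """Heuristic: True under a user profile; \\Windows\\system32 paths are False."""
    parts = _parts(path)
    return len(parts) > 1 and parts[0] == "users"

def sideload_candidates(paths):
    """(pairs, orphans): pairs are (exe, library) sharing a user-writable
    directory, a relocated Windows binary with a DLL/CPL staged beside it;
    orphans are such libraries dropped where no EXE is listed."""
    by_dir = defaultdict(list)
    for path in paths:
        by_dir[_parts(path)[:-1]].append(path)
    pairs, orphans = [], []
    for entries in by_dir.values():
        if not is_user_writable(entries[0]):
            continue
        exes = [p for p in entries if p.lower().endswith(".exe")]
        libs = [p for p in entries if p.lower().endswith((".dll", ".cpl"))]
        pairs.extend((e, lib) for e in exes for lib in libs)
        orphans.extend([] if exes else libs)
    return sorted(pairs), sorted(orphans)

def written_in_both_locations(rows):
    """Per source PID, basenames it wrote into both under \\Windows and as a
    user-writable copy; one PID does this for every relocated binary here."""
    seen = defaultdict(lambda: defaultdict(set))
    for row in rows:
        m = _WRITE_RE.match(row)
        if m:
            seen[int(m[1])][_parts(m[3])[-1]].add(is_user_writable(m[3]))
    return {src: sorted(n for n, where in names.items() if len(where) == 2)
            for src, names in seen.items()}

def run_key_persistence(rows, dropped=()):
    """'Set value' rows -> (value name, target, in_user_dir, staged_libraries);
    staged_libraries are dropped DLL/CPL files in the Run target's directory."""
    out = []
    for row in rows:
        m = _RUN_RE.search(row)
        if not m:
            continue
        target = m[2].replace("\\\\", "\\")  # the registry dump doubles backslashes
        staged = sorted(p for p in dropped if p.lower().endswith((".dll", ".cpl"))
                        and _parts(p)[:-1] == _parts(target)[:-1])
        out.append((m[1], target, is_user_writable(target), staged))
    return out

def triage_summary(files=DROPPED_FILES, writes=WRITE_EVENTS, run_keys=RUN_KEY_ROWS):
    """Findings keyed by type, as basenames so they read like hunting terms."""
    pairs, orphans = sideload_candidates(files)
    return {
        "sideload_pairs": [(_parts(e)[-1], _parts(lib)[-1]) for e, lib in pairs],
        "staged_libraries": sorted(_parts(o)[-1] for o in orphans),
        "written_in_both_locations": written_in_both_locations(writes),
        "run_keys": run_key_persistence(run_keys, files),
    }

if __name__ == "__main__":
    for finding, value in triage_summary().items():
        print(f"{finding}: {value}")
```

On the behavioral2 rows this yields three EXE/library pairs, three orphaned libraries under Roaming (MFC42u.dll, SYSDM.CPL, UxTheme.dll), PID 3480 writing to all three binaries in both locations, and a Run target whose directory lMA9ZqiHm2 already holds a SYSDM.CPL. When lifting hashes from this report as IOCs, note that behavioral2 lists two different hash sets for GgmHemHr\UxTheme.dll, GgmHemHr\isoburn.exe, WzoIOwa\SYSDM.CPL and 63ZE8qx\MFC42u.dll, so both sets should be carried.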