Analysis Overview
SHA256
c092366b339a5d407c5cda3fda5c319d83012510638e78d89461ec973ea3e615
Threat Level: Known bad
The file 1d7960eb16722c63af8924dcf0d7df96 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 21:45
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 21:45
Reported
2024-01-04 14:45
Platform
win7-20231215-en
Max time kernel
149s
Max time network
122s
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\fUX3s9UJ\iexpress.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ao2AYVXR\tabcal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\4hRr9pF\SystemPropertiesProtection.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\fUX3s9UJ\iexpress.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ao2AYVXR\tabcal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\4hRr9pF\SystemPropertiesProtection.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\MEDIAC~1\\xGVnT2X\\tabcal.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\fUX3s9UJ\iexpress.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ao2AYVXR\tabcal.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\4hRr9pF\SystemPropertiesProtection.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d7960eb16722c63af8924dcf0d7df96.dll,#1 |
| C:\Windows\system32\iexpress.exe | C:\Windows\system32\iexpress.exe |
| C:\Users\Admin\AppData\Local\fUX3s9UJ\iexpress.exe | C:\Users\Admin\AppData\Local\fUX3s9UJ\iexpress.exe |
| C:\Users\Admin\AppData\Local\ao2AYVXR\tabcal.exe | C:\Users\Admin\AppData\Local\ao2AYVXR\tabcal.exe |
| C:\Windows\system32\tabcal.exe | C:\Windows\system32\tabcal.exe |
| C:\Windows\system32\SystemPropertiesProtection.exe | C:\Windows\system32\SystemPropertiesProtection.exe |
| C:\Users\Admin\AppData\Local\4hRr9pF\SystemPropertiesProtection.exe | C:\Users\Admin\AppData\Local\4hRr9pF\SystemPropertiesProtection.exe |
Network
Files
memory/2500-1-0x0000000000110000-0x0000000000117000-memory.dmp
memory/2500-0-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-4-0x0000000076EF6000-0x0000000076EF7000-memory.dmp
memory/1100-14-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-28-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-40-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-51-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-53-0x00000000024F0000-0x00000000024F7000-memory.dmp
memory/1100-64-0x0000000077160000-0x0000000077162000-memory.dmp
memory/1100-61-0x0000000077001000-0x0000000077002000-memory.dmp
memory/1100-71-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-60-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1460-92-0x0000000000090000-0x0000000000097000-memory.dmp
memory/1100-52-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-50-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-49-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-48-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-47-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-46-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-45-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-44-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-43-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-42-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-41-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-39-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-38-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-37-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-36-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-35-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-34-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-33-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-32-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-31-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-30-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-29-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-27-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-26-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-25-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-24-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-23-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-22-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-21-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-20-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-19-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-18-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-17-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-16-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-15-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-13-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-12-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-11-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/2440-129-0x0000000000420000-0x0000000000427000-memory.dmp
memory/1100-10-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-9-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/2500-8-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-7-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/1100-5-0x00000000024E0000-0x00000000024E1000-memory.dmp
memory/1100-153-0x0000000076EF6000-0x0000000076EF7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 21:45
Reported
2024-01-04 14:46
Platform
win10v2004-20231215-en
Max time kernel
154s
Max time network
163s
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\eDEFb\FileHistory.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\aEL\PresentationHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\AEJX3MG\ie4uinit.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\eDEFb\FileHistory.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\aEL\PresentationHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\aEL\PresentationHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\AEJX3MG\ie4uinit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\AEJX3MG\ie4uinit.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Jtsr8C9B\\PresentationHost.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\AEJX3MG\ie4uinit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\eDEFb\FileHistory.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\aEL\PresentationHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3440 wrote to memory of 5056 | N/A | N/A | C:\Windows\system32\FileHistory.exe |
| PID 3440 wrote to memory of 5056 | N/A | N/A | C:\Windows\system32\FileHistory.exe |
| PID 3440 wrote to memory of 4180 | N/A | N/A | C:\Users\Admin\AppData\Local\eDEFb\FileHistory.exe |
| PID 3440 wrote to memory of 4180 | N/A | N/A | C:\Users\Admin\AppData\Local\eDEFb\FileHistory.exe |
| PID 3440 wrote to memory of 1804 | N/A | N/A | C:\Windows\system32\PresentationHost.exe |
| PID 3440 wrote to memory of 1804 | N/A | N/A | C:\Windows\system32\PresentationHost.exe |
| PID 3440 wrote to memory of 2452 | N/A | N/A | C:\Users\Admin\AppData\Local\aEL\PresentationHost.exe |
| PID 3440 wrote to memory of 2452 | N/A | N/A | C:\Users\Admin\AppData\Local\aEL\PresentationHost.exe |
| PID 3440 wrote to memory of 3384 | N/A | N/A | C:\Windows\system32\ie4uinit.exe |
| PID 3440 wrote to memory of 3384 | N/A | N/A | C:\Windows\system32\ie4uinit.exe |
| PID 3440 wrote to memory of 3480 | N/A | N/A | C:\Users\Admin\AppData\Local\AEJX3MG\ie4uinit.exe |
| PID 3440 wrote to memory of 3480 | N/A | N/A | C:\Users\Admin\AppData\Local\AEJX3MG\ie4uinit.exe |
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d7960eb16722c63af8924dcf0d7df96.dll,#1 |
| C:\Windows\system32\FileHistory.exe | C:\Windows\system32\FileHistory.exe |
| C:\Users\Admin\AppData\Local\eDEFb\FileHistory.exe | C:\Users\Admin\AppData\Local\eDEFb\FileHistory.exe |
| C:\Windows\system32\PresentationHost.exe | C:\Windows\system32\PresentationHost.exe |
| C:\Users\Admin\AppData\Local\aEL\PresentationHost.exe | C:\Users\Admin\AppData\Local\aEL\PresentationHost.exe |
| C:\Windows\system32\ie4uinit.exe | C:\Windows\system32\ie4uinit.exe |
| C:\Users\Admin\AppData\Local\AEJX3MG\ie4uinit.exe | C:\Users\Admin\AppData\Local\AEJX3MG\ie4uinit.exe |
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/5064-0-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/5064-2-0x000001FB24CE0000-0x000001FB24CE7000-memory.dmp
memory/5064-1-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-5-0x0000000002F10000-0x0000000002F11000-memory.dmp
memory/3440-7-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-10-0x00007FFE42BBA000-0x00007FFE42BBB000-memory.dmp
memory/3440-11-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-12-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-13-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-14-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/5064-9-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-8-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-15-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-16-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-17-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-18-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-19-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-20-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-21-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-22-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-23-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-24-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-25-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-26-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-27-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-28-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-29-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-30-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-31-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-32-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-33-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-34-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-35-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-36-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-37-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-38-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-39-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-40-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-41-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-42-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-44-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-43-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-45-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-46-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-47-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-48-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-49-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-50-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-51-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-52-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-54-0x0000000001290000-0x0000000001297000-memory.dmp
memory/3440-53-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-61-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-62-0x00007FFE44340000-0x00007FFE44350000-memory.dmp
memory/3440-71-0x0000000140000000-0x00000001401C6000-memory.dmp
memory/3440-73-0x0000000140000000-0x00000001401C6000-memory.dmp
C:\Users\Admin\AppData\Local\eDEFb\FileHistory.exe
| MD5 | eeba3dd643ced2781ec1b7e3cd6fa246 |
| SHA1 | 2d394173e603625e231633fc270072e854bac17b |
| SHA256 | bee0799a52fe65b8dc291de32f0c8b03b5a067915b1868bc8ba2a1b139c90b87 |
| SHA512 | 222d4fbc7ee57d75889698a0660996293a0143518fdecc1b222618796d76d40f2d3b00b071f92ab917ac8847f195d7de02df55b5e89dad8a80d110e464cd3271 |
C:\Users\Admin\AppData\Local\eDEFb\UxTheme.dll
| MD5 | f51db4e23edba0032fe10f1ae7ccf3c1 |
| SHA1 | 2e6646efed5b666620540847fc61067fa67c01bd |
| SHA256 | e5dd1abc940aa012b401e29a4c92c917c8feaa3d49e026f110de1941a909d607 |
| SHA512 | f138f55911681e6fb2178248056cbc042979a84e78f25fd06539f64a3542afe00199a6f993996377fbcedbf8f40afc30b6e4f66e268ffc9af6a8b9a7d002c0e8 |
memory/4180-83-0x0000000140000000-0x00000001401C7000-memory.dmp
memory/4180-82-0x0000000140000000-0x00000001401C7000-memory.dmp
memory/4180-85-0x0000027AA3DA0000-0x0000027AA3DA7000-memory.dmp
memory/4180-90-0x0000000140000000-0x00000001401C7000-memory.dmp
C:\Users\Admin\AppData\Local\aEL\PresentationHost.exe
| MD5 | ef27d65b92d89e8175e6751a57ed9d93 |
| SHA1 | 7279b58e711b459434f047e9098f9131391c3778 |
| SHA256 | 17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48 |
| SHA512 | 40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e |
C:\Users\Admin\AppData\Local\aEL\VERSION.dll
| MD5 | c23d867f1fca778932391be2c7b1210d |
| SHA1 | fb5098275afb7a86027af1f76840827841462b38 |
| SHA256 | de88d6e0df48efc41f5eaaafe1f6b34707a788ed669226a512a6e45303ef4358 |
| SHA512 | 87f1f131ec586e0274234d4ed23ac843ee26540e535467e46ce37335f441f95132e484d20fb7983ccc5f6435db29feb06daf999c98b534bb61ea7a5e7a0755d4 |
memory/2452-104-0x00000237460C0000-0x0000023746287000-memory.dmp
memory/2452-107-0x00000237460C0000-0x0000023746287000-memory.dmp
memory/2452-109-0x0000023746380000-0x0000023746387000-memory.dmp
memory/2452-115-0x00000237460C0000-0x0000023746287000-memory.dmp
C:\Users\Admin\AppData\Local\AEJX3MG\ie4uinit.exe
| MD5 | a2f0104edd80ca2c24c24356d5eacc4f |
| SHA1 | 8269b9fd9231f04ed47419bd565c69dc677fab56 |
| SHA256 | 5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c |
| SHA512 | e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390 |
C:\Users\Admin\AppData\Local\AEJX3MG\VERSION.dll
| MD5 | 42298b714f7ce638c6435c80e30278db |
| SHA1 | 95103990b2ce3459390961eddb194a91d5ff02a4 |
| SHA256 | 983f1905899ef52adb230275ff0ca9cf1df486a1c4cd3d00297c2846d23279d2 |
| SHA512 | f74e4d1d07e5072f2957168e51b01a804cedb80a8b5241ed867598931e40441b2790201d54e17292fa0deed1d0cfaed5df3fd9f1e1b5fac83ae68c4f70edb9d4 |
memory/3480-126-0x000001DF3E780000-0x000001DF3E947000-memory.dmp
memory/3480-129-0x000001DF3E780000-0x000001DF3E947000-memory.dmp
memory/3480-132-0x000001DF401B0000-0x000001DF401B7000-memory.dmp
memory/3480-140-0x000001DF3E780000-0x000001DF3E947000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| MD5 | 3f1c5fbb8f0774d5c627309b7b65cab5 |
| SHA1 | 6be2fd8c41bdd1619cf879950ca576dec0f69fa4 |
| SHA256 | 40a75644893ed5c2d90670db97982c94c569a436f0be8cbc08633633e4539a18 |
| SHA512 | e0d648e8e95f27292e2967572c83d3fe3f79c6ec774c4899f15aa0848efb0a5185b98a32be716978080a133d2d6ee71c55c4c7d78be0b245daa9242e03a0fa2b |
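Both detonations record the same loader pattern: a Windows-shipped binary (iexpress.exe, tabcal.exe and SystemPropertiesProtection.exe on win7; FileHistory.exe, PresentationHost.exe and ie4uinit.exe on win10) is started from System32, then a copy of it runs from a randomly named directory under AppData\Local, and in the win10 run a DLL named UxTheme.dll or VERSION.dll was written into that same directory before the copy executed ("Loads dropped DLL"). Persistence is a Run value and a Startup .lnk pointing at a further copy under AppData\Roaming. The script below is an added hunting example, not part of the sandbox output: its event lists are constructed from the paths and PIDs in this report, and the SIDELOAD_DLL_NAMES set, the "same file name also ran from System32" heuristic and the per-user path regexes are the editor's assumptions rather than facts the report states.

```python
"""Hunt for the copy-and-side-load pattern in this report (added example,
not sandbox output; sample events are constructed from the report's paths and
PIDs; SIDELOAD_DLL_NAMES and the name-collision heuristic are assumptions)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Directories where a Windows-shipped EXE legitimately lives.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLL names resolved from the EXE's own directory before System32, so a copy
# dropped beside the EXE wins; these two are the names the win10 run dropped
# (extend from your own telemetry; assumption).
SIDELOAD_DLL_NAMES = {"version.dll", "uxtheme.dll"}
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\[^\\]+$", re.I)
USER_WRITABLE_RE = re.compile(r"\\appdata\\(local|roaming)\\", re.I)
STARTUP_LNK_RE = re.compile(r"\\programs\\startup\\[^\\]+\.lnk$", re.I)

# Constructed sample: (pid, image) from the behavioral2 process list and the
# WriteProcessMemory targets.
PROCESS_EVENTS = [
    (3440, r"C:\Windows\system32\rundll32.exe"),
    (5056, r"C:\Windows\system32\FileHistory.exe"),
    (4180, r"C:\Users\Admin\AppData\Local\eDEFb\FileHistory.exe"),
    (1804, r"C:\Windows\system32\PresentationHost.exe"),
    (2452, r"C:\Users\Admin\AppData\Local\aEL\PresentationHost.exe"),
    (3384, r"C:\Windows\system32\ie4uinit.exe"),
    (3480, r"C:\Users\Admin\AppData\Local\AEJX3MG\ie4uinit.exe"),
]
# Constructed sample: files written during the behavioral2 run.
FILE_EVENTS = [
    r"C:\Users\Admin\AppData\Local\eDEFb\FileHistory.exe",
    r"C:\Users\Admin\AppData\Local\eDEFb\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\aEL\PresentationHost.exe",
    r"C:\Users\Admin\AppData\Local\aEL\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\AEJX3MG\ie4uinit.exe",
    r"C:\Users\Admin\AppData\Local\AEJX3MG\VERSION.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk",
]
# Constructed sample: (key, string data) from the behavioral2 Run-key row.
REGISTRY_EVENTS = [
    (r"\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000"
     r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Jtsr8C9B\PresentationHost.exe"),
]


def split_path(path):
    """Return (lower-cased parent directory, lower-cased file name)."""
    p = PureWindowsPath(path)
    return str(p.parent).lower(), p.name.lower()


def lolbin_copies(process_events):
    """Images that ran outside SYSTEM_DIRS under a file name that also ran
    from a system directory in the same run (System32 first, then the copy)."""
    system_names = {split_path(img)[1] for _, img in process_events
                    if split_path(img)[0] in SYSTEM_DIRS}
    return [(pid, img) for pid, img in process_events
            if split_path(img)[0] not in SYSTEM_DIRS
            and split_path(img)[1] in system_names]


def sideload_pairs(file_events):
    """(directory, exe, dll) where an EXE and a system-named DLL were both
    written into the same per-user AppData directory."""
    by_dir = defaultdict(set)
    for path in file_events:
        d, name = split_path(path)
        by_dir[d].add(name)
    pairs = []
    for d, names in sorted(by_dir.items()):
        if not USER_WRITABLE_RE.search(d + "\\"):
            continue
        for exe in sorted(n for n in names if n.endswith(".exe")):
            for dll in sorted(names & SIDELOAD_DLL_NAMES):
                pairs.append((d, exe, dll))
    return pairs


def run_key_persistence(registry_events):
    """Run values (not RunOnce) whose data points into per-user AppData."""
    return [(key.rsplit("\\", 1)[-1], data) for key, data in registry_events
            if RUN_KEY_RE.search(key) and USER_WRITABLE_RE.search(data)]


def startup_lnks(file_events):
    """Shortcuts in the per-user Startup folder; STARTM~1 keeps the Programs\\Startup tail."""
    return [p for p in file_events if STARTUP_LNK_RE.search(p)]


def triage(process_events, file_events, registry_events):
    """Collect every finding. A side-load pair in the same directory as a
    LOLBin copy is the high-confidence signal; the rest is corroboration."""
    copies = lolbin_copies(process_events)
    pairs = sideload_pairs(file_events)
    copy_dirs = {split_path(img)[0] for _, img in copies}
    return {
        "lolbin_copies": copies,
        "sideload_pairs": pairs,
        "confirmed_sideloads": [p for p in pairs if p[0] in copy_dirs],
        "run_keys": run_key_persistence(registry_events),
        "startup_lnks": startup_lnks(file_events),
    }
```

Run against the constructed events this returns three LOLBin copies (PIDs 4180, 2452 and 3480), three EXE/DLL pairs, all three confirmed because the pair's directory is the one the copy executed from, the single Run value and the single Startup shortcut. The pairing is by directory only, because the report does not name which DLL each copied EXE actually loaded; on live telemetry confirm it with image-load events (Sysmon Event ID 7) showing the EXE loading VERSION.dll or UxTheme.dll from its own directory instead of System32, and expect the 8.3 short names (MEDIAC~1, MICROS~1, STARTM~1) seen in the win7 Run value and the .lnk path, which is why the regexes match on the AppData and Programs\Startup segments rather than on full folder names.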