Analysis

  • max time kernel
    88s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-01-2024 20:49

General

  • Target: 6dfd7436bd4deb041e0a6690557c4397.dll
  • Size: 1.5MB
  • MD5: 6dfd7436bd4deb041e0a6690557c4397
  • SHA1: 8689cb744b5e5d497a20d4f95a479cf3d1b07ef7
  • SHA256: 670c71a7ce5a1d03db1879db686c7f2ba96a4e6488cc14aa093b3831ea02405d
  • SHA512: a86ae46acc04e5f976c9410544c1977949ba48fc26bd05d0324ae59db0cfe178873e18029290f81950ac2b58fb4a2a43b699e15123b46dfd282b011f159fc085
  • SSDEEP: 12288:qVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:3fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a banking trojan that specializes in stealing online-banking credentials.

  • Dridex Shellcode (1 IoC)

    Detects Dridex payload shellcode injected into the Explorer process.

  • Modifies Installed Components in the registry (2 TTPs, 5 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Enumerates connected drives (3 TTPs, 8 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

    SCSI information is often read in order to detect sandbox and virtual-machine environments: the Identifier value under HKLM\HARDWARE\DEVICEMAP\Scsi names the disk vendor, and on hypervisor guests it typically contains a string such as VBOX, VMware or QEMU.

  • Modifies Internet Explorer settings (1 TTP, 2 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (61 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  All entries are recorded at tree depth 1; the report does not capture parent/child relationships between them.

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6dfd7436bd4deb041e0a6690557c4397.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4220
  • C:\Windows\system32\msdt.exe
    C:\Windows\system32\msdt.exe
    PID:1608
  • C:\Users\Admin\AppData\Local\XgdPOMC\msdt.exe
    C:\Users\Admin\AppData\Local\XgdPOMC\msdt.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1128
  • C:\Windows\system32\systemreset.exe
    C:\Windows\system32\systemreset.exe
    PID:3400
  • C:\Users\Admin\AppData\Local\WIiFVS4\systemreset.exe
    C:\Users\Admin\AppData\Local\WIiFVS4\systemreset.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:972
  • C:\Windows\system32\rstrui.exe
    C:\Windows\system32\rstrui.exe
    PID:2576
  • C:\Users\Admin\AppData\Local\PttLEu\rstrui.exe
    C:\Users\Admin\AppData\Local\PttLEu\rstrui.exe
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:3016
  • C:\Windows\explorer.exe
    explorer.exe
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4752
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3800
  • C:\Windows\explorer.exe
    explorer.exe
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4536
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2904
  • C:\Windows\explorer.exe
    explorer.exe
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4800
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2464
  • C:\Windows\explorer.exe
    explorer.exe
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3824
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4348
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3496
  • C:\Windows\explorer.exe
    explorer.exe
    PID:2356
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID:4424
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID:4280
  • C:\Windows\explorer.exe
    explorer.exe
    PID:1132
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID:4272
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID:3788
  • C:\Windows\explorer.exe
    explorer.exe
    PID:4328
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID:3396
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID:644
  • C:\Windows\explorer.exe
    explorer.exe
    PID:3728
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID:4556
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID:4996
  • C:\Windows\explorer.exe
    explorer.exe
    PID:2828
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID:4280
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID:3320
  • C:\Windows\explorer.exe
    explorer.exe
    PID:1884
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID:208
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID:3768
  • C:\Windows\explorer.exe
    explorer.exe
    PID:3688
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID:3168
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of SendNotifyMessage
    PID:2356
  • C:\Windows\explorer.exe
    explorer.exe
    PID:4024
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID:4064
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID:792
  • C:\Windows\explorer.exe
    explorer.exe
    PID:1412
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID:3516
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID:236
  • C:\Windows\explorer.exe
    explorer.exe
    PID:1612
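
The process tree above pairs each of three Windows system executables (msdt.exe, systemreset.exe, rstrui.exe) with a same-named copy running from a freshly created directory under %LOCALAPPDATA%, and the Downloads list below shows a DLL dropped beside each copy (wer.dll, DUI70.dll, SPP.dll) whose name matches a DLL that ships in System32. Because the application directory is searched before System32 for any DLL not on the KnownDLLs list, the relocated executable resolves that import to the dropped file. Reading this as DLL search-order hijacking through a copied signed binary is the editor's interpretation of the tree and drop list, not a label the sandbox emits. The Python below is an added example (not sandbox output and not Dridex code) that applies that reading mechanically to the report's own process and drop records, transcribed here as constructed input: it derives the set of copied binaries from the tree itself rather than from a fixed list of names, pairs each with co-located DLLs, and also pulls out the Startup-folder shortcut and the rundll32 load from %TEMP%. All function names are the editor's.

```python
"""Triage a sandbox process tree and drop list for copied system binaries,
side-by-side DLLs, Startup-folder shortcuts and rundll32 loads from Temp.

The records below are transcribed from the report; the checks are an added
example, not the sandbox's own signatures.
"""
import ntpath
from collections import defaultdict

# Lower-cased prefix of the directory tree that legitimately holds Windows binaries.
WINDOWS_DIRS = ("c:\\windows\\",)

# (pid, image path, command line); command line left empty where the report
# shows only the image path.
PROCESSES = [
    (4220, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\6dfd7436bd4deb041e0a6690557c4397.dll,#1"),
    (1608, r"C:\Windows\system32\msdt.exe", ""),
    (1128, r"C:\Users\Admin\AppData\Local\XgdPOMC\msdt.exe", ""),
    (3400, r"C:\Windows\system32\systemreset.exe", ""),
    (972, r"C:\Users\Admin\AppData\Local\WIiFVS4\systemreset.exe", ""),
    (2576, r"C:\Windows\system32\rstrui.exe", ""),
    (3016, r"C:\Users\Admin\AppData\Local\PttLEu\rstrui.exe", ""),
    (4752, r"C:\Windows\explorer.exe", "explorer.exe"),
]

# Paths from the report's Downloads (dropped files) list.
DROPPED = [
    r"C:\Users\Admin\AppData\Local\PttLEu\SPP.dll",
    r"C:\Users\Admin\AppData\Local\PttLEu\rstrui.exe",
    r"C:\Users\Admin\AppData\Local\WIiFVS4\DUI70.dll",
    r"C:\Users\Admin\AppData\Local\WIiFVS4\systemreset.exe",
    r"C:\Users\Admin\AppData\Local\XgdPOMC\msdt.exe",
    r"C:\Users\Admin\AppData\Local\XgdPOMC\wer.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk",
    r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53",
]


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def in_windows_dir(path: str) -> bool:
    return _norm(path).startswith(WINDOWS_DIRS)


def find_copied_system_binaries(processes):
    """Images whose file name also ran from the Windows directory in the same
    tree but which themselves ran from elsewhere. The system instance is the
    reference; the same-named binary outside Windows is the relocated copy."""
    by_name = defaultdict(list)
    for _pid, image, _cmd in processes:
        by_name[ntpath.basename(_norm(image))].append(image)
    copies = []
    for images in by_name.values():
        if any(in_windows_dir(i) for i in images):
            copies.extend(i for i in images if not in_windows_dir(i))
    return sorted(copies)


def find_sideload_pairs(copies, dropped):
    """DLLs dropped into the same directory as a relocated system binary: the
    loader searches that directory before System32 for non-KnownDLLs imports."""
    pairs = []
    for exe in copies:
        exe_dir = ntpath.dirname(_norm(exe))
        for path in dropped:
            if ntpath.dirname(_norm(path)) == exe_dir and _norm(path).endswith(".dll"):
                pairs.append((exe, path))
    return sorted(pairs)


def find_startup_persistence(dropped):
    """Shortcuts written to a Startup folder (8.3 short names in the path are fine)."""
    return sorted(p for p in dropped
                  if "\\programs\\startup\\" in _norm(p) and _norm(p).endswith(".lnk"))


def find_rundll32_temp_loads(processes):
    """rundll32 invocations whose command line loads a DLL from a Temp directory."""
    return [(pid, cmd) for pid, image, cmd in processes
            if ntpath.basename(_norm(image)) == "rundll32.exe" and "\\temp\\" in _norm(cmd)]


def triage(processes=PROCESSES, dropped=DROPPED):
    copies = find_copied_system_binaries(processes)
    return {
        "copied_system_binaries": copies,
        "sideload_pairs": find_sideload_pairs(copies, dropped),
        "startup_persistence": find_startup_persistence(dropped),
        "rundll32_temp_loads": find_rundll32_temp_loads(processes),
    }


if __name__ == "__main__":
    for key, items in triage().items():
        print(key)
        for item in items:
            print("  ", item)
```

Run against the transcribed records this reports three relocated binaries, three executable/DLL pairs (one per random directory), the single Startup shortcut and the initial rundll32 load. The same functions work on any process tree and drop list that can be reduced to (pid, image, command line) tuples and path strings, which is the point of deriving the copy set from co-occurrence rather than hard-coding binary names.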

Network

MITRE ATT&CK Enterprise v15

                                                              Downloads

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

                                                                Filesize

                                                                471B

                                                                MD5

                                                                1af595ccc6eb6fc50da263b1b56f6124

                                                                SHA1

                                                                6843b70ecb14c33709c6abf56b4766e08fbd0b7b

                                                                SHA256

                                                                904b2751181d601bad7740fc6dd88df654ac7eea99047a047ef9adc37fa95ff9

                                                                SHA512

                                                                e14099da90e8aa2ecf22dbe971243f092eeb41d2c305af568d8c6ddb47de800fed646d808c79d9f318fbfca26fc753237fce8eee57b7758e4f99e3c6f73f773f

                                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

                                                                Filesize

                                                                412B

                                                                MD5

                                                                47ba3c28557aa9fb73ee141cb2d9ea62

                                                                SHA1

                                                                9751c9fe567cab95cc3ef24eb80b827154d60587

                                                                SHA256

                                                                4f49321e98b076eadd085364e619d1a21aa93904b0c13066c223c7d84c76f245

                                                                SHA512

                                                                bee627e257ec04768ecc10c32053243b40c32dcc880568656ebc3e9a148172cd1be92448c7b225a36c519081e421112f158c95339646e8c8694254ed77029db0

                                                              • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HVCJPK60\microsoft.windows[1].xml

                                                                Filesize

                                                                97B

                                                                MD5

                                                                72bf25ac6d3c8077e265f7625887105b

                                                                SHA1

                                                                51b52bc669e01811e9261069b4e6c703160f3b90

                                                                SHA256

                                                                760a918c3a9caefe1573ab926c6e3c703b0d0ce7cb3db83e018241bd5c72cad1

                                                                SHA512

                                                                f4d5a1a1b044a22f85cca274419fa6b4bf6debe41689305a642696de8858c10ace5312b95795d2e4a6ae9d3df3130a203294008879fc87a4b81e3d2e99684160

                                                              • C:\Users\Admin\AppData\Local\PttLEu\SPP.dll

                                                                Filesize

                                                                156KB

                                                                MD5

                                                                120d33156e8c11097b18a0c2af1ea2ac

                                                                SHA1

                                                                fab7526aa56a44bb525a8799220d33bf88bfba72

                                                                SHA256

                                                                bae242de5088170fde6b2d834fbf94704ac29aee3db70c72ac20d3e4ab7cf33a

                                                                SHA512

                                                                22239b797107df718554d3cb0eb76e8b97af112680707ab03f1ce5640ffbbbdf8e44a0da57eca27bf332b2a7d681b10eb92ed523c94167e48e4788cfa0cfac74

                                                              • C:\Users\Admin\AppData\Local\PttLEu\SPP.dll

                                                                Filesize

                                                                247KB

                                                                MD5

                                                                8aca8f110a04720451217855bf2026b9

                                                                SHA1

                                                                83c56fb03ba241a82b24d792c4e579748098f39f

                                                                SHA256

                                                                ac98943f7bfc79ab5a33e75eac7ff50fe49faf3bd80a03dab42a19a8cf4f207f

                                                                SHA512

                                                                6ef70b524ffda3da914b566fcdf06c8e4beada4a840d449495c2ae10a3f5fa121d8f8804e8f101f7ea7540d3ec2045d5b4cf6fd3ed3069282cc35aba1a592f0f

                                                              • C:\Users\Admin\AppData\Local\PttLEu\rstrui.exe

                                                                Filesize

                                                                266KB

                                                                MD5

                                                                328b1834c8b95f7e73598a3fe4d0999c

                                                                SHA1

                                                                9c26918ab19d7718fd63e0660e1fe50c29ec64d4

                                                                SHA256

                                                                9c915c7bee2144892b95b4674269064feacfd1093b5e21cfdaf6bcba319b2074

                                                                SHA512

                                                                018910d1a8a106e0ab5c505d91f495251589ee100e9060ab480631960720651eb96dce037f7dca4aa040729497a882a8b46e53450a7ffa809c95b6f14166b895

                                                              • C:\Users\Admin\AppData\Local\PttLEu\rstrui.exe

                                                                Filesize

                                                                268KB

                                                                MD5

                                                                4cad10846e93e85790865d5c0ab6ffd9

                                                                SHA1

                                                                8a223f4bab28afa4c7ed630f29325563c5dcda1a

                                                                SHA256

                                                                9ddcfcaf2ebc810cc2e593446681bc4ccbad39756b1712cf045db8dee6310b4b

                                                                SHA512

                                                                c0db44de0d35a70277f8621a318c5099378da675376e47545cfbfa7412e70a870fd05c92e0d6523ea2e0139d54d9eeaed14973762341fa3154406ae36f4ce7c6

                                                              • C:\Users\Admin\AppData\Local\WIiFVS4\DUI70.dll

                                                                Filesize

                                                                89KB

                                                                MD5

                                                                4853c82a60cba53e21b6aadb860cfd75

                                                                SHA1

                                                                6fed1c8a1743c8420851b841d8d1ef6a0fd6b769

                                                                SHA256

                                                                b05c12eb9ff71e03df31b17e1308d15f589a30298f0373d6f28c37467c750364

                                                                SHA512

                                                                eceb470f22166d46464a25efa523ab50969c549049c43b971f44aa001bafb2b90e8f53410a01011282c033e1b3819db1d6ec7d7f8f5eb1e9f0ef6ffeb0b62584

                                                              • C:\Users\Admin\AppData\Local\WIiFVS4\DUI70.dll

                                                                Filesize

                                                                86KB

                                                                MD5

                                                                da69dd3acfeced1318ea86aadc56b488

                                                                SHA1

                                                                96eb4293adc26550ca1eee7157e45e34cb96159e

                                                                SHA256

                                                                fd3c4028751108c0c17d1b1d37304e68c87e92b7d24a659002a70fece70c81b4

                                                                SHA512

                                                                32c47a1822ab1a9678bb270319c92166a5954998b3e5546a249c1f11c6646de76709860543fb8eba53ee54d4da7985599e5bccdba3a00e446bb33fe8e5ccc10f

                                                              • C:\Users\Admin\AppData\Local\WIiFVS4\systemreset.exe

                                                                Filesize

                                                                449KB

                                                                MD5

                                                                259232e900396086fcf9d5529aa45aee

                                                                SHA1

                                                                2271b9d87060e79586b0580beed89f575c1ad370

                                                                SHA256

                                                                96660c6eaafba6ec99acc1667ab4320703db38f23e5337906d984322b6afd5e0

                                                                SHA512

                                                                e2fead3fa33157d0e440fe5c2cc8b663e9b364c7bcd43c5381fad5e9bc6fb0862c7986e9eaffa74151a0e5c93847460a6873ba8f4f389f9501557181659e3913

                                                              • C:\Users\Admin\AppData\Local\WIiFVS4\systemreset.exe

                                                                Filesize

                                                                1KB

                                                                MD5

                                                                a9c462fa1e0fa77ed85d5d08d34a8e7b

                                                                SHA1

                                                                c6cc0276edfc39729fd57058aa16ea017ce84cf9

                                                                SHA256

                                                                2f48f46e049426886362b927cd81f59b8ebfedef7670fe8901f3e1b58f2339d2

                                                                SHA512

                                                                6b3deb328cd1db6ab872188afaf46cd38e9adb47d6637272dd8749566e7e9d6887c1197b3f62aac7e5b9c45176bd46fc83f5f4e52951a019c637097bc152658b

                                                              • C:\Users\Admin\AppData\Local\XgdPOMC\msdt.exe

                                                                Filesize

                                                                191KB

                                                                MD5

                                                                79da1a6cdf2970daaa6b2ba166cd4229

                                                                SHA1

                                                                945758f55ab78e95ba470e6c2ddb1be7d6ec689b

                                                                SHA256

                                                                266511ead345e1501e563e0aed112fc2c30f167f78358f6ffebaa3caa7d66dde

                                                                SHA512

                                                                bfbf482725b1e50e9389e7492e86213e2577657cf4a84366714fce3384123768553cb372b51696e528764185cd143d4322543808577adadabd33f63127971355

                                                              • C:\Users\Admin\AppData\Local\XgdPOMC\msdt.exe

                                                                Filesize

                                                                97KB

                                                                MD5

                                                                73ef47267a5b214f33f4805160856b9e

                                                                SHA1

                                                                925afdfbd45959064f7e37253d41f92dd404c67e

                                                                SHA256

                                                                817e254be91f042e1f047f5549b4b88b10c8a4a4aab8f7675b0ce77f0102ad38

                                                                SHA512

                                                                6a482f8f67e11d344e2b9b5e33b642fa0d8ec7141de8a1d4753b4f46754b6bd2b421f9b4402c39ee814488c9d56c34366c58ab3b0d58e8ea934a35ed40413568

• C:\Users\Admin\AppData\Local\XgdPOMC\wer.dll
  Filesize: 268KB
  MD5: f92a36dc2859b33dbf2c6c478c13e32c
  SHA1: 4e5f04f12a3e1b2462989b29f49c9f518fb33c06
  SHA256: 791f717834b482bd95ba5b350ab598444557b39967697a83a86d147299536f37
  SHA512: 291888945e7f2854d225b32e473eb4eea0f3dc9cb2ebbef0ac5ff865243515aaa1fd2eed9cdba4e936e932c494e780f4b3676383c3b893fbe0339552030674d4

• C:\Users\Admin\AppData\Local\XgdPOMC\wer.dll
  Filesize: 211KB
  MD5: 79900d371203a518625ef6ab30880aae
  SHA1: 226899d6c7fecc074560d9a304c139bd1d9d89cf
  SHA256: 664010be2ee93c65bdc6afebef9fa907b892d7f73f6bd341f922d941567fb349
  SHA512: 8ec95a40c06dd02bfb28f1693d1082d10d7379182890054fdf5a7389bb2b735df5a46b69adea88d76b4ff64703efe61ea7d632f8baae0166ea2fd74d2a6a4aaa

• C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk
  Filesize: 1KB
  MD5: 1e46989c9693a04524023139e4be062a
  SHA1: 497f4ed252e0759a1bfe9599692eb95fc6e5e9df
  SHA256: c4bd69e3ea1f6b04de1a2af967950c1eac9d5b46d2c72066ef0ecf1694d61c7f
  SHA512: bb44657a4a4b3c8ffcfaef600bcd4920d931403717375723290804f5efed5bda6f8c8deee6eb1a67a88aefafb1f092e255044c30490014c5ec1c0179802b30cd

• C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\kyvZmHmBuB\DUI70.dll
  Filesize: 1.8MB
  MD5: f7ff1d8ec27011a861fa9daacb10154b
  SHA1: 22675bf115dbf67cecb93b49add062ab9e6dc1f2
  SHA256: 5e4229517e0701fd4141e11f9019b953dbbee4a6c4880109b056b75af6eafd31
  SHA512: 8e902a11cf463957e0947486ecfa1be29ffaba4813c4e74330a83ef8b096fc5369a69b22b4363637eef4fa11e0d4bee46513cb97577a720c9dfdfb336547792d

• C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\tyrZ\SPP.dll
  Filesize: 1.5MB
  MD5: 53a6fe822edb58309bcd6ebd77fe6d23
  SHA1: 6f25cc4f37e0e2f32349817a1b72d2a7a9ac028b
  SHA256: 1de22129fa621a31882069acd565d1f411ed7f24165879e74f8059878fcac644
  SHA512: c16a347f72269330e60ba45df98c10795d32c2d72da132c26d63182ba6beb2ba8b4a55cf05025e51d50325dbfdee883790aaed67b9ecf1b02d6e8ef3967d970e

• C:\Users\Admin\AppData\Roaming\Microsoft\JT\wer.dll
  Filesize: 1.5MB
  MD5: 105f36ae9fd93bbaaf6733add1ef86eb
  SHA1: b9722b83636aff79470ee0c324e332a90699cebb
  SHA256: 00af18090f8bab313d904639ea3429d58bbb0c0fc63f48113763e997a6469acb
  SHA512: 1111d39a1b49425bcf93ddeb959eb91a217608d0f7480e7294eb2d5008fbe20ecfc235b08fd2e56c09beef02c6675167ca23b3f6452144e54ac053591c445354

• memory/972-95-0x000001700C0B0000-0x000001700C0B7000-memory.dmp
  Filesize: 28KB

• memory/1128-84-0x0000000140000000-0x0000000140188000-memory.dmp
  Filesize: 1.5MB

• memory/1128-78-0x0000016485940000-0x0000016485947000-memory.dmp
  Filesize: 28KB

• memory/1128-79-0x0000000140000000-0x0000000140188000-memory.dmp
  Filesize: 1.5MB

• memory/3016-112-0x0000018C35300000-0x0000018C35307000-memory.dmp
  Filesize: 28KB

• memory/3316-22-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-58-0x00007FFD07F20000-0x00007FFD07F30000-memory.dmp
  Filesize: 64KB

• memory/3316-31-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-29-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-32-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-33-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-34-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-36-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-37-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-35-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-38-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-28-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-39-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-43-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-46-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-48-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-49-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-50-0x00000000006D0000-0x00000000006D7000-memory.dmp
  Filesize: 28KB

• memory/3316-47-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-45-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-44-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-41-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-42-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-40-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-57-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-30-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-67-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-69-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-27-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-26-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-25-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-24-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-23-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-4-0x0000000007E20000-0x0000000007E21000-memory.dmp
  Filesize: 4KB

• memory/3316-21-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-20-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-19-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-18-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-17-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-15-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-16-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-14-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-6-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-8-0x00007FFD0641A000-0x00007FFD0641B000-memory.dmp
  Filesize: 4KB

• memory/3316-13-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-12-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-11-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-10-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/3316-9-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/4220-7-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/4220-1-0x0000000140000000-0x0000000140186000-memory.dmp
  Filesize: 1.5MB

• memory/4220-0-0x000001CAA7570000-0x000001CAA7577000-memory.dmp
  Filesize: 28KB