Analysis Overview
SHA256
22cfa40d7e29bf79dc313aa90b86ea3a7716d0a95e553cfe8d112098645a039b
Threat Level: Known bad
The file 706c428f1cdf3c4e2003ba9c1a54b608 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Analysis: static1
Detonation Overview
Reported
2024-01-23 19:52
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-23 19:52
Reported
2024-01-23 19:55
Platform
win7-20231215-en
Max time kernel
150s
Max time network
124s
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ocD\msdt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\iOo\javaws.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ocD\msdt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\iOo\javaws.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\aLC1Q\\javaws.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ocD\msdt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\iOo\javaws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1224 wrote to memory of 2336 | N/A | N/A | C:\Windows\system32\msdt.exe |
| PID 1224 wrote to memory of 2336 | N/A | N/A | C:\Windows\system32\msdt.exe |
| PID 1224 wrote to memory of 2336 | N/A | N/A | C:\Windows\system32\msdt.exe |
| PID 1224 wrote to memory of 2580 | N/A | N/A | C:\Users\Admin\AppData\Local\ocD\msdt.exe |
| PID 1224 wrote to memory of 2580 | N/A | N/A | C:\Users\Admin\AppData\Local\ocD\msdt.exe |
| PID 1224 wrote to memory of 2580 | N/A | N/A | C:\Users\Admin\AppData\Local\ocD\msdt.exe |
| PID 1224 wrote to memory of 572 | N/A | N/A | C:\Windows\system32\javaws.exe |
| PID 1224 wrote to memory of 572 | N/A | N/A | C:\Windows\system32\javaws.exe |
| PID 1224 wrote to memory of 572 | N/A | N/A | C:\Windows\system32\javaws.exe |
| PID 1224 wrote to memory of 272 | N/A | N/A | C:\Users\Admin\AppData\Local\iOo\javaws.exe |
| PID 1224 wrote to memory of 272 | N/A | N/A | C:\Users\Admin\AppData\Local\iOo\javaws.exe |
| PID 1224 wrote to memory of 272 | N/A | N/A | C:\Users\Admin\AppData\Local\iOo\javaws.exe |
| PID 1224 wrote to memory of 2948 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe |
| PID 1224 wrote to memory of 2948 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe |
| PID 1224 wrote to memory of 2948 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe |
| PID 1224 wrote to memory of 2428 | N/A | N/A | C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe |
| PID 1224 wrote to memory of 2428 | N/A | N/A | C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe |
| PID 1224 wrote to memory of 2428 | N/A | N/A | C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe |
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\706c428f1cdf3c4e2003ba9c1a54b608.dll,#1 |
| C:\Windows\system32\msdt.exe | C:\Windows\system32\msdt.exe |
| C:\Users\Admin\AppData\Local\ocD\msdt.exe | C:\Users\Admin\AppData\Local\ocD\msdt.exe |
| C:\Windows\system32\javaws.exe | C:\Windows\system32\javaws.exe |
| C:\Users\Admin\AppData\Local\iOo\javaws.exe | C:\Users\Admin\AppData\Local\iOo\javaws.exe |
| C:\Windows\system32\OptionalFeatures.exe | C:\Windows\system32\OptionalFeatures.exe |
| C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe | C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe |
Network
Files
C:\Users\Admin\AppData\Local\ocD\msdt.exe
| MD5 | aecb7b09566b1f83f61d5a4b44ae9c7e |
| SHA1 | 3a4a2338c6b5ac833dc87497e04fe89c5481e289 |
| SHA256 | fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5 |
| SHA512 | 6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746 |
C:\Users\Admin\AppData\Local\ocD\wer.dll
| MD5 | 213392b3514791546c9366ef10d1af20 |
| SHA1 | 5c3353c4bdd2ff7abe33fe0b792e1e3c3a073fee |
| SHA256 | 7a9c0f847ee198084e949537b3dbb1f35f16b01bfe1687238044ddece6d6cbc0 |
| SHA512 | 64a85f11cd562250bb80200b7458516a6911c10d2b3d576c647d9cdf67b57a685033d296ab0d233c165f53f3d08bb14c21bd8533145ce0f8ab63e64879fcf7c4 |
\Users\Admin\AppData\Local\iOo\javaws.exe
| MD5 | f94bc1a70c942621c4279236df284e04 |
| SHA1 | 8f46d89c7db415a7f48ccd638963028f63df4e4f |
| SHA256 | be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c |
| SHA512 | 60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52 |
C:\Users\Admin\AppData\Local\iOo\VERSION.dll
| MD5 | 1daa5a9cbf5d3861c7b982d87207511d |
| SHA1 | 5701d227804ff5609d0b8e8a84588f2d37ed6c1f |
| SHA256 | 73671aac3e08e4e6f59b324a5e17c39a13df4a8ce8b3bfc9ccc44f230b9bb5df |
| SHA512 | 6d80e531350f1088ed601a7f48b87d64fb5c97170c91796776d922da3f8bbd5e6b5c9636d884da808a170a4e8e60924571ac27a08796d4f48993d75be2462bf8 |
\Users\Admin\AppData\Local\xgBL\appwiz.cpl
| MD5 | acf818af83b1ea00392f2ce293d203fc |
| SHA1 | 6f84de0e100e154d1271fed79fb09c4eb945f3e1 |
| SHA256 | ac4c5b95e1c9faebff642e5da2616cac5879133d7d4aeb54977c27047ee19c27 |
| SHA512 | f6112e46825c897dc4ef2d7c27cd3086f58c826b5fe695e7e646d5d7f677dcf1536292b57a4f9ceaa9a2802a7375021466904584c0facb08073694bdcfec0bd1 |
C:\Users\Admin\AppData\Local\xgBL\OptionalFeatures.exe
| MD5 | eae7af6084667c8f05412ddf096167fc |
| SHA1 | 0dbe8aba001447030e48e8ad5466fd23481e6140 |
| SHA256 | 01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc |
| SHA512 | 172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk
| MD5 | 56258109373a1e7d9ebaa8691415f131 |
| SHA1 | ba239640bca22de27fca669bc3a080e7504fd800 |
| SHA256 | 255d18eb1d8849d1f72b1c830348a4aaf7f8e19730443667f444214d91f98aed |
| SHA512 | d63a013fc950161af12f96d192fe3949f5a9e7a95a025dabcdb12934fb14a181a4154f0ffd669f868125a1340a62158a2f5cc7c178a63e32436d55c99c8e4145 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-23 19:52
Reported
2024-01-23 19:55
Platform
win10v2004-20231215-en
Max time kernel
1s
Max time network
158s
Signatures
Dridex
Dridex Shellcode
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\706c428f1cdf3c4e2003ba9c1a54b608.dll,#1 |
| C:\Windows\system32\omadmclient.exe | C:\Windows\system32\omadmclient.exe |
| C:\Windows\system32\EhStorAuthn.exe | C:\Windows\system32\EhStorAuthn.exe |
| C:\Windows\system32\SystemPropertiesPerformance.exe | C:\Windows\system32\SystemPropertiesPerformance.exe |
| C:\Users\Admin\AppData\Local\edlk\SystemPropertiesPerformance.exe | C:\Users\Admin\AppData\Local\edlk\SystemPropertiesPerformance.exe |
| C:\Users\Admin\AppData\Local\vaJ8\EhStorAuthn.exe | C:\Users\Admin\AppData\Local\vaJ8\EhStorAuthn.exe |
| C:\Users\Admin\AppData\Local\bOjF4Jk\omadmclient.exe | C:\Users\Admin\AppData\Local\bOjF4Jk\omadmclient.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 65.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.179.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\bOjF4Jk\XmlLite.dll
| MD5 | 701a71f2b74f5092847975606808ca4d |
| SHA1 | 89274d5e375a3c62007f2e894cbbeb4879d315c7 |
| SHA256 | 65c283350046436b646cdc292b860b9a2cfd608b8c507a7bcce9affecb8a503e |
| SHA512 | ea74780939280255210feb24392af2d16eef96fe4892bb3c6cffc9acfca8354831ae01c97fb79987ddd32c63ca88866afce1aa8250aff76b757c36f69f5ff8b8 |
C:\Users\Admin\AppData\Local\bOjF4Jk\omadmclient.exe
| MD5 | 643b671742f0ce8f4d6fc96d00e71597 |
| SHA1 | 79735cf624c98a932b75fbfcd860be807b7d8ee2 |
| SHA256 | 3a75a4cf5833ba5ecd1196d8d2b16cf040fc3d2daf0aebf4298014aa3e596976 |
| SHA512 | 9fe3df3a7de19934a07ce83d51e3275d6cbfc007c9d15cdfe71f576bda941ad1fc6e129c65a7aee93e4f0f81bca528cad746cebdcfa9b978fcf86c7e1ac33a49 |
C:\Users\Admin\AppData\Local\bOjF4Jk\XmlLite.dll
| MD5 | 287c9cde6c9b41d941245a271ad72bad |
| SHA1 | 49f13e6cb1887a2055fade2ddb34d8358ac69073 |
| SHA256 | 3607509832b1ac80d6020d6a710db27a251105ba7943a75b33c77a6fbfa53c3f |
| SHA512 | 9f1df7fcf686b72a7a977e7fe9054b0703b48cfd2eaa9efa989f61499a65854af974316d1d61898af2c9200535f5bd9348134dc1f8d973c5d7c75d94adc97acd |
C:\Users\Admin\AppData\Local\bOjF4Jk\omadmclient.exe
| MD5 | 616ae83739ea1f90abe55f89bf96fcc5 |
| SHA1 | 997aef54da588559bfe642b8605bcd1546d28489 |
| SHA256 | 0bb5de5f2177663061d5d52146f8138a71e734c950cd436a5f695b423ed17f70 |
| SHA512 | deafd997cb8669158b7578bc044fdc6bf52499a507b3b737ec536fab68795029b2661093b12edef745ecec6a4862bdf35f46cafe87aec23cd321acd3c02b20b8 |
C:\Users\Admin\AppData\Local\bOjF4Jk\XmlLite.dll
| MD5 | 3839d0bf80748bf372ab51605802e633 |
| SHA1 | a91366466ff5f3948a48d920779c33f464d7a5d1 |
| SHA256 | a236a146ff2a84b2d7b4e9abb9a640576cc223bafccb22575817c351878fa424 |
| SHA512 | ab4f570a848cabd985106e553cd05a96481fd4db6ff4deee675a2141a9e2e031d9cea7a9bae55da4a17a434357cc2a83bd122c1b06cbb79105272ba46f6e76bc |
C:\Users\Admin\AppData\Local\bOjF4Jk\XmlLite.dll
| MD5 | a2fe86348bd66d0555a70d2ddc5bc8ec |
| SHA1 | a0c494062a629c2759285d67a4f3650b767d868a |
| SHA256 | bc3dea993c6c2ac149584374088881120456a33a63c1ff22de4e6608cb3e5e98 |
| SHA512 | 8e97c2c9fd102741d75e6a71a2e149c4356d74875be10e0820d4c461f0b5340cc4fb5650873ce46684f8f9e2af81c763933939747f395717804a72f9f1d5e0a9 |
C:\Users\Admin\AppData\Local\vaJ8\UxTheme.dll
| MD5 | 6cf801a60387ea807170680e796d55da |
| SHA1 | 05df3f71b273da19268137cf882444ec7cefe2ca |
| SHA256 | 294398b842356ddb9a4c8a1565429752768936974e5076677edb1cb599996cd5 |
| SHA512 | 81074b61209cfcd6155d5bea46ef95360dd4d8b4870fe6dfb1cebc23c92247910433ac52910f8fc6416e006e610114de52c4161930f661d4fd12f2bb34c3bcaa |
C:\Users\Admin\AppData\Local\vaJ8\UxTheme.dll
| MD5 | 8211d674831d4c6b4c94c22de4ee5aef |
| SHA1 | e35f1276f1f65111d1791f30ae5542a6ca140053 |
| SHA256 | b60c8a916116f3afb93d101ebc9e63bb3c4a637f5f6c46e4ccd7cdd9394a2b62 |
| SHA512 | 32b764a15e0bfdf7d40bfea8f84d898aa33269d7471a3b00a7329f89b956cd0362be1914ba6bc41bfc9bb67d1de1c6169e855cf7329604c0a6fa13d2f3e47b7c |
C:\Users\Admin\AppData\Local\vaJ8\EhStorAuthn.exe
| MD5 | d45618e58303edb4268a6cca5ec99ecc |
| SHA1 | 1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513 |
| SHA256 | d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c |
| SHA512 | 5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd |
C:\Users\Admin\AppData\Local\edlk\SYSDM.CPL
| MD5 | d1fd78be8f1d9e8bf3762965356b1fbc |
| SHA1 | 67396f71236dea6868997ea2e05ff784e761cda6 |
| SHA256 | 5bb77831ec8687e9849eecc000b7cd5766d205efe018d811129c4b64d33f901c |
| SHA512 | 1232a5c73fae3548f06198f3726d457f50dba68f1aaa1cbe022a7a3b877556aecf446eb79a64495d56d2a17ba2690ecbd2d6e2133182cdfd976b345d7a738f9a |
C:\Users\Admin\AppData\Local\edlk\SYSDM.CPL
| MD5 | a19228387e84b10ead3513cbf29d768a |
| SHA1 | 6f2beb8e878a2dd88230d65b4fb48b2588f5a240 |
| SHA256 | e99c2dfb1ca37677e8f835ffee92b7e56ed2fbe4601b5f7e0919263f5f0924ab |
| SHA512 | 6056ccbb9be2d25f135981a6b2fd38710add3d93420a8eca5079524d270b829e4d430fab091fb80c55bbc3d6eab5c20e97358fe4780abad857a2e4276c87d1ea |
C:\Users\Admin\AppData\Local\edlk\SystemPropertiesPerformance.exe
| MD5 | e4fbf7cab8669c7c9cef92205d2f2ffc |
| SHA1 | adbfa782b7998720fa85678cc85863b961975e28 |
| SHA256 | b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30 |
| SHA512 | c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk
| MD5 | d919b6d93ec53dbe68e19e2e7b6a1ff9 |
| SHA1 | 0ebbf3bedcc35b57557aaf7e65ac404f5c1dcdc2 |
| SHA256 | 79c3324f6c65bc68b4e7bb4a5cf00e8bbab687aa019d1df538c1415ab382eeed |
| SHA512 | b0fadaf41f76613da72503d38ed4ce96eba0a7f65425c0e508d5da517214fd75245fc9369e0c045bf025da30eaffb9b5b58f184b565d776448caa698e7d91b3c |
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\aoDuCF8rbr\XmlLite.dll
| MD5 | 371dba2f4e4568c391788ea271d6275b |
| SHA1 | 73354a0bdfa49eb2e02696c83ca3049d2b954348 |
| SHA256 | ddbf2d2f5f720f756f4180c1fb8eff0ea83ddca514ab01ff6bdf7dfbfc35c2b7 |
| SHA512 | 53917b9a16d84ac66d02ab0bb5563e58387b7986d9388faa0a5a5db933956bbbd305554da99edacbc65cdc37098fc5da5e5ec563bab3c5b87a4d0b026349d76f |
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\aoDuCF8rbr\XzRaiWMOq\UxTheme.dll
| MD5 | d78b7c50e9a19001281da02040a0b6d2 |
| SHA1 | ce9fcd4b6df0418528143e011bb42a4f969914b5 |
| SHA256 | 2d667f18803916a2e619cb89785fcd7070c960b66a8510523980920ac269c330 |
| SHA512 | a22f7a87e380fb902e4c3ba57c0ea10e6bd465e23812f96b1833ba37a2b6e23b925092cad44eef2531a558a3d51f0986b150f51824a527ba9ca5b0a82ea908e2 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\ogj\SYSDM.CPL
| MD5 | cb45f96921418a42eb64cd2efde7c8a4 |
| SHA1 | 76f965faf6cfd37b6e3cec01626c9f953b1cc7b3 |
| SHA256 | 06851a71f213e55d80b637c3e29e10f68c9d59d2cad18ff887d1787712a6f701 |
| SHA512 | a3b2a5e58eef50b227381928d54bd33e4a5bed9df3408a77c0d5c00dd464996e7767280ae48be1350b802ab3fd4d67ae16be02c190b6fd66d1bc335737d21a94 |