165fb59360683122125271d668cfb28c3ad9502d559e491856005178fb22a254

Resubmissions

29-04-2024 17:56

240429-wjgllsgg29 10

17-04-2024 14:59

240417-sc15wsef8y 10

16-04-2024 14:20

240416-rnxq6sdg3t 10

Analysis

max time kernel
1764s
max time network
1604s
platform
windows10-1703_x64
resource
win10-20240404-de
resource tags

arch:x64arch:x86image:win10-20240404-delocale:de-deos:windows10-1703-x64systemwindows
submitted
16-04-2024 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll
Size

628KB
MD5

97a26d9e3598fea2e1715c6c77b645c2
SHA1

c4bf3a00c9223201aa11178d0f0b53c761a551c4
SHA256

e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f
SHA512

acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c
SSDEEP

12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xeezdllq = "\"C:\\Users\\Admin\\AppData\\Roaming\\XCgv\\BitLockerWizard.exe\""

Drops file in System32 directory 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Windows\system32\5TH4\RdpSaUacHelper.exe	cmd.exe
File opened for modification	C:\Windows\system32\5TH4\RdpSaUacHelper.exe	cmd.exe

Drops file in Windows directory 1 IoCs

Processes:

fodhelper.exe

description ioc process

File created C:\Windows\rescache\_merged\2717123927\1590785016.pri fodhelper.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3416 schtasks.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\2717123927\1590785016.pri	fodhelper.exe

pid	process
3416	schtasks.exe

Modifies registry class 10 IoCs

Processes:

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\ms-settings\shell\open\command
Key deleted	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\ms-settings\shell
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\ms-settings
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\ms-settings\shell
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\PHR.cmd"
Key deleted	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\ms-settings\shell\open
Key deleted	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\ms-settings
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\ms-settings\shell\open\command
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\ms-settings\shell\open
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\ms-settings\shell\open\command\DelegateExecute

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4568	rundll32.exe
4568	rundll32.exe
4568	rundll32.exe
4568	rundll32.exe
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3332

pid	process
3332

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fodhelper.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3332 wrote to memory of 1316	3332		BitLockerWizard.exe
PID 3332 wrote to memory of 1316	3332		BitLockerWizard.exe
PID 3332 wrote to memory of 652	3332		cmd.exe
PID 3332 wrote to memory of 652	3332		cmd.exe
PID 3332 wrote to memory of 3212	3332		RdpSaUacHelper.exe
PID 3332 wrote to memory of 3212	3332		RdpSaUacHelper.exe
PID 3332 wrote to memory of 1536	3332		cmd.exe
PID 3332 wrote to memory of 1536	3332		cmd.exe
PID 3332 wrote to memory of 2184	3332		fodhelper.exe
PID 3332 wrote to memory of 2184	3332		fodhelper.exe
PID 2184 wrote to memory of 4108	2184	fodhelper.exe	cmd.exe
PID 2184 wrote to memory of 4108	2184	fodhelper.exe	cmd.exe
PID 4108 wrote to memory of 3416	4108	cmd.exe	schtasks.exe
PID 4108 wrote to memory of 3416	4108	cmd.exe	schtasks.exe
PID 3332 wrote to memory of 4560	3332		cmd.exe
PID 3332 wrote to memory of 4560	3332		cmd.exe
PID 4560 wrote to memory of 4940	4560	cmd.exe	schtasks.exe
PID 4560 wrote to memory of 4940	4560	cmd.exe	schtasks.exe
PID 3332 wrote to memory of 1312	3332		cmd.exe
PID 3332 wrote to memory of 1312	3332		cmd.exe
PID 1312 wrote to memory of 1544	1312	cmd.exe	schtasks.exe
PID 1312 wrote to memory of 1544	1312	cmd.exe	schtasks.exe
PID 3332 wrote to memory of 2256	3332		cmd.exe
PID 3332 wrote to memory of 2256	3332		cmd.exe
PID 2256 wrote to memory of 2372	2256	cmd.exe	schtasks.exe
PID 2256 wrote to memory of 2372	2256	cmd.exe	schtasks.exe
PID 3332 wrote to memory of 2356	3332		cmd.exe
PID 3332 wrote to memory of 2356	3332		cmd.exe
PID 2356 wrote to memory of 3260	2356	cmd.exe	schtasks.exe
PID 2356 wrote to memory of 3260	2356	cmd.exe	schtasks.exe
PID 3332 wrote to memory of 4240	3332		cmd.exe
PID 3332 wrote to memory of 4240	3332		cmd.exe
PID 4240 wrote to memory of 3236	4240	cmd.exe	schtasks.exe
PID 4240 wrote to memory of 3236	4240	cmd.exe	schtasks.exe
PID 3332 wrote to memory of 2584	3332		cmd.exe
PID 3332 wrote to memory of 2584	3332		cmd.exe
PID 2584 wrote to memory of 2332	2584	cmd.exe	schtasks.exe
PID 2584 wrote to memory of 2332	2584	cmd.exe	schtasks.exe
PID 3332 wrote to memory of 4684	3332		cmd.exe
PID 3332 wrote to memory of 4684	3332		cmd.exe
PID 4684 wrote to memory of 5116	4684	cmd.exe	schtasks.exe
PID 4684 wrote to memory of 5116	4684	cmd.exe	schtasks.exe
PID 3332 wrote to memory of 3972	3332		cmd.exe
PID 3332 wrote to memory of 3972	3332		cmd.exe
PID 3972 wrote to memory of 4544	3972	cmd.exe	schtasks.exe
PID 3972 wrote to memory of 4544	3972	cmd.exe	schtasks.exe
PID 3332 wrote to memory of 4100	3332		cmd.exe
PID 3332 wrote to memory of 4100	3332		cmd.exe
PID 4100 wrote to memory of 3920	4100	cmd.exe	schtasks.exe
PID 4100 wrote to memory of 3920	4100	cmd.exe	schtasks.exe
PID 3332 wrote to memory of 4104	3332		cmd.exe
PID 3332 wrote to memory of 4104	3332		cmd.exe
PID 4104 wrote to memory of 3144	4104	cmd.exe	schtasks.exe
PID 4104 wrote to memory of 3144	4104	cmd.exe	schtasks.exe
PID 3332 wrote to memory of 4108	3332		cmd.exe
PID 3332 wrote to memory of 4108	3332		cmd.exe
PID 4108 wrote to memory of 2532	4108	cmd.exe	schtasks.exe
PID 4108 wrote to memory of 2532	4108	cmd.exe	schtasks.exe
PID 3332 wrote to memory of 4940	3332		cmd.exe
PID 3332 wrote to memory of 4940	3332		cmd.exe
PID 4940 wrote to memory of 2844	4940	cmd.exe	schtasks.exe
PID 4940 wrote to memory of 2844	4940	cmd.exe	schtasks.exe
PID 3332 wrote to memory of 1308	3332		cmd.exe
PID 3332 wrote to memory of 1308	3332		cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4568

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:1316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\T5Ck.cmd
1⤵
PID:652

C:\Windows\system32\RdpSaUacHelper.exe
C:\Windows\system32\RdpSaUacHelper.exe
1⤵
PID:3212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\dPR2BQ.cmd
1⤵
- Drops file in System32 directory
PID:1536

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\PHR.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /F /TN "Rcdyofwazvalcnc" /TR C:\Windows\system32\5TH4\RdpSaUacHelper.exe /SC minute /MO 60 /RL highest
    3⤵
    - Creates scheduled task(s)
    PID:3416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:1544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:3260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:3236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:5116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:3920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:3144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:1308
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:1580
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3588
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:1464
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:1904
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:3236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:1788
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:2756
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4128
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:3612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:1056
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:1708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:2488
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:1404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4100
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:516
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:3652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3092
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3060
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:1312
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:5060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:2368
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:5032
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4704
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:1464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:2496
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:1016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:2260
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4680
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:1864
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:200
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:3764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4968
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:3724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:1536
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:1000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3556
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4108
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:5104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4484
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:3060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4112
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:1312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:2088
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4220
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4160
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4308
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:1904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:2188
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4776
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:1624
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4976
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:1492
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:1740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4212
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3940
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:1056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:1212
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4164
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:2428
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:3556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:5092
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3604
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3776
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3324
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4168
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3264
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:684
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:1136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3756
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:1368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:2580
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:5056
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4548
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:1084
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:1824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3532
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3516
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4048
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4664
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3408
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3416
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:2592
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3580
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4068
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3656
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:4944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:2072
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:3540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3380
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:1016
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:5020
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:3936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3400
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:1184

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4480
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:1864
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:5024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:612
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:2348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:1628
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:1716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:3364
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:3480

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Rcdyofwazvalcnc"
1⤵
PID:4832
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Rcdyofwazvalcnc"
  2⤵
  PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PHR.cmd

Filesize
138B

MD5
faf61c05e5ec2ded80b4e80725fd7587

SHA1
46dc823c65fc81998ba629c683de3093bf55ef5d

SHA256
e6d7d85cc91824cfc0974684215414e8e685883f7a25129a063605f809b32050

SHA512
2ed3e5972c883918e6587f66dbee9ef9418857d8b5c8859b4e0b86eaa423fb8b154fca5b51369a8d42e6b0dcf931e901801d1db7c09199bf72b9320c5ec6d35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\T5Ck.cmd

Filesize
233B

MD5
6948773e3e6fa4377d016dbb09bdef5c

SHA1
1e9b392219611e2cf8bbc0512445e46a3b575b45

SHA256
a3731b0caffa10d4a4f62cd1e99a47102d55c08a2469c1584b8fd1177d246137

SHA512
90f10bb69f7ea21cbc8da72e79d590c2e29c16f4dab887263fe26709eb30548fadb0fae41abbce909ab2b36b4dcf6c359c918fef4f834a4cfe95bf8fd8c8bdc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TfXEDEB.tmp

Filesize
636KB

MD5
41677541c17b78e18ead70d82ea91cc2

SHA1
7bdb97d8c47fcc973cd12154ef26ae0e25259f2c

SHA256
b495472d062218ae5c8e201240242ed661ca87e59697cf610a97668678932bc6

SHA512
bffd5db96dd82497b07f8420ee0e1b49581b71ff4443258e62aa7292e1d7130574608cb5afc23c5c2a8f46a735e3787c8970376d7edb961c8cca57a9c723fdfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\dPR2BQ.cmd

Filesize
200B

MD5
8e1a9b73369e085b908776a74a6a527a

SHA1
a554d96b6704edc1348003ff5db22ce8946641f0

SHA256
b94443db26679ea067b0e071504b2c7f4c73b64e3a2bb70be8560277ccfb265f

SHA512
aa957cdf17f263905023719950151f8367ef9ddf8c7bee97e6863e8c3f9080b68ed01c8aa23ac7cfc365a8d45da2e5bacec8c6c92b0c544bb50c711f3445f245

Download Submit
C:\Users\Admin\AppData\Local\Temp\zFC505.tmp

Filesize
632KB

MD5
650c5a63168b7739a7e2f68c6bce5130

SHA1
f49c5de4fd7121751f4a91a364782f449752d8e4

SHA256
baf818c8dd30b55aad01c353e566a74e5a3957109df2777fcac098646b6560e4

SHA512
7dd95136a49c04f8eaf1fd18215ffd61fc4438ca18aa3679548d6b5b0bb0a24ea85c3ce57c13eec6f53781176e6b291497d15bd03640bd2e88afb9741810dbed

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xeezdllq.lnk

Filesize
938B

MD5
7a2551189f91d9df6570f81828f59f4a

SHA1
11a333566dde8b93e2ee88edccb747cd0f8197cf

SHA256
297f466ba267e84b93be457cd6304425c174e9617530f9b87b5a157177e49e5a

SHA512
b0f86e3254be7ed57545547d3b3c18f67fc90054ea4591bd6153bf8a64d5c76434f924bb77b3d883ae4d436ef4fb7de9e281a8d49fa990513c9dd9f80fe6ca5e

Download Submit
C:\Users\Admin\AppData\Roaming\XCgv\BitLockerWizard.exe

Filesize
100KB

MD5
c213e950a565d1fbe302961f029dddc8

SHA1
edeaf01a3dbfdfca54a5e25c121d9645dd75bf86

SHA256
f90e755a99ce576c643b751d4f87f4b301d0bf7264f74023225b9b8b7f2e302d

SHA512
081f5ee07b6ffae41e494a13c720a8fb92a05c68b1f72c0bc6422050fabc2a433b84f6a3991defa4bfc9d5a721fb8cd83927613d4423f918cf8e57427e825fb0

Download Submit
memory/3332-18-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3332-10-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3332-15-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3332-14-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3332-16-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3332-3-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3332-17-0x0000000000D00000-0x0000000000D07000-memory.dmp

Filesize
28KB

Download
memory/3332-24-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3332-27-0x00007FFC91815000-0x00007FFC91816000-memory.dmp

Filesize
4KB

Download
memory/3332-28-0x00007FFC91950000-0x00007FFC91952000-memory.dmp

Filesize
8KB

Download
memory/3332-37-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3332-39-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3332-13-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3332-12-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3332-11-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3332-7-0x00007FFC8FBB3000-0x00007FFC8FBB4000-memory.dmp

Filesize
4KB

Download
memory/4568-9-0x00007FFC85E30000-0x00007FFC85ECD000-memory.dmp

Filesize
628KB

Download
memory/4568-1-0x000002529C210000-0x000002529C217000-memory.dmp

Filesize
28KB

Download
memory/4568-0-0x00007FFC85E30000-0x00007FFC85ECD000-memory.dmp

Filesize
628KB

Download