Malware Analysis Report

2024-11-30 21:16

Sample ID: 231230-d5pv1afff2
Target: 0d22c81b42302e2112892de0c0d6a36b
SHA256: 8fd540d8ddd32217d844155363837a0364436b0ed7ec69f206446f29e0650332
Tags: dridex, botnet, evasion, payload, persistence, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 8fd540d8ddd32217d844155363837a0364436b0ed7ec69f206446f29e0650332

Threat Level: Known bad

The file 0d22c81b42302e2112892de0c0d6a36b was found to be: Known bad.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, persistence, trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-30 03:35

Signatures

Unsigned PE
Indicator table: no description, indicator, process or target recorded.

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-30 03:35
Reported: 2023-12-31 16:03
Platform: win10v2004-20231215-en
Max time kernel: 2s
Max time network: 5s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d22c81b42302e2112892de0c0d6a36b.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d22c81b42302e2112892de0c0d6a36b.dll,#1

Network

Country  Destination       Domain  Proto
US       138.91.171.81:80  (none)  tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-30 03:35
Reported: 2023-12-31 15:55
Platform: win7-20231215-en
Max time kernel: 151s
Max time network: 124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d22c81b42302e2112892de0c0d6a36b.dll,#1

Signatures

Dridex
Tags: botnet, dridex

Dridex Shellcode
Tags: botnet, payload
Indicator table: no description, indicator, process or target recorded.

Loads dropped DLL

Process
C:\Users\Admin\AppData\Local\MgrThq\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\bIH1lsfZ\VaultSysUi.exe
C:\Users\Admin\AppData\Local\Xh7axlA0\psr.exe
8 events in total; the remaining 5 carry no description, indicator, process or target.

Adds Run key to start application
Tags: persistence

Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\MEDIAC~1\\axPA\\VAULTS~1.EXE"
Process and target: not recorded.

Note: the value is written with 8.3 short names. Expanding them is consistent with C:\Users\Admin\AppData\Roaming\Media Center Programs\axPA\VaultSysUi.exe, the directory in which a credui.dll is dropped (see Files). The executable itself does not appear in the Files list, so the expansion is inferred from this report rather than recorded by it.

Checks whether UAC is enabled
Tags: evasion, trojan

Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Processes:
  C:\Users\Admin\AppData\Local\MgrThq\SystemPropertiesRemote.exe
  C:\Users\Admin\AppData\Local\bIH1lsfZ\VaultSysUi.exe
  C:\Users\Admin\AppData\Local\Xh7axlA0\psr.exe
  C:\Windows\system32\rundll32.exe
Target: not recorded.

Suspicious behavior: EnumeratesProcesses

Process
C:\Windows\system32\rundll32.exe (3 events)
64 events in total; the remaining 61 carry no description, indicator, process or target.

Suspicious use of WriteProcessMemory

Source PID  Target PID  Writes  Target image
1264        1868        3       C:\Windows\system32\SystemPropertiesRemote.exe
1264        284         3       C:\Users\Admin\AppData\Local\MgrThq\SystemPropertiesRemote.exe
1264        2928        3       C:\Windows\system32\VaultSysUi.exe
1264        2908        3       C:\Users\Admin\AppData\Local\bIH1lsfZ\VaultSysUi.exe
1264        2060        3       C:\Windows\system32\psr.exe
1264        1112        3       C:\Users\Admin\AppData\Local\Xh7axlA0\psr.exe

Description, indicator and process columns were not recorded; the rows are listed in recorded order, so for each binary the System32 original is written to before the copy under AppData\Local. PID 1264 is never itself a target, the Files section dumps its 0x140000000-0x14033A000 image region repeatedly, and the Processes list contains only rundll32.exe besides the six targets, so PID 1264 is most plausibly the rundll32.exe hosting the sample. That identification is inferred from this report, not stated by it.

Uses Task Scheduler COM API
Tags: persistence
Indicator table: not recorded.

Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d22c81b42302e2112892de0c0d6a36b.dll,#1

C:\Windows\system32\SystemPropertiesRemote.exe
  Command line: image path only

C:\Users\Admin\AppData\Local\MgrThq\SystemPropertiesRemote.exe
  Command line: image path only

C:\Windows\system32\VaultSysUi.exe
  Command line: image path only

C:\Users\Admin\AppData\Local\bIH1lsfZ\VaultSysUi.exe
  Command line: image path only

C:\Windows\system32\psr.exe
  Command line: image path only

C:\Users\Admin\AppData\Local\Xh7axlA0\psr.exe
  Command line: image path only
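The behavioral1 run shows a small set of behaviours that are worth encoding as detections: three System32 binaries (SystemPropertiesRemote.exe, VaultSysUi.exe, psr.exe) executing from freshly created directories under AppData\Local, each loading a DLL (SYSDM.CPL, credui.dll, WTSAPI32.dll) from that same directory instead of from System32, a Run key whose 8.3 short-name value resolves under AppData\Roaming, a .lnk written to the Startup folder, and rundll32 (PID 1264) writing into every process it spawned. The following detection logic is an added example and not part of the sandbox output. It runs over constructed Sysmon-style events: the event layout and field names are assumptions, the paths and PIDs are taken from this report, and the set of Windows binary names is limited to the ones seen here (a real deployment would use a full System32 inventory).

```python
"""Detection logic for the behaviours recorded in this report, exercised on
constructed Sysmon-style events rather than the sandbox's own telemetry."""
import ntpath
import re

# Binaries this sample copied out of System32 (from the Processes and Files lists).
# Assumption: a production rule would carry the full list of System32 executables.
WINDOWS_BINARIES = {"systempropertiesremote.exe", "vaultsysui.exe", "psr.exe", "rundll32.exe"}

# Locations a standard user can write to; a Windows binary executing from here is a masquerade.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_DIR = re.compile(r"\\(startm~1|start menu)\\programs\\startup\\", re.I)
SHORT_NAME = re.compile(r"~\d+(?=[.\\]|$)")  # 8.3 components such as MEDIAC~1 or VAULTS~1.EXE


def _dir(path):
    return ntpath.dirname(path).lower()


def _base(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Return a list of (rule, detail) tuples for the events that match a rule."""
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            image = ev["image"]
            if _base(image) in WINDOWS_BINARIES and USER_WRITABLE.match(image):
                alerts.append(("masquerading_windows_binary", image))
        elif kind == "image_load":
            # A DLL resolved from the process's own user-writable directory rather than
            # System32 is the search-order hijack this run relies on.
            image, dll = ev["image"], ev["loaded"]
            if (dll.lower().endswith((".dll", ".cpl")) and _dir(dll) == _dir(image)
                    and USER_WRITABLE.match(dll)):
                alerts.append(("sideloaded_dll", f"{image} loaded {dll}"))
        elif kind == "registry_set":
            key, value = ev["key"], ev["value"].strip('"')
            if RUN_KEY.search(key) and USER_WRITABLE.match(value):
                tag = " (8.3 short name)" if SHORT_NAME.search(value) else ""
                alerts.append(("run_key_to_appdata", f"{key} = {value}{tag}"))
        elif kind == "file_create":
            path = ev["path"]
            if STARTUP_DIR.search(path) and path.lower().endswith(".lnk"):
                alerts.append(("startup_folder_lnk", path))
        elif kind == "process_memory_write":
            # rundll32 writing into another process matches the WriteProcessMemory rows above.
            if ev["source_pid"] != ev["target_pid"] and _base(ev["source_image"]) == "rundll32.exe":
                alerts.append(("rundll32_cross_process_write",
                               f"{ev['source_pid']} -> {ev['target_pid']} {ev['target_image']}"))
    return alerts


# Constructed events mirroring the behavioral1 run. PIDs and paths come from this report;
# the field names are an assumption modelled on Sysmon, not sandbox output.
SAMPLE_EVENTS = [
    {"type": "process_memory_write", "source_pid": 1264,
     "source_image": r"C:\Windows\system32\rundll32.exe",
     "target_pid": 1868, "target_image": r"C:\Windows\system32\SystemPropertiesRemote.exe"},
    {"type": "process_create", "pid": 284,
     "image": r"C:\Users\Admin\AppData\Local\MgrThq\SystemPropertiesRemote.exe"},
    {"type": "image_load", "pid": 284,
     "image": r"C:\Users\Admin\AppData\Local\MgrThq\SystemPropertiesRemote.exe",
     "loaded": r"C:\Users\Admin\AppData\Local\MgrThq\SYSDM.CPL"},
    {"type": "image_load", "pid": 2908,
     "image": r"C:\Users\Admin\AppData\Local\bIH1lsfZ\VaultSysUi.exe",
     "loaded": r"C:\Users\Admin\AppData\Local\bIH1lsfZ\credui.dll"},
    {"type": "registry_set",
     "key": r"HKU\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj",
     "value": r"C:\Users\Admin\AppData\Roaming\MEDIAC~1\axPA\VAULTS~1.EXE"},
    {"type": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk"},
    # Benign control: the genuine binary loading its own DLL from System32 must not fire.
    {"type": "image_load", "pid": 1868,
     "image": r"C:\Windows\system32\SystemPropertiesRemote.exe",
     "loaded": r"C:\Windows\system32\sysdm.cpl"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:30} {detail}")
```

The side-loading rule deliberately keys on "DLL loaded from the process's own user-writable directory" rather than on the three DLL names: the names change between samples, the pattern does not. The benign control event shows why the user-writable check is needed, since the genuine SystemPropertiesRemote.exe also loads sysdm.cpl from its own directory.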

Network

N/A

Files

Memory dumps (memory/<pid>-<index>-<start>-<end>-memory.dmp), grouped by process and region:

PID 1104
  0x0000000000190000-0x0000000000197000  index 0
  0x0000000140000000-0x000000014033A000  indices 1, 8

PID 1264
  0x0000000076E86000-0x0000000076E87000  index 4
  0x0000000002BB0000-0x0000000002BB1000  index 5
  0x0000000140000000-0x000000014033A000  58 dumps: index 7 and indices 9 to 65
  0x0000000002670000-0x0000000002677000  index 68
  0x0000000076F91000-0x0000000076F92000  index 76
  0x00000000770F0000-0x00000000770F2000  index 77

C:\Users\Admin\AppData\Local\MgrThq\SYSDM.CPL

MD5 b4b4d8fe488fb8b3172301755abcb3b1
SHA1 e82210a03f74146dfbfd9d2f8bb7fb95a6c3237d
SHA256 abca673b6c79c80382bd1ab164172d147b5a7dc65eea80c7340c75b9da3c1d4c
SHA512 f308a44ec2453745347c63dc96fdc12876847bdc7c9dcbfbf3b40c216413c92dc8d5d712e23414af348d780fb8955aa30bab29142ff48126608a2fbc6b75d7cf

\Users\Admin\AppData\Local\MgrThq\SYSDM.CPL

MD5 11885312c055e478d274a4b1dc331708
SHA1 02c12633069fb71f143e77ee33806aec4d4cb92c
SHA256 81201b69ad402403551e9b0758f472f34a185da1c0237aea9b8e52235ab3fac6
SHA512 307b37cdccdf948dfa69fc83dc7f4287def056dd02e62b6c244d284b49d6c63750c76d323ac8dac25219bd752ebeaa58659e100b03acac660c981e296fa4fa46

C:\Users\Admin\AppData\Local\MgrThq\SystemPropertiesRemote.exe

MD5 d0d7ac869aa4e179da2cc333f0440d71
SHA1 e7b9a58f5bfc1ec321f015641a60978c0c683894
SHA256 5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a
SHA512 1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

memory/284-104-0x0000000000080000-0x0000000000087000-memory.dmp

memory/1264-115-0x0000000076E86000-0x0000000076E87000-memory.dmp

C:\Users\Admin\AppData\Local\bIH1lsfZ\credui.dll

MD5 fc207db8d23a2eb6f0b012171c86abff
SHA1 eaee10e4b3edd3175b199578791513b0da6ac629
SHA256 6b51ea96dc53044e2d8a934cd4e7a55b1cfc7a1b82f3458b015ab1575e43a3ed
SHA512 fc846244e2cba3f0cc01b88937890e06c3ee3db9c75c070e217a379c35fdcbbef60fcbfa8a54e44db26e84ee6d9c86d2ff7e104b3e8336c669b176720f594a5d

\Users\Admin\AppData\Local\bIH1lsfZ\credui.dll

MD5 03b64cc2eda213f0261e67497a75dd87
SHA1 9516b023b8d357b080413ec35782d8562202cf77
SHA256 a899efe91c07ee8c8e682f9adc4ec2445b53e6a9600642967c7a76880bc13316
SHA512 0ba9469faa0127f583bb3c1f2bddf3e38df03bafa6bef6e8af922cdb30f873adb4403d961c43422bcf0763fbf7441689dd6a4835ff49212cf6c1dc20251dc612

C:\Users\Admin\AppData\Local\bIH1lsfZ\VaultSysUi.exe

MD5 f40ef105d94350d36c799ee23f7fec0f
SHA1 ee3a5cfe8b807e1c1718a27eb97fa134360816e3
SHA256 eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2
SHA512 f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

memory/2908-126-0x0000000000070000-0x0000000000077000-memory.dmp

C:\Users\Admin\AppData\Local\bIH1lsfZ\VaultSysUi.exe

MD5 fd1649c9d7d7ea6910fdaf3fd3e13bb8
SHA1 86b53528d0624501c55ceacaf9fded8d24de1f1f
SHA256 cd6d586a703147741559b5cc1c63b54b947a2d047f735084981e3ba6f9eefa7c
SHA512 b33909ec42273c08a56dd60ecf9679e1b080b5a0c8e2df0331a3168b8e09f6002e257d89f80fc71a56e1692fe44e5dbfad5275387e33c2674a460822181104a3

C:\Users\Admin\AppData\Local\Xh7axlA0\psr.exe

MD5 a638ab38064591c43b223cbd9cef44f4
SHA1 da31c71b849f48e6d1d7fbc330b4507bba320690
SHA256 1344bcfd90e81ed91d45384b70563a1634cdfcbb86d65aaf1f92ab4dc9eb1be5
SHA512 def00428190628610e1c0903a26f8d841b2ad477d52fcc3f1b59e9bfbced3ac3cf3bf1ff8cfcf36c0a5ad8f3db8a2d0d8bd963df77dac7a1810c99424032af4f

\Users\Admin\AppData\Local\Xh7axlA0\WTSAPI32.dll

MD5 f53cd996c6847ea6281816652b845421
SHA1 e21e6bc76aa81bb87894c74f6641b6f718af0c16
SHA256 68fd081866747a0f03df82391d7d7fce82199bf4b4271b0dee33d2f26f12cee7
SHA512 abf346a211ae8575517ceaafa6c0c791faa1f107e3d6b8adc928c0fd0a01a109e533e7334b39f219da63a38282c339d3cac4c82e9b9a06a3d2a54ead93f6ea5d

C:\Users\Admin\AppData\Local\Xh7axlA0\WTSAPI32.dll

MD5 383bfcec3da9c932f1e6a919827b324b
SHA1 ecf539d7394467389a392a71bc85766cdf54b5d1
SHA256 abd82e71344ef35a57b276340ebccff2ae27c5127e8e0c42c014dd770373164c
SHA512 22706a949bc771afb5ce105a31dac1a634247dff273ef45881b571724f6afe9968d0a1a7f9a41410ab06f033579c44cbbfecaa589a3b1eb916104988cd990022

memory/1112-144-0x0000000000620000-0x0000000000627000-memory.dmp

\Users\Admin\AppData\Local\Xh7axlA0\psr.exe

MD5 92a751f078245fd104f08045780134d5
SHA1 d279a0737ce6faaf0e87a87198bc09e8b50bc950
SHA256 756c5de2de10061389c13e183b6c36e851202b637fb55fafcccd7ab6938eb844
SHA512 b50644a8da6a8c5ab622e6a0eaaf1fc838781fac57e8f5d15c53171058a2a941b4f3858aa02f3712fdd93dd9f3cd70d46e266bd2144f4d7ec48251207f3f51cd

C:\Users\Admin\AppData\Local\Xh7axlA0\psr.exe

MD5 a5a27a7a9e4379370ad63dbfa475c25c
SHA1 de512d11b54d21a88af2419453de5c81ffc67919
SHA256 5083dddafc302eaf63e678bc9e245ea2333f5ec7130ab209a8e094ab09e3f308
SHA512 bf135a0cc2aa3e7fca3e52eed6fbe4064a05365f6f02a373c9b4378b5a081601a581991f350a8e1a57aa2a3eac46c0d385ddb7ac8d9babeb275b3619e33ca7a4

\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\YH21QU4FEx8\psr.exe

MD5 c4b3674dcf4e60aaaf7aa58c3c3f3b1a
SHA1 1f4e71dc190fe2172830d0ae8872fab90ed9e81c
SHA256 77dbdc0f28bf6361d278f04f4d35a1a95807f12d32e48e84ab4049ad8214c758
SHA512 fe51caa5af79510bcbbc69ea8c042968458f9b8e86c159c3ba3391f3eca39b4721c288f0ad16788962508dba4f1efa306eb685904586007dc3daa026f8f79efe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

MD5 1b3f3e02412a7231dcdb1a98bf56bb39
SHA1 58cb801c4647607e05a1f9da4ed8193a96d42d06
SHA256 45ee52f01c07226aab1ca38c32e4ee7299e04325ebee34f36cd06ad5cf054458
SHA512 9ca29f2d898efd51c730536f5c551ecdcb4f855ba9c2cc1fbac21cd37e5032fdd4be4eb1611b7a82e8ab8c1d9c8113c2261b533368f6246b775c9f6805f07957

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\34IllC2S\SYSDM.CPL

MD5 99cfea0bfde424dcafbd9ca676886345
SHA1 f06ceda32dcf2c2282db2bb1e4442135183c09ba
SHA256 dde3ae5631b8677c6d263f0fca8c958010e60953ef76a88719a84d3a38cbfa6f
SHA512 1cb4c493b330ab2e207a7984537621252f7d0a88580d73e482cf7b85afa25a84d2f15a0acf59e50cd3a1fe545a5bd5f806975b3854bcfc4fc32b83cd95111d5b

C:\Users\Admin\AppData\Roaming\Media Center Programs\axPA\credui.dll

MD5 33e141243bd476b2f9ca4dd6a1c110cd
SHA1 1e44c2f1107925ac9c759cb64a50adae5a3d6d22
SHA256 5b00eadf4b0d5fa5c5dcb49001a9770b5b48585efc51fe798feb94bdd5414e4a
SHA512 17cc53f0df9fe853e68c877bc7f6fdffc12fe1f287521bb3e79234eabeef03d9aa0ed4091d696e0b935ceae7939b18c67ac6a93c00a00b0a516b37467b58dd06

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\YH21QU4FEx8\WTSAPI32.dll

MD5 fe38ec9c988469ff42a6e808c556e1d9
SHA1 6aeea29ac71fd551d39eb76122e21289315a4abf
SHA256 0778a46a87b02e8b9a797a44c2ee2d38a147f1f3b1a5c1704316523077b6605c
SHA512 2dcd248928e6273d6cc4177d5e0a6c104ee39b24d910b4b3f873f9df006c8d619cce96a7ffc2ef263a821d99802271c2e0c444a4aab61e4dcc0def1e48be529a
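Two things in the Files list above are easy to miss when reading hashes by eye. First, the dropped files come in directory pairs: each staging directory under AppData\Local holds a copy of a System32 executable plus the DLL that copy goes on to load (the Loads dropped DLL signature names those three processes), while two directories (34IllC2S, axPA) record only the DLL, even though the Run key points at an executable in axPA. Second, several paths appear more than once with different hashes, sometimes with and sometimes without the drive letter, meaning the same file was written more than once with different content or was hashed mid-write. The script below is an added example, not part of the sandbox output; it works from the report's own entries (SHA1 column) transcribed as a constant, and assumes a single system volume when normalising drive-less paths.

```python
"""Triage of the dropped-file list in this report: pair each copied executable
with the DLL dropped beside it, and flag paths recorded with more than one
content hash. The entries are transcribed from the Files section of behavioral1."""
import ntpath
from collections import defaultdict

DROPPED = [  # (path as recorded, SHA1)
    (r"C:\Users\Admin\AppData\Local\MgrThq\SYSDM.CPL", "e82210a03f74146dfbfd9d2f8bb7fb95a6c3237d"),
    (r"\Users\Admin\AppData\Local\MgrThq\SYSDM.CPL", "02c12633069fb71f143e77ee33806aec4d4cb92c"),
    (r"C:\Users\Admin\AppData\Local\MgrThq\SystemPropertiesRemote.exe", "e7b9a58f5bfc1ec321f015641a60978c0c683894"),
    (r"C:\Users\Admin\AppData\Local\bIH1lsfZ\credui.dll", "eaee10e4b3edd3175b199578791513b0da6ac629"),
    (r"\Users\Admin\AppData\Local\bIH1lsfZ\credui.dll", "9516b023b8d357b080413ec35782d8562202cf77"),
    (r"C:\Users\Admin\AppData\Local\bIH1lsfZ\VaultSysUi.exe", "ee3a5cfe8b807e1c1718a27eb97fa134360816e3"),
    (r"C:\Users\Admin\AppData\Local\bIH1lsfZ\VaultSysUi.exe", "86b53528d0624501c55ceacaf9fded8d24de1f1f"),
    (r"C:\Users\Admin\AppData\Local\Xh7axlA0\psr.exe", "da31c71b849f48e6d1d7fbc330b4507bba320690"),
    (r"\Users\Admin\AppData\Local\Xh7axlA0\WTSAPI32.dll", "e21e6bc76aa81bb87894c74f6641b6f718af0c16"),
    (r"C:\Users\Admin\AppData\Local\Xh7axlA0\WTSAPI32.dll", "ecf539d7394467389a392a71bc85766cdf54b5d1"),
    (r"\Users\Admin\AppData\Local\Xh7axlA0\psr.exe", "d279a0737ce6faaf0e87a87198bc09e8b50bc950"),
    (r"C:\Users\Admin\AppData\Local\Xh7axlA0\psr.exe", "de512d11b54d21a88af2419453de5c81ffc67919"),
    (r"\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\YH21QU4FEx8\psr.exe", "1f4e71dc190fe2172830d0ae8872fab90ed9e81c"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk", "58cb801c4647607e05a1f9da4ed8193a96d42d06"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\34IllC2S\SYSDM.CPL", "f06ceda32dcf2c2282db2bb1e4442135183c09ba"),
    (r"C:\Users\Admin\AppData\Roaming\Media Center Programs\axPA\credui.dll", "1e44c2f1107925ac9c759cb64a50adae5a3d6d22"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\YH21QU4FEx8\WTSAPI32.dll", "6aeea29ac71fd551d39eb76122e21289315a4abf"),
]

LOADABLE = (".dll", ".cpl")  # sysdm.cpl is a DLL with a .cpl extension


def normalize(path):
    """The report mixes 'C:\\...' and drive-less '\\Users\\...' forms of the same file."""
    p = path.lower()
    if p.startswith("\\"):
        p = "c:" + p  # assumption: a single system volume, as in the sandbox VM
    return p


def rewritten_paths(entries):
    """Paths recorded with more than one distinct hash. Returns {path: [hashes in recorded order]}."""
    seen = defaultdict(list)
    for path, digest in entries:
        key = normalize(path)
        if digest not in seen[key]:
            seen[key].append(digest)
    return {p: h for p, h in seen.items() if len(h) > 1}


def files_by_dir(entries):
    """Group dropped executables and loadable modules by directory."""
    by_dir = defaultdict(lambda: {"exe": set(), "dll": set()})
    for path, _ in entries:
        p = normalize(path)
        name = ntpath.basename(p)
        if name.endswith(".exe"):
            by_dir[ntpath.dirname(p)]["exe"].add(name)
        elif name.endswith(LOADABLE):
            by_dir[ntpath.dirname(p)]["dll"].add(name)
    return dict(by_dir)


def staged_pairs(entries):
    """Directories holding both a copied executable and a DLL beside it."""
    return {d: v for d, v in files_by_dir(entries).items() if v["exe"] and v["dll"]}


def orphan_dlls(entries):
    """Directories with a DLL but no recorded executable; for axPA the Run key above
    shows the executable exists even though the Files list omits it."""
    return {d: v["dll"] for d, v in files_by_dir(entries).items() if v["dll"] and not v["exe"]}


if __name__ == "__main__":
    for d, v in staged_pairs(DROPPED).items():
        print("staged pair:   ", d, sorted(v["exe"]), sorted(v["dll"]))
    for d, dlls in orphan_dlls(DROPPED).items():
        print("dll without exe:", d, sorted(dlls))
    for p, hashes in rewritten_paths(DROPPED).items():
        print(f"written {len(hashes)}x:", p)
```

On this input the script reports four staged pairs (MgrThq, bIH1lsfZ, Xh7axlA0 and the YH21QU4FEx8 directory under ImplicitAppShortcuts), two DLLs without a recorded executable (34IllC2S, axPA), and five paths with more than one hash, with the psr.exe copy in Xh7axlA0 recorded under three. For a hunt, the pair structure and the directory locations are the durable indicators; the per-file hashes are not, since they differ between writes within a single detonation.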