Analysis Overview
SHA256
5ba39417a43ac8190e9251866b1049b3eebd029c8856d93e77649f62549d3ff8
Threat Level: Known bad
The file 1732a5c98ec8eaaf345b95acba0d06e4 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 11:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 11:31
Reported
2024-01-03 08:04
Platform
win7-20231215-en
Max time kernel
151s
Max time network
124s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\dB4N4NewFS\\winlogon.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1272 wrote to memory of 1772 | N/A | N/A | C:\Windows\system32\shrpubw.exe |
| PID 1272 wrote to memory of 1772 | N/A | N/A | C:\Windows\system32\shrpubw.exe |
| PID 1272 wrote to memory of 1772 | N/A | N/A | C:\Windows\system32\shrpubw.exe |
| PID 1272 wrote to memory of 2620 | N/A | N/A | C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe |
| PID 1272 wrote to memory of 2620 | N/A | N/A | C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe |
| PID 1272 wrote to memory of 2620 | N/A | N/A | C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe |
| PID 1272 wrote to memory of 1808 | N/A | N/A | C:\Windows\system32\winlogon.exe |
| PID 1272 wrote to memory of 1808 | N/A | N/A | C:\Windows\system32\winlogon.exe |
| PID 1272 wrote to memory of 1808 | N/A | N/A | C:\Windows\system32\winlogon.exe |
| PID 1272 wrote to memory of 2028 | N/A | N/A | C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe |
| PID 1272 wrote to memory of 2028 | N/A | N/A | C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe |
| PID 1272 wrote to memory of 2028 | N/A | N/A | C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe |
| PID 1272 wrote to memory of 588 | N/A | N/A | C:\Windows\system32\icardagt.exe |
| PID 1272 wrote to memory of 588 | N/A | N/A | C:\Windows\system32\icardagt.exe |
| PID 1272 wrote to memory of 588 | N/A | N/A | C:\Windows\system32\icardagt.exe |
| PID 1272 wrote to memory of 268 | N/A | N/A | C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe |
| PID 1272 wrote to memory of 268 | N/A | N/A | C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe |
| PID 1272 wrote to memory of 268 | N/A | N/A | C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1732a5c98ec8eaaf345b95acba0d06e4.dll,#1
C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe
C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe
C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe
C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe
C:\Windows\system32\icardagt.exe
C:\Windows\system32\icardagt.exe
C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe
C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe
Network
Files
memory/2408-0-0x0000000000190000-0x0000000000197000-memory.dmp
memory/2408-1-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-4-0x0000000076F36000-0x0000000076F37000-memory.dmp
memory/1272-5-0x00000000029D0000-0x00000000029D1000-memory.dmp
memory/1272-8-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-9-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-13-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-12-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-16-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-14-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-15-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-17-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-20-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-23-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-22-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-21-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-19-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-18-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-24-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-25-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-26-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-27-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-30-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-32-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-34-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-35-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-39-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-40-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-41-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-43-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-46-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-50-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-52-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-51-0x00000000029A0000-0x00000000029A7000-memory.dmp
memory/1272-49-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-47-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-48-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-59-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-60-0x0000000077141000-0x0000000077142000-memory.dmp
memory/1272-63-0x00000000772A0000-0x00000000772A2000-memory.dmp
memory/1272-44-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-45-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-42-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-38-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-37-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-36-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-70-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-33-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-31-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-28-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-29-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-11-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-76-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1272-10-0x0000000140000000-0x0000000140212000-memory.dmp
memory/2408-7-0x0000000140000000-0x0000000140212000-memory.dmp
C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe
| MD5 | 6d46216e8a91b9abe632e8e9989b30fe |
| SHA1 | 0736f51b8522b123e12cd5d6de0cfd0d41048a78 |
| SHA256 | 2c12c9234eb173db4384207536bdba5e6b968dea0f22bd0a1c26c035b7a6ca73 |
| SHA512 | 883a3c4cef8996a73d9ee53b08fec87fc3ccbe2802f59062246b14c9cfff09b10234d5e63339054a3b02928b841e6186da525c1d577bcf72d8867ed7ae1cb533 |
\Users\Admin\AppData\Local\NPVSt\srvcli.dll
| MD5 | 469792a7038883d108de7d748e9a5b6e |
| SHA1 | 3dc48636b63d6c3f8b5b419f071cfd54e7628416 |
| SHA256 | a4fd872eda65620716c46ae1d109a64a81ae38e42e1ecc9478e40da261d1974c |
| SHA512 | 2788f85146ad5e748bd374936ccf31636ad931f3ee970cbb992dc919cb4911a53daf4373b2a29751afd8383235b5e8f051f2b68fe3485a090ad25ef9f623baa2 |
C:\Users\Admin\AppData\Local\NPVSt\srvcli.dll
| MD5 | a5f9e3064e69d7a4e453ed966cd04b54 |
| SHA1 | 7f68acec80ef23e371ff408b876afde36d66b79d |
| SHA256 | a2e46a374502c77c6033f7a2caf61d4e2dc1c6fb1e32ac10e014430f57de0e99 |
| SHA512 | 2dd204e3f5a75e8e169d98879439d72ce58f33e8c9846f707dce5af373272b1d92ea26b80c8146488a75661f0d8c1025b83bc7fd44fa1ed99e763016805e6cd4 |
\Users\Admin\AppData\Local\NPVSt\shrpubw.exe
| MD5 | bc426482fb02f7e4fc4a597da923c46f |
| SHA1 | c887f332a4097b4b52e5019e8a23ad0e0f7131e1 |
| SHA256 | cceb3ca66184e8269a1de6a884b308d37b64d988af1b52d5e4f03f1a20a68153 |
| SHA512 | 92f65d2360c1c2e94580a945f2b9dfd7daead7c2b7e80e7f942cbdc311fd9decf67b7076101eaf3bce47a189e0f2664e48706beefd40be6b004b364cf2d598ef |
memory/2620-88-0x0000000000130000-0x0000000000137000-memory.dmp
C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe
| MD5 | d5f4e9a4175a33acedca7ad70d452f37 |
| SHA1 | d1699a7188aaef030b2ee330e8d40d50fce0b7e1 |
| SHA256 | f3fdf127a92322f1df17800c03408fd0a99e3ebc18ec06acaade3697b155139d |
| SHA512 | 50539c2aaaaf97edf670e992ff3a8c8d4dd1cbf3e3d143c2cf10b128994e50d9d746e159052c877ac08853cafa5d5a157cc701f474f4c31b87f903153a4c35f4 |
C:\Users\Admin\AppData\Local\74EoYSNwZ\WINSTA.dll
| MD5 | 0f6f4ca76c22f72a77ca75e7a2328fa5 |
| SHA1 | 7b5fbb4ef5d8f7f4be37c72912064ce4ab1cbc1a |
| SHA256 | 252da9e06e4c8ccdf3a7738b48e2c548ddd4d52855fbafa02b6f2ce6793202d1 |
| SHA512 | d6011d61cd00fc54a4a6e5474a5fff4e8364b381dd7d7eb8859f34382bba62c5a5127564df40cb08cd3b5e98cff14adc27c54277b664d0bcbcbcf8b401e83b85 |
\Users\Admin\AppData\Local\74EoYSNwZ\WINSTA.dll
| MD5 | d2407b5c2d7fa0be735117401ecd32a1 |
| SHA1 | e7952d66f90887a99146c88319c7c452252f9deb |
| SHA256 | a36503f29dbb1bf4163481ff7a750d0894aec59310a6ecbb965e0297a8cefa44 |
| SHA512 | a7e05428323340e8494ccb65b5300a88167f7a0fac7cf4450fd97040752ba81845acb651803c5d8a1386e0d557cdd09a9e5b36fdb8110948ee5bea97d886fa89 |
memory/1272-109-0x0000000076F36000-0x0000000076F37000-memory.dmp
memory/2028-111-0x0000000000310000-0x0000000000317000-memory.dmp
C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe
| MD5 | e323d64e62b24cb1a7a9a1f7500d680d |
| SHA1 | 1480be3c11b8075ed4cb93acf4b03428255481b5 |
| SHA256 | d56abd632a6b82408cf0cd236facf4a2731feb1d4d38957ea0689365fb34f43c |
| SHA512 | c20fc228a11a530794661bbce6681dbcb8580d23198152206221222e9655448239524d4bffe47d0843c8c36a62b623fd847c720bebc929e311b8f4aed2f36730 |
\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe
| MD5 | 0edc3c681983b7710885d2ff2958bba8 |
| SHA1 | a7b76898f9345cffca260a6b88e559389b46dc0c |
| SHA256 | ea0aa0807243fb4e7bd0ab59e3e665c65d452a7ce189a7c96b89116af49553fd |
| SHA512 | f2a42b1b44e57b9c17d031b59f386ce363f816a2f4a10bd0656170dffa80b11421e9ce1699d9645273c8ce943c93b9cbc6cd79535e78e9861c9bca1925742e36 |
C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe
| MD5 | 913c6750cf6b5c542879cc1281ccbaa6 |
| SHA1 | 713c702ca708e2444575b187cb4b3c59c86fce10 |
| SHA256 | de8fcdd72915ae1565d8a2e97f28a325418fd609623a04d9388081fe055903c1 |
| SHA512 | dcb6df9ef99d86ffd74bf115fdda3cc18c7cf9c7b7289737078db5a3772bce507b40ec46850d64ee02df34db7fd4cab2cf4d7e3c4504ca902b613d6f8f1f121b |
C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe
| MD5 | 07dac92b5e966297efb65deb6a59bcdc |
| SHA1 | e27a40a56630dfa1c6e406d5ebb62c726476e938 |
| SHA256 | 426535c1ad94cdb625035de0bb3f945f1734b28f8bf06063817f566a7c0bdc4c |
| SHA512 | 30ced6eb0a97d983e945ec22f29f7994fff76ee4e37a677b6201fa62800596d0a65b22949dc30f306229f709038c91197cf4f137587778eeea8e440f0c3fadfd |
C:\Users\Admin\AppData\Local\yLuKd\UxTheme.dll
| MD5 | 26b496852655819ba49217c56e8fb743 |
| SHA1 | 5f830184c0d5445881df12f006d1508075ecaae8 |
| SHA256 | 5431af54babc079160f1ad83de605e3955185bf5c0d73a5b8aa6daa15d879d03 |
| SHA512 | 8607f2119ce21a641fc6045ec58f8e8a494e3d051a120573f5927118f42856bc2cfbf6397ebf894925dd4d169e944ff7387e748c2fbc5c7620974dadb9d3b9f5 |
\Users\Admin\AppData\Local\yLuKd\UxTheme.dll
| MD5 | 462fc7cbc4fc9167d7a28a3a425ea467 |
| SHA1 | 064454ab1749c1c95fa62fe38b948ae1df03f6fe |
| SHA256 | 0a37f365009554ad7bd19f1170708009a8f94e5abb814547ddd4fea55794c5ee |
| SHA512 | 82b75861ad76c4b92e44e9ff606e7f57bff1e7793120400830ebfa5f1674f9489f0319e73cafa5e4116d622c8bd68b6bcfbbf33e8d242558e4cd441bdc979fc6 |
\Users\Admin\AppData\Local\yLuKd\icardagt.exe
| MD5 | b00b88c1b1a6a31b59be3a16d2614e24 |
| SHA1 | c56d5526c128e769041521ca6960368212dc6a4b |
| SHA256 | 2526b410dc42931011c1a3b89ebbf595354d34ccbc628f3767c53ee88c4b90cb |
| SHA512 | f7e774cc645cc3bc329f09695cd64c232631980e6b6ac884dc2d709606aa4e8509afc4f2d0be327b7553d116ac9bc924bd9e27f0329bf5707a0430488c9c7b70 |
memory/268-131-0x00000000001A0000-0x00000000001A7000-memory.dmp
C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe
| MD5 | 11fe443f287e8eecba59bc40ee1ee96b |
| SHA1 | d91274fb5846bbd7266d5b281cd20cbd9a9dc98a |
| SHA256 | c9538c7671de2846dbe5ad3afd885bf14c114f7661d30f09c01a6e94eb3b9c05 |
| SHA512 | adb5c2f174703934d8f7186e39f453f1989a700c351f3e9443e5826f0951ee72aebbd0ed53e68094e55ea279de9476e3eaab634bd078c8654fd0752d201a4160 |
\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\ovarRR\icardagt.exe
| MD5 | 36e7c7232caef1de2e8b558edeae3dee |
| SHA1 | f8408966990a1158c25a8d689644c255f6c57658 |
| SHA256 | 81bd443fb394485b3946c131df9f10cbb87c708088f69f3ad549c2fe8678ed00 |
| SHA512 | 2e267b1e044ee3e90017f17da6070eb759e8959a6abe5fe21739a56d45287f2c3679717723b7430c6165a10810434098e3f6e400f3052a548bbefad173ee2257 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk
| MD5 | 042ca93ea07fcfe8bf54e9b5b637e8f5 |
| SHA1 | cb46c5fcc50035493b1b46d3f949ba6622f88d50 |
| SHA256 | 945f6f2a465264343dd9de44b8db6b84bf05d504a88f6abdbd97403522783267 |
| SHA512 | 7a6bbb2fbbdea0ee47ce6ea55631842e570591a18fd35a7f969ab29b6bdcc40a7f7be5414b4785eb6e71905b97d47d8a27cf1a4605f366351a0f687a8b654165 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\r2F\srvcli.dll
| MD5 | 1762f6e525a8e5671b5d8648d2eaae72 |
| SHA1 | 11243360531e0187102d08c13fe4fd69907df8e5 |
| SHA256 | 27fab2358f7fa8d5f489d39d24ee347d9383f9d28a12f7f892d24402402a837b |
| SHA512 | 4944d8a46d337c367211c10a794ee97c32ebd9d7ba8161a2eea745c4e2bb43bb66f778e59af201d06acfdcbd4a0ffa61f1b6b3925efd6ef1c6e4a341ad2ebcfe |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\Low\dB4N4NewFS\WINSTA.dll
| MD5 | 34a8b40b846ffa0c21e15d5a530c7dbf |
| SHA1 | 3603ac5af1bc1794671c15068173817a2fa569f6 |
| SHA256 | f80bb0a49bb41f13f577fe904f086ad245d621592c9174006fd2f46b91d2f742 |
| SHA512 | 47e539dca1966d5998ff8dc83059e9ff483467f9c887dbe07e8412885b1553d590f22ac05c14f33b3280cd71b99fe72dd368695ace542033ceffe0f5a0b3b887 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\ovarRR\UxTheme.dll
| MD5 | bdd5b8575cc81a61626ec62b02044109 |
| SHA1 | 8e4b70057d5a6efd1fcb02c9b85675dacaeafe12 |
| SHA256 | 6cd914e80312f79b02ceaa39796e7ae2a7bb48ad6bee8162c844f224923bc0da |
| SHA512 | 6f56a0e662fda0e6ebd4e3c5640d6e2026454f128971c54464754b26d4b705f57f59c2e1e30c97939c4eec8d2272b3df2accd47985480d2972d756fe35c34d9b |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 11:31
Reported
2024-01-03 08:04
Platform
win10v2004-20231215-en
Max time kernel
89s
Max time network
155s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\WrkBC\cttune.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WcmnPL\recdisc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\EwqLdRGQr\SystemPropertiesProtection.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\WrkBC\cttune.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WcmnPL\recdisc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\EwqLdRGQr\SystemPropertiesProtection.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fidpgamyc = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\dr6A\\recdisc.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\WrkBC\cttune.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\WcmnPL\recdisc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\EwqLdRGQr\SystemPropertiesProtection.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1732a5c98ec8eaaf345b95acba0d06e4.dll,#1
C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
C:\Users\Admin\AppData\Local\WrkBC\cttune.exe
C:\Users\Admin\AppData\Local\WrkBC\cttune.exe
C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\WcmnPL\recdisc.exe
C:\Users\Admin\AppData\Local\WcmnPL\recdisc.exe
C:\Users\Admin\AppData\Local\EwqLdRGQr\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\EwqLdRGQr\SystemPropertiesProtection.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 92.123.241.137:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 92.123.241.137:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 137.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| GB | 87.248.205.0:80 | | tcp |
| GB | 87.248.205.0:80 | | tcp |
| GB | 87.248.205.0:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/3876-0-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3876-2-0x000001C1D5500000-0x000001C1D5507000-memory.dmp
memory/3368-6-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3876-7-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-12-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-14-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-18-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-23-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-24-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-27-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-30-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-29-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-31-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-32-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-34-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-33-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-35-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-36-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-38-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-37-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-28-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-26-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-25-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-22-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-21-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-20-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-19-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-17-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-39-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-40-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-43-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-42-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-44-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-41-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-16-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-48-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-50-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-51-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-52-0x0000000000390000-0x0000000000397000-memory.dmp
memory/3368-49-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-47-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-46-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-45-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-15-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-13-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-11-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-10-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-9-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-59-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-60-0x00007FFC56780000-0x00007FFC56790000-memory.dmp
memory/3368-8-0x00007FFC54AFA000-0x00007FFC54AFB000-memory.dmp
memory/3368-69-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3368-71-0x0000000140000000-0x0000000140212000-memory.dmp
C:\Users\Admin\AppData\Local\WrkBC\OLEACC.dll
| MD5 | cc3280e57757e1ef0e746a112b3647b6 |
| SHA1 | 9c62a2f872d15b16b34a5479d2bb4ebd579e233d |
| SHA256 | fd97ed50abf79ee77e63795387cff838568a2018f5b50f262527a4dd874f72b5 |
| SHA512 | 5790fa31492fd3127ea9e26ed65c316c0bb0b219bc122fd5f958247781acaed565a85c1ea43ea5ba77f00ded77975a8c81f885076ed1b88e32bddca61ae7b791 |
C:\Users\Admin\AppData\Local\WrkBC\OLEACC.dll
| MD5 | d5aa070d3bd68b109d07b34424741a48 |
| SHA1 | 9021aefa72fcc1cb83ddfaa04121de0c09afb014 |
| SHA256 | 7c29f591a0bc81849ca7ad66f9412d0b536c5658308e7714dc1d2d319573a6d4 |
| SHA512 | 3325a08f044723333cfd311f5a844ac69f4b43302bdcd6aa73867b68f0a19f892db514b6e569772eded82b7931ef30516822fc221cf3f49b0eac704d1f0f059f |
memory/4124-81-0x0000017328900000-0x0000017328907000-memory.dmp
memory/4124-80-0x0000000140000000-0x0000000140213000-memory.dmp
C:\Users\Admin\AppData\Local\WrkBC\cttune.exe
| MD5 | 452dcdca7d693548387ad646e9b359d5 |
| SHA1 | ea74dabe00ad9336a5170aaed6f8704e7ddb4a06 |
| SHA256 | 76906c623de4d96eaa9fce0ec48b1e8553e74d1306516cbc82e5b585897fc62e |
| SHA512 | 440a7354e8a949fe9d524d9e1122e23d2a10bfebcad5d3e993fc053c135708b8c01e36eab830227bebacb289135bfc69f6a8343e95fcaea74ffd4dc32c173c35 |
C:\Users\Admin\AppData\Local\WrkBC\cttune.exe
| MD5 | 925e63c632b3bb7ad8d6cfba63c304c7 |
| SHA1 | 14860b89a2f2b9be8d2b9ca7c6ba1d664374cc8d |
| SHA256 | ea0a7c063def75de956bcf241ff8f447cc7a6e5c9828cca37dcbf768cc8d91df |
| SHA512 | fcc1f286e5988ec2d2241e2ded1fc387b52e55399b6641b617d00c48332d819e08ce85f31982fdf683de6e129c9a2ad7ac31abd452f705c4de05b26433ca1b6d |
memory/3368-4-0x0000000002310000-0x0000000002311000-memory.dmp
C:\Users\Admin\AppData\Local\WcmnPL\ReAgent.dll
| MD5 | 8fdb754f8b1e656c5dfae7b9cb607048 |
| SHA1 | 9af849cc5d8ee55a6cae16fa8dcf0f0da4877498 |
| SHA256 | 7f8571f7bd13ec09c0de22661de9b4561c3cca89e39c999a49c98be187273499 |
| SHA512 | 79ccded17816ed79f5f57c206a78802700f0773118d87fa9b80dd6a175890314ca3ad3eb0aa092f7e336807da3c040bd9fff17e6def7af1895d1841e0c56174f |
C:\Users\Admin\AppData\Local\WcmnPL\ReAgent.dll
| MD5 | e245fccef6aa30de779a797c646db893 |
| SHA1 | 565bdea4a9ea9ee89112bdb46bd628ac08b856b6 |
| SHA256 | 4b8600d278fbf40a370729c6279fe076552c9af27178937925bb8121bb4e8822 |
| SHA512 | b6c7377b1ce7dba2abdab7490cf5905a6112620f3b892439aee51bed67748fc6c5211959eb9d1351abbc75eff5c1a246d3f99463f30378585932ddb7a91171be |
memory/2372-97-0x000001F2F88B0000-0x000001F2F88B7000-memory.dmp
C:\Users\Admin\AppData\Local\WcmnPL\recdisc.exe
| MD5 | dec457cd983decf93ba56bc2cc3634ad |
| SHA1 | e74f9fe78eb3576c188a4c53ea33b75c6098878c |
| SHA256 | ca751a359bfc1d8e981f34bbd110615426883637af5dd75da5d242fc30a2fc5d |
| SHA512 | ad95b00f19f0c0910c17b204035d76a8abf3b49e82ab9cd13d7fbc3250b42f94c6c054e513f3063c197793be6c67019af08257aed520c0f1215be2699503c5c2 |
C:\Users\Admin\AppData\Local\WcmnPL\recdisc.exe
| MD5 | 3bd0f2898ece531fbcf368e5224b47aa |
| SHA1 | 14817a1efeb40ab1908e103b552f3828d0456023 |
| SHA256 | ffc2d7d4e7475becb7b6660da1391947960f39200db92b26173cff62c2c47ccf |
| SHA512 | c5635ca83e5984cd63706824f3c616c191878e93ce0585464e6eecbaaa371752667bcae08db2695c069c14166f6cb26a638cdf0eb0e69237d5e0cdd3eaac005d |
C:\Users\Admin\AppData\Local\EwqLdRGQr\SYSDM.CPL
| MD5 | 927cbe2e19fe9408bcc257d79e5820b7 |
| SHA1 | a4a4d678865310d732c254abc63b921f2e255ae5 |
| SHA256 | 8a9420de2f358e934652a7a126f23d96a340e0108f42ecc203a9d8a1d2e93d91 |
| SHA512 | 044ea39d08ad7fc4d571485424db12d8b9ddd1bccad3f12fd5359fc9227fe2b6a3fff6f41da5ae66c45f9d2687c4699a915df6bcd717af30af5b44d80c0f70a5 |
C:\Users\Admin\AppData\Local\EwqLdRGQr\SystemPropertiesProtection.exe
| MD5 | 26640d2d4fa912fc9a354ef6cfe500ff |
| SHA1 | a343fd82659ce2d8de3beb587088867cf2ab8857 |
| SHA256 | a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37 |
| SHA512 | 26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc |
C:\Users\Admin\AppData\Local\EwqLdRGQr\SYSDM.CPL
| MD5 | d3e913ec95aa0b25f1994c614188acbc |
| SHA1 | 104dac7141991afd0f1f5f9376327fb82bcbefa9 |
| SHA256 | 7b19e1fab193b862d4f60a030c6155a7864f4c19b24bd2bd04556272f3c8ac77 |
| SHA512 | cd947c6d8ebbb3ace4c4d89cf01427a8586811e286d0580221f6964ec644ea9847f016068022655be4f9c1c18e175b2e837e01de9295c88b20e293e3a8635dea |
memory/100-114-0x0000019687650000-0x0000019687657000-memory.dmp
C:\Users\Admin\AppData\Local\EwqLdRGQr\SystemPropertiesProtection.exe
| MD5 | 831cab68f55d3c3195ff8433ba560ffa |
| SHA1 | 67d5696fff903f4f3a35190a3cd447a1861820b7 |
| SHA256 | 819dc05cc57a5f74215241f2747ae21fb568f0a472f76b7a5314ff48915d2261 |
| SHA512 | 74dcde33cfa5e72dc363389f2743a1c21d6cb2f51788947c23c2cecd48aaf7fa0bc1d2d0f36cecfd5fa00634ee9d5c96bed48f8b392778bd7f7f00f7a4fd00d1 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Enpllr.lnk
| MD5 | 513740f43f61e17ced073181621d742c |
| SHA1 | e7ca8c1b3814fe170d62de6f5bb32fa2f615b1a4 |
| SHA256 | 27087050ddca392be0edaa740fbc090dbf8ccf23e81ca0ecff0f59deb2107265 |
| SHA512 | 10b2771fa54076eb9e51af0b92f9c493fdef25eb7259a23de458a174ade01e6e6f822e5ef4469ac7d40ce93b39150db323cc3578a4eda2279591dcca138489d3 |
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\U8fcFPN\OLEACC.dll
| MD5 | 2d66e1a60a7f7f7f23416c7a738e2db3 |
| SHA1 | 586c2b6337e3b7c283bfb98c4ae96a06660e5f28 |
| SHA256 | 6d2e5c6ba7c0ae94eed66fb676fe4eb566c58396241c831e139448100cbc8bf8 |
| SHA512 | cfd178c599a5e7913b54c57eaa4e5e2c67c038fbd942641341ea172d9a9a134e70fbd6d92fb2eac387a87dc3d03a3cb51916095315ec67342217eb2dc2db231e |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\dr6A\ReAgent.dll
| MD5 | 33fcaa7a7427c8d8d03b9f55ddfefa3a |
| SHA1 | 7f51d7f38f7eeb8b94d3a4317d4522097dc57325 |
| SHA256 | 5e881d01d2e353a221bb9a12e7037fd8e345297867fc2ba13b9d18a8001fbb7e |
| SHA512 | 427e75a2703d6010174fd83324cc8715f56c5b73391d928fe16c898d877095a3d3b525138d41b77ef93c55a336dcb75207947d575f5a9837d35000080923d6ae |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\vKgmerL0\SYSDM.CPL
| MD5 | 4402aaa615afb8d993da1ab8df43cc48 |
| SHA1 | 658c30911e8037711f6c32ee7cf85b89226e49a5 |
| SHA256 | 147649adaca70003d356e9c6030be425222e2d8030f38f69b6c6b73bd2be43b0 |
| SHA512 | 0d03008c21a5fd13c5d919e90f8e23ab0b84ca05912e3705ab3bb590c589519e2a9d15013c40b7d9e4aadf0a92f8f0d0be08e365eff997781a8ec70cecf94386 |