Analysis Overview
SHA256
d546192dbec47bd4bf67aa7558a9b4019773b1373ed32de51c4e83b5b6a724b5
Threat Level: Known bad
The file 174607483f14cc2c3dae74fb06e151ef (submitted as 174607483f14cc2c3dae74fb06e151ef.dll and detonated through rundll32 export #1; the 32-hex-digit name is consistent with the sample's MD5) was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Analysis: static1
Detonation Overview
Reported
2023-12-30 11:35
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 11:35
Reported
2024-01-03 08:15
Platform
win7-20231215-en
Max time kernel
148s
Max time network
124s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\174607483f14cc2c3dae74fb06e151ef.dll,#1
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\UEuRzMk\Utilman.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\tQd0dyI\SystemPropertiesPerformance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\UdC9\SystemPropertiesComputerName.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\UEuRzMk\Utilman.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\tQd0dyI\SystemPropertiesPerformance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\UdC9\SystemPropertiesComputerName.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\Ym\\SYSTEM~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\UEuRzMk\Utilman.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\tQd0dyI\SystemPropertiesPerformance.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\UdC9\SystemPropertiesComputerName.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\174607483f14cc2c3dae74fb06e151ef.dll,#1
C:\Windows\system32\Utilman.exe
C:\Users\Admin\AppData\Local\UEuRzMk\Utilman.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\tQd0dyI\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\UdC9\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
Network
No network traffic was recorded for this run.
Files
memory/2520-2-0x0000000000110000-0x0000000000117000-memory.dmp
memory/2520-0-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-4-0x0000000077836000-0x0000000077837000-memory.dmp
memory/1196-17-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-30-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-35-0x0000000002D70000-0x0000000002D77000-memory.dmp
memory/1196-41-0x0000000077BA0000-0x0000000077BA2000-memory.dmp
memory/1196-50-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-56-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-59-0x0000000140000000-0x0000000140120000-memory.dmp
memory/2628-73-0x0000000140000000-0x0000000140154000-memory.dmp
memory/2628-71-0x0000000000090000-0x0000000000097000-memory.dmp
memory/2628-68-0x0000000140000000-0x0000000140154000-memory.dmp
memory/1196-40-0x0000000077A41000-0x0000000077A42000-memory.dmp
memory/1196-39-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-31-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-29-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-28-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-27-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-26-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-25-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-24-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-23-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-22-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-21-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-20-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-19-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-18-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-16-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-15-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-14-0x0000000140000000-0x0000000140120000-memory.dmp
memory/2860-92-0x0000000140000000-0x0000000140121000-memory.dmp
memory/2860-97-0x0000000140000000-0x0000000140121000-memory.dmp
memory/2860-95-0x0000000000190000-0x0000000000197000-memory.dmp
memory/1196-13-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-12-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-11-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-10-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-9-0x0000000140000000-0x0000000140120000-memory.dmp
memory/2520-8-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-7-0x0000000140000000-0x0000000140120000-memory.dmp
memory/1196-5-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/1980-114-0x0000000140000000-0x0000000140121000-memory.dmp
memory/1980-109-0x0000000000280000-0x0000000000287000-memory.dmp
memory/1196-130-0x0000000077836000-0x0000000077837000-memory.dmp
memory/2860-141-0x0000000000190000-0x0000000000197000-memory.dmp
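The dump names in this Files list (and in the matching list under behavioral2) encode the PID, a dump sequence number and the region's start and end address. The Python helper below is an added example, not part of the sandbox report or of any vendor tooling; it parses those names, groups the distinct regions per PID and reports which identical (base, size) mappings recur in more than one process. The sample list is a constructed subset of the entries above. Note that the report never names a process by PID, so which process 1196 is here (or 3436 in behavioral2, the writer in its WriteProcessMemory table) cannot be read off this page.

```python
import re
from collections import defaultdict

# Constructed subset of the behavioral1 "Files" entries above (behavioral2 uses
# the same scheme); each name encodes <pid>-<dump seq>-<start>-<end>.
SAMPLE_DUMPS = [
    "memory/2520-2-0x0000000000110000-0x0000000000117000-memory.dmp",
    "memory/2520-0-0x0000000140000000-0x0000000140120000-memory.dmp",
    "memory/1196-4-0x0000000077836000-0x0000000077837000-memory.dmp",
    "memory/1196-17-0x0000000140000000-0x0000000140120000-memory.dmp",
    "memory/1196-35-0x0000000002D70000-0x0000000002D77000-memory.dmp",
    "memory/1196-59-0x0000000140000000-0x0000000140120000-memory.dmp",
    "memory/2628-73-0x0000000140000000-0x0000000140154000-memory.dmp",
    "memory/2628-71-0x0000000000090000-0x0000000000097000-memory.dmp",
    "memory/2860-92-0x0000000140000000-0x0000000140121000-memory.dmp",
    "memory/2860-95-0x0000000000190000-0x0000000000197000-memory.dmp",
    "memory/1980-114-0x0000000140000000-0x0000000140121000-memory.dmp",
    "memory/1980-109-0x0000000000280000-0x0000000000287000-memory.dmp",
]

_NAME = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump_name(name):
    """Split one dump file name into pid, sequence number and address range."""
    m = _NAME.fullmatch(name)
    if m is None:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def summarize(names):
    """Distinct (start, size) regions per PID, sorted by address; repeated dumps
    of the same region (e.g. 1196-17 and 1196-59) collapse to one entry."""
    regions = defaultdict(set)
    for n in names:
        d = parse_dump_name(n)
        regions[d["pid"]].add((d["start"], d["size"]))
    return {pid: sorted(r) for pid, r in regions.items()}


def shared_mappings(names):
    """(start, size) regions present in more than one PID: the same image mapped
    at the same base in several processes."""
    pids = defaultdict(set)
    for pid, regions in summarize(names).items():
        for r in regions:
            pids[r].add(pid)
    return {r: sorted(p) for r, p in pids.items() if len(p) > 1}


def regions_of_size(names, size):
    """PIDs holding a region of exactly `size` bytes, with the region starts."""
    out = defaultdict(list)
    for pid, regions in summarize(names).items():
        for start, sz in regions:
            if sz == size:
                out[pid].append(start)
    return dict(out)


if __name__ == "__main__":
    for pid, regions in sorted(summarize(SAMPLE_DUMPS).items()):
        print(pid, [(hex(s), hex(z)) for s, z in regions])
    for (start, size), pids in shared_mappings(SAMPLE_DUMPS).items():
        print(f"shared mapping {hex(start)} size {hex(size)} in PIDs {pids}")
    print("0x7000 regions:", {p: [hex(s) for s in v] for p, v in regions_of_size(SAMPLE_DUMPS, 0x7000).items()})
```

Over the subset, 0x140000000 (the default image base of a 64-bit PE) with a 0x120000-byte size appears in both PID 2520 and PID 1196, i.e. the same image is mapped at the same base in two processes, while 2628, 2860 and 1980 each carry a differently sized image at that base, which fits the three dropped host binaries. Every PID in the list also holds exactly one 0x7000-byte region.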
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 11:35
Reported
2024-01-03 08:15
Platform
win10v2004-20231215-en
Max time kernel
19s
Max time network
151s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\174607483f14cc2c3dae74fb06e151ef.dll,#1
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\fxQSm\SystemPropertiesAdvanced.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\o36\mspaint.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\RrD5f\raserver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\fxQSm\SystemPropertiesAdvanced.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\o36\mspaint.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\RrD5f\raserver.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hwtkseldaftjsj = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\E23I1Pj61\\mspaint.exe" | N/A | N/A |
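The Executes dropped EXE, Loads dropped DLL and Adds Run key signatures in both runs describe one pattern: a legitimate Windows binary is copied into a randomly named folder under AppData, a DLL or CPL carrying the payload is dropped beside it, and a Run key points at the copy. The Python triage script below is an added example, not part of the sandbox report or of any vendor tooling; it applies the checks a responder would run over the process paths, dropped-file paths and Run-key values as printed on this page (embedded as constructed input from the behavioral2 Processes and Files sections and both runs' Run-key rows) and touches no live host. The system-directory prefixes and the `.dll`/`.cpl` extension filter are my assumptions.

```python
import ntpath

# Constructed from the report: behavioral2 process list (de-duplicated), the
# files dropped in behavioral2, and both runs' Run-key values. The report prints
# registry strings with doubled backslashes; they are kept as printed here.
PROCESSES_B2 = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\mspaint.exe",
    r"C:\Users\Admin\AppData\Local\RrD5f\raserver.exe",
    r"C:\Windows\system32\raserver.exe",
    r"C:\Users\Admin\AppData\Local\o36\mspaint.exe",
    r"C:\Users\Admin\AppData\Local\fxQSm\SystemPropertiesAdvanced.exe",
    r"C:\Windows\system32\SystemPropertiesAdvanced.exe",
]
DROPPED_B2 = [
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mkzwiunlad.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ecxR8p8hNk\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\E23I1Pj61\WINMM.dll",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\K2q\WTSAPI32.dll",
]
RUN_VALUES = {
    "Rtxtioiynm": r"C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\Ym\\SYSTEM~1.EXE",
    "Hwtkseldaftjsj": r"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\E23I1Pj61\\mspaint.exe",
}

# Assumed set of directories a Windows-owned binary may legitimately run from.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def unescape_reg(value):
    """Collapse the doubled backslashes the report uses for registry strings."""
    return value.replace("\\\\", "\\")


def is_system_path(path):
    return path.lower().startswith(SYSTEM_DIRS)


def masquerading_copies(process_paths):
    """Executables whose file name also ran from a system directory but which
    executed from elsewhere (here: per-sample folders under AppData\\Local)."""
    by_name = {}
    for p in dict.fromkeys(process_paths):  # keep first-seen order, drop repeats
        by_name.setdefault(ntpath.basename(p).lower(), []).append(p)
    flagged = []
    for paths in by_name.values():
        if any(is_system_path(p) for p in paths):
            flagged.extend(p for p in paths if not is_system_path(p))
    return flagged


def suspicious_run_values(run_values):
    """Run-key entries whose target lives in the profile's AppData tree.
    Matching the 'appdata' component rather than 'Microsoft' or 'Roaming'
    survives the 8.3 short names (MICROS~1, PRINTE~1) seen in the first run."""
    hits = []
    for name, value in run_values.items():
        target = unescape_reg(value)
        if "\\appdata\\" in target.lower():
            hits.append((name, target))
    return hits


def sideload_pairs(dropped_files, run_values):
    """Pair each persisted executable with a dropped DLL/CPL in the same folder,
    the layout a side-loading host binary needs to find its planted library."""
    libs = {}
    for f in dropped_files:
        if ntpath.splitext(f)[1].lower() in (".dll", ".cpl"):
            libs.setdefault(ntpath.dirname(f).lower(), []).append(f)
    pairs = []
    for _, target in suspicious_run_values(run_values):
        for lib in libs.get(ntpath.dirname(target).lower(), []):
            pairs.append((target, lib))
    return pairs


if __name__ == "__main__":
    for p in masquerading_copies(PROCESSES_B2):
        print("system binary running outside a system directory:", p)
    for name, target in suspicious_run_values(RUN_VALUES):
        print(f"Run\\{name} -> {target}")
    for exe, lib in sideload_pairs(DROPPED_B2, RUN_VALUES):
        print("side-load pair:", ntpath.basename(exe), "+", ntpath.basename(lib))
```

Two caveats for use beyond this report. First, `masquerading_copies` learns the "known system binary" names from the process list itself, which is enough for a sandbox trace; on a live host compare against the real contents of System32 instead. Second, the first run's Run value uses 8.3 short names (MICROS~1, PRINTE~1, SYSTEM~1.EXE), so any rule that matches on the long spellings of those components would miss it; normalise short names or match on components that are short-name safe, as the check above does.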
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\fxQSm\SystemPropertiesAdvanced.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\o36\mspaint.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\RrD5f\raserver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3436 wrote to memory of 4804 | N/A | N/A | C:\Windows\system32\SystemPropertiesAdvanced.exe |
| PID 3436 wrote to memory of 4804 | N/A | N/A | C:\Windows\system32\SystemPropertiesAdvanced.exe |
| PID 3436 wrote to memory of 452 | N/A | N/A | C:\Users\Admin\AppData\Local\fxQSm\SystemPropertiesAdvanced.exe |
| PID 3436 wrote to memory of 452 | N/A | N/A | C:\Users\Admin\AppData\Local\fxQSm\SystemPropertiesAdvanced.exe |
| PID 3436 wrote to memory of 1292 | N/A | N/A | C:\Windows\system32\mspaint.exe |
| PID 3436 wrote to memory of 1292 | N/A | N/A | C:\Windows\system32\mspaint.exe |
| PID 3436 wrote to memory of 2192 | N/A | N/A | C:\Users\Admin\AppData\Local\o36\mspaint.exe |
| PID 3436 wrote to memory of 2192 | N/A | N/A | C:\Users\Admin\AppData\Local\o36\mspaint.exe |
| PID 3436 wrote to memory of 3328 | N/A | N/A | C:\Windows\system32\raserver.exe |
| PID 3436 wrote to memory of 3328 | N/A | N/A | C:\Windows\system32\raserver.exe |
| PID 3436 wrote to memory of 4072 | N/A | N/A | C:\Users\Admin\AppData\Local\RrD5f\raserver.exe |
| PID 3436 wrote to memory of 4072 | N/A | N/A | C:\Users\Admin\AppData\Local\RrD5f\raserver.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\174607483f14cc2c3dae74fb06e151ef.dll,#1
C:\Windows\system32\mspaint.exe
C:\Users\Admin\AppData\Local\RrD5f\raserver.exe
C:\Windows\system32\raserver.exe
C:\Users\Admin\AppData\Local\o36\mspaint.exe
C:\Users\Admin\AppData\Local\fxQSm\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| IE | 20.223.36.55:443 | | tcp |
| IE | 20.223.36.55:443 | | tcp |
| IE | 20.223.36.55:443 | | tcp |
| IE | 20.223.36.55:443 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
Rows with an empty Domain column are direct connections by IP; the *.in-addr.arpa names are reverse (PTR) lookups sent to 8.8.8.8, and tse1.mm.bing.net is a Microsoft-operated host. The report attributes none of this traffic to a specific process, so it does not establish which, if any, of these endpoints the sample itself contacted; the two IP-only endpoints (20.231.121.79:80 and 20.223.36.55:443) are the ones to check against current threat intelligence before treating them as indicators.
Files
memory/640-1-0x00000278BE410000-0x00000278BE417000-memory.dmp
memory/640-0-0x0000000140000000-0x0000000140120000-memory.dmp
memory/640-7-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-18-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-28-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-32-0x00000000078B0000-0x00000000078B7000-memory.dmp
memory/3436-31-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-39-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-51-0x0000000140000000-0x0000000140120000-memory.dmp
memory/452-60-0x0000000140000000-0x0000000140121000-memory.dmp
memory/452-66-0x0000000140000000-0x0000000140121000-memory.dmp
memory/452-61-0x000001C0BACC0000-0x000001C0BACC7000-memory.dmp
memory/2192-78-0x000002CA51C80000-0x000002CA51C87000-memory.dmp
memory/2192-82-0x0000000140000000-0x0000000140122000-memory.dmp
memory/4072-97-0x0000000140000000-0x0000000140121000-memory.dmp
memory/4072-93-0x00000281B9F70000-0x00000281B9F77000-memory.dmp
memory/2192-79-0x0000000140000000-0x0000000140122000-memory.dmp
memory/3436-49-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-40-0x00007FFB88D40000-0x00007FFB88D50000-memory.dmp
memory/3436-30-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-29-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-27-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-26-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-25-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-24-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-23-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-22-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-21-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-20-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-19-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-17-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-16-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-15-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-14-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-13-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-12-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-11-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-8-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-10-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-9-0x00007FFB87D6A000-0x00007FFB87D6B000-memory.dmp
memory/3436-6-0x0000000140000000-0x0000000140120000-memory.dmp
memory/3436-4-0x00000000078D0000-0x00000000078D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mkzwiunlad.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
These four values are the hashes of a zero-byte file, so this Startup-folder shortcut was empty when captured; the path itself (a .lnk in the user's Startup folder, written under an 8.3 short name) is the usable indicator, not the hashes.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ecxR8p8hNk\SYSDM.CPL
| MD5 | 9fb8e9c0c04130466cfedd80a476261e |
| SHA1 | 1172b1f4a7acfe5fedc4f9739f68cdb5326299ea |
| SHA256 | defaf668afa79c391677c8777d8a49bdc0311596ddff563315b35f56d0097bcb |
| SHA512 | 0c52869024c5a1d1f68a7be0a8d7549dc4c76ab26f16a2659b374d792ee038408e53ea8a2695198a747fc882b275551fed3f03d6829a78a066916a6fed17b5c4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\E23I1Pj61\WINMM.dll
| MD5 | 8db9833ee17c0f616f2eb2f663cbc1da |
| SHA1 | df905c4da9cc1b281bf0603389abce2b6efc8b81 |
| SHA256 | 3b623470fe88e09f3fba8e373325d8c8aeccd25541e8e843aecf76550493193f |
| SHA512 | 94af690d4f6e1613842248ca8d03f4779d0d7944a44f9ac3d7df4689f81cac81a9d193b73a9aa33f59d03bce8272bce1a370cda0032f4d75a97ca583d920be33 |
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\K2q\WTSAPI32.dll
| MD5 | 5740808152cf3a03399ab7dc87084908 |
| SHA1 | 351e01543bb0e2791d5ffde975a3ab1cfbd8927f |
| SHA256 | 6dd231a62905716cc620500e5401c615c05ef6ecf42698f7310a9e9a5634f15d |
| SHA512 | b95041b358656ac9ad0f47d5ec5d323aed1d803072ba3acda205c45721cafc5e06ab66e7e70a3ed254c86a5d10ea2fc3aecb18c9ca0a8f56d165107b1f31265c |
The three dropped libraries (SYSDM.CPL, WINMM.dll, WTSAPI32.dll) are the companions for the three host binaries this run copied under AppData\Local (SystemPropertiesAdvanced.exe, mspaint.exe, raserver.exe), which the Loads dropped DLL signature shows each loading a dropped module; the Run-key target mspaint.exe sits in the same E23I1Pj61 directory as WINMM.dll. The hashes above are of the dropped library files, not of the renamed, unmodified Windows binaries beside them, so hash-based blocking should target these three files and the original sample, while the copied executables are better caught by path (a Windows-owned name executing from under AppData).