Malware Analysis Report

2024-11-30 21:36

Sample ID 231231-ck4mzsefc9
Target 23f9722883a35d597e3c81e25467946e
SHA256 574f1ff94f0541c9f61e481da5571b871f08cc353dfd3e7ac3f26db7c48092bd
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

574f1ff94f0541c9f61e481da5571b871f08cc353dfd3e7ac3f26db7c48092bd

Threat Level: Known bad

The file 23f9722883a35d597e3c81e25467946e was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 02:09

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 02:09

Reported

2024-01-05 04:03

Platform

win7-20231215-en

Max time kernel

150s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\23f9722883a35d597e3c81e25467946e.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\C0ZUD\DeviceDisplayObjectProvider.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\tPVJ3\osk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xhz7\DevicePairingWizard.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\tnhZ1T\\osk.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\xhz7\DevicePairingWizard.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\C0ZUD\DeviceDisplayObjectProvider.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\tPVJ3\osk.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 1256 N/A N/A C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1204 wrote to memory of 1256 N/A N/A C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1204 wrote to memory of 1256 N/A N/A C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1204 wrote to memory of 2696 N/A N/A C:\Users\Admin\AppData\Local\C0ZUD\DeviceDisplayObjectProvider.exe
PID 1204 wrote to memory of 2696 N/A N/A C:\Users\Admin\AppData\Local\C0ZUD\DeviceDisplayObjectProvider.exe
PID 1204 wrote to memory of 2696 N/A N/A C:\Users\Admin\AppData\Local\C0ZUD\DeviceDisplayObjectProvider.exe
PID 1204 wrote to memory of 3056 N/A N/A C:\Windows\system32\osk.exe
PID 1204 wrote to memory of 3056 N/A N/A C:\Windows\system32\osk.exe
PID 1204 wrote to memory of 3056 N/A N/A C:\Windows\system32\osk.exe
PID 1204 wrote to memory of 1868 N/A N/A C:\Users\Admin\AppData\Local\tPVJ3\osk.exe
PID 1204 wrote to memory of 1868 N/A N/A C:\Users\Admin\AppData\Local\tPVJ3\osk.exe
PID 1204 wrote to memory of 1868 N/A N/A C:\Users\Admin\AppData\Local\tPVJ3\osk.exe
PID 1204 wrote to memory of 1196 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 1204 wrote to memory of 1196 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 1204 wrote to memory of 1196 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 1204 wrote to memory of 1556 N/A N/A C:\Users\Admin\AppData\Local\xhz7\DevicePairingWizard.exe
PID 1204 wrote to memory of 1556 N/A N/A C:\Users\Admin\AppData\Local\xhz7\DevicePairingWizard.exe
PID 1204 wrote to memory of 1556 N/A N/A C:\Users\Admin\AppData\Local\xhz7\DevicePairingWizard.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\23f9722883a35d597e3c81e25467946e.dll,#1

C:\Users\Admin\AppData\Local\C0ZUD\DeviceDisplayObjectProvider.exe

C:\Users\Admin\AppData\Local\C0ZUD\DeviceDisplayObjectProvider.exe

C:\Windows\system32\DeviceDisplayObjectProvider.exe

C:\Windows\system32\DeviceDisplayObjectProvider.exe

C:\Windows\system32\osk.exe

C:\Windows\system32\osk.exe

C:\Users\Admin\AppData\Local\tPVJ3\osk.exe

C:\Users\Admin\AppData\Local\tPVJ3\osk.exe

C:\Windows\system32\DevicePairingWizard.exe

C:\Windows\system32\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\xhz7\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\xhz7\DevicePairingWizard.exe

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 02:09

Reported

2024-01-05 04:03

Platform

win10v2004-20231222-en

Max time kernel

3s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\23f9722883a35d597e3c81e25467946e.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\23f9722883a35d597e3c81e25467946e.dll,#1

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\8cUn95O9O\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\8cUn95O9O\SystemPropertiesDataExecutionPrevention.exe

C:\Windows\system32\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

C:\Users\Admin\AppData\Local\jXHH\BdeUISrv.exe

C:\Users\Admin\AppData\Local\jXHH\BdeUISrv.exe

C:\Users\Admin\AppData\Local\2Ex9d5\wlrmdr.exe

C:\Users\Admin\AppData\Local\2Ex9d5\wlrmdr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 204.79.197.200:443 tcp

Files

C:\Users\Admin\AppData\Local\8cUn95O9O\SYSDM.CPL

MD5 9e808ed225d34e28d10df34ec73d7b0e
SHA1 12c05a360e40475b5ff611795129a4d5ba1096d4
SHA256 cc115559b99e76c3d6a2428b314c176b7dfdba1a2bc1d98a054bbdb59f1407e5
SHA512 edd72bd01efda4d0dc79c365d2051f126f48225948086767df7fba4f01a5ab8f62d9eb797c4c164f4d81dde466da8b135c8a0feb147df4ee5fe977183114e8d1

C:\Users\Admin\AppData\Local\8cUn95O9O\SystemPropertiesDataExecutionPrevention.exe

MD5 de58532954c2704f2b2309ffc320651d
SHA1 0a9fc98f4d47dccb0b231edf9a63309314f68e3b
SHA256 1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3
SHA512 d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

C:\Users\Admin\AppData\Local\jXHH\WTSAPI32.dll

MD5 63f58594c3fc344df441728f8954142b
SHA1 5392b49d41c2feb6cc7146b6375602872e2c3754
SHA256 ae051b68bf8b35c23e0e009e30b7d4bd374964434a8aa694eb517ca917462aeb
SHA512 bea2b9db9280c155008be31643daba115e5d5580e5a5c34fc18c267b30602040fb198d29a0c04cf0edb33d168bcbb67f09c44b24c5baa1f7ec312767b0798940

C:\Users\Admin\AppData\Local\jXHH\BdeUISrv.exe

MD5 8595075667ff2c9a9f9e2eebc62d8f53
SHA1 c48b54e571f05d4e21d015bb3926c2129f19191a
SHA256 20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db
SHA512 080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

C:\Users\Admin\AppData\Local\2Ex9d5\DUI70.dll

MD5 5778498d28bdd0992e7f14021f31f431
SHA1 2e6aa54a115f9bc52337f85db5257c4ff8175969
SHA256 087775601141028da6c411938419ab2213b35138ce5e3aca66b3601386b8ae07
SHA512 4cd5bc909b3fadeb14be3dbca3c939a63f76e3fd4a40368b943c89e708f858537d3b9f3314edc70a38ba24869bb270548ee8fd3beb3d8f817c972bde4bc5d4bf

C:\Users\Admin\AppData\Local\2Ex9d5\wlrmdr.exe

MD5 ef9bba7a637a11b224a90bf90a8943ac
SHA1 4747ec6efd2d41e049159249c2d888189bb33d1d
SHA256 2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1
SHA512 4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

MD5 a7b703ce61296ecad7855ba80484317a
SHA1 8ed17a4c94b0f4812d50b2273c602bed42dfd71b
SHA256 75cde7b27755679086aaa4bfb5e08833da5ce90d82aee92d145e1eced70addac
SHA512 ec2130dc0e193141bd9b0a7fb97816cc2c5b192aa2ffd0dc74933de4142197187bcb32f6715f1e391078f28eb96e24025c3458f3f60a3f4033deb3a3c50e7563