Analysis Overview
SHA256
a8f8057aa9fd339815baffe9221e0f59f92947f45ee1d4a7c42770f5d0744170
Threat Level: Known bad
The file 4ad438c7cc3df936568e20850bc2daad, a DLL detonated through rundll32.exe by calling export ordinal #1, was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-08 07:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-08 07:36
Reported
2024-01-08 07:38
Platform
win7-20231215-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\uCkyR0Z\\rstrui.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1212 wrote to memory of 1996 | N/A | N/A | C:\Windows\system32\sigverif.exe |
| PID 1212 wrote to memory of 1996 | N/A | N/A | C:\Windows\system32\sigverif.exe |
| PID 1212 wrote to memory of 1996 | N/A | N/A | C:\Windows\system32\sigverif.exe |
| PID 1212 wrote to memory of 2428 | N/A | N/A | C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe |
| PID 1212 wrote to memory of 2428 | N/A | N/A | C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe |
| PID 1212 wrote to memory of 2428 | N/A | N/A | C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe |
| PID 1212 wrote to memory of 704 | N/A | N/A | C:\Windows\system32\rstrui.exe |
| PID 1212 wrote to memory of 704 | N/A | N/A | C:\Windows\system32\rstrui.exe |
| PID 1212 wrote to memory of 704 | N/A | N/A | C:\Windows\system32\rstrui.exe |
| PID 1212 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe |
| PID 1212 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe |
| PID 1212 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe |
| PID 1212 wrote to memory of 872 | N/A | N/A | C:\Windows\system32\mstsc.exe |
| PID 1212 wrote to memory of 872 | N/A | N/A | C:\Windows\system32\mstsc.exe |
| PID 1212 wrote to memory of 872 | N/A | N/A | C:\Windows\system32\mstsc.exe |
| PID 1212 wrote to memory of 1964 | N/A | N/A | C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe |
| PID 1212 wrote to memory of 1964 | N/A | N/A | C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe |
| PID 1212 wrote to memory of 1964 | N/A | N/A | C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ad438c7cc3df936568e20850bc2daad.dll,#1
C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe
C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe
C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe
C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe
C:\Windows\system32\mstsc.exe
C:\Windows\system32\mstsc.exe
C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe
C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe
Network
Files
memory/760-1-0x00000000001A0000-0x00000000001A7000-memory.dmp
memory/760-0-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-4-0x0000000076F66000-0x0000000076F67000-memory.dmp
memory/1212-5-0x00000000029E0000-0x00000000029E1000-memory.dmp
memory/1212-7-0x0000000140000000-0x0000000140182000-memory.dmp
memory/760-8-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-9-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-10-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-13-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-14-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-11-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-12-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-15-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-16-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-19-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-17-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-18-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-20-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-21-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-24-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-28-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-29-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-27-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-32-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-35-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-36-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-38-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-37-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-33-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-39-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-40-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-41-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-44-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-47-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-46-0x00000000029C0000-0x00000000029C7000-memory.dmp
memory/1212-45-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-43-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-42-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-34-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-31-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-30-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-26-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-25-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-22-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-23-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-54-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-56-0x00000000771D0000-0x00000000771D2000-memory.dmp
memory/1212-55-0x0000000077071000-0x0000000077072000-memory.dmp
memory/1212-65-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-69-0x0000000140000000-0x0000000140182000-memory.dmp
memory/1212-75-0x0000000140000000-0x0000000140182000-memory.dmp
C:\Users\Admin\AppData\Local\H5Wh4T\VERSION.dll
| MD5 | 19b775adf33cea3ff4abb89931960bd9 |
| SHA1 | bc874ab26743412fe43b712bd145242c1134c252 |
| SHA256 | bec0191f2554dfc417cd585081ce62019985a985db71a537d8325263c9eb30b7 |
| SHA512 | 33a403bb8af7246102fbc28fabea1f9e106eb852755120d483b6109b9ef989429549a2a92bac9cf48fcfc3eced1a25ef3579f95362b86ef9d917d0ee0ba9e24a |
\Users\Admin\AppData\Local\H5Wh4T\VERSION.dll
| MD5 | 9e667b7965a7581430b1ca6e98c977ef |
| SHA1 | 4b7feeab29b39d56102e9891c21f46a79b6572ea |
| SHA256 | 5f2d1aa290ee0faf95d64116e0bf635acb99f8a671e8847dc0f5c6c9450ad4f4 |
| SHA512 | 36ab5cdf34a8acfae94217df62f598c432e8fe3f61c511c0bb5b961343f8422d3830928bea265e7289ce76ca620210f8e91da6c1f8d0c34a4ea14177d448588e |
memory/2428-84-0x0000000140000000-0x0000000140183000-memory.dmp
memory/2428-83-0x0000000000220000-0x0000000000227000-memory.dmp
C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe
| MD5 | c21611aed7faea7da784e205c4a799c5 |
| SHA1 | f6f1c62c9aa52dafd47fd0805fb6e1191a9ceba6 |
| SHA256 | 04aaa6cf10841549a41cdf6dd028bfdcbed163e2a559078086099afc7a1a8240 |
| SHA512 | 9421ae2de44d85181e814fc29713e689b9a68647f662528c9975fd18f1f81dc9781c0290491d85c044516e2500954a1a3b2b4260856dbddfb6024bb9b9de8445 |
C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe
| MD5 | 8390b8ac0b6632803f5faa9c930acdc7 |
| SHA1 | 3798ca50c6069fe2e0a6c873c1e4ddae7eca6b2e |
| SHA256 | 89887a4fe44a64698a044f154c21ad5f71a7f18cbeddbe00a2bec0d7da89862e |
| SHA512 | 6516e11a4774b6a4684ccb543b5671a9e92421a2aee64751131a563558c7fbe23e9d67809354f13653cb16c26a3309d03845cb97462a4a531ff29f001a81594d |
\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe
| MD5 | e8e95ae5534553fc055051cee99a7f55 |
| SHA1 | 4e0f668849fd546edd083d5981ed685d02a68df4 |
| SHA256 | 9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec |
| SHA512 | 5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6 |
C:\Users\Admin\AppData\Local\4d6SnF2Jt\SRCORE.dll
| MD5 | 11e11ca22d92810abac16e965e372b8d |
| SHA1 | de01f798af963512a69f6ee9d1e3685644c17acf |
| SHA256 | d0191718bac1bef333b58e749aacdce6bed971898f6e3d3b3d931aed24c0c4ea |
| SHA512 | 8a9e5c38f3ec0047fd9ba5812708503b7c37fe8e043dba17908a13077f9d9b6bfda55af37915e857e8193075c172f1bdab638c75e0fb99eb641696ea37dd6552 |
\Users\Admin\AppData\Local\4d6SnF2Jt\SRCORE.dll
| MD5 | d40941522200ff8c76041c048476f663 |
| SHA1 | 56d84e74ba97989dfab91d2df20db596b4322949 |
| SHA256 | 01c53b49b2a22c271c77f0643e39f16efac45446c5eccdb5e2ddac1c88061684 |
| SHA512 | 5edb56502505291877c59f48507ed9ff55c1c89fce672ab210101917b591295afd531d178e88d3380e0efb5ae3917ea7fa55d74309306b6e83892d84639c0e32 |
memory/2872-101-0x0000000000180000-0x0000000000187000-memory.dmp
C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe
| MD5 | c8bf27bb959ec55b95ab68ef62873a07 |
| SHA1 | 43fdfd994440dafe611164e502ff72f2d066ec9f |
| SHA256 | 360ce6f28d7b2e58a86096e3d6472ae4a5f69ae6247e8b7161716f9b614b32c1 |
| SHA512 | 6d1cc6aea12f28e44f2d1dd5ad2fe712621797b79d8b2182ed985cc4e86e78dbec1a19304145373f94b5d78ae5c420266a3483f92d8f786666378ad664c1b145 |
\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe
| MD5 | 3b5516a9a6400f725dc584a2a2866288 |
| SHA1 | de8f21273b31f978ae6cebae35ee2a0be37a280d |
| SHA256 | e1fa55ccf1d232a550aa40977324925ef4acdba7c1a9fb9a267cbf9191785da6 |
| SHA512 | d3c938be92318742f5db5e149be2189b150396c035dfc1080e0340d059713e868f232b2a5473ed5db3eeb2228123066e88588a5f2320d9ff03557bba7b724983 |
C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe
| MD5 | 54f7a8d30d651733cb4d7faa3440d50a |
| SHA1 | 5ed7f892fb11c9d75d52cf995c6cfdecbe77173b |
| SHA256 | d9fdf31360158092588076a2e59fd4bd6405a512853584922730951c922e938f |
| SHA512 | e3670e0ce704220df96b15dd8257efe9069fa910315aefc68d35657453a0670b689666bcbab8071ded234951f1344d23216d89113d76a5114107c5077f04e426 |
C:\Users\Admin\AppData\Local\8NXxjtKJP\credui.dll
| MD5 | 40c88ef5c0323999cac405a511d57712 |
| SHA1 | d9429a0b08104bfe815f63b9f53e6849d991bcd5 |
| SHA256 | 87f8049cbe541b58dc6e2123fe6a05f8548631e464b89291f2201706d27caf5a |
| SHA512 | 8ae0a0675469c83e2c75003900fb3f2c0806ae4e66c03361150292765a974054d9a342c358ae6648ccae0e0c76375b12afc27f21a0296d072d9d59d4dedef27e |
memory/1964-123-0x0000000000390000-0x0000000000397000-memory.dmp
\Users\Admin\AppData\Local\8NXxjtKJP\credui.dll
| MD5 | 6735cc0c30d1da2b5d7d7e7f05ac5b31 |
| SHA1 | 7cda787307252f9cd866cebd8836bcf13c6164fc |
| SHA256 | 2dccf107f295523cf9e8d39ade2336d3b3a8ed8bf395491630f81f607a3406da |
| SHA512 | e38ead07a63c4b221ce26c3bef6717ed1747b40b69935e0083cf6e4c042ff9a74e03ad370ae53a55e799c8543b5a6ba39fd97bc21ec38aafbbfd77a97d1bbac9 |
C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe
| MD5 | b74fd9655f325c39d355283a5483b2c6 |
| SHA1 | 25d98ead7633ae705cfbb2e3eb489922bed64c75 |
| SHA256 | 84839c7150e3edfd9ee320ff1a407d46b66c2753773a36d6505d0ff02c20ee3c |
| SHA512 | f41467bb57199334e93cbe7f668c98338e507ed450a121cd2a2cca175b120aa6ce44158e8fd6ae31ff1af0e9f424a6bf2e4d176c7fd30650ce0281178535c6aa |
\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe
| MD5 | 25487566fbc9130567d2d5627b102e59 |
| SHA1 | 3c6ebc48bf81e576f12ae5bfae0205736ec6be33 |
| SHA256 | c7e8e42c20d5ecf82b1a2a05a2acd57f5168f5b1b5a83a92c62d7fa5ce9ea5ea |
| SHA512 | 22b90c056d4527a0aa0246a89117fd96c6068b1859c6ab99b03544cde1210cdfa01e8ce875bbf8a6a6b203f3f335272c122370ec9c7faab2dd1b5d3446e9459d |
C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe
| MD5 | 1b20f7c3cb3617e5b35a2f4bf961877b |
| SHA1 | 97c18b1d85efbb7ecbe216e5e0c68f4bf2a7fae3 |
| SHA256 | 06e2ca18341a3c92b14033094f66dd8821e96a7521f87afe9efb0d9bd7c32630 |
| SHA512 | 1839de9d576c093407434ed1102ea58e78204c0ad134528b777f1bf530c709384036aa2e6747d30242ff9fdf514fb617e65fb4e53b43c0121f9eea148e08c7e2 |
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\HNXMTQXM\KX2XT\mstsc.exe
| MD5 | 9db6b983c0cfa8495cd6d488ab2f00e0 |
| SHA1 | c1d3ea31a2454c5621af0b1c5e1f183530955bb7 |
| SHA256 | 8ceab0906997130dacebca54c9994656d486420b0391e077daf3a8d90cd776d5 |
| SHA512 | 9c43b382bddfb94375cfa78a1288fc721cc7874d0403fc4aed1e2e2843673be24eaeef662794eda59d2fbf0a56586692055e44e52300b8b1a51ba0027133aeba |
memory/1212-151-0x0000000076F66000-0x0000000076F67000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk
| MD5 | 981f715fa467e38f939b3c2383476870 |
| SHA1 | 645beabf38aab15606cc9a3b5be306d38f54ae66 |
| SHA256 | 16164a19686758f2060166a7ccd44f424456a7479aac00eb85cb6fccc06fe37e |
| SHA512 | e4ff5bc92f0e3c4ccfb3254c257ee5ccd6049b536e0eb184b2a745da8eb634c63118611eb661f105356be760e48a5c8b878cb89d61fbb7cf20300b524911fde6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\rzux\VERSION.dll
| MD5 | edb746fa6802359b5d23cc7d4efaaca6 |
| SHA1 | 5ac6df76b72898bd4abb0f666647d2db6d3b5219 |
| SHA256 | cb58419366e42b08eb81973eb82816af37e575d6d9831a2523d90759a9a11da6 |
| SHA512 | e37e0ef24bc6a9684c4d2f931e5be3c8fe2cd4206f535394867e9e1d6835dfa01bd444d5d0b4a6020cf2cceb95d2d6fc12f10560578a20017cc628f1efada665 |
C:\Users\Admin\AppData\Roaming\Mozilla\uCkyR0Z\SRCORE.dll
| MD5 | dd18f0c8cf80a7cc05df9c09ab408d21 |
| SHA1 | 2f14113869f3c4248199ea87021db015218d7b58 |
| SHA256 | ebdb5b329a2cdac97e4d82d8102ab1cc2bdb36b421ae5f433f5a441bc88d9758 |
| SHA512 | 51e175a96ea122766c5bdbf89920f0df6e099dedb88ead3b458b5215fb6497164f3463801cce52e0b3e94317eac1e2d8a56e498eb485d03a306f68572e83c3d3 |
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\HNXMTQXM\KX2XT\credui.dll
| MD5 | c8bbdda711ae5d11a3338490e107ad04 |
| SHA1 | 161e6fa7e84aec0a8c0a81bdc94d168836b30e1a |
| SHA256 | a88dd8aff24974409236ef6e7b652e0e707ec6287f34f17f3bf7f9d2b6aa82f2 |
| SHA512 | e563e4d27aa46028217489589c15842a1174e1e6370e774bdf1232a6bb25f7ae87f13a58bcf3b3405d06d63a63478583401bc1af1eda1a2c783902e3f2f9ef50 |
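The behavioral1 run above shows the loader pattern worth hunting for: a legitimate Windows binary (sigverif.exe, rstrui.exe, mstsc.exe) is first executed from C:\Windows\system32, then a copy of it runs from a randomly named directory under AppData\Local with a DLL beside it that carries the name of a system DLL the host binary imports (VERSION.dll, SRCORE.dll, credui.dll). That is DLL side-loading (ATT&CK T1574.002). Persistence is a Run key (T1547.001) whose target, C:\Users\Admin\AppData\Roaming\Mozilla\uCkyR0Z\rstrui.exe, sits in yet another staging directory where the report also records SRCORE.dll, plus a Startup-folder .lnk. The script below is an added example, not part of the sandbox report and not the sandbox vendor's tooling; the process, file and registry facts are transcribed from the report (paths only), and the heuristics, the drive-letter-agnostic "Windows directory" test and the use of this run's own process list as the set of legitimate binary names are the editor's assumptions.

```python
"""Triage of the behavioral1 (win7) report facts for DLL side-loading and
persistence. Added example: event lists are transcribed from the report,
heuristics are the editor's own and are not the sandbox vendor's logic."""
from collections import defaultdict
from pathlib import PureWindowsPath
import re

# Process image paths in the order the report lists them (repeats collapsed).
PROCESSES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\sigverif.exe",
    r"C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe",
    r"C:\Windows\system32\rstrui.exe",
    r"C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe",
    r"C:\Windows\system32\mstsc.exe",
    r"C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe",
]

# Files the report records as written during the run (hashes omitted).
DROPPED = [
    r"C:\Users\Admin\AppData\Local\H5Wh4T\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe",
    r"C:\Users\Admin\AppData\Local\4d6SnF2Jt\SRCORE.dll",
    r"C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe",
    r"C:\Users\Admin\AppData\Local\8NXxjtKJP\credui.dll",
    r"C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\rzux\VERSION.dll",
    r"C:\Users\Admin\AppData\Roaming\Mozilla\uCkyR0Z\SRCORE.dll",
    r"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\HNXMTQXM\KX2XT\mstsc.exe",
    r"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\HNXMTQXM\KX2XT\credui.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk",
]

# The "Adds Run key to start application" indicator, verbatim from the report.
RUN_KEY_INDICATOR = (
    r"\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "
    r'"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\uCkyR0Z\\rstrui.exe"'
)


def _dir(path):
    """Lower-cased parent directory, used as the grouping key everywhere."""
    return str(PureWindowsPath(path).parent).lower()


def is_windows_dir(path):
    """True when the image lives under the Windows directory (drive ignored)."""
    parts = PureWindowsPath(path).parts
    return len(parts) > 1 and parts[1].lower() == "windows"


def sideload_candidates(processes, dropped):
    """Map each binary that ran from outside the Windows directory, but whose
    file name also ran from inside it, to the DLLs dropped beside it: a copied
    signed host EXE plus a look-alike DLL it will resolve by name."""
    system_names = {PureWindowsPath(p).name.lower() for p in processes if is_windows_dir(p)}
    dlls_by_dir = defaultdict(list)
    for f in dropped:
        if PureWindowsPath(f).suffix.lower() == ".dll":
            dlls_by_dir[_dir(f)].append(f)
    return {
        p: dlls_by_dir.get(_dir(p), [])
        for p in processes
        if not is_windows_dir(p) and PureWindowsPath(p).name.lower() in system_names
    }


_RUN_RE = re.compile(r'^(?P<key>\\REGISTRY\\.*\\CurrentVersion\\Run)\\(?P<name>\S+) = "(?P<data>.*)"$')


def parse_run_value(indicator, processes):
    """Split a 'Set value (str)' indicator into key, value name and target, and
    flag a target named like a binary that ran from the Windows directory."""
    m = _RUN_RE.match(indicator)
    if m is None:
        return None
    target = m.group("data").replace("\\\\", "\\")  # undo the report's escaping
    system_names = {PureWindowsPath(p).name.lower() for p in processes if is_windows_dir(p)}
    return {
        "key": m.group("key"),
        "value": m.group("name"),
        "target": target,
        "masquerades_as_system_binary": PureWindowsPath(target).name.lower() in system_names,
    }


def dlls_beside(path, dropped):
    """DLLs dropped into the same directory as path (e.g. the Run key target)."""
    return [f for f in dropped if PureWindowsPath(f).suffix.lower() == ".dll" and _dir(f) == _dir(path)]


def startup_links(dropped):
    """.lnk files written into a Startup folder; matched on the final path
    component so the 8.3 short form the report records is still caught."""
    return [
        f for f in dropped
        if PureWindowsPath(f).suffix.lower() == ".lnk"
        and any(p.lower() == "startup" for p in PureWindowsPath(f).parts)
    ]


if __name__ == "__main__":
    for exe, dlls in sideload_candidates(PROCESSES, DROPPED).items():
        print(exe, "->", dlls)
    rv = parse_run_value(RUN_KEY_INDICATOR, PROCESSES)
    print(rv["value"], rv["target"], rv["masquerades_as_system_binary"])
    print(dlls_beside(rv["target"], DROPPED))
    print(startup_links(DROPPED))
```

Two caveats when turning this into a hunt. The Startup path appears in the report in 8.3 short form (MICROS~1, STARTM~1), so a rule that matches the long name "Start Menu" misses it; match on the Startup component or normalise short names first. And the report records three different hash sets for the single path C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe, so the file's content was not constant during the run; pin hunts to the path-and-sibling pattern and to the DLL hashes rather than to one EXE hash.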
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-08 07:36
Reported
2024-01-08 07:38
Platform
win10v2004-20231215-en
Max time kernel
131s
Max time network
151s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\RC2s\GamePanel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\9i2C0nYd\Taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\aQscxslk\ProximityUxHost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\RC2s\GamePanel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\9i2C0nYd\Taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\aQscxslk\ProximityUxHost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\mGXSbkbSe\\Taskmgr.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\RC2s\GamePanel.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\9i2C0nYd\Taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\aQscxslk\ProximityUxHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3520 wrote to memory of 4828 | N/A | N/A | C:\Windows\system32\GamePanel.exe |
| PID 3520 wrote to memory of 4828 | N/A | N/A | C:\Windows\system32\GamePanel.exe |
| PID 3520 wrote to memory of 4860 | N/A | N/A | C:\Users\Admin\AppData\Local\RC2s\GamePanel.exe |
| PID 3520 wrote to memory of 4860 | N/A | N/A | C:\Users\Admin\AppData\Local\RC2s\GamePanel.exe |
| PID 3520 wrote to memory of 1992 | N/A | N/A | C:\Windows\system32\Taskmgr.exe |
| PID 3520 wrote to memory of 1992 | N/A | N/A | C:\Windows\system32\Taskmgr.exe |
| PID 3520 wrote to memory of 3124 | N/A | N/A | C:\Users\Admin\AppData\Local\9i2C0nYd\Taskmgr.exe |
| PID 3520 wrote to memory of 3124 | N/A | N/A | C:\Users\Admin\AppData\Local\9i2C0nYd\Taskmgr.exe |
| PID 3520 wrote to memory of 4020 | N/A | N/A | C:\Windows\system32\ProximityUxHost.exe |
| PID 3520 wrote to memory of 4020 | N/A | N/A | C:\Windows\system32\ProximityUxHost.exe |
| PID 3520 wrote to memory of 2508 | N/A | N/A | C:\Users\Admin\AppData\Local\aQscxslk\ProximityUxHost.exe |
| PID 3520 wrote to memory of 2508 | N/A | N/A | C:\Users\Admin\AppData\Local\aQscxslk\ProximityUxHost.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ad438c7cc3df936568e20850bc2daad.dll,#1
C:\Windows\system32\GamePanel.exe
C:\Windows\system32\GamePanel.exe
C:\Users\Admin\AppData\Local\RC2s\GamePanel.exe
C:\Users\Admin\AppData\Local\RC2s\GamePanel.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\Taskmgr.exe
C:\Users\Admin\AppData\Local\9i2C0nYd\Taskmgr.exe
C:\Users\Admin\AppData\Local\9i2C0nYd\Taskmgr.exe
C:\Windows\system32\ProximityUxHost.exe
C:\Windows\system32\ProximityUxHost.exe
C:\Users\Admin\AppData\Local\aQscxslk\ProximityUxHost.exe
C:\Users\Admin\AppData\Local\aQscxslk\ProximityUxHost.exe
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
memory/4980-1-0x000001E07F0A0000-0x000001E07F0A7000-memory.dmp
memory/4980-0-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-5-0x00007FFCBB41A000-0x00007FFCBB41B000-memory.dmp
memory/3520-4-0x0000000003410000-0x0000000003411000-memory.dmp
memory/3520-7-0x0000000140000000-0x0000000140182000-memory.dmp
memory/4980-8-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-9-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-10-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-12-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-11-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-14-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-15-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-18-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-16-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-19-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-20-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-21-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-22-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-23-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-17-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-13-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-25-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-28-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-33-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-35-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-37-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-39-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-43-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-46-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-47-0x0000000001420000-0x0000000001427000-memory.dmp
memory/3520-45-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-54-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-55-0x00007FFCBCD80000-0x00007FFCBCD90000-memory.dmp
memory/3520-44-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-64-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-66-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-42-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-41-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-40-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-38-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-36-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-34-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-32-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-31-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-30-0x0000000140000000-0x0000000140182000-memory.dmp
C:\Users\Admin\AppData\Local\RC2s\UxTheme.dll
| MD5 | cd7f8d849598917af4e42ed268dc06f8 |
| SHA1 | 522f1498531ea50a106ac964963863d2f90a9e59 |
| SHA256 | 8aef6a98a545d89fb9c6d224f66602607a56f6d39c206bb553e4b4cae84062b6 |
| SHA512 | 7d778af82a1c5b2e6564923204c06840bde93f8a6997986d0243fe50221103708475f1af2ef4ae1eae319de953f5438140aafcff53c7b5858491bd6a17a30927 |
C:\Users\Admin\AppData\Local\RC2s\UxTheme.dll
| MD5 | 19a787a46d3b8dab2de170aac5d5da6b |
| SHA1 | 2cae8e19c40b5e586f80e3ab80270339dcb26a8c |
| SHA256 | 9ece708e55740d5fe155b458c6476703fbebbd51ad99b5ca0873ee12b7150182 |
| SHA512 | 3562663b8757b1326021faac9baabffbf7a0088e289d54068635dddc07c883abb65e080b36172f94b396dd0b43f46e5db0d19bf5f644c7558c68663e366af983 |
C:\Users\Admin\AppData\Local\RC2s\GamePanel.exe
| MD5 | d138abf0b41cd2e341ddbddabb261c4c |
| SHA1 | 80c24615c4633f64bb9e70395556e1cdd300618e |
| SHA256 | 89f70566f1648030fe7b8ef7e76a704cb61e25fb9812b123333574b94dfbf9b1 |
| SHA512 | a9b963291895e2903bf1c3f2bdd66de361c480eea1c24e296436fd0a593892d6e7adf663664887bc2240277e79480533f7b47cff4d8018dfed03777114742a78 |
memory/4860-75-0x0000000140000000-0x0000000140183000-memory.dmp
memory/4860-77-0x000001B148E80000-0x000001B148E87000-memory.dmp
memory/3520-29-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-27-0x0000000140000000-0x0000000140182000-memory.dmp
memory/4860-81-0x0000000140000000-0x0000000140183000-memory.dmp
C:\Users\Admin\AppData\Local\RC2s\GamePanel.exe
| MD5 | 6b4e9854fd16e6e862c808769641eecc |
| SHA1 | 377330e9c43d75d43b195fd7134192f075f7377f |
| SHA256 | e1027e08f079adbe33789c9a066eb068b1ba4a4843b37dae9e31af4042d910e5 |
| SHA512 | 6a99f038d1c96f6e37a4dd7b51a5a5ecd64c4b53f920597a47a438e4da5f22d687c2bb0e63eb9218efdd5f6e79cb20a9c78650219119024c92b4baa726152af7 |
memory/3520-26-0x0000000140000000-0x0000000140182000-memory.dmp
memory/3520-24-0x0000000140000000-0x0000000140182000-memory.dmp
C:\Users\Admin\AppData\Local\9i2C0nYd\DUI70.dll
| MD5 | df42231ebcb1530651e35dbdf7063511 |
| SHA1 | 75f181678ec565ce0e3e2d74d5a8e7dabd62582d |
| SHA256 | 816138a5772da44c40848527cb117a5396bbc26a4a641bd6615f7b899e06bd46 |
| SHA512 | cc5e9027d2600eef8ff061da1629c4c2b1d3da470db35dfebbd4dc6d8acda422cac9a285687c3169ab6cfaa77ff9f5f81931dc2604a071cc47cd1a5b778e20db |
memory/3124-92-0x0000021F6C780000-0x0000021F6C787000-memory.dmp
memory/3124-93-0x0000000140000000-0x00000001401C8000-memory.dmp
C:\Users\Admin\AppData\Local\9i2C0nYd\DUI70.dll
| MD5 | 03919bca73beb487992799f891b3cd37 |
| SHA1 | afe51b86bea124d0a7d0b763b3955910892582eb |
| SHA256 | 1e64b21516d01565e16027126f417edea03639974b6da3fcd5496d951bfcbccd |
| SHA512 | df2927975d78cb60db105afdb669e6e1ed0bcea1d0066461733e4ec772c75016a28b75f4f3acf004046aa24e9eaba66a6510108fe9ed64f721a45c88a8f76549 |
C:\Users\Admin\AppData\Local\9i2C0nYd\Taskmgr.exe
| MD5 | 6a19ed3df002b862e01f55344b5e26a4 |
| SHA1 | b2d1783540a6b4e878d959f413f2d589b81432aa |
| SHA256 | 4107f97da799219ba8c2b0cae08e4d475c809dd7b8997c9f831d61a5522f3bae |
| SHA512 | 93e4e821687f1d5cbd93970ee72f27d7ed14a332edacd697240eafebf9f683638b9d3a5d024a3fcffed3b50e861b44edca142773fd0ce050aa3afa83292a3efd |
C:\Users\Admin\AppData\Local\9i2C0nYd\Taskmgr.exe
| MD5 | fea6cd6c1a19e1e692897634537f4088 |
| SHA1 | 1aa654928bb6262af4dd3d5f62efed21e6725e31 |
| SHA256 | 17e21bf3e47930fab9e73a499996a3e22fdca0599903e2bbb6133e3bb1abfa98 |
| SHA512 | 8e0d23ce70578ec7cfc031bbdae76aab638e17aaff0c8591ecafed9cdbe879ee4815db80a6a3d2b91920f72fe29792b158bb21884d04e9187adc1b6165a0315f |
C:\Users\Admin\AppData\Local\aQscxslk\DUI70.dll
| MD5 | bc96aa1b6c4a7c70153b4ef677ee54a0 |
| SHA1 | b026ccfaaf13ee5e9f015a596908f736fb31165a |
| SHA256 | 0b075dfbb042d5fc02729eaed105f4691e1bde9efee94e8a90dc3bc98bf28d56 |
| SHA512 | 98c5bd3771238ec43fc62aaea25bcc8a387c67e239e5e37a7347fe34a06015305e2464268e748a6d152bd63af1ad1544557592c4f70ad21b9a8c540f5b314972 |
C:\Users\Admin\AppData\Local\aQscxslk\ProximityUxHost.exe
| MD5 | 138d87483d0844c80599a20c5785bf49 |
| SHA1 | 74287c0af37ebb4e08fa6c0875e651e6c7b71e74 |
| SHA256 | a1914e53c524299ea848467920a6e141b83a270f4545788127b7a2bf4c387620 |
| SHA512 | 9db25e156ccd49b6297622be89a7a0844eae1983c99db6c8880f5020da939d6a673c4f255e1dbf1ecf85c9ed33b37f7cdd3ede2bdd6d60fa33bff95ebda18fde |
C:\Users\Admin\AppData\Local\aQscxslk\DUI70.dll
| MD5 | 7eb532bbaa08cf6a39f55865f7bcea5d |
| SHA1 | e4cfd6aabfad3722594af09c7d81678bb79e5a94 |
| SHA256 | 194137ee2613f513748f635c5685104adf79035066ba80c9dff45c6f66f7fa92 |
| SHA512 | a98500259cf581cda1dd2aa47e9b3b9ba6b2ad1727da662e2e6f714c11ac010e965a3d4db56333ebcfb16c204e8f31d5df39bc96fba8019a840a1e5d0c16cc9d |
memory/2508-109-0x0000022603CB0000-0x0000022603CB7000-memory.dmp
C:\Users\Admin\AppData\Local\aQscxslk\ProximityUxHost.exe
| MD5 | fafea0ffc8de3bd5837f5289b04fc2ac |
| SHA1 | 61ea07c5004e5f47eb7bdd4fe581e5b01598b275 |
| SHA256 | 79340d320370db57523a8d80369fa8efcc9a16029f410278ba62af9d45181339 |
| SHA512 | 490565cd8aacb842a61bbdc30c30f5150e3afd6889bc573ca61107b2b992487af22fdfe00db5f31b4a685a907376307b6c432ea5f233f45b0ee10a33297313fb |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk
| MD5 | 1b161be93d7a89a6327cd20356686186 |
| SHA1 | b650f475111082735ae27345724b7b3ad4745914 |
| SHA256 | fa681a73d3b9458ea37a58941217e812b4a432c853e7e17e81f81edfed450271 |
| SHA512 | c7cebea8478e1dfdc939dcbecc1c000cb77397f3178a972f6dd178a1c885d1cff0a8529550a7a6baeb9007bd323f8cf3ea60fef1cb50df9063386cddea6d6437 |
C:\Users\Admin\AppData\Roaming\Microsoft\Proof\9sAG1MrD\UxTheme.dll
| MD5 | 5092033041540b01a4c43503f3975d92 |
| SHA1 | 173f0675dfa692de50d3cd347507c515636c2d00 |
| SHA256 | 9e356ec40154103b052fe2ec3fce9b949ebbc621b3c2043b0add712c49842316 |
| SHA512 | 5f75e34c37c8cf6429e7b0599da35f19147ea8bf1332d70c7cbfb2374b0fc8a3aef4b436e8c49fccf5aa43b34652be3b58a2dc40b5136cbfbd4da887ad1d8329 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mGXSbkbSe\DUI70.dll
| MD5 | 1b3945e2f68300d9dd00580143146fbc |
| SHA1 | c985dab40eddc66c2e408e44af2e2cfb01eab57b |
| SHA256 | 0a437f12ee887efce36bdd8446a3a862699d5dd527e5743d35bbe10a22820f7f |
| SHA512 | 38bb43a43dc1a0d7267b890e192fbfa7782732d08e980c66253d546b28e88e16452a571360ffb324c1425b4d4f281ee9f90c3724344cb20117d5de19834ba3b1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\ZW\DUI70.dll
| MD5 | e8c074263ff1e8cedcefb5348c39d7b3 |
| SHA1 | 9c6950c3b8d84621ab725eff8b9dd7cf61235bc7 |
| SHA256 | 1f820dff5d171d1fd5ae4d6f7abc735cb0f9c19eae9113bd889b4079acf05e33 |
| SHA512 | e831dbeb0e4c5f405010fba8bb8fd2d86bb9dd5aa10555a13fd6efd3297752afb6c61ce90a4e59963c62a7c1db1b8b57858916670067a06692a5323c8cd24f6c |