Analysis Overview
SHA256
18b45bd4552f4f6ada10aaef4f131e845f9e39e20312f3fe6f67f243ce241eb3
Threat Level: Known bad
The file 4c620a9384a551d18ef1006fa2b89f15 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-08 20:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-08 20:27
Reported
2024-01-08 20:37
Platform
win7-20231215-en
Max time kernel
4s
Max time network
125s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c620a9384a551d18ef1006fa2b89f15.dll,#1
C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
C:\Users\Admin\AppData\Local\ZUZmp\rdpshell.exe
C:\Users\Admin\AppData\Local\ZUZmp\rdpshell.exe
C:\Windows\system32\wisptis.exe
C:\Windows\system32\wisptis.exe
C:\Users\Admin\AppData\Local\4N7SF\wisptis.exe
C:\Users\Admin\AppData\Local\4N7SF\wisptis.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
C:\Users\Admin\AppData\Local\Bw70O5\notepad.exe
C:\Users\Admin\AppData\Local\Bw70O5\notepad.exe
Network
Files
memory/3012-1-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3012-0-0x0000000000110000-0x0000000000117000-memory.dmp
memory/1284-4-0x00000000777A6000-0x00000000777A7000-memory.dmp
memory/1284-14-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-19-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-26-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-29-0x0000000002970000-0x0000000002977000-memory.dmp
memory/1284-34-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-36-0x0000000077A10000-0x0000000077A12000-memory.dmp
memory/1284-35-0x00000000778B1000-0x00000000778B2000-memory.dmp
memory/1284-25-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-24-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-23-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-21-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-22-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-45-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-20-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-51-0x0000000140000000-0x0000000140190000-memory.dmp
C:\Users\Admin\AppData\Local\ZUZmp\WINSTA.dll
| MD5 | cc9c6337458158cf95d98bf2e1d0e21f |
| SHA1 | 1aac09db106d1e5c2505fa48df8665f0157019d7 |
| SHA256 | a3213e6b73abe4062891ce5694ac53ee06906e443f90138029278675a4fa57f7 |
| SHA512 | c324796e9150957b8990ef8e5f83c77ebd704d1fb3b9b59c07b2537097b45064cb073a614c1e315aa341d830448685680f1aedfe0cf42873b7c1284b6fa1791a |
\Users\Admin\AppData\Local\ZUZmp\WINSTA.dll
| MD5 | be41b9e0bf60f79a105ca90d00175ba3 |
| SHA1 | 2bff60266cf99e6516b740706aaeef78d35eebb7 |
| SHA256 | 630be0aed962864314d4c0c2accdc76bb4daaf70245d7b3a16616e4049c5dfba |
| SHA512 | f57e479b6c80a023dd19a64afe8a33a8fd2c5335bbd1d6684c23f9d6de74b56ddef0ec100f809b5d08ce995bc0a0ea037a35a113ed28b5f78b6924410ee56c5c |
memory/2756-63-0x0000000000190000-0x0000000000197000-memory.dmp
memory/2756-68-0x0000000140000000-0x0000000140192000-memory.dmp
memory/2756-64-0x0000000140000000-0x0000000140192000-memory.dmp
C:\Users\Admin\AppData\Local\ZUZmp\rdpshell.exe
| MD5 | 391c60b8f59a866152859f65d951fd1f |
| SHA1 | 3716381152e8d65e2ce0b09cb0ec4498f78b0d9f |
| SHA256 | d19bec9ea0cefa64aee2585ecf3a9410096ef57b91841b0e2b66ca650bc8479c |
| SHA512 | 96e11dbb59ee20c516a319d9c5a1a1498687ae8fa4b9c4c637679aedb86acc599c1f432c481b8efae937e6a3e091c8f2c69d5d41f632d14f67a41cdd1830681a |
\Users\Admin\AppData\Local\ZUZmp\rdpshell.exe
| MD5 | 2e0dcfbebb7fe4d7b6c430bbc48b1a67 |
| SHA1 | e9d06359ac711afeb1f8ca2cfb8faab7647a6396 |
| SHA256 | a3116e26ac07636e3c9726f58413550df83247823f6938831fd505a53bea0549 |
| SHA512 | b5d014e5c3b7a9c158a03c0f4c8b5f603b51785283d508570e6eb6ea78356bf3901926833cb46b9c3ca237bf66b310dd4334949ab5401b13bdba64d566dea660 |
C:\Users\Admin\AppData\Local\ZUZmp\rdpshell.exe
| MD5 | 38f86aae13a9f3854a62cb5caca8f6d0 |
| SHA1 | 2f387427799364cd4f49d336587b173e752e6b00 |
| SHA256 | 429a7157f8aa9e856ef22bd60855d89e4ef5a50c3a29f21d6c78d0bcda8910b9 |
| SHA512 | 732af99e01331d26cba1e46680944957995caf690cd544553b498b0ba93edbb07f4d2dad2ddf72231a6161dbb46dd24f2ca8ff3c156b296cbc2a96db64dde2bc |
memory/1284-57-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-18-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-17-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-15-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-16-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-13-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-12-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-11-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-9-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-10-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3012-7-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-8-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-5-0x0000000002990000-0x0000000002991000-memory.dmp
\Users\Admin\AppData\Local\4N7SF\MAGNIFICATION.dll
| MD5 | b7509ac5b8748e4ce864034f9de44110 |
| SHA1 | 0c48930e07dc5192a97347e33355a8416f31797a |
| SHA256 | d8e79f93ac6a2de8a7751ea27b2184f3508888d1ba3b2c40e341ccdadb328e39 |
| SHA512 | 93d2f585a5735c737873b18cd34790360f6d4ce7e4bba311e81c74640d93d47b034dd5bcd9f1f475e4612cf5a1facc70cf64d92c7937a965ad22f2d2b89ce832 |
memory/2848-87-0x0000000000320000-0x0000000000327000-memory.dmp
memory/2848-91-0x0000000140000000-0x0000000140191000-memory.dmp
memory/2848-86-0x0000000140000000-0x0000000140191000-memory.dmp
C:\Users\Admin\AppData\Local\4N7SF\MAGNIFICATION.dll
| MD5 | 8a7d9993166f00cff86519e029730897 |
| SHA1 | 6bf611baa2f73287022a07e7d683401e5dbd9408 |
| SHA256 | 437ec5d754babca8d1cefe366c39c17fdedae4e6b50b9a30968868d2fdece8db |
| SHA512 | b5560866af0e05ebca9ebfe30976adaf26c04d8ad676893801c105cd465d4b10a521d2b15a00313b2509246f454a1e279065342d602f8f284de374a41be49f7a |
C:\Users\Admin\AppData\Local\4N7SF\wisptis.exe
| MD5 | c5c55c8e34d18d0b680bfe8a8d342553 |
| SHA1 | d31019e7e40f55453ec4283824ba6c9e4cf93629 |
| SHA256 | bb7a9d1cbd9ef3d89f9776250c37e32f2a250c1637e5c9f8360047d86da0f70e |
| SHA512 | 88a31faabf0e6e4bc6aa68a2f3c978535e85cc3909598d5e2b06f8109be972d966ff01118080c3c574ce482a5f73663faa6bdc25c7559609df9a98d003e6bde3 |
C:\Users\Admin\AppData\Local\4N7SF\wisptis.exe
| MD5 | a3b2a8821e62e537ef910c305ccfa0ae |
| SHA1 | e30999733e952a7bc26d084533a6fc97dfd93732 |
| SHA256 | 9d4ad6a9f1e5b3901cc633a23bdf7d1ffc17459da89799b1db3298ff5d79c95b |
| SHA512 | f6b7f89b5a6bb187f99efb6d03f75981d0eb4b845f3292a047a8c84ab0c033eaa0bec3da501078f751e5cf8d03a6f12c71a6db427af25c16089c9f35ca5b793d |
\Users\Admin\AppData\Local\4N7SF\wisptis.exe
| MD5 | 7b00ad2f65389ea1c76b270bb5a7ec91 |
| SHA1 | 03b2796eb42b5c881cf429353b0d620f11e09f50 |
| SHA256 | 8792fb3a9d0ca0d6e3fa1a1494fc1e9746d035073eee3bdffde9be1c38f45c09 |
| SHA512 | 531941566eb1578aa1ee90043e84c008c521e3805c6b6fbccbb2de0311534cf7363fc114b51f4af99a6359bb96d17d1235a63c1d2747a48f46f796f61f3f0f4e |
C:\Users\Admin\AppData\Local\Bw70O5\VERSION.dll
| MD5 | 248fdee8035d899c836bbdac411a53f8 |
| SHA1 | 6c3192740aad06a05ecc94d6a405eb1d3c7c365f |
| SHA256 | 09d82468230a334ad5d919a0b9bfe4fc856e1951d6f94fc748a419e37e3fd939 |
| SHA512 | a2205a7c411bc61c7ef66aa1e4e3b1300afd85fde24b74c3eed4d4a4404354abeb201479b0122d3b642f15dbeac4df14049d30bb252cc76372e58f9d28e116dd |
\Users\Admin\AppData\Local\Bw70O5\VERSION.dll
| MD5 | cab6d51f25dff658002c45025ed75040 |
| SHA1 | 227e8a46d5fc10238b18bb5525d93cf0326b0124 |
| SHA256 | 8b13ed0d1465efa7f81565b9c56505bea0ed3f1e39aed454aee03218e103b48c |
| SHA512 | 5ce459a1ee4a2823bb3feda2ef355709b72faf5314f88be2a034fe7df4cca03cdf9ab6f82599905be7556183deb759b6a97478bd5bab7f3c9cf9f62aa4047960 |
memory/1084-110-0x0000000000100000-0x0000000000107000-memory.dmp
memory/1084-115-0x0000000140000000-0x0000000140191000-memory.dmp
C:\Users\Admin\AppData\Local\Bw70O5\notepad.exe
| MD5 | f2c7bb8acc97f92e987a2d4087d021b1 |
| SHA1 | 7eb0139d2175739b3ccb0d1110067820be6abd29 |
| SHA256 | 142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2 |
| SHA512 | 2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8 |
C:\Users\Admin\AppData\Local\Bw70O5\notepad.exe
| MD5 | e7774b4f294c7fcf1ef0da7c0d2ea4c4 |
| SHA1 | f328d3226121cadf96d461d8b703ed37098979fa |
| SHA256 | a79bfb1a19174ed413ce42932bd6b4280bfc0dc938691bf40b7f3db4417e61ef |
| SHA512 | 030c3a609eca5c914ee150a019ef84940b772f2482f73c47368c8b2bcafe3b2e4e73d8d097952ef83c96fd9f6038237b6240330bd73b244be6cd8ce3f176665f |
memory/1284-136-0x00000000777A6000-0x00000000777A7000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk
| MD5 | a38b14ffb6709e550fcf2e89deb15596 |
| SHA1 | 2528df3a06570893cf0e34087675552d6b2e0011 |
| SHA256 | a8c9d5bd5f16a4019b85bf852dff20d414616fa49ce8e1873a10eb76234548aa |
| SHA512 | 1a1b02b74cf614dc5c8f55a6c04331f94d8382bbc57d3cd4b014d138741c9e6151054b33e7886b531243939ec00addfc7d0e60e0d4a3d37f5d8178cd9984bb35 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\5HrhNDsM\WINSTA.dll
| MD5 | a56a8e6edaf21ecf134fce832cc44292 |
| SHA1 | ffc93b9415190115a66d65ecdd7a69b3785c8834 |
| SHA256 | 1f41c739775c0b45938648fc53786ed4bdba5c94fb1811de70f7125e59f09782 |
| SHA512 | f60abf044b5f6a79c6f489ee8e5f2060bd633efb22754716742045f973d1b9b54e7a416ebbdb1ab54b03534180daea355c8861208b65c1b20c175e3d67bc02cc |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2444714103-3190537498-3629098939-1000\p7gELJ\MAGNIFICATION.dll
| MD5 | d871231ed3d7a96fd8da6cc0e083f92a |
| SHA1 | 580fa967109a7ce53b81ef9a3048cfb9680e84c9 |
| SHA256 | 0916b0337c51baccec3fe2d47355a878f91775742156638efeb68033954c40a2 |
| SHA512 | 7b4e00ce148316cc296c493bb1dbc81083174ec46c485830d758ca8236a2d92c58ca25d5f76f40a5707be751c280d727b8850d6d2786e8b260eb2693db56aa2e |
C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\dKmCV\VERSION.dll
| MD5 | ebfe97ef118835146ab472c994b70c32 |
| SHA1 | a95dd3db10e565d1593d5818ea30ca23fbd747c3 |
| SHA256 | 7d04e52596975f4a0f21151a7712aa996eefe37b194caaa3745e03e2d1f904b9 |
| SHA512 | 9ba331b8889234a059f81c2cac5c527d0c488b393567e89f4b1dc5f4d5aec930466a12de7613585c5038eff2a9de8f33b29bc68d9e5d72a9001861f5103ff05a |
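The Files listing above mixes dropped files with memory-dump entries of the form memory/PID-SEQ-START-END-memory.dmp. Read across PIDs, the same region is dumped again and again: a mapping at 0x140000000 of roughly 0x190000 bytes appears in the rundll32 process (3012) and in each process that later ran the relocated copies (2756, 2848, 1084), with a small 0x7000-byte region beside it in every case. The helper below is an added example, not part of the sandbox report: it parses those entry names (a format assumed from the listing, not a documented one) and groups the dumped regions per PID so that a shared mapping can be spotted without reading every line. The sample lines are copied from the behavioral1 listing.

```python
"""Group the memory-dump entries of a sandbox Files listing by PID.

Added example for reading this report; not the sandbox's own tooling.
The entry format memory/PID-SEQ-0xSTART-0xEND-memory.dmp is assumed
from the listing above.
"""
import re
from collections import defaultdict

MEMDUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)

# Subset of lines copied from the behavioral1 Files listing; the last one is
# a dropped-file path and must be ignored by the parser.
SAMPLE_LINES = """memory/3012-1-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3012-0-0x0000000000110000-0x0000000000117000-memory.dmp
memory/1284-4-0x00000000777A6000-0x00000000777A7000-memory.dmp
memory/1284-14-0x0000000140000000-0x0000000140190000-memory.dmp
memory/1284-29-0x0000000002970000-0x0000000002977000-memory.dmp
memory/2756-63-0x0000000000190000-0x0000000000197000-memory.dmp
memory/2756-68-0x0000000140000000-0x0000000140192000-memory.dmp
memory/2848-87-0x0000000000320000-0x0000000000327000-memory.dmp
memory/2848-91-0x0000000140000000-0x0000000140191000-memory.dmp
memory/1084-110-0x0000000000100000-0x0000000000107000-memory.dmp
memory/1084-115-0x0000000140000000-0x0000000140191000-memory.dmp
C:\\Users\\Admin\\AppData\\Local\\ZUZmp\\WINSTA.dll
""".splitlines()


def parse_dump_entry(line):
    """Return {'pid', 'seq', 'start', 'end'} for a memory-dump entry, else None."""
    m = MEMDUMP_RE.match(line.strip())
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return {"pid": int(pid), "seq": int(seq),
            "start": int(start, 16), "end": int(end, 16)}


def regions_by_pid(lines):
    """Distinct (start, size) regions per PID.

    The sandbox dumps the same region many times (one entry per snapshot),
    so identical (start, size) pairs collapse into one.
    """
    out = defaultdict(set)
    for line in lines:
        entry = parse_dump_entry(line)
        if entry:
            out[entry["pid"]].add((entry["start"], entry["end"] - entry["start"]))
    return {pid: sorted(regions) for pid, regions in out.items()}


def pids_sharing_region(lines, start, min_size):
    """PIDs that have a dumped region beginning at `start` of at least `min_size` bytes."""
    return sorted(
        pid for pid, regions in regions_by_pid(lines).items()
        if any(s == start and size >= min_size for s, size in regions)
    )


if __name__ == "__main__":
    for pid, regions in sorted(regions_by_pid(SAMPLE_LINES).items()):
        print(pid, ["0x%X (+0x%X)" % r for r in regions])
    print("share 0x140000000:", pids_sharing_region(SAMPLE_LINES, 0x140000000, 0x190000))
```

Run against the full listing, the output is the per-process view an analyst wants from this section: which PIDs carry the large mapping at 0x140000000 and which small regions sit next to it. The dumps themselves are what to pull from the sandbox next; this parser only tells you which ones are worth pulling.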
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-08 20:27
Reported
2024-01-08 20:37
Platform
win10v2004-20231215-en
Max time kernel
0s
Max time network
46s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c620a9384a551d18ef1006fa2b89f15.dll,#1
C:\Users\Admin\AppData\Local\4zbzZ\mfpmp.exe
C:\Users\Admin\AppData\Local\4zbzZ\mfpmp.exe
C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
C:\Users\Admin\AppData\Local\ICwkGHu\mfpmp.exe
C:\Users\Admin\AppData\Local\ICwkGHu\mfpmp.exe
C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
C:\Users\Admin\AppData\Local\9Ucgyb\osk.exe
C:\Users\Admin\AppData\Local\9Ucgyb\osk.exe
C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
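Both behavioral runs show the same execution pattern: rundll32 loads the submitted DLL, a copy of a Windows binary (rdpshell.exe, wisptis.exe and notepad.exe on Windows 7; mfpmp.exe and osk.exe on Windows 10) is written to a random directory under AppData\Local together with a DLL bearing a system-library name (WINSTA.dll, MAGNIFICATION.dll, VERSION.dll, MFPlat.DLL, WMsgAPI.dll), the copy is executed from there, and a .lnk is written to the Startup folder. The script below is an added triage helper, not part of the sandbox report or of any product: it takes the process image paths and dropped-file paths exactly as listed in both runs and flags (a) system binaries that also ran from outside System32, (b) non-system directories that received an .exe and a .dll together, and (c) Startup-folder shortcuts. The lists are copied from the Processes and Files sections above, hashes omitted.

```python
"""Flag the copy-a-system-binary-next-to-a-DLL pattern from a sandbox listing.

Added example; not the sandbox's own logic. Input lists are the paths
from the Processes and Files sections of this report.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Process image paths from both behavioral runs (duplicates removed).
PROCESSES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\rdpshell.exe",
    r"C:\Users\Admin\AppData\Local\ZUZmp\rdpshell.exe",
    r"C:\Windows\system32\wisptis.exe",
    r"C:\Users\Admin\AppData\Local\4N7SF\wisptis.exe",
    r"C:\Windows\system32\notepad.exe",
    r"C:\Users\Admin\AppData\Local\Bw70O5\notepad.exe",
    r"C:\Users\Admin\AppData\Local\4zbzZ\mfpmp.exe",
    r"C:\Windows\system32\mfpmp.exe",
    r"C:\Users\Admin\AppData\Local\ICwkGHu\mfpmp.exe",
    r"C:\Users\Admin\AppData\Local\9Ucgyb\osk.exe",
    r"C:\Windows\system32\osk.exe",
]

# Dropped files from both Files sections (paths only).
DROPPED = [
    r"C:\Users\Admin\AppData\Local\ZUZmp\WINSTA.dll",
    r"C:\Users\Admin\AppData\Local\ZUZmp\rdpshell.exe",
    r"C:\Users\Admin\AppData\Local\4N7SF\MAGNIFICATION.dll",
    r"C:\Users\Admin\AppData\Local\4N7SF\wisptis.exe",
    r"C:\Users\Admin\AppData\Local\Bw70O5\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\Bw70O5\notepad.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk",
    r"C:\Users\Admin\AppData\Local\9Ucgyb\WMsgAPI.dll",
    r"C:\Users\Admin\AppData\Local\9Ucgyb\osk.exe",
    r"C:\Users\Admin\AppData\Local\4zbzZ\MFPlat.DLL",
    r"C:\Users\Admin\AppData\Local\4zbzZ\mfpmp.exe",
    r"C:\Users\Admin\AppData\Local\ICwkGHu\MFPlat.DLL",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mkzwiunlad.lnk",
]


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def relocated_system_binaries(processes):
    """Image names that ran both from a system directory and from elsewhere.

    Returns {name: [non-system paths]}. rundll32.exe only ran from System32
    and is therefore not reported.
    """
    by_name = defaultdict(set)
    for path in processes:
        by_name[PureWindowsPath(path).name.lower()].add(path)
    hits = {}
    for name, paths in by_name.items():
        if any(in_system_dir(p) for p in paths) and any(not in_system_dir(p) for p in paths):
            hits[name] = sorted(p for p in paths if not in_system_dir(p))
    return hits


def side_load_dirs(paths):
    """Non-system directories holding an .exe and a .dll together.

    Pass dropped files plus process images: ICwkGHu only shows its .exe in
    the Processes section, not in Files.
    """
    by_dir = defaultdict(set)
    for path in paths:
        wp = PureWindowsPath(path)
        by_dir[str(wp.parent)].add(wp.name)
    hits = {}
    for directory, names in by_dir.items():
        if in_system_dir(directory):
            continue
        exes = sorted(n for n in names if n.lower().endswith(".exe"))
        dlls = sorted(n for n in names if n.lower().endswith(".dll"))
        if exes and dlls:
            hits[directory] = {"exe": exes, "dll": dlls}
    return hits


def startup_persistence(paths):
    """Shortcut files written to a Startup folder."""
    return sorted(p for p in paths
                  if "\\startup\\" in p.lower() and p.lower().endswith(".lnk"))


if __name__ == "__main__":
    print("relocated:", relocated_system_binaries(PROCESSES))
    print("side-load dirs:", side_load_dirs(DROPPED + PROCESSES))
    print("startup:", startup_persistence(DROPPED))
```

The relocation check is deliberately conservative: it only reports a name when the same binary also ran from System32 in the trace, which is exactly what this report shows. On live telemetry you would instead compare against a list of known Windows binary names, and confirm the side-load by checking whether the dropped DLL's name appears in the relocated executable's import table.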
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp |
| US | 20.3.187.198:443 | | tcp |
| GB | 96.17.178.143:80 | | tcp |
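The seven DNS rows are reverse (PTR) lookups: an in-addr.arpa name carries the address octets in reverse order, so 158.240.127.40.in-addr.arpa asks about 40.127.240.158. The report does not say why the sample performs them, and the direct TCP connections go to two other hosts (20.3.187.198 and 96.17.178.143, the latter in the same /24 as one of the looked-up addresses). Decoding the names is the first thing to do with this table. The function below is an added example, not from the report: it converts PTR names back to addresses, and goes beyond the page's case by also handling ip6.arpa names, whose 32 reversed hex nibbles encode an IPv6 address. The query names are copied from the table above.

```python
"""Decode reverse-lookup names from a sandbox DNS table back to addresses.

Added example; not part of the report. Handles in-addr.arpa (IPv4) and
ip6.arpa (IPv6) names and rejects anything malformed.
"""
import ipaddress

# PTR query names copied from the behavioral2 Network table.
PTR_QUERIES = [
    "158.240.127.40.in-addr.arpa",
    "71.159.190.20.in-addr.arpa",
    "181.178.17.96.in-addr.arpa",
    "95.221.229.192.in-addr.arpa",
    "241.154.82.20.in-addr.arpa",
    "26.165.165.52.in-addr.arpa",
    "11.2.37.23.in-addr.arpa",
]


def ptr_to_ip(name):
    """Return the address a PTR name refers to, or None if it is not one.

    in-addr.arpa: four decimal labels, least significant octet first.
    ip6.arpa: 32 single hex-digit labels, least significant nibble first.
    """
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            return None
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or not all(len(n) == 1 and n in "0123456789abcdef" for n in nibbles):
            return None
        hexstr = "".join(reversed(nibbles))
        return ipaddress.IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
    return None


def decode_ptr_queries(names):
    """(query name, decoded address or None, address is globally routable) per query."""
    rows = []
    for name in names:
        ip = ptr_to_ip(name)
        rows.append((name, str(ip) if ip else None, bool(ip and ip.is_global)))
    return rows


if __name__ == "__main__":
    for name, ip, is_global in decode_ptr_queries(PTR_QUERIES):
        print(f"{name:32} -> {ip}  global={is_global}")
```

Decoded, every one of the seven lookups targets a globally routable address. A sandbox run gives no answer data for these queries, so the decoded list is what goes into the indicator set and into a pivot against the two TCP destinations, not a conclusion about what the lookups were for.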
Files
memory/4980-1-0x0000000140000000-0x0000000140190000-memory.dmp
memory/4980-0-0x0000020227FA0000-0x0000020227FA7000-memory.dmp
memory/3520-9-0x00007FFE5895A000-0x00007FFE5895B000-memory.dmp
memory/3520-16-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-25-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-27-0x0000000000B80000-0x0000000000B87000-memory.dmp
memory/3520-35-0x00007FFE59260000-0x00007FFE59270000-memory.dmp
memory/3520-46-0x0000000140000000-0x0000000140190000-memory.dmp
C:\Users\Admin\AppData\Local\9Ucgyb\WMsgAPI.dll
| MD5 | 5dae6a4439317b357cbc6e9d5b958030 |
| SHA1 | 826f9d4eb25f3a75eb26d5e413c30b044a9037bf |
| SHA256 | bc8a4d29d676bc10defb1549ed647e9ca84073f43e15fab3a30692bb012dcdaf |
| SHA512 | 0987d515e1547a231736c870a0cdf7a111799557a67cdfeeb78f81f3e97cecc613b4e2c377648a73c4037680e47260e6228a07e5544516f600feda81091fb8ec |
memory/3356-57-0x000001D968D80000-0x000001D968D87000-memory.dmp
memory/3356-61-0x0000000140000000-0x0000000140191000-memory.dmp
C:\Users\Admin\AppData\Local\9Ucgyb\osk.exe
| MD5 | 9eb1a083c26b73bec85b8a4ae6e6b2a3 |
| SHA1 | 3d3d30f71bf45e3ef098e4762e769d6c14e75c7d |
| SHA256 | 20510314140e163a3bf062c581ed3f3ab53b14d5ec6f6a3017d9f8e9e4e4dbee |
| SHA512 | aa23b57b2a9449e082fcdeca419d39a79a7b0667f2e4997c15a63f308e3712cf1dc9282995c5846c9c0f331e500874ecd039fa57b7367eb91d4c351c2b73a99b |
memory/3356-55-0x0000000140000000-0x0000000140191000-memory.dmp
memory/2716-72-0x0000000140000000-0x0000000140192000-memory.dmp
memory/2716-78-0x0000000140000000-0x0000000140192000-memory.dmp
memory/2716-75-0x0000016772970000-0x0000016772977000-memory.dmp
C:\Users\Admin\AppData\Local\4zbzZ\MFPlat.DLL
| MD5 | 22c03ccaad67960200392a8ce7caaab7 |
| SHA1 | fd59b048f87d75d075f50e9a2b6356f7c7c197d1 |
| SHA256 | f9ec1efc59cee1285ae91452871e3d4727fcb4e74227aa3bc679d6ede73176c5 |
| SHA512 | df656ff730fad90cc00faa14218ff987e23c019bc74fa9b77d27d849d3632f1780d44819791625cbe9e292494638d3a1e04c573ef79b22e85c06cf6a0b5260da |
memory/3268-95-0x0000000140000000-0x0000000140192000-memory.dmp
memory/3268-92-0x0000016F57330000-0x0000016F57337000-memory.dmp
C:\Users\Admin\AppData\Local\4zbzZ\MFPlat.DLL
| MD5 | 70a4c926ba746a1407053ae2ea57663d |
| SHA1 | c5c5b90671749a249415427ccdd52d83edbb8dc9 |
| SHA256 | 0d1fa4e4f41c3b094e8e638f8e93b4bf47f15b336c273408672e83e3e85c2fc5 |
| SHA512 | 22d47e5cdc3cd1dd08c159b95e052a198cc5929f88caffe8d4248b06967780d3144f034228fb4af28bf8632d1b5cff4119b5d61d4cfb2205d93b9e6422f465ed |
C:\Users\Admin\AppData\Local\4zbzZ\mfpmp.exe
| MD5 | 8f8fd1988973bac0c5244431473b96a5 |
| SHA1 | ce81ea37260d7cafe27612606cf044921ad1304c |
| SHA256 | 27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e |
| SHA512 | a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab |
C:\Users\Admin\AppData\Local\ICwkGHu\MFPlat.DLL
| MD5 | b647ffdb679c99464199939629a565d0 |
| SHA1 | 01da3476f5c2d9fdc8f4812659266315d3edc477 |
| SHA256 | a5138c8ab40d5c9463173805422b0c58eaf52b27a501f94c650cc82c93eb9145 |
| SHA512 | f7913d91f7f20abbc0b1c86031be87515df5805c16d6276269c553f14c59c3a1e5e9557bc701d4f9d1e004c4085822b4903f23e6d862de7523d2d6cb962295bd |
C:\Users\Admin\AppData\Local\ICwkGHu\MFPlat.DLL
| MD5 | 7c585c58ad07e6354cc6cdbafb40267a |
| SHA1 | 2e5de3d13e09e1266e5d50822d77751109d54f58 |
| SHA256 | b5b6086fa5c7790f0cfb507fae32c51441bb4f501ba372892c58e667215cc3b5 |
| SHA512 | 9ba154ee0740e4b8967d9e4ed1eb3b1443b56cb195a226f978b493e0729242110cab4b56290e00daa7c3aa74ac5a73ee131c5baa47c3a9c51543e27eb9d3af57 |
C:\Users\Admin\AppData\Local\9Ucgyb\WMsgAPI.dll
| MD5 | 2319917cefbe898699dfc146b6ed2326 |
| SHA1 | b2aabaa20a25a85c86ab4512cc4eb742e9b81cb0 |
| SHA256 | 4dd502bda4a0dd7c06bc12c797456c69ffd3620e052469d1da23449413cf1920 |
| SHA512 | 8b4e77f45e8cef999445cb9430039b7ee5894b783afaddc9156b93923dcefbe6789443328ca4459642799e953f4bd596b459bd1a2efe4c910e863934edceb3ab |
C:\Users\Admin\AppData\Local\9Ucgyb\osk.exe
| MD5 | 354c4b62fbdda715cd79b633b9a15b00 |
| SHA1 | 4aae1f64aac0d37f7030090b47455e664364f507 |
| SHA256 | e677c012bd32a1c897a1da9925380a1821e6ccc41b224e255ca3d0bba3f99de6 |
| SHA512 | 284a8b4517764e5640971fcdab1d22fbef6c0147bf84aed2c6bd2367c63945140a1bc08be73501f12eab3d51c9b85bc3688823e600ae0dcf4b6963eab4b7958d |
memory/3520-44-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-34-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-26-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-24-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-23-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-22-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-21-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-20-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-19-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-18-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-17-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-15-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-14-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-13-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-12-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-11-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-10-0x0000000140000000-0x0000000140190000-memory.dmp
memory/4980-7-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-6-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-8-0x0000000140000000-0x0000000140190000-memory.dmp
memory/3520-4-0x0000000002AC0000-0x0000000002AC1000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mkzwiunlad.lnk
| MD5 | 1839cf42ea1a7a7e439395d5eb5e3eab |
| SHA1 | 937486555c78cd124ab2c53e2d81bd920be69969 |
| SHA256 | 595e02244a116bea2f693294314a99e5487126456cc441f4e2ecd98a995d21c5 |
| SHA512 | 722925d60b88fa8401d4915cab6b5390519dbc24ee17cd0c63323104a5387259fe01e45c9661313245213a5ccca50a4997db589b834fa944f8ee075b2e128a0d |
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\XUkO\WMsgAPI.dll
| MD5 | ab1f86c5bc020afca8fdef3b6235923e |
| SHA1 | 1bc2470caf2a936c2e9689ba6467bc992af1ce7f |
| SHA256 | bc13f7c3f9a3e3b496fdbaf8dc738a9b356041832708daea9ef063b37ae7836f |
| SHA512 | 0ef0548aacb5f6c86db3bd12e24a64be8aacf0b14dd77f26a43dc5c7e29cafeb30b6afec3ae8291a25f10fdf7cd40bc2c91d4ea7a992db0bd8d8af7a78bddcd3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\1GJv0w3JS\MFPlat.DLL
| MD5 | fe324a36a747936ae563eb3fc93d1189 |
| SHA1 | 574aff27e67204367a8b20b57a8546d1d02da23b |
| SHA256 | 777120ec04288fed58e22c5564d2c5ee002ce86b42b848b61df190518b0cd4b1 |
| SHA512 | a50fda6ce82c7973c5d87606f8655155647eedfefc1a4bea4746dbb03d00064832fddf2ef4be686b645b3e60c0a9f72cf4ffd36649b4437618a64c666a5d4a07 |
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\TiYrJaX\MFPlat.DLL
| MD5 | e29c3cff150b0856b01a2f299b19bd32 |
| SHA1 | b4e0ade0e77ed84f5ef0a187c9de07b9d10e00b4 |
| SHA256 | b3503b79dd527822070846b877d55211a686b1490323d1e1d2a3107706ebb1e3 |
| SHA512 | e735c973b1e228293b671ce86dcb86d87fed0bbcfc7d870fe582dc7d3251ca8196a175e070b13f0253a8fb27c893b327e6451db72c0694543e15b6e91f01c4bb |