Malware Analysis Report

2024-11-13 16:41

Sample ID: 240126-fwl4vsgadp
Target: 76793acc5d4fbc8010e234153b47c147
SHA256: 51148fdd8214cd04462c3c1e06dea7736dcbc85cacf0e7ed50a028df5812136c
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 51148fdd8214cd04462c3c1e06dea7736dcbc85cacf0e7ed50a028df5812136c

Threat Level: Known bad

The file 76793acc5d4fbc8010e234153b47c147 was found to be: Known bad.

Malicious Activity Summary

Tags: dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-26 05:13

Signatures

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-26 05:13
Reported: 2024-01-26 05:16
Platform: win10v2004-20231215-en
Max time kernel: 150s
Max time network: 147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\76793acc5d4fbc8010e234153b47c147.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\LZXIZL~1\\PRINTF~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\tlgeDC63\SystemPropertiesAdvanced.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\nNMrQGskp\printfilterpipelinesvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\uLG\bdeunlock.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow


Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3540 wrote to memory of 1004 N/A N/A C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 3540 wrote to memory of 1004 N/A N/A C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 3540 wrote to memory of 2052 N/A N/A C:\Users\Admin\AppData\Local\tlgeDC63\SystemPropertiesAdvanced.exe
PID 3540 wrote to memory of 2052 N/A N/A C:\Users\Admin\AppData\Local\tlgeDC63\SystemPropertiesAdvanced.exe
PID 3540 wrote to memory of 224 N/A N/A C:\Windows\system32\printfilterpipelinesvc.exe
PID 3540 wrote to memory of 224 N/A N/A C:\Windows\system32\printfilterpipelinesvc.exe
PID 3540 wrote to memory of 2348 N/A N/A C:\Users\Admin\AppData\Local\nNMrQGskp\printfilterpipelinesvc.exe
PID 3540 wrote to memory of 2348 N/A N/A C:\Users\Admin\AppData\Local\nNMrQGskp\printfilterpipelinesvc.exe
PID 3540 wrote to memory of 1628 N/A N/A C:\Windows\system32\bdeunlock.exe
PID 3540 wrote to memory of 1628 N/A N/A C:\Windows\system32\bdeunlock.exe
PID 3540 wrote to memory of 1728 N/A N/A C:\Users\Admin\AppData\Local\uLG\bdeunlock.exe
PID 3540 wrote to memory of 1728 N/A N/A C:\Users\Admin\AppData\Local\uLG\bdeunlock.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\76793acc5d4fbc8010e234153b47c147.dll,#1

C:\Windows\system32\SystemPropertiesAdvanced.exe

C:\Users\Admin\AppData\Local\tlgeDC63\SystemPropertiesAdvanced.exe

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Users\Admin\AppData\Local\nNMrQGskp\printfilterpipelinesvc.exe

C:\Windows\system32\bdeunlock.exe

C:\Users\Admin\AppData\Local\uLG\bdeunlock.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\tlgeDC63\SYSDM.CPL

C:\Users\Admin\AppData\Local\tlgeDC63\SystemPropertiesAdvanced.exe

C:\Users\Admin\AppData\Local\nNMrQGskp\printfilterpipelinesvc.exe

C:\Users\Admin\AppData\Local\nNMrQGskp\XmlLite.dll

C:\Users\Admin\AppData\Local\uLG\DUI70.dll

C:\Users\Admin\AppData\Local\uLG\bdeunlock.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Vault\vs\SYSDM.CPL

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\lzXIzLxPEi\XmlLite.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\YjLvN\DUI70.dll

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-26 05:13
Reported: 2024-01-26 05:16
Platform: win7-20231215-en
Max time kernel: 149s
Max time network: 119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\76793acc5d4fbc8010e234153b47c147.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Q2Nrip\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\CTYBLcK\BitLockerWizardElev.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\V5ejf1w9\sdclt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\ACCESS~1\\XJJ1oLi\\BITLOC~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Q2Nrip\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\CTYBLcK\BitLockerWizardElev.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\V5ejf1w9\sdclt.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 2868 N/A N/A C:\Windows\system32\taskmgr.exe
PID 1196 wrote to memory of 2868 N/A N/A C:\Windows\system32\taskmgr.exe
PID 1196 wrote to memory of 2868 N/A N/A C:\Windows\system32\taskmgr.exe
PID 1196 wrote to memory of 2964 N/A N/A C:\Users\Admin\AppData\Local\Q2Nrip\taskmgr.exe
PID 1196 wrote to memory of 2964 N/A N/A C:\Users\Admin\AppData\Local\Q2Nrip\taskmgr.exe
PID 1196 wrote to memory of 2964 N/A N/A C:\Users\Admin\AppData\Local\Q2Nrip\taskmgr.exe
PID 1196 wrote to memory of 332 N/A N/A C:\Windows\system32\BitLockerWizardElev.exe
PID 1196 wrote to memory of 332 N/A N/A C:\Windows\system32\BitLockerWizardElev.exe
PID 1196 wrote to memory of 332 N/A N/A C:\Windows\system32\BitLockerWizardElev.exe
PID 1196 wrote to memory of 1888 N/A N/A C:\Users\Admin\AppData\Local\CTYBLcK\BitLockerWizardElev.exe
PID 1196 wrote to memory of 1888 N/A N/A C:\Users\Admin\AppData\Local\CTYBLcK\BitLockerWizardElev.exe
PID 1196 wrote to memory of 1888 N/A N/A C:\Users\Admin\AppData\Local\CTYBLcK\BitLockerWizardElev.exe
PID 1196 wrote to memory of 604 N/A N/A C:\Windows\system32\sdclt.exe
PID 1196 wrote to memory of 604 N/A N/A C:\Windows\system32\sdclt.exe
PID 1196 wrote to memory of 604 N/A N/A C:\Windows\system32\sdclt.exe
PID 1196 wrote to memory of 692 N/A N/A C:\Users\Admin\AppData\Local\V5ejf1w9\sdclt.exe
PID 1196 wrote to memory of 692 N/A N/A C:\Users\Admin\AppData\Local\V5ejf1w9\sdclt.exe
PID 1196 wrote to memory of 692 N/A N/A C:\Users\Admin\AppData\Local\V5ejf1w9\sdclt.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\76793acc5d4fbc8010e234153b47c147.dll,#1

C:\Windows\system32\taskmgr.exe

C:\Users\Admin\AppData\Local\Q2Nrip\taskmgr.exe

C:\Windows\system32\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\CTYBLcK\BitLockerWizardElev.exe

C:\Windows\system32\sdclt.exe

C:\Users\Admin\AppData\Local\V5ejf1w9\sdclt.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Q2Nrip\Secur32.dll

C:\Users\Admin\AppData\Local\Q2Nrip\taskmgr.exe

C:\Users\Admin\AppData\Local\CTYBLcK\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\CTYBLcK\FVEWIZ.dll

C:\Users\Admin\AppData\Local\V5ejf1w9\UxTheme.dll

C:\Users\Admin\AppData\Local\V5ejf1w9\sdclt.exe

\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\WhXVuDHvLOZ\sdclt.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\dILYg\Secur32.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\XJJ1oLi\FVEWIZ.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\WhXVuDHvLOZ\UxTheme.dll