Analysis Overview
SHA256
0244e314ec929575d050f32ef42e74e572b141b849802f6929ca22fc1401553e
Threat Level: Known bad
The file 870eeef933351d3ca6e6f77f6f1b0506 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-01 13:56
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-01 13:56
Reported
2024-02-01 13:59
Platform
win7-20231215-en
Max time kernel
140s
Max time network
122s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\5vWUO\sigverif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\RdaDc\perfmon.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\5vWUO\sigverif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\RdaDc\perfmon.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\zzYUDHK8\\xpsrchvw.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\5vWUO\sigverif.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\RdaDc\perfmon.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1184 wrote to memory of 2172 | N/A | N/A | C:\Windows\system32\sigverif.exe |
| PID 1184 wrote to memory of 888 | N/A | N/A | C:\Users\Admin\AppData\Local\5vWUO\sigverif.exe |
| PID 1184 wrote to memory of 2688 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe |
| PID 1184 wrote to memory of 2192 | N/A | N/A | C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe |
| PID 1184 wrote to memory of 1832 | N/A | N/A | C:\Windows\system32\perfmon.exe |
| PID 1184 wrote to memory of 1436 | N/A | N/A | C:\Users\Admin\AppData\Local\RdaDc\perfmon.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\870eeef933351d3ca6e6f77f6f1b0506.dll,#1
C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
C:\Users\Admin\AppData\Local\5vWUO\sigverif.exe
C:\Users\Admin\AppData\Local\5vWUO\sigverif.exe
C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe
C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe
C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
C:\Users\Admin\AppData\Local\RdaDc\perfmon.exe
C:\Users\Admin\AppData\Local\RdaDc\perfmon.exe
Network
Files
C:\Users\Admin\AppData\Local\5vWUO\VERSION.dll
C:\Users\Admin\AppData\Local\5vWUO\sigverif.exe
\Users\Admin\AppData\Local\5vWUO\VERSION.dll
C:\Users\Admin\AppData\Local\agLuwjaQg\WINMM.dll
C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe
\Users\Admin\AppData\Local\agLuwjaQg\WINMM.dll
\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe
C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe
\Users\Admin\AppData\Local\RdaDc\credui.dll
C:\Users\Admin\AppData\Local\RdaDc\credui.dll
C:\Users\Admin\AppData\Local\RdaDc\perfmon.exe
\Users\Admin\AppData\Local\RdaDc\perfmon.exe
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\q2Ma7Uj\perfmon.exe
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk
C:\Users\Admin\AppData\Roaming\Mozilla\S1CyFpmc\VERSION.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\zzYUDHK8\WINMM.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\q2Ma7Uj\credui.dll
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-01 13:56
Reported
2024-02-01 13:59
Platform
win10v2004-20231222-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ADK\WFS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\gvap\consent.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ADK\WFS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\gvap\consent.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\jFZztRz\\WFS.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ADK\WFS.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3568 wrote to memory of 1216 | N/A | N/A | C:\Windows\system32\SystemPropertiesProtection.exe |
| PID 3568 wrote to memory of 3228 | N/A | N/A | C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe |
| PID 3568 wrote to memory of 3552 | N/A | N/A | C:\Windows\system32\WFS.exe |
| PID 3568 wrote to memory of 4060 | N/A | N/A | C:\Users\Admin\AppData\Local\ADK\WFS.exe |
| PID 3568 wrote to memory of 2180 | N/A | N/A | C:\Windows\system32\consent.exe |
| PID 3568 wrote to memory of 4500 | N/A | N/A | C:\Users\Admin\AppData\Local\gvap\consent.exe |
| PID 3568 wrote to memory of 1368 | N/A | N/A | C:\Windows\system32\shrpubw.exe |
| PID 3568 wrote to memory of 2508 | N/A | N/A | C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\870eeef933351d3ca6e6f77f6f1b0506.dll,#1
C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe
C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
C:\Users\Admin\AppData\Local\gvap\consent.exe
C:\Users\Admin\AppData\Local\gvap\consent.exe
C:\Users\Admin\AppData\Local\ADK\WFS.exe
C:\Users\Admin\AppData\Local\ADK\WFS.exe
C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe
C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 209.80.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\mtcGu\SYSDM.CPL
C:\Users\Admin\AppData\Local\mtcGu\SYSDM.CPL
C:\Users\Admin\AppData\Local\ADK\MFC42u.dll
C:\Users\Admin\AppData\Local\ADK\MFC42u.dll
C:\Users\Admin\AppData\Local\ADK\WFS.exe
C:\Users\Admin\AppData\Local\ADK\WFS.exe
C:\Users\Admin\AppData\Local\gvap\WINSTA.dll
C:\Users\Admin\AppData\Local\gvap\WINSTA.dll
C:\Users\Admin\AppData\Local\gvap\consent.exe
C:\Users\Admin\AppData\Local\dSVFnZs\MFC42u.dll
C:\Users\Admin\AppData\Local\dSVFnZs\MFC42u.dll
C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk
C:\Users\Admin\AppData\Roaming\Sun\Seekc4vKb\SYSDM.CPL
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\jFZztRz\MFC42u.dll
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\it23j0u\MFC42u.dll