Malware Analysis Report

2024-11-30 21:28

Sample ID 231228-mdtvbaebg4
Target d88b4dbd32261694a02d4dce3b01794c
SHA256 c08654f1641ce48a41c5dc6c559314418389fa009f365548ec740fd80879cb61
Tags
dridex botnet evasion payload persistence trojan
score
10/10


Analysis Overview

score
10/10

SHA256

c08654f1641ce48a41c5dc6c559314418389fa009f365548ec740fd80879cb61

Threat Level: Known bad

The file d88b4dbd32261694a02d4dce3b01794c was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Dridex payload

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-28 10:21

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-28 10:21

Reported

2024-01-08 13:39

Platform

win7-20231215-en

Max time kernel

149s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d88b4dbd32261694a02d4dce3b01794c.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Dridex payload

botnet payload
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\nOX\FXSCOVER.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\dXbqqL\mblctr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\j7ZvbCW2u\tcmsetup.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\Tj1qCuk\\mblctr.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\j7ZvbCW2u\tcmsetup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\nOX\FXSCOVER.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\dXbqqL\mblctr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 2020 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1192 wrote to memory of 2020 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1192 wrote to memory of 2020 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1192 wrote to memory of 2136 N/A N/A C:\Users\Admin\AppData\Local\nOX\FXSCOVER.exe
PID 1192 wrote to memory of 2136 N/A N/A C:\Users\Admin\AppData\Local\nOX\FXSCOVER.exe
PID 1192 wrote to memory of 2136 N/A N/A C:\Users\Admin\AppData\Local\nOX\FXSCOVER.exe
PID 1192 wrote to memory of 2392 N/A N/A C:\Windows\system32\mblctr.exe
PID 1192 wrote to memory of 2392 N/A N/A C:\Windows\system32\mblctr.exe
PID 1192 wrote to memory of 2392 N/A N/A C:\Windows\system32\mblctr.exe
PID 1192 wrote to memory of 2396 N/A N/A C:\Users\Admin\AppData\Local\dXbqqL\mblctr.exe
PID 1192 wrote to memory of 2396 N/A N/A C:\Users\Admin\AppData\Local\dXbqqL\mblctr.exe
PID 1192 wrote to memory of 2396 N/A N/A C:\Users\Admin\AppData\Local\dXbqqL\mblctr.exe
PID 1192 wrote to memory of 2092 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1192 wrote to memory of 2092 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1192 wrote to memory of 2092 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1192 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\j7ZvbCW2u\tcmsetup.exe
PID 1192 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\j7ZvbCW2u\tcmsetup.exe
PID 1192 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\j7ZvbCW2u\tcmsetup.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d88b4dbd32261694a02d4dce3b01794c.dll,#1

C:\Windows\system32\FXSCOVER.exe

C:\Windows\system32\FXSCOVER.exe

C:\Users\Admin\AppData\Local\nOX\FXSCOVER.exe

C:\Users\Admin\AppData\Local\nOX\FXSCOVER.exe

C:\Windows\system32\mblctr.exe

C:\Windows\system32\mblctr.exe

C:\Users\Admin\AppData\Local\dXbqqL\mblctr.exe

C:\Users\Admin\AppData\Local\dXbqqL\mblctr.exe

C:\Windows\system32\tcmsetup.exe

C:\Windows\system32\tcmsetup.exe

C:\Users\Admin\AppData\Local\j7ZvbCW2u\tcmsetup.exe

C:\Users\Admin\AppData\Local\j7ZvbCW2u\tcmsetup.exe

Network

N/A

Files

\Users\Admin\AppData\Local\nOX\FXSCOVER.exe

MD5 5e2c61be8e093dbfe7fc37585be42869
SHA1 ed46cda4ece3ef187b0cf29ca843a6c6735af6c0
SHA256 3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121
SHA512 90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

C:\Users\Admin\AppData\Local\nOX\MFC42u.dll

MD5 f83450953d5314e7d5ffa02d02590463
SHA1 c3e9f0c5d6dd1825c24039fbcfcfa73db6aa26b4
SHA256 9afe10ef04eee2688e918f0bc17bf6bd687d1f91a04c5a6dd6784f9b3747bb78
SHA512 e52062956e5a09760f85c16853bd6eb7f22531731d8e40535a3142f3448d9442030f1d282c8ffb40f7684e99e41f925456573b5c155523d56b644f36fa7910fd

\Users\Admin\AppData\Local\dXbqqL\mblctr.exe

MD5 fa4c36b574bf387d9582ed2c54a347a8
SHA1 149077715ee56c668567e3a9cb9842284f4fe678
SHA256 b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f
SHA512 1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

C:\Users\Admin\AppData\Local\dXbqqL\slc.dll

MD5 b8b120fdbeb0604d6c627ffe3830c2ef
SHA1 2dbac7eb4005060abe8055236fc14d55a5317a9a
SHA256 c25812466cc3f7dfcae76f3944faedffc40bff8b4111ca50b47a91f78f8fc65b
SHA512 620a747133fac6f43ac6354488be54347142482945603e17c6221efc193c4b706f15f7c6c7ce31dfe486ed6688483b15b3b3d69993848d2d6969b4a71d58081f

\Users\Admin\AppData\Local\j7ZvbCW2u\tcmsetup.exe

MD5 0b08315da0da7f9f472fbab510bfe7b8
SHA1 33ba48fd980216becc532466a5ff8476bec0b31c
SHA256 e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7
SHA512 c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

C:\Users\Admin\AppData\Local\j7ZvbCW2u\TAPI32.dll

MD5 3783169d51e85237c66587f0a9f2b63f
SHA1 6cbc382763eed62a0162dc8cf9dd58255c87c1c4
SHA256 30a782c0d8eb70892af80aa759dc9cfd6964406c7e3d9d1b6e9adc0777cac781
SHA512 7550a46678ecbfdcbd35f8699ddd91ec2b0414044889177c2eebc73e7a1ad9a8557628739effab79a800330fce326ba8952e8223802c8b292642fea78569ca81

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 c16dc57fe988fe2b174b22944bcbb481
SHA1 eba4a5dd5bfb16bbbc393b0cf7ccd34ee04d3496
SHA256 62202e74ae0443d2c65a2f888e111d9d484d36f9bbd8c9a92f56b947f539da85
SHA512 32b904f684de45f9b80abf3ad305b5e5cc04a93256b559fdee1409026f7e8e45e7abc26598714e105ba0dea60efaa189f593e801a3bd4a53cef2eb848fb17a5d

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-28 10:21

Reported

2024-01-08 13:39

Platform

win10v2004-20231222-en

Max time kernel

18s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d88b4dbd32261694a02d4dce3b01794c.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3568 wrote to memory of 1200 N/A N/A C:\Windows\system32\mblctr.exe
PID 3568 wrote to memory of 1200 N/A N/A C:\Windows\system32\mblctr.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d88b4dbd32261694a02d4dce3b01794c.dll,#1

C:\Users\Admin\AppData\Local\cA6p\mblctr.exe

C:\Users\Admin\AppData\Local\cA6p\mblctr.exe

C:\Windows\system32\mblctr.exe

C:\Windows\system32\mblctr.exe

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\BiRyUf36v\dpapimig.exe

C:\Users\Admin\AppData\Local\BiRyUf36v\dpapimig.exe

C:\Windows\system32\msra.exe

C:\Windows\system32\msra.exe

C:\Users\Admin\AppData\Local\yI5pA5L\msra.exe

C:\Users\Admin\AppData\Local\yI5pA5L\msra.exe

Network

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\fK8\DUI70.dll

MD5 98f73c637bebbe8a88d7e8ef415d6647
SHA1 ae785740a46f484b72d7b362670cb6e0ee084b2d
SHA256 2d927843fb41ef48ec2150a533d88b3ecc4554d8010d6701aeb81cee4ee63735
SHA512 0fa12fe286b5e70dd7590576d99a27778085e9c86d4da3d4f3178172774138e986c61a2e1269d2eb90c0b600cdc5b7600f0f177ad743b27bcae4680d9c880aed

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\mg\NDFAPI.DLL

MD5 11db4f32f422abb3f599defda40cf55b
SHA1 179526fafb8c527803f2f0413d45181d80314772
SHA256 4bcf1ce7dc380b3ab18a45719ca211f1b8f6d2a9ef33f8b33c1f178ad57fbeef
SHA512 3d487b3636f62608308457747bd9edb479b4613005ad9c082f8182490d1cdf42ce9cfdd1c594afa9f6c564bb2f477022061f93616f8ad2587b5c31ad49f376c4