Malware Analysis Report

2024-11-30 21:36

Sample ID 231231-ny6kaaacek
Target 35074d79a34cd964a2e31d39fd7a40b8
SHA256 325fa79a384585c0d5b4337c0f4a84dc3fb7cb1ec7f50f386478a7831ef120fc
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

325fa79a384585c0d5b4337c0f4a84dc3fb7cb1ec7f50f386478a7831ef120fc

Threat Level: Known bad

The file 35074d79a34cd964a2e31d39fd7a40b8 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 11:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 11:49

Reported

2024-01-04 11:43

Platform

win7-20231215-en

Max time kernel

150s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\35074d79a34cd964a2e31d39fd7a40b8.dll,#1

The ",#1" argument makes rundll32.exe call the DLL's export at ordinal 1 rather than a named export; the same command line is used for both detonations.

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

The loading processes are copies of Windows system executables (dpapimig.exe, rrinstaller.exe, p2phost.exe) running from randomly named folders under AppData\Local. A known executable that loads a DLL dropped beside it is the DLL search-order hijacking (side-loading) pattern: the dropped code runs under the identity of the copied system binary.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\5n4BH\dpapimig.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\jeC\rrinstaller.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\DhXV9Sl\p2phost.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\sCfg55sPRl\\rrinstaller.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\jeC\rrinstaller.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\DhXV9Sl\p2phost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\5n4BH\dpapimig.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further events recorded with no description, indicator, process or target)

Suspicious use of WriteProcessMemory

Each target binary appears twice: the original under C:\Windows\system32 and the relocated copy under AppData\Local. The writing process, PID 1180, is also the process from which most of the memory dumps listed under Files were taken. Writing into a newly started process is the injection step that precedes execution of the payload inside it.

Description Indicator Process Target
PID 1180 wrote to memory of 2576 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1180 wrote to memory of 2576 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1180 wrote to memory of 2576 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1180 wrote to memory of 1852 N/A N/A C:\Users\Admin\AppData\Local\5n4BH\dpapimig.exe
PID 1180 wrote to memory of 1852 N/A N/A C:\Users\Admin\AppData\Local\5n4BH\dpapimig.exe
PID 1180 wrote to memory of 1852 N/A N/A C:\Users\Admin\AppData\Local\5n4BH\dpapimig.exe
PID 1180 wrote to memory of 696 N/A N/A C:\Windows\system32\rrinstaller.exe
PID 1180 wrote to memory of 696 N/A N/A C:\Windows\system32\rrinstaller.exe
PID 1180 wrote to memory of 696 N/A N/A C:\Windows\system32\rrinstaller.exe
PID 1180 wrote to memory of 580 N/A N/A C:\Users\Admin\AppData\Local\jeC\rrinstaller.exe
PID 1180 wrote to memory of 580 N/A N/A C:\Users\Admin\AppData\Local\jeC\rrinstaller.exe
PID 1180 wrote to memory of 580 N/A N/A C:\Users\Admin\AppData\Local\jeC\rrinstaller.exe
PID 1180 wrote to memory of 2900 N/A N/A C:\Windows\system32\p2phost.exe
PID 1180 wrote to memory of 2900 N/A N/A C:\Windows\system32\p2phost.exe
PID 1180 wrote to memory of 2900 N/A N/A C:\Windows\system32\p2phost.exe
PID 1180 wrote to memory of 2612 N/A N/A C:\Users\Admin\AppData\Local\DhXV9Sl\p2phost.exe
PID 1180 wrote to memory of 2612 N/A N/A C:\Users\Admin\AppData\Local\DhXV9Sl\p2phost.exe
PID 1180 wrote to memory of 2612 N/A N/A C:\Users\Admin\AppData\Local\DhXV9Sl\p2phost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\35074d79a34cd964a2e31d39fd7a40b8.dll,#1

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\5n4BH\dpapimig.exe

C:\Users\Admin\AppData\Local\5n4BH\dpapimig.exe

C:\Windows\system32\rrinstaller.exe

C:\Windows\system32\rrinstaller.exe

C:\Users\Admin\AppData\Local\jeC\rrinstaller.exe

C:\Users\Admin\AppData\Local\jeC\rrinstaller.exe

C:\Windows\system32\p2phost.exe

C:\Windows\system32\p2phost.exe

C:\Users\Admin\AppData\Local\DhXV9Sl\p2phost.exe

C:\Users\Admin\AppData\Local\DhXV9Sl\p2phost.exe

Network

No network traffic was captured in the 133s network window of this run.

Files

Memory dumps only; the report lists no dropped files for this run even though the Run key above points to a copy under AppData\Roaming. The region 0x0000000140000000-0x00000001401C1000 (0x1C1000 bytes) sits at the default x64 image base, so the payload is a 64-bit image; it is dumped from PID 1308 and PID 1180, and PID 1852 (the relocated dpapimig.exe, per the WriteProcessMemory table) carries a 0x1F5000-byte image at the same base.

memory/1308-1-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1308-0-0x0000000001B60000-0x0000000001B67000-memory.dmp

memory/1180-4-0x0000000076E86000-0x0000000076E87000-memory.dmp

memory/1180-5-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

memory/1180-13-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-14-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-12-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-11-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-10-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-16-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-29-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-33-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-43-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-46-0x0000000002AC0000-0x0000000002AC7000-memory.dmp

memory/1180-45-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-44-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-42-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-54-0x0000000077091000-0x0000000077092000-memory.dmp

memory/1180-55-0x00000000771F0000-0x00000000771F2000-memory.dmp

memory/1180-53-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-41-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-40-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-64-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-39-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-38-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-70-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-37-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-36-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-35-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-34-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-32-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-31-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-30-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-28-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1852-83-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1852-82-0x0000000000100000-0x0000000000107000-memory.dmp

memory/1180-27-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-26-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-25-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-24-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-23-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-22-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-21-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-20-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-19-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-18-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-17-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-15-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-9-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1308-8-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/1180-7-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/580-100-0x00000000000F0000-0x00000000000F7000-memory.dmp

memory/1180-145-0x0000000076E86000-0x0000000076E87000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 11:49

Reported

2024-01-04 11:44

Platform

win10v2004-20231215-en

Max time kernel

152s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\35074d79a34cd964a2e31d39fd7a40b8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\xr3OCPuMZcA\\upfc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\doIBpKFFu\RecoveryDrive.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\e2G75jN\upfc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Gbsjr\DisplaySwitch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(58 further events recorded with no description, indicator, process or target)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

As in the Win7 run, the writing process (here PID 3356) targets both the System32 original and the relocated AppData\Local copy of each binary; on Windows 10 the copied executables are RecoveryDrive.exe, consent.exe, upfc.exe and DisplaySwitch.exe.

Description Indicator Process Target
PID 3356 wrote to memory of 1952 N/A N/A C:\Windows\system32\RecoveryDrive.exe
PID 3356 wrote to memory of 1952 N/A N/A C:\Windows\system32\RecoveryDrive.exe
PID 3356 wrote to memory of 4288 N/A N/A C:\Users\Admin\AppData\Local\doIBpKFFu\RecoveryDrive.exe
PID 3356 wrote to memory of 4288 N/A N/A C:\Users\Admin\AppData\Local\doIBpKFFu\RecoveryDrive.exe
PID 3356 wrote to memory of 3164 N/A N/A C:\Windows\system32\consent.exe
PID 3356 wrote to memory of 3164 N/A N/A C:\Windows\system32\consent.exe
PID 3356 wrote to memory of 4272 N/A N/A C:\Users\Admin\AppData\Local\YKvqYEXo\consent.exe
PID 3356 wrote to memory of 4272 N/A N/A C:\Users\Admin\AppData\Local\YKvqYEXo\consent.exe
PID 3356 wrote to memory of 2788 N/A N/A C:\Windows\system32\upfc.exe
PID 3356 wrote to memory of 2788 N/A N/A C:\Windows\system32\upfc.exe
PID 3356 wrote to memory of 1032 N/A N/A C:\Users\Admin\AppData\Local\e2G75jN\upfc.exe
PID 3356 wrote to memory of 1032 N/A N/A C:\Users\Admin\AppData\Local\e2G75jN\upfc.exe
PID 3356 wrote to memory of 1196 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 3356 wrote to memory of 1196 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 3356 wrote to memory of 3404 N/A N/A C:\Users\Admin\AppData\Local\Gbsjr\DisplaySwitch.exe
PID 3356 wrote to memory of 3404 N/A N/A C:\Users\Admin\AppData\Local\Gbsjr\DisplaySwitch.exe

Uses Task Scheduler COM API

persistence
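Detection logic for the two behaviours that both detonations share, a Run value pointing into the user's profile and a System32 executable name started from outside the system directories, as an added example that is not part of this sandbox report. The event shape is Sysmon-like (EventID 13 with TargetObject/Details, EventID 1 with Image); the events are constructed from the report's observations rather than captured telemetry, and the set of System32 names is the handful seen on this page (a real deployment would inventory %SystemRoot%\System32).

```python
import ntpath
import re

# Assumed Sysmon field names: EventID 13 (RegistryEvent SetValue) carries
# TargetObject/Details, EventID 1 (ProcessCreate) carries Image. The events
# at the bottom are constructed from the report, not captured telemetry.
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
USER_PROFILE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^[a-z]:\\Windows\\(System32|SysWOW64|WinSxS)\\", re.IGNORECASE)

# Names that belong in System32, taken from this report; in practice build
# the set from an inventory of %SystemRoot%\System32\*.exe.
SYSTEM32_EXES = {
    "dpapimig.exe", "rrinstaller.exe", "p2phost.exe",                     # win7 run
    "recoverydrive.exe", "consent.exe", "upfc.exe", "displayswitch.exe",  # win10 run
}


def first_path(details: str) -> str:
    """Executable path from a Run value: a quoted path, or an unquoted path up
    to its extension. The sandbox prints values with doubled backslashes, so
    those are folded first."""
    d = details.replace("\\\\", "\\").strip()
    if d.startswith('"'):
        return d[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|dll|cmd|bat|vbs|js))(?:\s|$)", d, re.IGNORECASE)
    return m.group(1) if m else d.split(" ", 1)[0]


def check_run_key(ev: dict):
    """Rule 1: autostart value whose target lives in the user's profile."""
    if ev.get("EventID") != 13 or not RUN_KEY.search(ev.get("TargetObject", "")):
        return None
    path = first_path(ev.get("Details", ""))
    if USER_PROFILE.match(path):
        return {"rule": "run_key_to_user_profile", "key": ev["TargetObject"], "path": path}
    return None


def check_relocated_system_binary(ev: dict):
    """Rule 2: a System32 executable name started from any other directory."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "")
    if ntpath.basename(image).lower() in SYSTEM32_EXES and not SYSTEM_DIR.match(image):
        return {"rule": "system32_name_outside_system_dir", "image": image}
    return None


def detect(events):
    """Run both rules over an event list and return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in (check_run_key, check_relocated_system_binary):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed events mirroring the report (not real telemetry).
SAMPLE_EVENTS = [
    # win7: Run\Pfoxtyecp -> relocated rrinstaller.exe (value as Sysmon would log it)
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp",
     "Details": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\sCfg55sPRl\rrinstaller.exe"},
    # win10: Run\Hcbfaqn -> relocated upfc.exe (value as the report prints it: quoted, escaped)
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn",
     "Details": r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\xr3OCPuMZcA\\upfc.exe"'},
    # win7: relocated copy of dpapimig.exe started from %LOCALAPPDATA%
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Local\5n4BH\dpapimig.exe"},
    # benign: the genuine dpapimig.exe, and a vendor autostart under Program Files
    {"EventID": 1, "Image": r"C:\Windows\system32\dpapimig.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r'"C:\Program Files\Vendor\tray.exe" /background'},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 needs an allowlist in production: per-user installers (OneDrive is the common case) legitimately register Run values under %LOCALAPPDATA%, so pair it with signer information or a known-path list. Rule 2 has far fewer legitimate exceptions and matches the observed technique directly, including copies dropped into user-writable places under C:\Windows such as Temp.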

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\35074d79a34cd964a2e31d39fd7a40b8.dll,#1

C:\Windows\system32\RecoveryDrive.exe

C:\Windows\system32\RecoveryDrive.exe

C:\Users\Admin\AppData\Local\doIBpKFFu\RecoveryDrive.exe

C:\Users\Admin\AppData\Local\doIBpKFFu\RecoveryDrive.exe

C:\Windows\system32\consent.exe

C:\Windows\system32\consent.exe

C:\Users\Admin\AppData\Local\YKvqYEXo\consent.exe

C:\Users\Admin\AppData\Local\YKvqYEXo\consent.exe

C:\Windows\system32\upfc.exe

C:\Windows\system32\upfc.exe

C:\Users\Admin\AppData\Local\e2G75jN\upfc.exe

C:\Users\Admin\AppData\Local\e2G75jN\upfc.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\Gbsjr\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\Gbsjr\DisplaySwitch.exe

Network

All captured traffic is DNS to 8.8.8.8 (PTR lookups for a set of addresses and a lookup of tse1.mm.bing.net) plus TLS to 204.79.197.200 (tse1.mm.bing.net), which is typical of Windows 10 background activity. No command-and-control destination was recorded within the 153s network window, so this run yields no network indicators.

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

Memory dumps are listed first, then files written to disk. The 0x1C1000-byte image at 0x0000000140000000 (the default x64 image base, so a 64-bit payload) is dumped from PIDs 4560 and 3356; the relocated copies RecoveryDrive.exe (PID 4288) and upfc.exe (PID 1032, per the WriteProcessMemory table) each carry a 0x1C2000-byte image at the same base. Of the files written, three carry the names of Windows system DLLs (ReAgent.dll, XmlLite.dll, UxTheme.dll) and sit in randomly named folders under the user's profile; XmlLite.dll is in the same xr3OCPuMZcA folder as the upfc.exe copy that the Run key launches, the layout of a DLL search-order hijack. The .lnk in the Startup folder is a second autostart alongside the Run key.

memory/4560-0-0x0000024AC70D0000-0x0000024AC70D7000-memory.dmp

memory/4560-1-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-4-0x0000000003700000-0x0000000003701000-memory.dmp

memory/3356-6-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-8-0x00007FFBF74CA000-0x00007FFBF74CB000-memory.dmp

memory/3356-10-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-12-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-15-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-18-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-19-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-23-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-22-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-21-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-25-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-28-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-29-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-31-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-30-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-36-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-40-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-42-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-46-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-45-0x0000000001460000-0x0000000001467000-memory.dmp

memory/3356-53-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-44-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-54-0x00007FFBF8BE0000-0x00007FFBF8BF0000-memory.dmp

memory/3356-43-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-41-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-39-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-38-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-37-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-35-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-34-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-33-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-32-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-27-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-26-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-24-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-20-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-16-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-17-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-14-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-13-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-11-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/4560-7-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-9-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-63-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/3356-65-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/4288-76-0x000001C46C270000-0x000001C46C277000-memory.dmp

memory/4288-80-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/4288-74-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1032-99-0x000002F6233E0000-0x000002F6233E7000-memory.dmp

memory/1032-105-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3404-118-0x00000181B41C0000-0x00000181B41C7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

MD5 4eb2242024afdc4ff42a20e1942ff9fb
SHA1 4d8bb957352a3940144767de66f48566c1762fc8
SHA256 32e1fddd90cc1740687f0034d255b64617f9b515033c81637c5d105e37d033e7
SHA512 541ff4ec1115e48c2d82a28ff882e357e1456f7557c18a388459f367d460231f90dee978f4d2ab4bc963a565ec5bf33be17850384d2738171f7a80aa69aecb56

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\EU7R\ReAgent.dll

MD5 6c8193d446c02a9e041c31165ea03a3e
SHA1 601c60986efcf6cb5ccf26b5762c405e71e25428
SHA256 7ca5ae1373a763438d32c7cb68596eaebff97f917d604157c6bb699238b590c7
SHA512 921415f3afeefce6864b0ceedd2af5b2b849a83e7799753abb4c87c67ecf2b98941f1aaa05a9cd1a55eb2a8b9fa74342d7a609a30f908c2d1827ba9dd1ad0d96

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\xr3OCPuMZcA\XmlLite.dll

MD5 1b2868f7f461d0f46eaca596d29451a1
SHA1 7e917c8d246b845b5eaac6aa2ff89ab7100f03e3
SHA256 b1bdd074e019f92ae5593f52f30a664e218c38618a31248c4cbb238ddb8176e3
SHA512 5057e96a2c56c7978370307a9483ef02a5403f224429753f0ff60edeb3e429a7857957891eef746ab78367c94117f9e982f8afbb5cd0f8b0c9f4fdcf4ede94de

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\43\UxTheme.dll

MD5 c7d308b3bf408405d397b2920c18fa24
SHA1 36a58030d2574c692dc886c3678d723c81a048a1
SHA256 0f6168dd6d799875ab03bd2819b942661404615f5a2742dcc3532b53bc2cb8a0
SHA512 342dac8398254d2fbb2c22ff1ee816b111c39b310a643fe1d02a2d9945ed9be1562068a775dd9d62f31504fe0509fe36a023a37e122c2fd9f870dd84be4637e5
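A triage helper for the "Adds Run key" and "Files" sections of both detonations, as an added example that is not part of the sandbox report. It parses the report's own line formats (the excerpt below is copied from the sections above), normalises the kernel-style \REGISTRY\USER\<SID> paths to HKCU, unescapes the Run targets, and pairs each autostart target with dropped DLLs in the same directory. The pairing is a side-load candidate, not a proof: the page does not say which DLL each copied executable imports.

```python
import ntpath
import re

# Line shapes exactly as this report prints them.
RUN_LINE = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+) = "(?P<value>[^"]*)"')
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
PATH_LINE = re.compile(r"^[A-Za-z]:\\")
USER_HIVE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", re.IGNORECASE)
MACHINE_HIVE = re.compile(r"^\\REGISTRY\\MACHINE\\", re.IGNORECASE)


def normalize_key(key: str) -> str:
    """\\REGISTRY\\USER\\<SID>\\... -> HKCU\\..., \\REGISTRY\\MACHINE\\... -> HKLM\\..."""
    if USER_HIVE.match(key):
        return "HKCU\\" + USER_HIVE.sub("", key, count=1)
    if MACHINE_HIVE.match(key):
        return "HKLM\\" + MACHINE_HIVE.sub("", key, count=1)
    return key


def parse_run_keys(text: str):
    """Autostart values; the report prints the target with doubled backslashes."""
    out = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            out.append({"key": normalize_key(m["key"]),
                        "target": m["value"].replace("\\\\", "\\")})
    return out


def parse_dropped_files(text: str):
    """A dropped-file record is a path line followed by its hash lines."""
    files, current = [], None
    for line in text.splitlines():
        line = line.strip()
        h = HASH_LINE.match(line)
        if h and current is not None:
            current[h.group(1).lower()] = h.group(2)
        elif PATH_LINE.match(line):
            current = {"path": line}
            files.append(current)
    return files


def side_load_candidates(run_keys, files):
    """Dropped DLLs that share a directory with an autostart target: the
    search-order-hijack layout. Candidate only; the import is not verified."""
    hits = []
    for rk in run_keys:
        exe_dir = ntpath.dirname(rk["target"]).lower()
        for f in files:
            if f["path"].lower().endswith(".dll") and ntpath.dirname(f["path"]).lower() == exe_dir:
                hits.append({"exe": rk["target"], "dll": f["path"], "sha256": f.get("sha256")})
    return hits


# Copied from the report sections above (hash lines trimmed to MD5/SHA256).
REPORT_EXCERPT = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\sCfg55sPRl\\rrinstaller.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\xr3OCPuMZcA\\upfc.exe" N/A N/A

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk
MD5 4eb2242024afdc4ff42a20e1942ff9fb
SHA256 32e1fddd90cc1740687f0034d255b64617f9b515033c81637c5d105e37d033e7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\EU7R\ReAgent.dll
MD5 6c8193d446c02a9e041c31165ea03a3e
SHA256 7ca5ae1373a763438d32c7cb68596eaebff97f917d604157c6bb699238b590c7

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\xr3OCPuMZcA\XmlLite.dll
MD5 1b2868f7f461d0f46eaca596d29451a1
SHA256 b1bdd074e019f92ae5593f52f30a664e218c38618a31248c4cbb238ddb8176e3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\43\UxTheme.dll
MD5 c7d308b3bf408405d397b2920c18fa24
SHA256 0f6168dd6d799875ab03bd2819b942661404615f5a2742dcc3532b53bc2cb8a0
"""

if __name__ == "__main__":
    run_keys = parse_run_keys(REPORT_EXCERPT)
    files = parse_dropped_files(REPORT_EXCERPT)
    for rk in run_keys:
        print("autostart:", rk["key"], "->", rk["target"])
    for hit in side_load_candidates(run_keys, files):
        print("side-load candidate:", hit)
```

The Win7 Run target (sCfg55sPRl\rrinstaller.exe) produces no pairing because that run lists no dropped files; the Win10 target pairs with XmlLite.dll in xr3OCPuMZcA. The dropped-file hashes and the normalised Run values are the host indicators worth exporting from this report; the randomly named folders and value names (Pfoxtyecp, Hcbfaqn) will differ per infection and should not be used as indicators.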