Analysis Overview
SHA256
881e957933aeee0526de8ff3220f5d8f825a0232fd26281a699442b316603f76
Threat Level: Known bad
The file 47ac41f976f4168195ecb01e69275d65 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-07 01:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-07 01:28
Reported
2024-01-07 01:31
Platform
win10v2004-20231215-en
Max time kernel
4s
Max time network
152s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\yf29B6\mfpmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\geA\FileHistory.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\yf29B6\mfpmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\geA\FileHistory.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\b5BL1K0T\\FileHistory.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\yf29B6\mfpmp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\geA\FileHistory.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3412 wrote to memory of 1744 | N/A | N/A | C:\Windows\system32\mfpmp.exe |
| PID 3412 wrote to memory of 1744 | N/A | N/A | C:\Windows\system32\mfpmp.exe |
| PID 3412 wrote to memory of 4920 | N/A | N/A | C:\Users\Admin\AppData\Local\yf29B6\mfpmp.exe |
| PID 3412 wrote to memory of 4920 | N/A | N/A | C:\Users\Admin\AppData\Local\yf29B6\mfpmp.exe |
| PID 3412 wrote to memory of 3896 | N/A | N/A | C:\Windows\system32\FileHistory.exe |
| PID 3412 wrote to memory of 3896 | N/A | N/A | C:\Windows\system32\FileHistory.exe |
| PID 3412 wrote to memory of 4864 | N/A | N/A | C:\Users\Admin\AppData\Local\geA\FileHistory.exe |
| PID 3412 wrote to memory of 4864 | N/A | N/A | C:\Users\Admin\AppData\Local\geA\FileHistory.exe |
| PID 3412 wrote to memory of 3168 | N/A | N/A | C:\Windows\system32\dpapimig.exe |
| PID 3412 wrote to memory of 3168 | N/A | N/A | C:\Windows\system32\dpapimig.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\47ac41f976f4168195ecb01e69275d65.dll,#1
C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
C:\Windows\system32\FileHistory.exe
C:\Windows\system32\FileHistory.exe
C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
C:\Users\Admin\AppData\Local\geA\FileHistory.exe
C:\Users\Admin\AppData\Local\geA\FileHistory.exe
C:\Users\Admin\AppData\Local\yf29B6\mfpmp.exe
C:\Users\Admin\AppData\Local\yf29B6\mfpmp.exe
C:\Users\Admin\AppData\Local\hWmwcsz0O\dpapimig.exe
C:\Users\Admin\AppData\Local\hWmwcsz0O\dpapimig.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.134.221.88.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| IE | 20.223.36.55:443 | | tcp |
| IE | 20.223.36.55:443 | | tcp |
| IE | 20.223.36.55:443 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/1624-0-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1624-2-0x000001F79B2F0000-0x000001F79B2F7000-memory.dmp
memory/3412-14-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-21-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-27-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-35-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-40-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-46-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-52-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-51-0x0000000008530000-0x0000000008537000-memory.dmp
memory/3412-59-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-60-0x00007FFEEA8C0000-0x00007FFEEA8D0000-memory.dmp
memory/3412-71-0x0000000140000000-0x0000000140204000-memory.dmp
memory/4920-80-0x0000020DF97A0000-0x0000020DF97A7000-memory.dmp
memory/4920-81-0x0000000140000000-0x0000000140206000-memory.dmp
memory/4864-98-0x0000020F37220000-0x0000020F37227000-memory.dmp
memory/4876-116-0x00000251646B0000-0x00000251646B7000-memory.dmp
memory/3412-69-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-50-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-49-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-48-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-47-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-45-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-44-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-43-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-42-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-41-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-39-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-38-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-37-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-36-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-33-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-34-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-32-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-31-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-30-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-29-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-28-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-26-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-25-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-24-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-23-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-22-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-20-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-19-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-18-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-17-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-16-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-15-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-13-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-12-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-11-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-10-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-9-0x00007FFEE910A000-0x00007FFEE910B000-memory.dmp
memory/3412-8-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1624-7-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-6-0x0000000140000000-0x0000000140204000-memory.dmp
memory/3412-4-0x0000000008520000-0x0000000008521000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-07 01:28
Reported
2024-01-07 01:31
Platform
win7-20231215-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\xU6sJH\ComputerDefaults.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\7SqGNvJ\raserver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\UMHFmAD\raserver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\xU6sJH\ComputerDefaults.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\7SqGNvJ\raserver.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\UMHFmAD\raserver.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\8X\\raserver.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\xU6sJH\ComputerDefaults.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\7SqGNvJ\raserver.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\UMHFmAD\raserver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1196 wrote to memory of 2020 | N/A | N/A | C:\Windows\system32\ComputerDefaults.exe |
| PID 1196 wrote to memory of 2020 | N/A | N/A | C:\Windows\system32\ComputerDefaults.exe |
| PID 1196 wrote to memory of 2020 | N/A | N/A | C:\Windows\system32\ComputerDefaults.exe |
| PID 1196 wrote to memory of 1772 | N/A | N/A | C:\Users\Admin\AppData\Local\xU6sJH\ComputerDefaults.exe |
| PID 1196 wrote to memory of 1772 | N/A | N/A | C:\Users\Admin\AppData\Local\xU6sJH\ComputerDefaults.exe |
| PID 1196 wrote to memory of 1772 | N/A | N/A | C:\Users\Admin\AppData\Local\xU6sJH\ComputerDefaults.exe |
| PID 1196 wrote to memory of 2856 | N/A | N/A | C:\Windows\system32\raserver.exe |
| PID 1196 wrote to memory of 2856 | N/A | N/A | C:\Windows\system32\raserver.exe |
| PID 1196 wrote to memory of 2856 | N/A | N/A | C:\Windows\system32\raserver.exe |
| PID 1196 wrote to memory of 2892 | N/A | N/A | C:\Users\Admin\AppData\Local\7SqGNvJ\raserver.exe |
| PID 1196 wrote to memory of 2892 | N/A | N/A | C:\Users\Admin\AppData\Local\7SqGNvJ\raserver.exe |
| PID 1196 wrote to memory of 2892 | N/A | N/A | C:\Users\Admin\AppData\Local\7SqGNvJ\raserver.exe |
| PID 1196 wrote to memory of 1192 | N/A | N/A | C:\Windows\system32\raserver.exe |
| PID 1196 wrote to memory of 1192 | N/A | N/A | C:\Windows\system32\raserver.exe |
| PID 1196 wrote to memory of 1192 | N/A | N/A | C:\Windows\system32\raserver.exe |
| PID 1196 wrote to memory of 1224 | N/A | N/A | C:\Users\Admin\AppData\Local\UMHFmAD\raserver.exe |
| PID 1196 wrote to memory of 1224 | N/A | N/A | C:\Users\Admin\AppData\Local\UMHFmAD\raserver.exe |
| PID 1196 wrote to memory of 1224 | N/A | N/A | C:\Users\Admin\AppData\Local\UMHFmAD\raserver.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\47ac41f976f4168195ecb01e69275d65.dll,#1
C:\Windows\system32\ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
C:\Users\Admin\AppData\Local\xU6sJH\ComputerDefaults.exe
C:\Users\Admin\AppData\Local\xU6sJH\ComputerDefaults.exe
C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
C:\Users\Admin\AppData\Local\7SqGNvJ\raserver.exe
C:\Users\Admin\AppData\Local\7SqGNvJ\raserver.exe
C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
C:\Users\Admin\AppData\Local\UMHFmAD\raserver.exe
C:\Users\Admin\AppData\Local\UMHFmAD\raserver.exe
Network
Files
memory/2124-1-0x0000000001BE0000-0x0000000001BE7000-memory.dmp
memory/2124-0-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-4-0x0000000077496000-0x0000000077497000-memory.dmp
memory/1196-5-0x0000000002210000-0x0000000002211000-memory.dmp
memory/1196-7-0x0000000140000000-0x0000000140204000-memory.dmp
memory/2124-8-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-9-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-10-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-12-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-11-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-13-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-14-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-16-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-15-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-17-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-18-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-20-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-19-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-21-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-22-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-24-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-25-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-23-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-31-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-30-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-29-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-28-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-27-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-26-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-32-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-33-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-34-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-35-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-36-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-37-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-38-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-39-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-40-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-41-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-42-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-44-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-43-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-46-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-48-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-47-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-45-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-50-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-49-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-52-0x00000000021E0000-0x00000000021E7000-memory.dmp
memory/1196-51-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-59-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-60-0x00000000775A1000-0x00000000775A2000-memory.dmp
memory/1196-61-0x0000000077700000-0x0000000077702000-memory.dmp
memory/1196-70-0x0000000140000000-0x0000000140204000-memory.dmp
memory/1196-76-0x0000000140000000-0x0000000140204000-memory.dmp
C:\Users\Admin\AppData\Local\xU6sJH\ComputerDefaults.exe
| MD5 | 86bd981f55341273753ac42ea200a81e |
| SHA1 | 14fe410efc9aeb0a905b984ac27719ff0dd10ea7 |
| SHA256 | 40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3 |
| SHA512 | 49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143 |
C:\Users\Admin\AppData\Local\xU6sJH\appwiz.cpl
| MD5 | cc60602ad53dde104c88a8beabd28317 |
| SHA1 | ea2db703e469b81186981d35bc7ac814e0ec6a42 |
| SHA256 | 0a659c1932a51f111be9e0fc37b9f160c2d15b4b08a7112fbefd9cd13d0a662c |
| SHA512 | f9f6f6f9bd2dcbb50f89ecb1e1a5eecf78212a0ada3b631664e61fb086703cd353eac211dbf76ce3e27920c8e3fc65bb9d40063b1606c6d71560d040ee43366b |
\Users\Admin\AppData\Local\xU6sJH\appwiz.cpl
| MD5 | acf7739cf23590f4257a42b925219878 |
| SHA1 | 861cca261a15fdab2f6426256827262a8166661e |
| SHA256 | a557edf707d157e74339d090300e4c2ae30f3bd947d2b929ba47d0e4831218d8 |
| SHA512 | 87455ba64539a46e08eb5d1049596cad913ff4ca32b50273fd5677ad40b7175cb9b1eb6d290e447bbcae0445c7d33177e41cab5bc93e817a069d73cfe291c3e8 |
memory/1772-89-0x0000000000190000-0x0000000000197000-memory.dmp
C:\Users\Admin\AppData\Local\7SqGNvJ\raserver.exe
| MD5 | cd0bc0b6b8d219808aea3ecd4e889b19 |
| SHA1 | 9f8f4071ce2484008e36fdfd963378f4ebad703f |
| SHA256 | 16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c |
| SHA512 | 84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac |
C:\Users\Admin\AppData\Local\7SqGNvJ\WTSAPI32.dll
| MD5 | ae4ad8dbdfcf3dabf54563c7b26dbda8 |
| SHA1 | 9daaa1ca7dc3de87ffddc27bffe8cd9660f760d1 |
| SHA256 | 7538925ef5ad957b8806c7015fa3c70fc0a9690f18ae435943b0bb001ad6082e |
| SHA512 | 16c50307d4eb98052c0cf4e92386dc41537181262e2bc6316b1cf5d4657cfe98b09f599d73ed50b8e2fc2f7cebbd0d593b74a63511be19d6973b583f267e973b |
memory/2892-108-0x0000000000210000-0x0000000000217000-memory.dmp
C:\Users\Admin\AppData\Local\UMHFmAD\WTSAPI32.dll
| MD5 | 04427197a4355f990f161f38a2a11e9c |
| SHA1 | 291a38533fa199c2c3a8e6e90c79e6d15c2c44fd |
| SHA256 | 3080ba1ed4ce25a8b6b6fa7ff0c15f30f3c8489f1dd020e4625b5912518128cc |
| SHA512 | 0102890f9ae3f5679b3131323c550e0076669b313a5f72901783932607534ff4255559e0b38484161956a8299d98e65e6072c34c1f3e61f2cab13501fbec7867 |
memory/1224-124-0x0000000000370000-0x0000000000377000-memory.dmp
\Users\Admin\AppData\Local\UMHFmAD\WTSAPI32.dll
| MD5 | 69600b89402661343a3dedbeee111478 |
| SHA1 | a865a39f8c31a3d1e9c47e8c76e3b43af4a22a86 |
| SHA256 | e992c6ab8414d98fcdce193d01912c303337dd5da14ae70a2b7438cd1d5f9ca1 |
| SHA512 | 23fe5e74ae965395556c46f24b3f8c2b6eb705b19bd7613b59953de36ce942887b7fb3dbae00da7d3ef8ce9a319ea3737a08537b7a033b60d54dc4b6994bc083 |
memory/1196-148-0x0000000077496000-0x0000000077497000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk
| MD5 | 991298ea3e698fbf5acfd92b069abcb4 |
| SHA1 | aec09571c210c83c12aea74e0f0dc691efa06b5a |
| SHA256 | c5a275bdb5763ae5e0df0c223cb69ab819f4cf94d8000929b3da4327242d2c83 |
| SHA512 | fb5553d2f61affadeea4ff0ac41070e445809e3b93af6c8484094c29efe88f2eab987213393fe8143484a953d2cc8fc764d6b17dd153ab15ef834c4aa87dad11 |
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\Collab\Q3jKEE1\appwiz.cpl
| MD5 | 9c56d32bd56193126b902ed7997e14d6 |
| SHA1 | 22cc81be5362bc87156036aea2370187c4306d9f |
| SHA256 | e5dc49401b1ea2e24ea5890cf468d705829d24b6b814447b228ea6af15a6c573 |
| SHA512 | ae2e5412ba25555a72faaf2b305a974f490af1b59f22957e5a1fd1e5b8d5947653001dd54bc4bc8d84f47ccd1a37c3b0872017da3a998dcb9caad4842d058bd8 |
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\OuGt7Co0\WTSAPI32.dll
| MD5 | f4cd5f8446f2503e3418c718e865f9b6 |
| SHA1 | ec3c4fb7050d64cc945c880548238d06c8b298c5 |
| SHA256 | e13ebc90ff55e456f15c48492a87c075aa8aa886b21bec1711af8d635bb7fbba |
| SHA512 | 2ba30d59cc462de728a1b299134ad00a609b379c7284f009eaeb1dfab7cc334978c21bf369a02c95eeb1d37e7ba02f4ed7823875571f3bce97fea331fe780c43 |