Malware Analysis Report

2024-11-30 21:27

Sample ID 240107-bv6pnabgfr
Target 47ac41f976f4168195ecb01e69275d65
SHA256 881e957933aeee0526de8ff3220f5d8f825a0232fd26281a699442b316603f76
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

881e957933aeee0526de8ff3220f5d8f825a0232fd26281a699442b316603f76

Threat Level: Known bad

The file 47ac41f976f4168195ecb01e69275d65 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 01:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 01:28

Reported

2024-01-07 01:31

Platform

win10v2004-20231215-en

Max time kernel

4s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\47ac41f976f4168195ecb01e69275d65.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\yf29B6\mfpmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\geA\FileHistory.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\yf29B6\mfpmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\geA\FileHistory.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\b5BL1K0T\\FileHistory.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\yf29B6\mfpmp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\geA\FileHistory.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3412 wrote to memory of 1744 N/A N/A C:\Windows\system32\mfpmp.exe
PID 3412 wrote to memory of 1744 N/A N/A C:\Windows\system32\mfpmp.exe
PID 3412 wrote to memory of 4920 N/A N/A C:\Users\Admin\AppData\Local\yf29B6\mfpmp.exe
PID 3412 wrote to memory of 4920 N/A N/A C:\Users\Admin\AppData\Local\yf29B6\mfpmp.exe
PID 3412 wrote to memory of 3896 N/A N/A C:\Windows\system32\FileHistory.exe
PID 3412 wrote to memory of 3896 N/A N/A C:\Windows\system32\FileHistory.exe
PID 3412 wrote to memory of 4864 N/A N/A C:\Users\Admin\AppData\Local\geA\FileHistory.exe
PID 3412 wrote to memory of 4864 N/A N/A C:\Users\Admin\AppData\Local\geA\FileHistory.exe
PID 3412 wrote to memory of 3168 N/A N/A C:\Windows\system32\dpapimig.exe
PID 3412 wrote to memory of 3168 N/A N/A C:\Windows\system32\dpapimig.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\47ac41f976f4168195ecb01e69275d65.dll,#1

C:\Windows\system32\mfpmp.exe

C:\Windows\system32\mfpmp.exe

C:\Windows\system32\FileHistory.exe

C:\Windows\system32\FileHistory.exe

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\geA\FileHistory.exe

C:\Users\Admin\AppData\Local\geA\FileHistory.exe

C:\Users\Admin\AppData\Local\yf29B6\mfpmp.exe

C:\Users\Admin\AppData\Local\yf29B6\mfpmp.exe

C:\Users\Admin\AppData\Local\hWmwcsz0O\dpapimig.exe

C:\Users\Admin\AppData\Local\hWmwcsz0O\dpapimig.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 52.111.227.14:443 tcp
IE 20.223.36.55:443 tcp
IE 20.223.36.55:443 tcp
IE 20.223.36.55:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/1624-0-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1624-2-0x000001F79B2F0000-0x000001F79B2F7000-memory.dmp

memory/3412-14-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-21-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-27-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-35-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-40-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-46-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-52-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-51-0x0000000008530000-0x0000000008537000-memory.dmp

memory/3412-59-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-60-0x00007FFEEA8C0000-0x00007FFEEA8D0000-memory.dmp

memory/3412-71-0x0000000140000000-0x0000000140204000-memory.dmp

memory/4920-80-0x0000020DF97A0000-0x0000020DF97A7000-memory.dmp

memory/4920-81-0x0000000140000000-0x0000000140206000-memory.dmp

memory/4864-98-0x0000020F37220000-0x0000020F37227000-memory.dmp

memory/4876-116-0x00000251646B0000-0x00000251646B7000-memory.dmp

memory/3412-69-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-50-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-49-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-48-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-47-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-45-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-44-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-43-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-42-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-41-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-39-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-38-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-37-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-36-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-33-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-34-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-32-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-31-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-30-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-29-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-28-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-26-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-25-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-24-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-23-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-22-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-20-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-19-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-18-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-17-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-16-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-15-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-13-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-12-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-11-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-10-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-9-0x00007FFEE910A000-0x00007FFEE910B000-memory.dmp

memory/3412-8-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1624-7-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-6-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3412-4-0x0000000008520000-0x0000000008521000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 01:28

Reported

2024-01-07 01:31

Platform

win7-20231215-en

Max time kernel

150s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\47ac41f976f4168195ecb01e69275d65.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\xU6sJH\ComputerDefaults.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\7SqGNvJ\raserver.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\UMHFmAD\raserver.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\8X\\raserver.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\xU6sJH\ComputerDefaults.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\7SqGNvJ\raserver.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\UMHFmAD\raserver.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 2020 N/A N/A C:\Windows\system32\ComputerDefaults.exe
PID 1196 wrote to memory of 2020 N/A N/A C:\Windows\system32\ComputerDefaults.exe
PID 1196 wrote to memory of 2020 N/A N/A C:\Windows\system32\ComputerDefaults.exe
PID 1196 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\xU6sJH\ComputerDefaults.exe
PID 1196 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\xU6sJH\ComputerDefaults.exe
PID 1196 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\xU6sJH\ComputerDefaults.exe
PID 1196 wrote to memory of 2856 N/A N/A C:\Windows\system32\raserver.exe
PID 1196 wrote to memory of 2856 N/A N/A C:\Windows\system32\raserver.exe
PID 1196 wrote to memory of 2856 N/A N/A C:\Windows\system32\raserver.exe
PID 1196 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\7SqGNvJ\raserver.exe
PID 1196 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\7SqGNvJ\raserver.exe
PID 1196 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\7SqGNvJ\raserver.exe
PID 1196 wrote to memory of 1192 N/A N/A C:\Windows\system32\raserver.exe
PID 1196 wrote to memory of 1192 N/A N/A C:\Windows\system32\raserver.exe
PID 1196 wrote to memory of 1192 N/A N/A C:\Windows\system32\raserver.exe
PID 1196 wrote to memory of 1224 N/A N/A C:\Users\Admin\AppData\Local\UMHFmAD\raserver.exe
PID 1196 wrote to memory of 1224 N/A N/A C:\Users\Admin\AppData\Local\UMHFmAD\raserver.exe
PID 1196 wrote to memory of 1224 N/A N/A C:\Users\Admin\AppData\Local\UMHFmAD\raserver.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\47ac41f976f4168195ecb01e69275d65.dll,#1

C:\Windows\system32\ComputerDefaults.exe

C:\Windows\system32\ComputerDefaults.exe

C:\Users\Admin\AppData\Local\xU6sJH\ComputerDefaults.exe

C:\Users\Admin\AppData\Local\xU6sJH\ComputerDefaults.exe

C:\Windows\system32\raserver.exe

C:\Windows\system32\raserver.exe

C:\Users\Admin\AppData\Local\7SqGNvJ\raserver.exe

C:\Users\Admin\AppData\Local\7SqGNvJ\raserver.exe

C:\Windows\system32\raserver.exe

C:\Windows\system32\raserver.exe

C:\Users\Admin\AppData\Local\UMHFmAD\raserver.exe

C:\Users\Admin\AppData\Local\UMHFmAD\raserver.exe

Network

N/A

Files

memory/2124-1-0x0000000001BE0000-0x0000000001BE7000-memory.dmp

memory/2124-0-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-4-0x0000000077496000-0x0000000077497000-memory.dmp

memory/1196-5-0x0000000002210000-0x0000000002211000-memory.dmp

memory/1196-7-0x0000000140000000-0x0000000140204000-memory.dmp

memory/2124-8-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-9-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-10-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-12-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-11-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-13-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-14-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-16-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-15-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-17-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-18-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-20-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-19-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-21-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-22-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-24-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-25-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-23-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-31-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-30-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-29-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-28-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-27-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-26-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-32-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-33-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-34-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-35-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-36-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-37-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-38-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-39-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-40-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-41-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-42-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-44-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-43-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-46-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-48-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-47-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-45-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-50-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-49-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-52-0x00000000021E0000-0x00000000021E7000-memory.dmp

memory/1196-51-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-59-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-60-0x00000000775A1000-0x00000000775A2000-memory.dmp

memory/1196-61-0x0000000077700000-0x0000000077702000-memory.dmp

memory/1196-70-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1196-76-0x0000000140000000-0x0000000140204000-memory.dmp

C:\Users\Admin\AppData\Local\xU6sJH\ComputerDefaults.exe

MD5 86bd981f55341273753ac42ea200a81e
SHA1 14fe410efc9aeb0a905b984ac27719ff0dd10ea7
SHA256 40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3
SHA512 49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

C:\Users\Admin\AppData\Local\xU6sJH\appwiz.cpl

MD5 cc60602ad53dde104c88a8beabd28317
SHA1 ea2db703e469b81186981d35bc7ac814e0ec6a42
SHA256 0a659c1932a51f111be9e0fc37b9f160c2d15b4b08a7112fbefd9cd13d0a662c
SHA512 f9f6f6f9bd2dcbb50f89ecb1e1a5eecf78212a0ada3b631664e61fb086703cd353eac211dbf76ce3e27920c8e3fc65bb9d40063b1606c6d71560d040ee43366b

\Users\Admin\AppData\Local\xU6sJH\appwiz.cpl

MD5 acf7739cf23590f4257a42b925219878
SHA1 861cca261a15fdab2f6426256827262a8166661e
SHA256 a557edf707d157e74339d090300e4c2ae30f3bd947d2b929ba47d0e4831218d8
SHA512 87455ba64539a46e08eb5d1049596cad913ff4ca32b50273fd5677ad40b7175cb9b1eb6d290e447bbcae0445c7d33177e41cab5bc93e817a069d73cfe291c3e8

memory/1772-89-0x0000000000190000-0x0000000000197000-memory.dmp

C:\Users\Admin\AppData\Local\7SqGNvJ\raserver.exe

MD5 cd0bc0b6b8d219808aea3ecd4e889b19
SHA1 9f8f4071ce2484008e36fdfd963378f4ebad703f
SHA256 16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c
SHA512 84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

C:\Users\Admin\AppData\Local\7SqGNvJ\WTSAPI32.dll

MD5 ae4ad8dbdfcf3dabf54563c7b26dbda8
SHA1 9daaa1ca7dc3de87ffddc27bffe8cd9660f760d1
SHA256 7538925ef5ad957b8806c7015fa3c70fc0a9690f18ae435943b0bb001ad6082e
SHA512 16c50307d4eb98052c0cf4e92386dc41537181262e2bc6316b1cf5d4657cfe98b09f599d73ed50b8e2fc2f7cebbd0d593b74a63511be19d6973b583f267e973b

memory/2892-108-0x0000000000210000-0x0000000000217000-memory.dmp

C:\Users\Admin\AppData\Local\UMHFmAD\WTSAPI32.dll

MD5 04427197a4355f990f161f38a2a11e9c
SHA1 291a38533fa199c2c3a8e6e90c79e6d15c2c44fd
SHA256 3080ba1ed4ce25a8b6b6fa7ff0c15f30f3c8489f1dd020e4625b5912518128cc
SHA512 0102890f9ae3f5679b3131323c550e0076669b313a5f72901783932607534ff4255559e0b38484161956a8299d98e65e6072c34c1f3e61f2cab13501fbec7867

memory/1224-124-0x0000000000370000-0x0000000000377000-memory.dmp

\Users\Admin\AppData\Local\UMHFmAD\WTSAPI32.dll

MD5 69600b89402661343a3dedbeee111478
SHA1 a865a39f8c31a3d1e9c47e8c76e3b43af4a22a86
SHA256 e992c6ab8414d98fcdce193d01912c303337dd5da14ae70a2b7438cd1d5f9ca1
SHA512 23fe5e74ae965395556c46f24b3f8c2b6eb705b19bd7613b59953de36ce942887b7fb3dbae00da7d3ef8ce9a319ea3737a08537b7a033b60d54dc4b6994bc083

memory/1196-148-0x0000000077496000-0x0000000077497000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 991298ea3e698fbf5acfd92b069abcb4
SHA1 aec09571c210c83c12aea74e0f0dc691efa06b5a
SHA256 c5a275bdb5763ae5e0df0c223cb69ab819f4cf94d8000929b3da4327242d2c83
SHA512 fb5553d2f61affadeea4ff0ac41070e445809e3b93af6c8484094c29efe88f2eab987213393fe8143484a953d2cc8fc764d6b17dd153ab15ef834c4aa87dad11

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\Collab\Q3jKEE1\appwiz.cpl

MD5 9c56d32bd56193126b902ed7997e14d6
SHA1 22cc81be5362bc87156036aea2370187c4306d9f
SHA256 e5dc49401b1ea2e24ea5890cf468d705829d24b6b814447b228ea6af15a6c573
SHA512 ae2e5412ba25555a72faaf2b305a974f490af1b59f22957e5a1fd1e5b8d5947653001dd54bc4bc8d84f47ccd1a37c3b0872017da3a998dcb9caad4842d058bd8

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\OuGt7Co0\WTSAPI32.dll

MD5 f4cd5f8446f2503e3418c718e865f9b6
SHA1 ec3c4fb7050d64cc945c880548238d06c8b298c5
SHA256 e13ebc90ff55e456f15c48492a87c075aa8aa886b21bec1711af8d635bb7fbba
SHA512 2ba30d59cc462de728a1b299134ad00a609b379c7284f009eaeb1dfab7cc334978c21bf369a02c95eeb1d37e7ba02f4ed7823875571f3bce97fea331fe780c43