Malware Analysis Report

2024-11-30 21:24

Sample ID 231222-t2xz7sbbd5
Target f31c9ea6eaecfbc1d3581dd755a4944f
SHA256 c52b166abcd2b1f2055342f5e28d79527a621c723f52a0a2b0ea9e55d3e46136
Tags dridex botnet payload evasion persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10
SHA256 c52b166abcd2b1f2055342f5e28d79527a621c723f52a0a2b0ea9e55d3e46136
Threat Level: Known bad

The file f31c9ea6eaecfbc1d3581dd755a4944f was found to be: Known bad.

Malicious Activity Summary

dridex botnet payload evasion persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

The matrix cells themselves are not present in this copy of the report; the mapping below is the editor's, derived from the signatures listed above, and is not the sandbox's own table.

T1218.010 System Binary Proxy Execution: Regsvr32 (the sample DLL is loaded with regsvr32 /s from the user's Temp directory)
T1574.002 Hijack Execution Flow: DLL Side-Loading (Loads dropped DLL: Windows binaries copied to AppData\Local\<random>\ next to a dropped DLL named after a library they load)
T1055 Process Injection (Suspicious use of WriteProcessMemory into the freshly spawned copies)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Adds Run key to start application; Startup\Aqwbkkvq.lnk)
T1053.005 Scheduled Task/Job: Scheduled Task (Uses Task Scheduler COM API)
T1057 Process Discovery (Suspicious behavior: EnumeratesProcesses)
T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control (Checks whether UAC is enabled: the EnableLUA query is the precondition check, not a bypass in itself)
Unsigned PE: a static property of the sample, not mapped to a technique here.

Analysis: static1

Detonation Overview

Reported 2023-12-22 16:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-22 16:33
Reported 2023-12-24 07:11
Platform win10v2004-20231222-en
Max time kernel 4s
Max time network 146s

Kernel-level monitoring lasted only 4 s in this run, against 139 s for behavioral1 (win7). That is the likely reason behavioral2 reports far fewer signatures (no Run key, UAC check or WriteProcessMemory rows) even though its process and file activity continued; behavioral1 is the fuller record of this sample's behaviour.

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f31c9ea6eaecfbc1d3581dd755a4944f.dll

The sample is a DLL, so it is executed by registering it silently (/s) with regsvr32.exe, which loads the DLL and calls its DllRegisterServer export; the loader code therefore runs inside the Microsoft-signed regsvr32.exe process.

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes (image, then the recorded command line)

C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f31c9ea6eaecfbc1d3581dd755a4944f.dll
C:\Windows\system32\phoneactivate.exe
    C:\Windows\system32\phoneactivate.exe
C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
C:\Users\Admin\AppData\Local\bUdEA7\SystemPropertiesDataExecutionPrevention.exe
    C:\Users\Admin\AppData\Local\bUdEA7\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\DLuP\dialer.exe
    C:\Users\Admin\AppData\Local\DLuP\dialer.exe
C:\Users\Admin\AppData\Local\XVb42Xa\phoneactivate.exe
    C:\Users\Admin\AppData\Local\XVb42Xa\phoneactivate.exe

Each Windows binary runs twice: once from System32 and once as a copy in a freshly created AppData\Local\<random>\ directory, beside a dropped DLL carrying the name of a library that binary loads (phoneactivate.exe with DUI70.dll, dialer.exe with TAPI32.dll, SystemPropertiesDataExecutionPrevention.exe with SYSDM.CPL; see Files below). The application directory precedes System32 in the DLL search order, so the copy side-loads the dropped DLL in place of the system one.

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Every recorded flow is a reverse-DNS (PTR) query to 8.8.8.8 for an in-addr.arpa name; no outbound connection to a command-and-control host was captured within the 146 s network window. Lookups of this kind are consistent with the operating system resolving addresses it talks to in the background rather than with the Dridex payload, so this run yields no usable network indicators and these names should not be blocked or alerted on.

Files

Several paths below appear twice with different hashes (XVb42Xa\DUI70.dll, DLuP\TAPI32.dll, bUdEA7\SYSDM.CPL, and the copied phoneactivate.exe and SystemPropertiesDataExecutionPrevention.exe): the file's contents changed between the two captures, so the loader rewrites each staged file after first creating it, and both hash sets are indicators for this run only. The directory names (XVb42Xa, DLuP, bUdEA7 here; 7LX8P8, OnV, u8J7mTo in behavioral1) differ per run, so hunt on the pattern of a Windows binary plus a same-named system DLL under AppData rather than on the literal paths. A second copy of each DLL is written under AppData\Roaming (Quick Launch\zFmlND, Start Menu\Programs\Accessibility\eoh9LCnO, Quick Launch\User Pinned\Ty), the same Roaming area the behavioral1 Run key points into. The memory dumps show the same 0x0000000140000000-0x000000014024B000 image first in PID 740 (regsvr32.exe, inferred from its dumps carrying indices 0 and 2) and then repeatedly in PID 3520, the process the loader migrated into.

memory/740-0-0x0000000140000000-0x000000014024B000-memory.dmp

memory/740-2-0x0000000001EF0000-0x0000000001EF7000-memory.dmp

memory/3520-4-0x0000000002F50000-0x0000000002F51000-memory.dmp

memory/3520-8-0x0000000140000000-0x000000014024B000-memory.dmp

memory/740-7-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-10-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-9-0x00007FFBCEFDA000-0x00007FFBCEFDB000-memory.dmp

memory/3520-11-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-12-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-14-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-15-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-17-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-16-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-20-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-21-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-19-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-18-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-13-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-6-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-22-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-23-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-24-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-26-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-25-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-27-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-30-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-29-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-34-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-38-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-41-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-43-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-46-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-45-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-44-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-42-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-40-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-47-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-50-0x0000000001090000-0x0000000001097000-memory.dmp

memory/3520-39-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-37-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-36-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-55-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-35-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-33-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-32-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-31-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-28-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-65-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3520-60-0x00007FFBD0060000-0x00007FFBD0070000-memory.dmp

memory/3520-67-0x0000000140000000-0x000000014024B000-memory.dmp

C:\Users\Admin\AppData\Local\XVb42Xa\DUI70.dll

MD5 4abee8c87c1e7fc843a2149ff6aa1615
SHA1 b60c49491d2ceb9181105d05ac7fdc85cad36440
SHA256 2ff0916dfd3df7b2514a39016509e0169dc4e42a9f9d7f47fc5f09d0f82bc4f5
SHA512 20fece26935017d8dda6f3b90fc43908970c263b2198e814606a74ac2c31d3daf732433ec7e835dea5675b3c419589e98265f1adab7a97544eecb726d788a7f8

memory/4152-76-0x0000000140000000-0x0000000140291000-memory.dmp

memory/4152-82-0x0000000140000000-0x0000000140291000-memory.dmp

memory/4152-78-0x0000020E349E0000-0x0000020E349E7000-memory.dmp

C:\Users\Admin\AppData\Local\XVb42Xa\DUI70.dll

MD5 52ee211a7dba63b6ce95af7c5ea124e1
SHA1 a118c424907bdbf961d594376d665e9df10bb08c
SHA256 8db044d66470135abc0ff51f4066369597c8fbd567b7fbc8a1646b892f9bbf67
SHA512 225b2e2139e53a719b1e33796e1cb022d9afd94e11f9a77b92726848430defa59c5895873c12c5f9d632ae21cbf5cc796256f686aec817b02953c0c9a9b0c17a

C:\Users\Admin\AppData\Local\XVb42Xa\phoneactivate.exe

MD5 1bd362d2de4ab862d1c386a22f1f294d
SHA1 bafe54677e1ad55323865fba584e1570f89e3e66
SHA256 6a00dead2676608dc1a25551f4dbb8b1b529e3cd47dfe9b649909aed42d79e5f
SHA512 a2cf09dbbc5ac45d85e02caeb9f40428dd20030a6fa5dc46f7d567da9527d66dfff0df62877627cd6e8390f269612fcd5df2f972921b059081ee1b87dea2c281

C:\Users\Admin\AppData\Local\DLuP\TAPI32.dll

MD5 bf9231156a26d833dd93da63d59088d1
SHA1 8f0c8c2be2902a214dc043fe7863c5d869c1e385
SHA256 e3b7473c8a2677f1d53c0943ffb9fe9aea05304084d0aa34e6b4040446fa4587
SHA512 ff63aa19fb4850182d516fb60df9aabf3d69f457954a149b1eb47fec60d9f8be640f3233a37a8e186e7173ecc9ad10b7b656866d07aa655fd36256ad0dfa1034

memory/4632-94-0x0000000140000000-0x000000014024D000-memory.dmp

memory/4632-93-0x000002825ABD0000-0x000002825ABD7000-memory.dmp

C:\Users\Admin\AppData\Local\DLuP\TAPI32.dll

MD5 a383446fac0b374962d886501a80b365
SHA1 b3587cdb7047d0e4685cfc7b67a8f6520ae60930
SHA256 8b1e6e82a91c09eb49416c8e2b1981672a412fdef8dde8872907a2c53b92fa86
SHA512 af02756dd3c4ae28ebca20402da0012c2ac56074d7c82717ab7b25cb74d65c15a9f08c96fbf1c9002644d63956a5d746f116180a0f037b2a7b43d11c419b3b00

C:\Users\Admin\AppData\Local\bUdEA7\SystemPropertiesDataExecutionPrevention.exe

MD5 0b649e8402e6c982bc69059fa4d413ab
SHA1 66e3e6be7560995cc1778ed91bda36266d8bfe3d
SHA256 122bea3edeb716d8667f843e7965245b9a8f9953210dbc71c93dbd60b6882afa
SHA512 9345d8dd9727262388a7deeed90cee25af04addd8c0296e4b909cafd10e7bc918eb9ed6eae2bf65ea9be99f3433c80f1115aa7ce1c434f33b325758a45a4b4fa

C:\Users\Admin\AppData\Local\DLuP\dialer.exe

MD5 b2626bdcf079c6516fc016ac5646df93
SHA1 838268205bd97d62a31094d53643c356ea7848a6
SHA256 e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb
SHA512 615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

C:\Users\Admin\AppData\Local\bUdEA7\SYSDM.CPL

MD5 e5e866f23b6258d5b69d98b8865b11b0
SHA1 7a670071db0bce5eb35e836ba4aaa707d6fced88
SHA256 97a4c4dc6cfd4b095162f55fb0be61b8a29a3f824c8b96c1fbeca8cffa0199dd
SHA512 83665b914d9d3366d9eaacb2507a42825f5066f9e2fa2aeed8ec9a9ebf3fa8af7ccfd8664a13eadd74bf5bde523f8e557410b43ae16d1ee377b777cecb17c3ae

memory/772-112-0x000002368E2A0000-0x000002368E2A7000-memory.dmp

C:\Users\Admin\AppData\Local\bUdEA7\SYSDM.CPL

MD5 6d1295362065c7143ccdc9a454e07467
SHA1 32df7d8c303e082e0fba5600f7cbdb3c13b51743
SHA256 a2b861a3950bed2e5ccc20b841987acd84dabd5a168fc85d0ee04eb3d3b330eb
SHA512 2b7d9f1368cee0c323d3550077b925cb7acb766268481597cf4a7cc8e01c2e662bbd494d02716dc649266820df8d98e7ad0af515d392d791abdb1f7ed3921db4

C:\Users\Admin\AppData\Local\bUdEA7\SystemPropertiesDataExecutionPrevention.exe

MD5 7fe3668b8538f54ec46fcb7b70c3883b
SHA1 3d4eec07855916ef84340d7bfd5b7a6d77ae0eec
SHA256 90b452123efacc890d9cfb8d9f25ac123ad05c19dcb56dbb472a7732264c3a7e
SHA512 e3a2f8f090f5aed85b870ddebf8ad514d9818c1beb964eb155a6f39578aaf947863b1293d44d0d6f56b53936a32a745bcf4671250fec45410390e14cabf76320

C:\Users\Admin\AppData\Local\XVb42Xa\phoneactivate.exe

MD5 cdd0bf435d0a1652be5a7a9fc4c2d5d2
SHA1 efb754e28ad96e6fe668e4bb465fd9af3b89155c
SHA256 23a0e19f78aa38b3c155e3477fceaf4d9ae78f2507a9d8861c91c95a9cdd5f55
SHA512 33447984a84dd68bb86906dd4c734682e875de0a75f2eb159197940752afe38f822878c9806ccf62dc45655bf490817259e9f4fc066b009b301ced245c95030e

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

MD5 e28fa2d2b6461dc179f2240b23fb7c82
SHA1 7e65787d64fac74faec68d1df641b4593fdeeee8
SHA256 d33f922b52e74135cdf93cbac4b2812af1713517f0afcce538061386d2b7861e
SHA512 b6dbc4e814731699703df2afeb8d2ca3f052305307a2cb9b26cca0d90eb222a8cb7d83f25c9c2cd9bf4be6c289bedd4133959344c3588669ec5f3f95a9b5c146

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\zFmlND\DUI70.dll

MD5 d155330072964ced2be91bce9e738613
SHA1 96630c6938dbee80698cb85c2a266b2ccfecd898
SHA256 f7563d376e5151d5a85a82ca750624b2ec63a6e8be843eddb3b26c778fef5dc1
SHA512 57724f05958351ad421194bfe4b48382365e5f1e0cd3ae209261b07ebc252c8978a19a7c052e70505b9f8629cc725de689aaf33b794f48af2ec704f67fe27772

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\eoh9LCnO\TAPI32.dll

MD5 d90686ee96902e3d037a55b82d92a670
SHA1 71bcfed3b01af393b6a1e6c1abe9ba3908a1193a
SHA256 d7960d5a956bd59853fabbfab6b157c97919a6f76885b8d0e3df34a59d7e9637
SHA512 c8603b3ffc6a68d9a363f68d065da760f82cf841c28802370ef514c356f3a980a8382be84f94cebc96f71d345461a22b0955f79838dc1510106d540423136eef

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Ty\SYSDM.CPL

MD5 ae865c04b7d13b0344840cfe03b4f680
SHA1 79615c7ba1002a7f2a7dcd4ae5bec3ee3c789149
SHA256 7a0983e06cd3b75d415d9697fde36719050818e9c74039f811741434d1750652
SHA512 3ac46945a721fffc079fae7142ba71e7661c0aa16a0c3e5539db3fa902ad34727c2f9b8a0d99e39506e8a9d963c8e5f08e433c9301fd0877c94c7afcb82e29f0

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-22 16:33
Reported 2023-12-24 07:11
Platform win7-20231129-en
Max time kernel 139s
Max time network 118s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f31c9ea6eaecfbc1d3581dd755a4944f.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\7LX8P8\shrpubw.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\OnV\sethc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\u8J7mTo\xpsrchvw.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\Wq\\sethc.exe" N/A N/A

The value points at a fourth copy of sethc.exe, under AppData\Roaming\Microsoft\Windows\IEDownloadHistory\Wq\, a location distinct from the three AppData\Local\<random>\ directories used during this run and not seen executing in the process list: it is the copy intended to run at the next logon.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\7LX8P8\shrpubw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\OnV\sethc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\u8J7mTo\xpsrchvw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
(61 further rows with no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

The sandbox records three writes from PID 1312 into each target (rows collapsed to one per target):

Writer  Target  Target image
1312    2688    C:\Windows\system32\shrpubw.exe
1312    2468    C:\Users\Admin\AppData\Local\7LX8P8\shrpubw.exe
1312    2996    C:\Windows\system32\sethc.exe
1312    1880    C:\Users\Admin\AppData\Local\OnV\sethc.exe
1312    1656    C:\Windows\system32\xpsrchvw.exe
1312    1664    C:\Users\Admin\AppData\Local\u8J7mTo\xpsrchvw.exe

PID 1312 is neither regsvr32.exe (PID 1044, whose dumps carry indices 0 and 1 and so precede everything else) nor any of the six spawned processes, yet its dumps from index 7 onward contain the same 0x0000000140000000-0x000000014024B000 image that PID 1044 holds. The loader therefore injected itself into an already-running process and launched the side-loading chain from there, which is why the spawned binaries have no visible parent in the process list: a detection keyed on regsvr32.exe as the parent will not catch them.
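To make that migration visible mechanically, the following Python is an added example by the editor, not code from the sandbox or its report. It parses the WriteProcessMemory rows as transcribed from the table above, collapses the triplicated rows, pairs each System32 original with its user-directory copy, and reports any writer PID that is neither the loader nor one of the spawned targets. The only assumption is that PID 1044 is regsvr32.exe, inferred from its memory dumps carrying indices 0 and 1.

```python
import re
from collections import Counter

# Rows transcribed from the "Suspicious use of WriteProcessMemory" table of
# behavioral1 above; the sandbox emits three identical rows per target.
WPM_ROWS = r"""
PID 1312 wrote to memory of 2688 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1312 wrote to memory of 2688 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1312 wrote to memory of 2688 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1312 wrote to memory of 2468 N/A N/A C:\Users\Admin\AppData\Local\7LX8P8\shrpubw.exe
PID 1312 wrote to memory of 2468 N/A N/A C:\Users\Admin\AppData\Local\7LX8P8\shrpubw.exe
PID 1312 wrote to memory of 2468 N/A N/A C:\Users\Admin\AppData\Local\7LX8P8\shrpubw.exe
PID 1312 wrote to memory of 2996 N/A N/A C:\Windows\system32\sethc.exe
PID 1312 wrote to memory of 2996 N/A N/A C:\Windows\system32\sethc.exe
PID 1312 wrote to memory of 2996 N/A N/A C:\Windows\system32\sethc.exe
PID 1312 wrote to memory of 1880 N/A N/A C:\Users\Admin\AppData\Local\OnV\sethc.exe
PID 1312 wrote to memory of 1880 N/A N/A C:\Users\Admin\AppData\Local\OnV\sethc.exe
PID 1312 wrote to memory of 1880 N/A N/A C:\Users\Admin\AppData\Local\OnV\sethc.exe
PID 1312 wrote to memory of 1656 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1312 wrote to memory of 1656 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1312 wrote to memory of 1656 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1312 wrote to memory of 1664 N/A N/A C:\Users\Admin\AppData\Local\u8J7mTo\xpsrchvw.exe
PID 1312 wrote to memory of 1664 N/A N/A C:\Users\Admin\AppData\Local\u8J7mTo\xpsrchvw.exe
PID 1312 wrote to memory of 1664 N/A N/A C:\Users\Admin\AppData\Local\u8J7mTo\xpsrchvw.exe
"""

# Assumption (not stated on the page): PID 1044 is regsvr32.exe, the process
# that loaded the sample, because its memory dumps carry indices 0 and 1.
LOADER_PIDS = {1044}

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A N/A (.+?)\s*$")


def parse_rows(text):
    """Return (writer_pid, target_pid, target_image) for each well-formed row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return rows


def injection_map(rows):
    """Collapse repeated rows: target pid -> writer pid, image and write count."""
    counts = Counter(rows)
    return {t: {"writer": w, "image": img, "writes": n}
            for (w, t, img), n in counts.items()}


def writers_outside_tree(imap, loader_pids):
    """Writers that are neither the loader nor a spawned target: such a PID is a
    pre-existing process the loader must have injected itself into."""
    writers = {v["writer"] for v in imap.values()}
    return writers - set(loader_pids) - set(imap)


def original_copy_pairs(imap):
    """Group targets by basename into the System32 original and its user-dir copy."""
    pairs = {}
    for pid, v in imap.items():
        name = v["image"].rsplit("\\", 1)[-1].lower()
        slot = "original" if v["image"].lower().startswith("c:\\windows\\") else "copy"
        pairs.setdefault(name, {})[slot] = (pid, v["image"])
    return pairs


if __name__ == "__main__":
    imap = injection_map(parse_rows(WPM_ROWS))
    print("injecting host(s) outside the tree:", writers_outside_tree(imap, LOADER_PIDS))
    for name, p in original_copy_pairs(imap).items():
        print(f"{name}: original pid {p['original'][0]}, copy pid {p['copy'][0]} at {p['copy'][1]}")
```

The same logic applies to any sandbox or EDR export that records writer and target PIDs: build the set of PIDs that the loader and its children account for, and treat any writer outside that set as the process the loader has migrated into.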

Uses Task Scheduler COM API

persistence

Processes (image, then the recorded command line)

C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f31c9ea6eaecfbc1d3581dd755a4944f.dll
C:\Users\Admin\AppData\Local\7LX8P8\shrpubw.exe
    C:\Users\Admin\AppData\Local\7LX8P8\shrpubw.exe
C:\Windows\system32\shrpubw.exe
    C:\Windows\system32\shrpubw.exe
C:\Users\Admin\AppData\Local\OnV\sethc.exe
    C:\Users\Admin\AppData\Local\OnV\sethc.exe
C:\Windows\system32\sethc.exe
    C:\Windows\system32\sethc.exe
C:\Users\Admin\AppData\Local\u8J7mTo\xpsrchvw.exe
    C:\Users\Admin\AppData\Local\u8J7mTo\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
    C:\Windows\system32\xpsrchvw.exe
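The host artifacts recorded in this run's signatures and process list (regsvr32 loading a DLL from Temp, Windows binaries relaunched from AppData\Local\<random>\ beside a same-named system DLL, a Run key and a Startup .lnk pointing under AppData) can be turned into hunting logic. The following Python is an added example by the editor, not the sandbox's code: it runs those rules over constructed Sysmon-style events modelled on the rows of this report. The event dictionaries, the allowlists and the rule names are assumptions for illustration, not data from the page.

```python
import re

# Constructed sample events modelled on the process, file and registry rows of
# behavioral1/behavioral2 above; they are not a real Sysmon log.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f31c9ea6eaecfbc1d3581dd755a4944f.dll"},
    {"type": "process", "image": r"C:\Windows\system32\shrpubw.exe",
     "cmdline": r"C:\Windows\system32\shrpubw.exe"},                      # original: benign
    {"type": "process", "image": r"C:\Users\Admin\AppData\Local\7LX8P8\shrpubw.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\7LX8P8\shrpubw.exe"},       # copy: side-load host
    {"type": "file", "path": r"C:\Users\Admin\AppData\Local\XVb42Xa\DUI70.dll"},
    {"type": "file", "path": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk"},
    {"type": "registry",
     "key": r"\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac",
     "value": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\Wq\sethc.exe"},
    {"type": "process", "image": r"C:\Program Files\Vendor\app.exe", "cmdline": "app.exe"},  # control
]

# Assumed allowlists. In production build them from an inventory of a clean
# C:\Windows\System32; here they hold only the names that occur in this report.
SYSTEM_BINARIES = {"shrpubw.exe", "sethc.exe", "xpsrchvw.exe", "phoneactivate.exe",
                   "dialer.exe", "systempropertiesdataexecutionprevention.exe"}
SYSTEM_DLLS = {"dui70.dll", "tapi32.dll", "sysdm.cpl"}

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
TEMP_DLL = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.dll$", re.I)
# Match only the trailing "\Startup\name.lnk": the report shows the path in 8.3
# form (MICROS~1, STARTM~1), so a rule anchored on "Start Menu" would miss it.
STARTUP_LNK = re.compile(r"\\startup\\[^\\]+\.lnk$", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_regsvr32_temp_dll(cmdline):
    """regsvr32 loading a DLL out of the user's Temp; /s is deliberately not required."""
    toks = cmdline.replace('"', "").split()
    if not toks or basename(toks[0]) not in ("regsvr32", "regsvr32.exe"):
        return False
    return any(TEMP_DLL.search(t) for t in toks[1:])


def scan(events):
    """Return (rule_id, evidence) pairs for the host-artifact patterns in this report."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image = ev["image"]
            if is_regsvr32_temp_dll(ev["cmdline"]):
                findings.append(("regsvr32_temp_dll", ev["cmdline"]))
            # A System32 binary name running from a user-writable directory is
            # the side-loading host; the same name under C:\Windows is normal.
            if USER_WRITABLE.match(image) and basename(image) in SYSTEM_BINARIES:
                findings.append(("system_binary_in_user_dir", image))
        elif ev["type"] == "file":
            path = ev["path"]
            if USER_WRITABLE.match(path) and basename(path) in SYSTEM_DLLS:
                findings.append(("system_dll_name_in_user_dir", path))
            if STARTUP_LNK.search(path):
                findings.append(("startup_folder_lnk", path))
        elif ev["type"] == "registry":
            if RUN_KEY.search(ev["key"]) and USER_WRITABLE.match(ev["value"]):
                findings.append(("run_key_to_appdata", ev["value"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS):
        print(f"{rule:30} {evidence}")
```

The rules key on the relationship between a file's name and its location rather than on the random directory names or the per-run hashes, which is what survives from one Dridex run to the next; the benign System32 launch and the control process produce no findings.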

Network

N/A (no network activity was recorded in this run)

Files

Only memory dumps were captured in this run; no dropped files are listed. The 0x0000000140000000-0x000000014024B000 image appears first in PID 1044 (regsvr32.exe by dump order, indices 0 and 8) and then throughout PID 1312 (index 7 onward), matching the WriteProcessMemory rows above in which 1312, not regsvr32.exe, is the process that writes into the spawned binaries.

memory/1044-0-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1044-1-0x0000000000120000-0x0000000000127000-memory.dmp

memory/1312-4-0x00000000776D6000-0x00000000776D7000-memory.dmp

memory/1312-12-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-23-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-34-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-45-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-48-0x0000000002EF0000-0x0000000002EF7000-memory.dmp

memory/1312-57-0x0000000077940000-0x0000000077942000-memory.dmp

memory/1312-56-0x00000000777E1000-0x00000000777E2000-memory.dmp

memory/1312-66-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-72-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-75-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-55-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-47-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-46-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-44-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-43-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-42-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-41-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-40-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-39-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-38-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-37-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-36-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-35-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-33-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-32-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-31-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-30-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-29-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-28-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-27-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-26-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-25-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-24-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-22-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-21-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-20-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-19-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-18-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-17-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-16-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-15-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-14-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-13-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-11-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-10-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-9-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1044-8-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1664-132-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1312-7-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1312-5-0x0000000002F10000-0x0000000002F11000-memory.dmp

memory/1312-161-0x00000000776D6000-0x00000000776D7000-memory.dmp