Analysis Overview
SHA256
6174e8dd79ab1efad1a87d1a47e33a5a24c2354e3747c90f740e9bfa34b5ab62
Threat Level: Known bad
The file 387e6d00ac40f6f48e4dc8e37a07de01 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Dridex payload
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 13:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 13:44
Reported
2024-01-05 09:34
Platform
win10v2004-20231222-en
Max time kernel
3s
Max time network
73s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dridex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\387e6d00ac40f6f48e4dc8e37a07de01.dll,#1
C:\Users\Admin\AppData\Local\d0hY\mblctr.exe
C:\Users\Admin\AppData\Local\d0hY\mblctr.exe
C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
C:\Users\Admin\AppData\Local\Jfzl\Magnify.exe
C:\Users\Admin\AppData\Local\Jfzl\Magnify.exe
C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
C:\Users\Admin\AppData\Local\BUpRCjT\RecoveryDrive.exe
C:\Users\Admin\AppData\Local\BUpRCjT\RecoveryDrive.exe
C:\Windows\system32\RecoveryDrive.exe
C:\Windows\system32\RecoveryDrive.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| GB | 88.221.134.18:80 | tcp | |
| GB | 96.17.178.174:80 | tcp |
Files
memory/2240-0-0x000001BFBFBF0000-0x000001BFBFBF7000-memory.dmp
memory/2240-1-0x00007FFBBD930000-0x00007FFBBDA3C000-memory.dmp
memory/3424-6-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-9-0x00007FFBCAA1A000-0x00007FFBCAA1B000-memory.dmp
memory/3424-16-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-21-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-24-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-33-0x00007FFBCC110000-0x00007FFBCC120000-memory.dmp
memory/3424-42-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-32-0x00007FFBCC120000-0x00007FFBCC130000-memory.dmp
memory/3424-31-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-23-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-22-0x0000000000FA0000-0x0000000000FA7000-memory.dmp
memory/3424-20-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-19-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-18-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-17-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-15-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-14-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-13-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-12-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-11-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-10-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-8-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-7-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-5-0x0000000140000000-0x000000014010C000-memory.dmp
memory/3424-3-0x0000000002CA0000-0x0000000002CA1000-memory.dmp
memory/2240-45-0x00007FFBBD930000-0x00007FFBBDA3C000-memory.dmp
memory/3784-52-0x00007FFBADEF0000-0x00007FFBADFFD000-memory.dmp
memory/3784-57-0x00007FFBADEF0000-0x00007FFBADFFD000-memory.dmp
memory/3784-54-0x000001E9CDDA0000-0x000001E9CDDA7000-memory.dmp
memory/4516-74-0x00007FFBADEF0000-0x00007FFBADFFD000-memory.dmp
memory/4516-71-0x000001A4C4600000-0x000001A4C4607000-memory.dmp
memory/4516-66-0x00007FFBCB73E000-0x00007FFBCB740000-memory.dmp
memory/4128-85-0x00000120ED420000-0x00000120ED427000-memory.dmp
memory/4128-90-0x00007FFBADE30000-0x00007FFBADF3D000-memory.dmp
memory/4128-86-0x00007FFBADE30000-0x00007FFBADF3D000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 13:44
Reported
2024-01-05 09:35
Platform
win7-20231215-en
Max time kernel
151s
Max time network
145s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dridex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\NquE1zZIP\RDVGHelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rEXq\xpsrchvw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\xaP\recdisc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\NquE1zZIP\RDVGHelper.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rEXq\xpsrchvw.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\xaP\recdisc.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2444714103-3190537498-3629098939-1000\\jNGE\\xpsrchvw.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\NquE1zZIP\RDVGHelper.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\rEXq\xpsrchvw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\xaP\recdisc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1260 wrote to memory of 564 | N/A | N/A | C:\Windows\system32\RDVGHelper.exe |
| PID 1260 wrote to memory of 564 | N/A | N/A | C:\Windows\system32\RDVGHelper.exe |
| PID 1260 wrote to memory of 564 | N/A | N/A | C:\Windows\system32\RDVGHelper.exe |
| PID 1260 wrote to memory of 700 | N/A | N/A | C:\Users\Admin\AppData\Local\NquE1zZIP\RDVGHelper.exe |
| PID 1260 wrote to memory of 700 | N/A | N/A | C:\Users\Admin\AppData\Local\NquE1zZIP\RDVGHelper.exe |
| PID 1260 wrote to memory of 700 | N/A | N/A | C:\Users\Admin\AppData\Local\NquE1zZIP\RDVGHelper.exe |
| PID 1260 wrote to memory of 588 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe |
| PID 1260 wrote to memory of 588 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe |
| PID 1260 wrote to memory of 588 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe |
| PID 1260 wrote to memory of 1500 | N/A | N/A | C:\Users\Admin\AppData\Local\rEXq\xpsrchvw.exe |
| PID 1260 wrote to memory of 1500 | N/A | N/A | C:\Users\Admin\AppData\Local\rEXq\xpsrchvw.exe |
| PID 1260 wrote to memory of 1500 | N/A | N/A | C:\Users\Admin\AppData\Local\rEXq\xpsrchvw.exe |
| PID 1260 wrote to memory of 2896 | N/A | N/A | C:\Windows\system32\recdisc.exe |
| PID 1260 wrote to memory of 2896 | N/A | N/A | C:\Windows\system32\recdisc.exe |
| PID 1260 wrote to memory of 2896 | N/A | N/A | C:\Windows\system32\recdisc.exe |
| PID 1260 wrote to memory of 320 | N/A | N/A | C:\Users\Admin\AppData\Local\xaP\recdisc.exe |
| PID 1260 wrote to memory of 320 | N/A | N/A | C:\Users\Admin\AppData\Local\xaP\recdisc.exe |
| PID 1260 wrote to memory of 320 | N/A | N/A | C:\Users\Admin\AppData\Local\xaP\recdisc.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\387e6d00ac40f6f48e4dc8e37a07de01.dll,#1
C:\Windows\system32\RDVGHelper.exe
C:\Windows\system32\RDVGHelper.exe
C:\Users\Admin\AppData\Local\NquE1zZIP\RDVGHelper.exe
C:\Users\Admin\AppData\Local\NquE1zZIP\RDVGHelper.exe
C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
C:\Users\Admin\AppData\Local\rEXq\xpsrchvw.exe
C:\Users\Admin\AppData\Local\rEXq\xpsrchvw.exe
C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
C:\Users\Admin\AppData\Local\xaP\recdisc.exe
C:\Users\Admin\AppData\Local\xaP\recdisc.exe
Network
Files
memory/2116-1-0x0000000000110000-0x0000000000117000-memory.dmp
memory/2116-0-0x000007FEF5F30000-0x000007FEF603C000-memory.dmp
memory/1260-3-0x0000000076C76000-0x0000000076C77000-memory.dmp
memory/1260-4-0x00000000029C0000-0x00000000029C1000-memory.dmp
memory/1260-9-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-16-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-19-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-21-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-23-0x00000000029A0000-0x00000000029A7000-memory.dmp
memory/1260-24-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-22-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-20-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-18-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-17-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-15-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-14-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-13-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-12-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-11-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-10-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-8-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-7-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-31-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-33-0x0000000077010000-0x0000000077012000-memory.dmp
memory/1260-32-0x0000000076FE0000-0x0000000076FE2000-memory.dmp
memory/1260-6-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-43-0x0000000140000000-0x000000014010C000-memory.dmp
memory/1260-42-0x0000000140000000-0x000000014010C000-memory.dmp
memory/2116-51-0x000007FEF5F30000-0x000007FEF603C000-memory.dmp
\Users\Admin\AppData\Local\NquE1zZIP\RDVGHelper.exe
| MD5 | 53fda4af81e7c4895357a50e848b7cfe |
| SHA1 | 01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f |
| SHA256 | 62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038 |
| SHA512 | dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051 |
C:\Users\Admin\AppData\Local\NquE1zZIP\dwmapi.dll
| MD5 | e63fb0548b74a2211b3793effd4e6f37 |
| SHA1 | c596323812a938714075eabaeda015dad4ced4cb |
| SHA256 | 97a7fca442455596a8323be7d5ceef973ce063fcfab88a4473d54f9a9d76d600 |
| SHA512 | 16c9b9a875b7101b381594b2a7f96d53a013db22752d875ec078da5b22d5a69e14909235e6f6c2e7b3c842244364c24326877f796332e7591ebd234c48debd32 |
\Users\Admin\AppData\Local\NquE1zZIP\dwmapi.dll
| MD5 | 60c21ac430d9348a3dccf8d88ed0b958 |
| SHA1 | ba2761f2d13e6b2eea088bb552be07267ccc3d86 |
| SHA256 | 3f03bb56fc6459911ededab1ad335124bbd838d050cae84dfca407b4121cb9fa |
| SHA512 | 56f4ece097ad8a88dcdec0bb9a88990f3f4afdd3544ad405a456b54e4f98333b3bebb5535a2a497dc64842845028f9d1c5784ad0ca2338f6fff6059742390db5 |
memory/700-60-0x0000000000680000-0x0000000000687000-memory.dmp
memory/700-59-0x000007FEF6580000-0x000007FEF668D000-memory.dmp
memory/700-64-0x000007FEF6580000-0x000007FEF668D000-memory.dmp
memory/1260-69-0x0000000076C76000-0x0000000076C77000-memory.dmp
\Users\Admin\AppData\Local\rEXq\xpsrchvw.exe
| MD5 | 491c5cf8d7cfa2b9cd66d00440f9fa4e |
| SHA1 | 7a7e27d5b6d33b7c66d52ae2feca41bfce3b45dd |
| SHA256 | 0069fa0a1274ceb7f2911715945cd38b4fe4ea2f0e4080f0c9622896fd6c0775 |
| SHA512 | 85eb28ece408102015210be1c798c1a54e3f24391b08a8f0ba75616672795bc2baa7fbf870e1f7b3bf2d4bc93a129a4ed26474544336b087bc5d69d3cf716eb5 |
C:\Users\Admin\AppData\Local\rEXq\xpsrchvw.exe
| MD5 | af6262132d66b102fde0ce8fc41f3e92 |
| SHA1 | 1e3d1e26d044ad3b150d181e4025bc239b772d8b |
| SHA256 | 6288b202cbde2439158c6df47648d4f95a1c86f88a824814df3c81d1e6ac89bd |
| SHA512 | 195725ce3e852919997204ad84be0d3a720e73f9b1983acdf0c65f52596e704f4c762c76589b24fc5628ba37318fc6d35cdf20fc6ee5f0a8d07a2f7c884be974 |
C:\Users\Admin\AppData\Local\rEXq\WINMM.dll
| MD5 | 1e0b0220959a1cad9954391e48553753 |
| SHA1 | 5a337692bbb2b9acda87dbce2f2a8b576d565254 |
| SHA256 | 50b184e032c0ffaf851470ac5ae644ba8f09ea1737fbf2d0fb8118dc51a63e1f |
| SHA512 | bcb838693db77dc066397f95aa55ca27ebcb18aa6dd2988c71729b8d1a6b5d1cc8fd0da1d1feb8bd14da15c6ecb8692fd1aafe30f25c6b3e5b1d163eec1042ab |
\Users\Admin\AppData\Local\rEXq\WINMM.dll
| MD5 | 7a43daa7aeb8086134145bc215115b40 |
| SHA1 | 838cfe90149fe3bff33e62269edd65c067f1e6da |
| SHA256 | 732c408fc9982877e6a8cb7c939f0db8b178d9422e2f7a1b2609a3ae83cd9eb6 |
| SHA512 | 399aad67b9a3a9ef6d66f5130f17b26ffee19d1296cceb54702c9de8f92af5af43597480dd1de7dec97bfc5174a519f44ff738b6e68df5cc800354b28864a7c8 |
memory/1500-77-0x0000000000360000-0x0000000000367000-memory.dmp
memory/1500-78-0x000007FEF5F30000-0x000007FEF603E000-memory.dmp
memory/1500-81-0x000007FEF5F30000-0x000007FEF603E000-memory.dmp
C:\Users\Admin\AppData\Local\rEXq\xpsrchvw.exe
| MD5 | 1bd2d1e0c0b861dca1115b373ef75f9e |
| SHA1 | c24eef31561ea2cc11464e96b70ca245f1660e7a |
| SHA256 | 7897daabdea2d09baae0d4242810a5f1d2a29a77cb0d180e5875a045d85c07cc |
| SHA512 | 2e41e4e5b26926a98c6cddb608da8c1361369e39bf687d8e0c54e82cafdeff37f16a9b5b2d77966f4a47756149fedd695350f8fe5bfe836de81d1b15385ad698 |
C:\Users\Admin\AppData\Local\xaP\SPP.dll
| MD5 | 5bfb86282d43407e00417fe4c01b8e19 |
| SHA1 | 2a66afac48f4c9d2cb24b82afeaa8a73326d62a8 |
| SHA256 | dd6f003fb2cc4e945cded128ebe5bae0ba16b1a60a14467c3dc21d806cbcb286 |
| SHA512 | 8f41a46460a212a7e9c3f671df10a51bcb68a44fb4ae929d147ab42900a29bbcef47a6f6efd1965fd4728eb527f9bd5d121197bbeae291a28f996a59bb4c5eb3 |
\Users\Admin\AppData\Local\xaP\SPP.dll
| MD5 | f69c56b3151537e40329fd6e2d52dc60 |
| SHA1 | 5787c339e05ac1b5f3326209215ceb29c173c572 |
| SHA256 | 1e4a4a5a2a171f2a102681bc1c63bb316c7e0386279a9e7601ae46441deb5475 |
| SHA512 | ff85abe08cec7905efd96d2787689d4a98d985c33c567b35313d6f21f122a3a3352919e18264c7128f24dce9bc6054098e40c0c37f2b10f3ac9789810b60e8fa |
C:\Users\Admin\AppData\Local\xaP\recdisc.exe
| MD5 | 76e59121d30a961cd7d4b078afe8832a |
| SHA1 | 78d97a0672f2f3feb956b8b0f1757369462e31a5 |
| SHA256 | e02b92b2a0dab3ce988817bff4e39be72a9692fd465a3ed671ca99c4bc53dea5 |
| SHA512 | 20e772fdb8f39536918568b98a1573242e8e3e5ec982cdd117edfad87062c99a306c18dae295af6683dcbbab7a8e8b8deb59daf196e9a7146929b3607efbbc20 |
memory/320-116-0x000007FEF5F30000-0x000007FEF603D000-memory.dmp
\Users\Admin\AppData\Local\xaP\recdisc.exe
| MD5 | ca1f2271013b98ee247be24c9ef8a9f8 |
| SHA1 | f9925c98d95cf254b03bfff1b3412dbd0a52b900 |
| SHA256 | f7b065f215c6cb87555b72237832c51bbcdc9faf42be431a09b222da1e213652 |
| SHA512 | 6abe46eba10c8c2a8a0d9786a7d2d47a275e6ccb3b54bc0774993c80de66ff29dee2bb5ee0d7868e89a5731c03d81979090077d6630b1e8e6ff71cb9be52750d |
memory/320-118-0x0000000000370000-0x0000000000377000-memory.dmp
memory/320-120-0x000007FEF5F30000-0x000007FEF603D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\191RqoH\recdisc.exe
| MD5 | f3b306179f1840c0813dc6771b018358 |
| SHA1 | dec7ce3c13f7a684cb52ae6007c99cf03afef005 |
| SHA256 | dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0 |
| SHA512 | 9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk
| MD5 | b3d17380f2f6f2f14da1a80a070ba48f |
| SHA1 | 1d45bf09062bb1d6dba2f8fed1501f93aacbd64a |
| SHA256 | 08582bbc56be6b2f4007ab16b745f737d81e9ff17276444269cf91ac14b152fc |
| SHA512 | 6ea108e4304ecede9881093ea227987c1ca2ed702f117f2faf6d76e365c64a5f9f08b191bcae116e2b241080ded6dd4580f13c9dbfe55dc28fb1f7f2ccf042f0 |
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\t7aa2jFR\dwmapi.dll
| MD5 | ea2b26e54e90763d46d19d4dfa2ec5be |
| SHA1 | 0c96bcd763f8a33bf8639892abd75cbf7fa6463b |
| SHA256 | 3d50ef9d2eead4ec041ebb22f5548fe8b4cabcbfc867a5f31ff52a66190b2af0 |
| SHA512 | 2753a90169fcc569cd00b67147d82b9cc913748ac5b7dec0e9596dafc506590b6b667ee2b81561033436d714fc48856f4f66ae27d52b8f16892be9b3a7c1ff8a |
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-2444714103-3190537498-3629098939-1000\jNGE\WINMM.dll
| MD5 | b781dec74deae69a90565d99429113a6 |
| SHA1 | f3762740a72839cb3edf80aa639b8a0453967b5f |
| SHA256 | 7742e66e06d9c47df38857f857fea27d9c02f99cb028c8799f50244c909213c4 |
| SHA512 | 226d833605cac31d70ceb4b7e8caffea25102026d305d1c5e45f26b0e83dcf61934ad2f28da9f24bb14964bfe4ad943f91246e37c25681d345eec187e2561821 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\191RqoH\SPP.dll
| MD5 | fd13597bee5b50bf796461a94dcc9a37 |
| SHA1 | 941e26f1dd419fe9cc7166d155eee333fd0ef4d2 |
| SHA256 | 3da3d69502ad0cc5241d2cb88a81ed8d0402acc8ebcae5fc8caef81230d48f66 |
| SHA512 | d81ae8d1058e9049484fe4d958e7b6785b447d06bf5ab891aa8144a864e8cede7dd28fc6bb72d9b01c2229cb500f1706fbc09329756ebd2654b11e9d87fa4fc0 |