Analysis Overview
SHA256
857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d
Threat Level: Known bad
The file zxcvb.exeqpaaijwv was found to be: Known bad.
Malicious Activity Summary
Raccoon
Oski
Azorult
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-11 03:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-11 03:39
Reported
2022-04-11 04:58
Platform
win7-20220331-en
Max time kernel
43s
Max time network
45s
Command Line
Signatures
Azorult
Oski
Raccoon
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zxcvb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zxcvb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zxcvb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zxcvb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1360 set thread context of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\zxcvb.exe | C:\Users\Admin\AppData\Local\Temp\zxcvb.exe |
| PID 1632 set thread context of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe |
| PID 824 set thread context of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zxcvb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zxcvb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
"C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
"C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"
C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
"C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
"C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 772
Network
| Country | Destination | Domain | Proto |
| RO | 5.252.178.180:80 | | tcp |
| RO | 5.252.178.180:80 | | tcp |
| US | 8.8.8.8:53 | pretorian.ug | udp |
| US | 8.8.8.8:53 | underdohag.ac.ug | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| SC | 185.215.113.77:80 | underdohag.ac.ug | tcp |
| SC | 185.215.113.77:80 | underdohag.ac.ug | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
Files
memory/1360-56-0x00000000754A1000-0x00000000754A3000-memory.dmp
\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
| MD5 | 3466dbd3779c31dc2fccfe73e6d6a44e |
| SHA1 | 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171 |
| SHA256 | 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4 |
| SHA512 | 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3 |
\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
| MD5 | 3466dbd3779c31dc2fccfe73e6d6a44e |
| SHA1 | 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171 |
| SHA256 | 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4 |
| SHA512 | 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3 |
memory/1632-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
| MD5 | 3466dbd3779c31dc2fccfe73e6d6a44e |
| SHA1 | 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171 |
| SHA256 | 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4 |
| SHA512 | 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3 |
\Users\Admin\AppData\Local\Temp\dfgasdme.exe
| MD5 | bead6aca8d274c82140361874ca95b59 |
| SHA1 | 33d6cade432ebc63043170e1a8b049f51b093e59 |
| SHA256 | 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388 |
| SHA512 | 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8 |
\Users\Admin\AppData\Local\Temp\dfgasdme.exe
| MD5 | bead6aca8d274c82140361874ca95b59 |
| SHA1 | 33d6cade432ebc63043170e1a8b049f51b093e59 |
| SHA256 | 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388 |
| SHA512 | 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8 |
memory/824-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
| MD5 | bead6aca8d274c82140361874ca95b59 |
| SHA1 | 33d6cade432ebc63043170e1a8b049f51b093e59 |
| SHA256 | 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388 |
| SHA512 | 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8 |
\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
| MD5 | 3466dbd3779c31dc2fccfe73e6d6a44e |
| SHA1 | 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171 |
| SHA256 | 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4 |
| SHA512 | 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3 |
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
| MD5 | 3466dbd3779c31dc2fccfe73e6d6a44e |
| SHA1 | 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171 |
| SHA256 | 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4 |
| SHA512 | 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3 |
memory/1724-73-0x0000000000417A8B-mapping.dmp
memory/1216-74-0x0000000000440D8F-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
| MD5 | bead6aca8d274c82140361874ca95b59 |
| SHA1 | 33d6cade432ebc63043170e1a8b049f51b093e59 |
| SHA256 | 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388 |
| SHA512 | 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8 |
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
| MD5 | 3466dbd3779c31dc2fccfe73e6d6a44e |
| SHA1 | 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171 |
| SHA256 | 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4 |
| SHA512 | 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3 |
\Users\Admin\AppData\Local\Temp\dfgasdme.exe
| MD5 | bead6aca8d274c82140361874ca95b59 |
| SHA1 | 33d6cade432ebc63043170e1a8b049f51b093e59 |
| SHA256 | 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388 |
| SHA512 | 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8 |
memory/2036-79-0x000000000041A684-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
| MD5 | bead6aca8d274c82140361874ca95b59 |
| SHA1 | 33d6cade432ebc63043170e1a8b049f51b093e59 |
| SHA256 | 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388 |
| SHA512 | 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8 |
memory/1632-80-0x0000000000260000-0x0000000000266000-memory.dmp
memory/1216-86-0x0000000000400000-0x0000000000493000-memory.dmp
memory/2036-85-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1724-84-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1708-87-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
| MD5 | 3466dbd3779c31dc2fccfe73e6d6a44e |
| SHA1 | 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171 |
| SHA256 | 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4 |
| SHA512 | 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3 |
\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
| MD5 | 3466dbd3779c31dc2fccfe73e6d6a44e |
| SHA1 | 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171 |
| SHA256 | 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4 |
| SHA512 | 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3 |
\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
| MD5 | 3466dbd3779c31dc2fccfe73e6d6a44e |
| SHA1 | 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171 |
| SHA256 | 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4 |
| SHA512 | 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3 |
\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
| MD5 | 3466dbd3779c31dc2fccfe73e6d6a44e |
| SHA1 | 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171 |
| SHA256 | 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4 |
| SHA512 | 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3 |
\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
| MD5 | 3466dbd3779c31dc2fccfe73e6d6a44e |
| SHA1 | 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171 |
| SHA256 | 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4 |
| SHA512 | 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-11 03:39
Reported
2022-04-11 04:59
Platform
win10v2004-20220331-en
Max time kernel
124s
Max time network
139s
Command Line
Signatures
Azorult
Oski
Raccoon
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zxcvb.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4700 set thread context of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\zxcvb.exe | C:\Users\Admin\AppData\Local\Temp\zxcvb.exe |
| PID 1032 set thread context of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe |
| PID 4928 set thread context of 4136 | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\zxcvb.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zxcvb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zxcvb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
"C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
"C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"
C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
"C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
"C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
"C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2952 -ip 2952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4136 -ip 4136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1340
Network
| Country | Destination | Domain | Proto |
| RU | 23.196.236.146:80 | | tcp |
| NL | 20.50.201.200:443 | | tcp |
| RO | 5.252.178.180:80 | | tcp |
| US | 8.8.8.8:53 | underdohag.ac.ug | udp |
| SC | 185.215.113.77:80 | underdohag.ac.ug | tcp |
| US | 8.8.8.8:53 | pretorian.ug | udp |
| SC | 185.215.113.77:80 | pretorian.ug | tcp |
| RO | 5.252.178.180:80 | | tcp |
| FI | 62.115.252.112:80 | | tcp |
| FI | 62.115.252.112:80 | | tcp |
| FI | 62.115.252.112:80 | | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 172.104.232.134:80 | 172.104.232.134 | tcp |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| SC | 185.215.113.77:80 | pretorian.ug | tcp |
| US | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| NL | 8.238.23.254:13222 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:7544 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:41547 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:40772 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:61570 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:55953 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:29074 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:33585 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:15469 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:60170 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:45069 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:2666 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:52317 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:45554 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:39754 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:42329 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:19803 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:21874 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:41961 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:20518 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:31468 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:56852 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:51379 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:22553 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:7615 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:3087 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:44689 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:17940 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:63048 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:32062 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:38751 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:56763 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:43804 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:56271 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:46951 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:45938 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:20459 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:43759 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:45188 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:10527 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:52870 | ctldl.windowsupdate.com | tcp |
| NL | 8.238.23.254:62867 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:13222 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:7544 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:41547 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:40772 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:61570 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:55953 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:29074 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:33585 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:15469 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:60170 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:45069 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:2666 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:52317 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:45554 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:39754 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:42329 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:19803 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:21874 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:41961 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:20518 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:31468 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:56852 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:51379 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:22553 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:7615 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:3087 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:44689 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:17940 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:63048 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:32062 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:38751 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:56763 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:43804 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:56271 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:46951 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:45938 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:20459 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:43759 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:45188 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:10527 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:52870 | ctldl.windowsupdate.com | tcp |
| US | 8.253.208.121:62867 | ctldl.windowsupdate.com | tcp |
Files
memory/4928-126-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
| MD5 | 3466dbd3779c31dc2fccfe73e6d6a44e |
| SHA1 | 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171 |
| SHA256 | 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4 |
| SHA512 | 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3 |
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
| MD5 | 3466dbd3779c31dc2fccfe73e6d6a44e |
| SHA1 | 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171 |
| SHA256 | 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4 |
| SHA512 | 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3 |
memory/1032-129-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
| MD5 | bead6aca8d274c82140361874ca95b59 |
| SHA1 | 33d6cade432ebc63043170e1a8b049f51b093e59 |
| SHA256 | 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388 |
| SHA512 | 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8 |
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
| MD5 | bead6aca8d274c82140361874ca95b59 |
| SHA1 | 33d6cade432ebc63043170e1a8b049f51b093e59 |
| SHA256 | 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388 |
| SHA512 | 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8 |
memory/2952-136-0x0000000000000000-mapping.dmp
memory/4824-137-0x0000000000000000-mapping.dmp
memory/1032-138-0x00000000006E0000-0x00000000006E6000-memory.dmp
memory/2952-140-0x0000000000400000-0x0000000000493000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
| MD5 | bead6aca8d274c82140361874ca95b59 |
| SHA1 | 33d6cade432ebc63043170e1a8b049f51b093e59 |
| SHA256 | 5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388 |
| SHA512 | 293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8 |
memory/4824-141-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4136-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
| MD5 | 3466dbd3779c31dc2fccfe73e6d6a44e |
| SHA1 | 9e3b082853d4b3b1dd1a0e4877ee4763a02c3171 |
| SHA256 | 58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4 |
| SHA512 | 4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3 |
memory/4136-144-0x0000000000400000-0x0000000000434000-memory.dmp