Analysis Overview
SHA256
edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9
Threat Level: Known bad
The file OlympicDestroyer.exe was found to be: Known bad.
Malicious Activity Summary
Mimikatz
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
mimikatz is an open source tool to dump credentials on Windows
Deletes backup catalog
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Checks installed software on the system
Unsigned PE
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-12 03:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-12 03:57
Reported
2023-07-12 04:00
Platform
win7-20230703-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Mimikatz
Clears Windows event logs
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
mimikatz is an open source tool to dump credentials on Windows
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\empdm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ezpxh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_fmo.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ezpxh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ezpxh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ezpxh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ezpxh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ezpxh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe
"C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe"
C:\Users\Admin\AppData\Local\Temp\empdm.exe
123 \\.\pipe\ADF9E666-4CF5-47C8-80F4-A0171C458118
C:\Users\Admin\AppData\Local\Temp\ezpxh.exe
123 \\.\pipe\0E528AF2-1EA2-4931-842B-1876ED3202D8
C:\Users\Admin\AppData\Local\Temp\_fmo.exe
"C:\Users\Admin\AppData\Local\Temp\_fmo.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
\??\c:\Windows\system32\vssadmin.exe
c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
C:\Windows\system32\wbadmin.exe
wbadmin.exe delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl System
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Security
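The Processes list above is the complete inhibit-recovery and log-clearing sequence, and it is what a detection should key on rather than the randomly named droppers. The following is an added example, not code from the sandbox report: detection logic in Python run over process-creation records constructed from the command lines in that list, as Sysmon Event ID 1 style (Image, CommandLine) pairs. The ATT&CK technique ids (T1490 Inhibit System Recovery, T1070.001 Clear Windows Event Logs) are the editor's mapping, not something the report states, and the named-pipe heuristic is specific to what this sample does, not a general rule.

```python
"""Detection rules for the command lines in the Processes list above.

Added example, not code from the sandbox report. RECORDS is constructed from the
behavioral1 Processes section as Sysmon Event ID 1 style (Image, CommandLine)
pairs; the ATT&CK mapping and the rules are the editor's.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str   # ATT&CK technique id (editor's mapping, not the report's)
    images: tuple    # lowercase image basenames allowed to carry the command line
    pattern: re.Pattern


# Every rule also accepts cmd.exe because the sample runs each tool through
# `cmd.exe /c ...`, so parent and child both carry the command line. Dedupe on
# ProcessId/ParentProcessId when alerting on real telemetry.
RULES = (
    Rule("vssadmin deletes shadow copies", "T1490", ("vssadmin.exe", "cmd.exe"),
         re.compile(r"\bdelete\s+shadows\b", re.I)),
    Rule("wbadmin deletes backup catalog", "T1490", ("wbadmin.exe", "cmd.exe"),
         re.compile(r"\bdelete\s+catalog\b", re.I)),
    Rule("bcdedit disables boot recovery", "T1490", ("bcdedit.exe", "cmd.exe"),
         re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.I)),
    Rule("wevtutil clears an event log", "T1070.001", ("wevtutil.exe", "cmd.exe"),
         re.compile(r"\bcl\s+\w+", re.I)),
)
# Sample-specific heuristic, not an ATT&CK technique: the dropped modules in
# %TEMP% are started with a named pipe as their only argument.
PIPE_ARG = re.compile(r"\\\\\.\\pipe\\", re.I)
TEMP_DIR = "\\appdata\\local\\temp\\"


def scan(records):
    """records: iterable of (Image, CommandLine). Returns one hit per (record, rule)."""
    hits = []
    for image_path, cmdline in records:
        image = image_path.rsplit("\\", 1)[-1].lower()
        for rule in RULES:
            if image in rule.images and rule.pattern.search(cmdline):
                hits.append({"rule": rule.name, "technique": rule.technique,
                             "image": image, "cmdline": cmdline})
        if TEMP_DIR in image_path.lower() and PIPE_ARG.search(cmdline):
            hits.append({"rule": "%TEMP% executable started with a named pipe argument",
                         "technique": "heuristic", "image": image, "cmdline": cmdline})
    return hits


def count_by_technique(hits):
    counts = {}
    for hit in hits:
        counts[hit["technique"]] = counts.get(hit["technique"], 0) + 1
    return counts


# Constructed from the behavioral1 Processes section of the report.
RECORDS = [
    (r"C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\empdm.exe", r"123 \\.\pipe\ADF9E666-4CF5-47C8-80F4-A0171C458118"),
    (r"C:\Users\Admin\AppData\Local\Temp\ezpxh.exe", r"123 \\.\pipe\0E528AF2-1EA2-4931-842B-1876ED3202D8"),
    (r"C:\Users\Admin\AppData\Local\Temp\_fmo.exe", r'"C:\Users\Admin\AppData\Local\Temp\_fmo.exe"'),
    (r"C:\Windows\system32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet"),
    (r"\??\c:\Windows\system32\vssadmin.exe", r"c:\Windows\system32\vssadmin.exe delete shadows /all /quiet"),
    (r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet"),
    (r"C:\Windows\system32\wbadmin.exe", r"wbadmin.exe delete catalog -quiet"),
    (r"C:\Windows\system32\wbengine.exe", r'"C:\Windows\system32\wbengine.exe"'),
    (r"C:\Windows\System32\vdsldr.exe", r"C:\Windows\System32\vdsldr.exe -Embedding"),
    (r"C:\Windows\System32\vds.exe", r"C:\Windows\System32\vds.exe"),
    (r"C:\Windows\system32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"),
    (r"C:\Windows\system32\bcdedit.exe", r"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    (r"C:\Windows\system32\bcdedit.exe", r"bcdedit /set {default} recoveryenabled no"),
    (r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c wevtutil.exe cl System"),
    (r"C:\Windows\system32\wevtutil.exe", r"wevtutil.exe cl System"),
    (r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security"),
    (r"C:\Windows\system32\wevtutil.exe", r"wevtutil.exe cl Security"),
]

if __name__ == "__main__":
    for hit in scan(RECORDS):
        print(f"{hit['technique']:<10} {hit['rule']:<48} {hit['cmdline']}")
    print(count_by_technique(scan(RECORDS)))
```

Each step fires twice because the `cmd.exe /c` wrapper and the tool it launches carry the same command line; on real telemetry suppress the wrapper by checking ParentProcessId. wbengine.exe, vdsldr.exe and vds.exe are the Windows Backup engine and Virtual Disk Service components that `wbadmin delete catalog` starts, and they are also what produces the "Checks SCSI registry key(s)" rows attributed to vds.exe in behavioral2: side effects of the wbadmin call, not separate actions to alert on.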
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 1.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.102.235.167.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| DE | 167.235.102.93:135 | | tcp |
| N/A | 10.127.0.1:135 | | tcp |
| DE | 167.235.102.93:135 | | tcp |
| N/A | 10.127.0.1:135 | | tcp |
| DE | 167.235.102.93:135 | | tcp |
| N/A | 10.127.0.1:135 | | tcp |
| DE | 167.235.102.93:135 | | tcp |
| DE | 167.235.102.93:135 | | tcp |
| N/A | 10.127.0.1:135 | | tcp |
| DE | 167.235.102.93:135 | | tcp |
| N/A | 10.127.0.1:135 | | tcp |
| DE | 167.235.102.93:135 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\empdm.exe
| MD5 | 4f43f03783f9789f804dcf9b9474fa6d |
| SHA1 | 492d4a4a74099074e26b5dffd0d15434009ccfd9 |
| SHA256 | 19ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea |
| SHA512 | 645c2f0a1342732b86a45403fb8b1343bcc18c015c9918d2edf118bbb210fead98aa21f1b66ac5faabd0542583d74e158fbac6d5f0d49827f4eeb58c8ebafd6d |
C:\Users\Admin\AppData\Local\Temp\empdm.exe
| MD5 | 4f43f03783f9789f804dcf9b9474fa6d |
| SHA1 | 492d4a4a74099074e26b5dffd0d15434009ccfd9 |
| SHA256 | 19ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea |
| SHA512 | 645c2f0a1342732b86a45403fb8b1343bcc18c015c9918d2edf118bbb210fead98aa21f1b66ac5faabd0542583d74e158fbac6d5f0d49827f4eeb58c8ebafd6d |
memory/1572-59-0x0000000010000000-0x00000000100AA000-memory.dmp
\Users\Admin\AppData\Local\Temp\ezpxh.exe
| MD5 | d9c37b937ffde812ae15de885913e101 |
| SHA1 | ed1cd9e086923797fe2e5fe8ff19685bd2a40072 |
| SHA256 | f188abc33d351c2254d794b525c5a8b79ea78acd3050cd8d27d3ecfc568c2936 |
| SHA512 | 164f45f3f8336ab450e119c716c30168c8115d5bdac7d220ea6f98a6889eee045092d163e54c2851a378a5d4877e913a342333c8bd0ab5615e34c40ca75e2877 |
C:\Users\Admin\AppData\Local\Temp\ezpxh.exe
| MD5 | d9c37b937ffde812ae15de885913e101 |
| SHA1 | ed1cd9e086923797fe2e5fe8ff19685bd2a40072 |
| SHA256 | f188abc33d351c2254d794b525c5a8b79ea78acd3050cd8d27d3ecfc568c2936 |
| SHA512 | 164f45f3f8336ab450e119c716c30168c8115d5bdac7d220ea6f98a6889eee045092d163e54c2851a378a5d4877e913a342333c8bd0ab5615e34c40ca75e2877 |
memory/2368-72-0x0000000180000000-0x000000018002B000-memory.dmp
\Users\Admin\AppData\Local\Temp\_fmo.exe
| MD5 | 3c0d740347b0362331c882c2dee96dbf |
| SHA1 | 8350e06f52e5c660bb416b03edb6a5ddc50c3a59 |
| SHA256 | ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85 |
| SHA512 | a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f |
C:\Users\Admin\AppData\Local\Temp\_fmo.exe
| MD5 | 3c0d740347b0362331c882c2dee96dbf |
| SHA1 | 8350e06f52e5c660bb416b03edb6a5ddc50c3a59 |
| SHA256 | ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85 |
| SHA512 | a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f |
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-12 03:57
Reported
2023-07-12 04:00
Platform
win10v2004-20230703-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Mimikatz
Clears Windows event logs
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
mimikatz is an open source tool to dump credentials on Windows
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bvcsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\djumn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_sfv.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\djumn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\djumn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\djumn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\djumn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\djumn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\djumn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe
"C:\Users\Admin\AppData\Local\Temp\OlympicDestroyer.exe"
C:\Users\Admin\AppData\Local\Temp\bvcsm.exe
123 \\.\pipe\A5698C4D-44D1-4D02-9EA4-75B20272FE74
C:\Users\Admin\AppData\Local\Temp\djumn.exe
123 \\.\pipe\A5C145AD-A612-4CB6-9284-DC8A2B7AA55B
C:\Users\Admin\AppData\Local\Temp\_sfv.exe
"C:\Users\Admin\AppData\Local\Temp\_sfv.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
\??\c:\Windows\system32\vssadmin.exe
c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
C:\Windows\system32\wbadmin.exe
wbadmin.exe delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl System
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Security
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.71.61.154.in-addr.arpa | udp |
| NL | 154.61.71.13:135 | | tcp |
| N/A | 10.127.0.1:135 | | tcp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.71.61.154.in-addr.arpa | udp |
| NL | 154.61.71.13:135 | | tcp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.1:135 | | tcp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.71.61.154.in-addr.arpa | udp |
| NL | 154.61.71.13:135 | | tcp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.1:135 | | tcp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.71.61.154.in-addr.arpa | udp |
| NL | 154.61.71.13:135 | | tcp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.1:135 | | tcp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.71.61.154.in-addr.arpa | udp |
| NL | 154.61.71.13:135 | | tcp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.71.61.154.in-addr.arpa | udp |
| NL | 154.61.71.13:135 | | tcp |
| N/A | 10.127.0.1:135 | | tcp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.71.61.154.in-addr.arpa | udp |
| NL | 154.61.71.13:135 | | tcp |
| US | 8.8.8.8:53 | 1.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
| N/A | 10.127.0.1:135 | | tcp |
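Most rows in this table and the behavioral1 one are sandbox noise: reverse (PTR) lookups through the resolver at 8.8.8.8 for multicast groups (224.0.0.251 mDNS, 224.0.0.252 LLMNR, 239.255.255.250 SSDP, 224.0.0.22 IGMP) and for the sandbox's own 10.127.0.0/16 range, plus TCP connections to the gateway 10.127.0.1. What remains is a PTR lookup for an external address followed by TCP connections to its port 135 (the MS-RPC endpoint mapper): 167.235.102.93 in behavioral1 and 154.61.71.13 here. Treat those addresses as candidates to verify rather than confirmed infrastructure, since a sandbox's own egress address can appear in exactly this way. The script below is an added example, not part of the report: it parses rows in the table's format (including rows where extraction shifted the protocol into the Domain column or dropped the trailing cell), reverses PTR names to addresses, buckets the noise and reports each external host with its ports. The sample rows are copied from the two tables; the buckets and the pairing logic are the editor's.

```python
"""Triage of a sandbox Network table: reverse PTR names to addresses, bucket the
noise and list the external hosts the sample actually touched.

Added example, not part of the report. SAMPLE_ROWS is copied from the
behavioral1 table plus two rows from behavioral2; the parser, the buckets and
the pairing logic are the editor's.
"""
import ipaddress
from collections import defaultdict

SAMPLE_ROWS = """
| US | 8.8.8.8:53 | 1.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.102.235.167.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.0.0.224.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.127.10.in-addr.arpa | udp |
| DE | 167.235.102.93:135 | tcp | |
| N/A | 10.127.0.1:135 | tcp | |
| DE | 167.235.102.93:135 | tcp |
| US | 8.8.8.8:53 | 13.71.61.154.in-addr.arpa | udp |
| NL | 154.61.71.13:135 | | tcp |
"""

PROTOS = ("tcp", "udp")


def parse_rows(text):
    """Yield (country, dest_ip, dest_port, domain_or_None, proto) per table row.
    Tolerates the two extraction glitches in the page: the protocol shifted
    into the Domain column, and a missing trailing cell."""
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cells = [c for c in cells if c]
        if len(cells) < 3:
            continue
        country, dest = cells[0], cells[1]
        proto = next((c.lower() for c in cells[2:] if c.lower() in PROTOS), None)
        domain = next((c for c in cells[2:] if c.lower() not in PROTOS), None)
        ip, _, port = dest.rpartition(":")
        yield country, ip, int(port), domain, proto


def ptr_to_ip(name):
    """'93.102.235.167.in-addr.arpa' -> '167.235.102.93'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def classify(ip_str):
    """Bucket an address: multicast groups (224.0.0.251 mDNS, 224.0.0.252 LLMNR,
    239.255.255.250 SSDP, 224.0.0.22 IGMP) and RFC 1918 space are sandbox
    noise; everything else is an external host worth a look."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_multicast:
        return "multicast"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "sandbox-internal"
    return "external"


def triage(rows):
    """Pair PTR lookups with later connections per external host.
    Returns {"external": {ip: {"country", "ptr_lookups", "ports"}},
             "noise": {bucket: row_count}}."""
    external = defaultdict(lambda: {"country": None, "ptr_lookups": 0, "ports": set()})
    noise = defaultdict(int)
    for country, ip, port, domain, proto in rows:
        if domain is not None:            # DNS query: judge the name looked up, not the resolver
            target = ptr_to_ip(domain)
            bucket = classify(target) if target else "forward-dns"
            if bucket == "external":
                external[target]["ptr_lookups"] += 1
            else:
                noise[bucket] += 1
            continue
        bucket = classify(ip)             # direct connection
        if bucket != "external":
            noise[bucket] += 1
            continue
        host = external[ip]
        host["country"] = country
        host["ports"].add(f"{proto}/{port}")
    return {"external": {ip: {**h, "ports": sorted(h["ports"])} for ip, h in external.items()},
            "noise": dict(noise)}


if __name__ == "__main__":
    result = triage(parse_rows(SAMPLE_ROWS))
    for ip, info in result["external"].items():
        print(ip, info)
    print("noise:", result["noise"])
```

An external host that shows a PTR lookup and then a connection on tcp/135 is the pattern to chase; a host that shows only a PTR lookup is usually the platform enumerating its own interfaces.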
Files
C:\Users\Admin\AppData\Local\Temp\bvcsm.exe
| MD5 | 4f43f03783f9789f804dcf9b9474fa6d |
| SHA1 | 492d4a4a74099074e26b5dffd0d15434009ccfd9 |
| SHA256 | 19ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea |
| SHA512 | 645c2f0a1342732b86a45403fb8b1343bcc18c015c9918d2edf118bbb210fead98aa21f1b66ac5faabd0542583d74e158fbac6d5f0d49827f4eeb58c8ebafd6d |
memory/4072-137-0x0000000010000000-0x00000000100AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\djumn.exe
| MD5 | d9c37b937ffde812ae15de885913e101 |
| SHA1 | ed1cd9e086923797fe2e5fe8ff19685bd2a40072 |
| SHA256 | f188abc33d351c2254d794b525c5a8b79ea78acd3050cd8d27d3ecfc568c2936 |
| SHA512 | 164f45f3f8336ab450e119c716c30168c8115d5bdac7d220ea6f98a6889eee045092d163e54c2851a378a5d4877e913a342333c8bd0ab5615e34c40ca75e2877 |
memory/5004-150-0x0000000180000000-0x000000018002B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sfv.exe
| MD5 | 3c0d740347b0362331c882c2dee96dbf |
| SHA1 | 8350e06f52e5c660bb416b03edb6a5ddc50c3a59 |
| SHA256 | ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85 |
| SHA512 | a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f |
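Across the two detonations the dropped files get fresh random names (empdm.exe, ezpxh.exe, _fmo.exe on Windows 7; bvcsm.exe, djumn.exe, _sfv.exe on Windows 10) but the hashes are identical, so the three payloads are fixed modules written out under a per-run name, and hunting should be driven by hash and behaviour, not by file name. The script below is an added example, not part of the report: it groups the dropped files from both Files sections by SHA256, checks that each SHA256 is consistently paired with one MD5 and one SHA1 (a mismatch in a copied report means a transcription error), and emits the hash list to hunt for. The hash values are copied from the report; the logic is the editor's.

```python
"""Cross-run correlation of the dropped files by hash.

Added example, not part of the sandbox report. DROPPED is copied from the Files
sections of behavioral1 and behavioral2 above and PARENT_SHA256 from the
Analysis Overview; only the correlation logic is the editor's.
"""
PARENT_SHA256 = "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"

# (detonation, dropped file name, md5, sha1, sha256)
DROPPED = [
    ("behavioral1", "empdm.exe", "4f43f03783f9789f804dcf9b9474fa6d",
     "492d4a4a74099074e26b5dffd0d15434009ccfd9",
     "19ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea"),
    ("behavioral1", "ezpxh.exe", "d9c37b937ffde812ae15de885913e101",
     "ed1cd9e086923797fe2e5fe8ff19685bd2a40072",
     "f188abc33d351c2254d794b525c5a8b79ea78acd3050cd8d27d3ecfc568c2936"),
    ("behavioral1", "_fmo.exe", "3c0d740347b0362331c882c2dee96dbf",
     "8350e06f52e5c660bb416b03edb6a5ddc50c3a59",
     "ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85"),
    ("behavioral2", "bvcsm.exe", "4f43f03783f9789f804dcf9b9474fa6d",
     "492d4a4a74099074e26b5dffd0d15434009ccfd9",
     "19ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea"),
    ("behavioral2", "djumn.exe", "d9c37b937ffde812ae15de885913e101",
     "ed1cd9e086923797fe2e5fe8ff19685bd2a40072",
     "f188abc33d351c2254d794b525c5a8b79ea78acd3050cd8d27d3ecfc568c2936"),
    ("behavioral2", "_sfv.exe", "3c0d740347b0362331c882c2dee96dbf",
     "8350e06f52e5c660bb416b03edb6a5ddc50c3a59",
     "ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85"),
]


def correlate(entries):
    """Group dropped files by SHA256 across detonations.

    Returns {sha256: {"md5", "sha1", "names": [...], "runs": [...]}} and raises
    ValueError if one SHA256 is paired with more than one MD5 or SHA1, which in
    a copied report is a transcription error, not a real collision."""
    clusters = {}
    for run, name, md5, sha1, sha256 in entries:
        c = clusters.setdefault(sha256, {"md5": md5, "sha1": sha1, "names": set(), "runs": set()})
        if (c["md5"], c["sha1"]) != (md5, sha1):
            raise ValueError(f"inconsistent MD5/SHA1 for {sha256} ({run}/{name})")
        c["names"].add(name)
        c["runs"].add(run)
    return {h: {**c, "names": sorted(c["names"]), "runs": sorted(c["runs"])}
            for h, c in clusters.items()}


def hunt_list(clusters):
    """SHA256 values to hunt for on disk or in EDR telemetry: the parent plus
    every dropped payload. File names are left out on purpose because they
    are regenerated per run."""
    return sorted({PARENT_SHA256, *clusters})


if __name__ == "__main__":
    clusters = correlate(DROPPED)
    for sha256, c in clusters.items():
        print(sha256, c["names"], c["runs"])
    print("\n".join(hunt_list(clusters)))
```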