Analysis Overview
SHA256
2622cd891ff6151e1c9bb5af31b691c6e91d58d30e2d0446ecd9aabbb0f12d0d
Threat Level: Known bad
The file 53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.zip was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
DiamondFox
UAC bypass
Adds policy Run key to start application
Drops startup file
Executes dropped EXE
Deletes itself
Reads user/profile data of web browsers
Loads dropped DLL
Windows security modification
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
System policy modification
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-08-28 09:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-28 09:54
Reported
2023-08-28 09:57
Platform
win7-20230824-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
DiamondFox
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xingd = "C:\\Users\\Admin\\AppData\\Roaming\\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\\xingd.exe" | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xingd.exe | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xingd.exe | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Windows\CurrentVersion\Run\xingd = "C:\\Users\\Admin\\AppData\\Roaming\\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\\xingd.exe" | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xingd = "C:\\Users\\Admin\\AppData\\Roaming\\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\\xingd.exe" | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe
"C:\Users\Admin\AppData\Local\Temp\53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe"
C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe
C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\B7E0F5F2.cmd
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM wscript.exe /F
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM chrome.exe /F
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM firefox.exe /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc ONLOGON /tn xingd.exe /tr "C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| N/A | 100.85.19.23:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | onion1.bid | udp |
| N/A | 100.78.211.140:80 | onion1.bid | tcp |
| N/A | 100.85.19.23:80 | www.microsoft.com | tcp |
| N/A | 100.78.211.140:80 | onion1.bid | tcp |
| N/A | 100.85.19.23:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | onion1.download | udp |
| N/A | 100.91.52.109:80 | onion1.download | tcp |
Files
memory/2344-0-0x00000000021A0000-0x00000000021E0000-memory.dmp
memory/2344-2-0x00000000002E0000-0x0000000000319000-memory.dmp
memory/2344-1-0x00000000002E0000-0x0000000000319000-memory.dmp
memory/2344-4-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2344-3-0x0000000000400000-0x0000000000411000-memory.dmp
\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe
| MD5 | b856ee00318bbdbafcc4895350424456 |
| SHA1 | e06f26b9f4fe365b85b3ae3b6f0fb4ca3425d98d |
| SHA256 | 53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce |
| SHA512 | 4a355ccd050e6842eb5baac108e3253ce259a8148b06e0b7e1ed21ae8da0ab396b9241072f4c17501545b33ccfdae7b7f0a881ee2ac4fce6c68fdf48047abec0 |
memory/2200-17-0x0000000002270000-0x00000000022B0000-memory.dmp
memory/2200-19-0x00000000002C0000-0x00000000002F9000-memory.dmp
memory/2200-18-0x00000000002C0000-0x00000000002F9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B7E0F5F2.cmd
| MD5 | 4cff075234709e3b723684f94e362797 |
| SHA1 | 8b8c27f14528f8eb79b8e6b4d683f90684840589 |
| SHA256 | 6f65b03504efb7974395bd1de09facbb4f5d15789040d8a3b36a50902f9135ce |
| SHA512 | 6cc457dbe168a5c76fb462f97b7f2a4e81e0a5bdc0aaba564caf2a0db2be1fce5c68ceec9f1c1d5df4e498ddda7c74cd7583f725a85c931de83bd7d5069f09f7 |
memory/2344-30-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2200-35-0x0000000004000000-0x0000000004ABA000-memory.dmp
memory/2200-39-0x0000000000400000-0x0000000000411000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-28 09:54
Reported
2023-08-28 09:57
Platform
win10v2004-20230703-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
DiamondFox
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xingd = "C:\\Users\\Admin\\AppData\\Roaming\\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\\xingd.exe" | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xingd.exe | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xingd.exe | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xingd = "C:\\Users\\Admin\\AppData\\Roaming\\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\\xingd.exe" | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xingd = "C:\\Users\\Admin\\AppData\\Roaming\\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\\xingd.exe" | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe
"C:\Users\Admin\AppData\Local\Temp\53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce.exe"
C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe
C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2F2DB8CF.cmd
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM wscript.exe /F
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM firefox.exe /F
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM chrome.exe /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc ONLOGON /tn xingd.exe /tr "C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 195.214.84.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.196.118.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.78.69.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| N/A | 100.69.115.70:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | onion1.bid | udp |
| N/A | 100.100.124.63:80 | onion1.bid | tcp |
| N/A | 100.69.115.70:80 | www.microsoft.com | tcp |
| N/A | 100.100.124.63:80 | onion1.bid | tcp |
| N/A | 100.69.115.70:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | onion1.download | udp |
| N/A | 100.87.30.73:80 | onion1.download | tcp |
| US | 8.8.8.8:53 | 63.124.100.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.115.69.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.30.87.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.214.107.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 115.244.102.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 236.252.96.100.in-addr.arpa | udp |
Files
memory/3080-0-0x0000000002770000-0x0000000002780000-memory.dmp
memory/3080-2-0x00000000022A0000-0x00000000022D9000-memory.dmp
memory/3080-1-0x00000000022A0000-0x00000000022D9000-memory.dmp
memory/3080-4-0x0000000000400000-0x0000000000411000-memory.dmp
memory/3080-3-0x0000000000400000-0x0000000000411000-memory.dmp
memory/3080-6-0x0000000000430000-0x000000000043A000-memory.dmp
C:\Users\Admin\AppData\Roaming\com9.{1206F5F1-0569-412C-8FEC-3204630DFB70}\xingd.exe
| MD5 | b856ee00318bbdbafcc4895350424456 |
| SHA1 | e06f26b9f4fe365b85b3ae3b6f0fb4ca3425d98d |
| SHA256 | 53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce |
| SHA512 | 4a355ccd050e6842eb5baac108e3253ce259a8148b06e0b7e1ed21ae8da0ab396b9241072f4c17501545b33ccfdae7b7f0a881ee2ac4fce6c68fdf48047abec0 |
memory/4572-13-0x0000000002070000-0x00000000020A9000-memory.dmp
memory/4572-14-0x0000000002070000-0x00000000020A9000-memory.dmp
memory/4572-12-0x00000000026E0000-0x00000000026F0000-memory.dmp
memory/3080-20-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2F2DB8CF.cmd
| MD5 | 3a91a0f7a53a8187461bd6c4936898fa |
| SHA1 | 189db2c6fc682cc627a7877f3ec732f19d573287 |
| SHA256 | 21cf8e9446edd362f11bdc1169f8fb973eacd6fa76fd903db3c8607bdb5c3ac3 |
| SHA512 | 7b7fda9c61f8148c19b984fa9d67df27919baf7442fb70dea259a0c0c5454760b69856a241ba69417cf710f1fa730c2b76d33d9f7c18fdf7c8b4e63cb2cb3786 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xingd.exe
| MD5 | b856ee00318bbdbafcc4895350424456 |
| SHA1 | e06f26b9f4fe365b85b3ae3b6f0fb4ca3425d98d |
| SHA256 | 53b5d0397777ff7b544a1f75739588fe449a2d6d2f4d4f4bb4d51228caa060ce |
| SHA512 | 4a355ccd050e6842eb5baac108e3253ce259a8148b06e0b7e1ed21ae8da0ab396b9241072f4c17501545b33ccfdae7b7f0a881ee2ac4fce6c68fdf48047abec0 |
memory/4572-29-0x0000000000400000-0x0000000000411000-memory.dmp