Analysis Overview
SHA256
8ee1f2fa3582a791cdfc6bae5a3282b82ac28ab60683d968041a4f39584e4d57
Threat Level: Known bad
The file 3526a594f157e00abe6d9baf2c84e361 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-25 18:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-25 18:39
Reported
2023-12-29 05:54
Platform
win7-20231129-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\COiTo\\DXPSER~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\7QG8\lpksetup.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\7QG8\lpksetup.exe | C:\Windows\system32\cmd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1380 wrote to memory of 1760 | N/A | N/A | C:\Windows\system32\Dxpserver.exe |
| PID 1380 wrote to memory of 1760 | N/A | N/A | C:\Windows\system32\Dxpserver.exe |
| PID 1380 wrote to memory of 1760 | N/A | N/A | C:\Windows\system32\Dxpserver.exe |
| PID 1380 wrote to memory of 1832 | N/A | N/A | C:\Windows\system32\cmd.exe |
| PID 1380 wrote to memory of 1832 | N/A | N/A | C:\Windows\system32\cmd.exe |
| PID 1380 wrote to memory of 1832 | N/A | N/A | C:\Windows\system32\cmd.exe |
| PID 1380 wrote to memory of 2148 | N/A | N/A | C:\Windows\system32\lpksetup.exe |
| PID 1380 wrote to memory of 2148 | N/A | N/A | C:\Windows\system32\lpksetup.exe |
| PID 1380 wrote to memory of 2148 | N/A | N/A | C:\Windows\system32\lpksetup.exe |
| PID 1380 wrote to memory of 2132 | N/A | N/A | C:\Windows\system32\cmd.exe |
| PID 1380 wrote to memory of 2132 | N/A | N/A | C:\Windows\system32\cmd.exe |
| PID 1380 wrote to memory of 2132 | N/A | N/A | C:\Windows\system32\cmd.exe |
| PID 1380 wrote to memory of 2880 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 1380 wrote to memory of 2880 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 1380 wrote to memory of 2880 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 1380 wrote to memory of 2816 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 1380 wrote to memory of 2816 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 1380 wrote to memory of 2816 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 1380 wrote to memory of 1700 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 1380 wrote to memory of 1700 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 1380 wrote to memory of 1700 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 1380 wrote to memory of 2400 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 1380 wrote to memory of 2400 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 1380 wrote to memory of 2400 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 1380 wrote to memory of 328 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 1380 wrote to memory of 328 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 1380 wrote to memory of 328 | N/A | N/A | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3526a594f157e00abe6d9baf2c84e361.dll,#1
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\okXs.cmd
C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\qjdS.cmd
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /F /TN "Mppxofurfby" /TR "C:\Windows\system32\7QG8\lpksetup.exe" /SC minute /MO 60 /RL highest
C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /Query /TN "Mppxofurfby"
C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /Query /TN "Mppxofurfby"
C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /Query /TN "Mppxofurfby"
C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /Query /TN "Mppxofurfby"
C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /Query /TN "Mppxofurfby"
C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /Query /TN "Mppxofurfby"
Network
Files
memory/780-1-0x0000000001D70000-0x0000000001D77000-memory.dmp
memory/780-0-0x000007FEF64C0000-0x000007FEF6563000-memory.dmp
memory/1380-3-0x0000000076BA6000-0x0000000076BA7000-memory.dmp
memory/1380-11-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-24-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-31-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-33-0x0000000076F10000-0x0000000076F12000-memory.dmp
memory/1380-42-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-32-0x0000000076DB1000-0x0000000076DB2000-memory.dmp
memory/1380-47-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-30-0x0000000003E10000-0x0000000003E17000-memory.dmp
memory/1380-23-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-22-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-21-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-20-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-19-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-18-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-17-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-16-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-15-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-14-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-13-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-12-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-10-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-9-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-8-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/780-7-0x000007FEF64C0000-0x000007FEF6563000-memory.dmp
memory/1380-6-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/1380-4-0x0000000003E30000-0x0000000003E31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uwE3C55.tmp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\okXs.cmd
| MD5 | 472f38b504a240d744ec16dc0c052ec9 |
| SHA1 | 2144bd911591df1e53fcbe6f8611ac13b7b1baef |
| SHA256 | 5845f910b51a62db0d9a073763c28558c868c348b841d7f460ca23755890dc2c |
| SHA512 | 7ad69a33668dec93fc6a98daab4c69065d7dea83d9a1e6f56064ac93de1bffac39d91c12a314cf66e4ce3085db14f963aa0cf0cd428711c537dc40529fe2504a |
memory/1380-59-0x0000000076BA6000-0x0000000076BA7000-memory.dmp
\Users\Admin\AppData\Roaming\COiTo\Dxpserver.exe
| MD5 | 4d38389fb92e43c77a524fd96dbafd21 |
| SHA1 | 08014e52f6894cad4f1d1e6fc1a703732e9acd19 |
| SHA256 | 070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73 |
| SHA512 | 02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Groztcac.lnk
| MD5 | c5b20ee47f6ced44a54711c5723bfcf8 |
| SHA1 | 2b444df11fa9b084a2c3a20ff2e89517614394e1 |
| SHA256 | 5e5da1a12b54afceaa6221be22df49ff084728fb9197ef794df54f2464caac07 |
| SHA512 | 725d88bee73fb2f9b94ae3ea5c5f07a1ec5eefd973caf50e63d56dbbf61c17e74b6b1d280257deea284ca9493f89eca3f213830a7bb5337136ab2921a9345bcf |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-25 18:39
Reported
2023-12-29 05:54
Platform
win10v2004-20231222-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\gpvk7P\\sppsvc.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\Bnk0\SystemPropertiesRemote.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\Bnk0\SystemPropertiesRemote.exe | C:\Windows\system32\cmd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3528 wrote to memory of 4436 | N/A | N/A | C:\Windows\system32\cmd.exe |
| PID 3528 wrote to memory of 4436 | N/A | N/A | C:\Windows\system32\cmd.exe |
| PID 3528 wrote to memory of 5048 | N/A | N/A | C:\Windows\system32\SystemPropertiesRemote.exe |
| PID 3528 wrote to memory of 5048 | N/A | N/A | C:\Windows\system32\SystemPropertiesRemote.exe |
| PID 3528 wrote to memory of 1696 | N/A | N/A | C:\Windows\system32\cmd.exe |
| PID 3528 wrote to memory of 1696 | N/A | N/A | C:\Windows\system32\cmd.exe |
| PID 3528 wrote to memory of 5056 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 3528 wrote to memory of 5056 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 3528 wrote to memory of 4124 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 3528 wrote to memory of 4124 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 3528 wrote to memory of 4432 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 3528 wrote to memory of 4432 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 3528 wrote to memory of 3488 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 3528 wrote to memory of 3488 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 3528 wrote to memory of 3172 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 3528 wrote to memory of 3172 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 3528 wrote to memory of 3140 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 3528 wrote to memory of 3140 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 3528 wrote to memory of 920 | N/A | N/A | C:\Windows\system32\schtasks.exe |
| PID 3528 wrote to memory of 920 | N/A | N/A | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3526a594f157e00abe6d9baf2c84e361.dll,#1
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\SdINbYD.cmd
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /F /TN "Kjaztdntfug" /TR "C:\Windows\system32\Bnk0\SystemPropertiesRemote.exe" /SC minute /MO 60 /RL highest
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\62D9sJX.cmd
C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe /Query /TN "Kjaztdntfug"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
Files
memory/4488-0-0x00007FF94C5B0000-0x00007FF94C653000-memory.dmp
memory/4488-2-0x000001C2FA5B0000-0x000001C2FA5B7000-memory.dmp
memory/4488-6-0x00007FF94C5B0000-0x00007FF94C653000-memory.dmp
memory/3528-7-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-11-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-21-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-26-0x00000000011F0000-0x00000000011F7000-memory.dmp
memory/3528-31-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-32-0x00007FF95A700000-0x00007FF95A710000-memory.dmp
memory/3528-43-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-41-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-24-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-23-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-22-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-20-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-19-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-18-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-17-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-16-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-15-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-14-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-13-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-12-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-10-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-9-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-8-0x00007FF95885A000-0x00007FF95885B000-memory.dmp
memory/3528-5-0x0000000140000000-0x00000001400A3000-memory.dmp
memory/3528-3-0x0000000001240000-0x0000000001241000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ZNS7A9E.tmp
| MD5 | e9f50f4d6d5322e741e559d7ab7a3835 |
| SHA1 | 479eed370f7b136a46c9c729de3c6751951aa4f5 |
| SHA256 | dc4d21cdf98ab842af45a186838dcae5918fdd2cec26c98f0daccaf0d1e638e9 |
| SHA512 | 89323db0f8b73b784d422fe20c7f95e3996397b4475b4a22f40016bd2fabdc2cd31425a105feb8c4da3828f36763a43dbf968f88668ba73aa01ae6dc6b62af0d |
C:\Users\Admin\AppData\Local\Temp\SdINbYD.cmd
| MD5 | 2846fb0f6e0b1931523fd625a8ebfa3d |
| SHA1 | 84b1aff0130d18724797b49a04ec48fe2af55e74 |
| SHA256 | 958a4b41185ae1701dc7b73efecf97431343f8ec06e0bf6deeb03d9bcfb4d995 |
| SHA512 | b8b31a8ffb249183c4b44c35e8cdaf9679591da8bbac7fa8c6c1420aa260f3791d96a9c6c121bdaa0c56e53f4b2db60191496424a1f6048d44541b6fbf86b7aa |
C:\Users\Admin\AppData\Local\Temp\vLA1FE.tmp
| MD5 | bbcbb2c70ad66cd3be378276d1138309 |
| SHA1 | dd06411b0c1210710053b2e530c5c77701d61cff |
| SHA256 | 298cc817d625df06ec00caf59a156113041337b6c55f3b4bcf4e98b26e14a0cc |
| SHA512 | 22b179e52f801043042bc55d1f77840d221c8b4b69bc36d334d596220823988633853004fc8d9014944277a22b79f921ba190cff74cee156b57a88913eaed08b |
C:\Users\Admin\AppData\Local\Temp\62D9sJX.cmd
| MD5 | d76e79315d745c67bf9c705242767932 |
| SHA1 | 079ba584885d3b830cf692f589a9e35b66ee7db2 |
| SHA256 | 780169848e2d5ddef9f1944d64e1c4ec2a5caedb7ed68325b4de40eeabdb2ddb |
| SHA512 | 027f24b210a227dec32672fe138d49fd6f2eecd0b2b60df83fd037e91b1da421849ae53f567dc3956b84b00727de5ab0d41f7151bc29b39d85a29ef8e138fee0 |
C:\Users\Admin\AppData\Roaming\gpvk7P\sppsvc.exe
| MD5 | 58c5c8cf49c408f955dfc82e419ec514 |
| SHA1 | 2b00197c781ebb51c049e47a8e378464183496cf |
| SHA256 | 32e24438eec43bde7a66ede9f24e18537ae81acfe6cf783626db6509c5e572b0 |
| SHA512 | a586ccc118ee7a05c510aac0aa9ed85ee9005f4aaa4bab8921acb718846aba6b5564d339ccd5be442b4e11720e0d5d83d83c1df7bdce18c077be960eb0b0f89a |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tgnmvdx.lnk
| MD5 | 31aaae295237a98f000213ca13ad1567 |
| SHA1 | cd793fa1198f768f288fdecf88b7c60bd5660879 |
| SHA256 | 11e0961b3369f278c4ba7811c03d8b8370a1f273fe29fe049cb1b6c8d76b399d |
| SHA512 | 274a34146174ed2e2f99ff484fee85d4946dbef3a3ae5e74d856757ab87895ad65eeebbdd20300223a2e7b4abbadc9248282855bc8598e7a28e925cf3b337309 |