Analysis Overview
SHA256
c5c78eabafaaa221a918f4d7705abdf19bd3af2540ce416b2f82c5aa85d35f25
Threat Level: Known bad
The file 0be77175d5db7bce6d960349865754a2 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 02:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 02:37
Reported
2023-12-31 11:01
Platform
win7-20231215-en
Max time kernel
5s
Max time network
123s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0be77175d5db7bce6d960349865754a2.dll,#1
C:\Windows\system32\dpnsvr.exe
C:\Windows\system32\dpnsvr.exe
C:\Users\Admin\AppData\Local\TIX\dpnsvr.exe
C:\Users\Admin\AppData\Local\TIX\dpnsvr.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
C:\Users\Admin\AppData\Local\8N5kzAslg\mmc.exe
C:\Users\Admin\AppData\Local\8N5kzAslg\mmc.exe
C:\Windows\system32\rdrleakdiag.exe
C:\Windows\system32\rdrleakdiag.exe
C:\Users\Admin\AppData\Local\1tR\rdrleakdiag.exe
C:\Users\Admin\AppData\Local\1tR\rdrleakdiag.exe
Network
Files
memory/2168-1-0x0000000140000000-0x0000000140166000-memory.dmp
memory/2168-0-0x0000000000390000-0x0000000000397000-memory.dmp
memory/1204-4-0x0000000077676000-0x0000000077677000-memory.dmp
memory/1204-5-0x0000000002B50000-0x0000000002B51000-memory.dmp
memory/1204-10-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-16-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-20-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-29-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-31-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-30-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-33-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-32-0x0000000001D90000-0x0000000001D97000-memory.dmp
memory/1204-28-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-27-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-26-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-25-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-41-0x0000000077781000-0x0000000077782000-memory.dmp
memory/1204-42-0x00000000778E0000-0x00000000778E2000-memory.dmp
memory/1204-40-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-24-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-23-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-22-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-21-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-19-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-18-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-51-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-17-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-57-0x0000000140000000-0x0000000140166000-memory.dmp
C:\Users\Admin\AppData\Local\TIX\WINMM.dll
| MD5 | 1a51ce83255e3c5c3981addc70fc7c54 |
| SHA1 | c2b0a33b888aa9bb028d3c31dad4cc6c5a07457d |
| SHA256 | 1498b2b43c92e5fde8ba79c32dcaca4aff05cdf692c43556ada2ae2e78cb2b25 |
| SHA512 | 473fc3ec7fb8985da9801777cc5ec714a915ea16728a38bc727a854f9787e3b8ecc563b5172698e900df1723da2652ead2790002d1411830f8f2ec4f18112176 |
\Users\Admin\AppData\Local\TIX\WINMM.dll
| MD5 | 7a84e3258e09ca9d643787f8ac0e3d37 |
| SHA1 | f2d5815aaa1a278d80ce50274bb1713efb773123 |
| SHA256 | a4ce7b994a1541453da1407717505e419239651f68225a1bf28b69504c3e45cd |
| SHA512 | 64733a9f6b28c88d16ad244e49a7c2adf781af9adff0dba58cd8e992f9660daee9a76710f0bef1f63e616dcb9fd700ffee1eb1e6cf0850e7b7fcec173a41d79a |
memory/2644-70-0x0000000140000000-0x0000000140168000-memory.dmp
memory/2644-69-0x0000000001B40000-0x0000000001B47000-memory.dmp
memory/2644-75-0x0000000140000000-0x0000000140168000-memory.dmp
C:\Users\Admin\AppData\Local\TIX\dpnsvr.exe
| MD5 | 6806b72978f6bd27aef57899be68b93b |
| SHA1 | 713c246d0b0b8dcc298afaed4f62aed82789951c |
| SHA256 | 3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c |
| SHA512 | 43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b |
memory/1204-15-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-14-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-13-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-12-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-11-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-9-0x0000000140000000-0x0000000140166000-memory.dmp
memory/2168-8-0x0000000140000000-0x0000000140166000-memory.dmp
memory/1204-7-0x0000000140000000-0x0000000140166000-memory.dmp
\Users\Admin\AppData\Local\8N5kzAslg\mmc.exe
| MD5 | 2586242578c401d46d7df55e44246650 |
| SHA1 | e9789092fb05a1fff4d1cbf5c48424c9201ff26f |
| SHA256 | e1f603dd2b71b281d4600ca3990bed937ad5c3b82b9a98688943cdc97e4bbf12 |
| SHA512 | cfd432411c07498e5dbe9c9e4ab0d831d7289186161c46b93060a1f84bc220d815859e1ba094956b5e7ba339e3370d345c2959c906728ec7ecc378657839e3b8 |
\Users\Admin\AppData\Local\8N5kzAslg\MFC42u.dll
| MD5 | bca39c64a1e7df9d45f39482686e8dee |
| SHA1 | 69d460d9a77fbdb8d8996aea572be113165a1d8c |
| SHA256 | fd804311bca1a7725fb215c8b405b903b67225529da85485c2237b510f8dfac5 |
| SHA512 | 8d2440324658280c7ad697958ee119dde12aa7ca0ea6be67640de95d0314e911d3fe9297e6317046201642bde74f96f7daff54da6af00b10fb9ab13c88c2a6f5 |
C:\Users\Admin\AppData\Local\8N5kzAslg\MFC42u.dll
| MD5 | c96b8348e0015996673a4a0b3222100d |
| SHA1 | 264cd4a5cd5cb3d5150f87aae9727ca1300f18d6 |
| SHA256 | 7f77fca788a06e0e629c6a3bf03c964429a4a0b7b885d006a0cd2d4f3f6a90f1 |
| SHA512 | 3e690edac2a54b0c7031519fedf19ec9a249263a5ee4bb80c2fcfde21ec38ad664e9de554c408f0a7de178c5b44965adf6f3cb0ad9093ce649c9f788e114a330 |
C:\Users\Admin\AppData\Local\8N5kzAslg\mmc.exe
| MD5 | b1c9b57c152c88bac9b9a054e2dcb139 |
| SHA1 | 38b53f7f53db5cd4ae4801f0f14bd20e2e5f1bcb |
| SHA256 | 839211ec7f456e5f82e4b3f5c56e57cac5a35465e81fb56434493fbb0b00b08f |
| SHA512 | 16a952b644a173bb02cbb9408215bc640e587f9a5a66b13df832f1810f026c24d0a5b6311560ffb74ff42f6e9dae65fed02c185f2fe5a1f762fa4b0e715a5151 |
memory/976-89-0x0000000000170000-0x0000000000177000-memory.dmp
memory/976-92-0x0000000140000000-0x000000014016D000-memory.dmp
memory/976-87-0x0000000140000000-0x000000014016D000-memory.dmp
C:\Users\Admin\AppData\Local\8N5kzAslg\mmc.exe
| MD5 | bb41ff971854d8618ece465860ceba66 |
| SHA1 | 5f804faa4cb77282741f581bf2f6f471f74d8617 |
| SHA256 | 01a68f95e209c5cd857d0abf5f628fde2c0db9245687093f1ded146e45158c27 |
| SHA512 | c7e017e4f428547d75c148a0214e8febe2942bf59be45b6b18474d19b3dabd976fa6c727c0787446d12611d81541b7703270edc115831c0cccab8ce8e4f9e02b |
\Users\Admin\AppData\Local\1tR\rdrleakdiag.exe
| MD5 | 53f6bf79a92eb8b6ad16cdc0137fd69e |
| SHA1 | 85d75f04a95369c5d5cc70b4a27df7f17bcc739e |
| SHA256 | a2f67f23f29d238e1668e7e6b11030bc0d26f6c647c46ee9f95deb6fd7b2a346 |
| SHA512 | ae1a96f0a99908c82ae758ec32fa64f03e269ad24370470437ff9d6da35d84c07c5e69a38c9b5b98f3e8d385865ad91cf2fa2f1033bb16a3113244e55eecc690 |
C:\Users\Admin\AppData\Local\1tR\VERSION.dll
| MD5 | cb3f3eeca14e06f6f41afa011e5c36dc |
| SHA1 | d39b1ab1dd9744a5676eece490df578b01dcf58a |
| SHA256 | 9ac6afbda1c5cee6dc21cb5245ee4e070aef4993d6e8ed4db08dbf8033c7dad0 |
| SHA512 | f900add373cba623364262bc1ca057910179df9ae5c8d925a784e0fc60e6d5c0613874d2f2841c9d9f00ca77b734bc2aeba7f25ae8c4b159f056858f867fe4ea |
C:\Users\Admin\AppData\Local\1tR\rdrleakdiag.exe
| MD5 | 2603b3b32d273dbcc7939f49a9237dff |
| SHA1 | 6991407dd14cf17c7fb513f3bf874e8c3af7dea3 |
| SHA256 | f94475e3ec889203cb649ce357dc6b1c153fe2934c827f65ec3e1d7e02cc1e6f |
| SHA512 | e7d831fe928de409319248378d00028a005b3211c2d457bed9cd173eb870c2a0bd3add2f1ae2357098ba401cffee930e0d2af7ceffe73fa2ce21a06be5741496 |
memory/2900-112-0x0000000140000000-0x0000000140167000-memory.dmp
memory/2900-111-0x00000000000F0000-0x00000000000F7000-memory.dmp
memory/2900-117-0x0000000140000000-0x0000000140167000-memory.dmp
C:\Users\Admin\AppData\Local\1tR\rdrleakdiag.exe
| MD5 | f9ae341d22fc0261f78055b3ccc75d01 |
| SHA1 | 3904030deef271ac6dfc9f970c3d1a6322b0b916 |
| SHA256 | 1eff398a879e06969f3d033e66226e8795fd1b7fe66f5216d53bb0709c9388fd |
| SHA512 | c2ca8ee0b7c18ec12d86ed20cfb4fc7b6df61d6466bf767961a4382901d30094e61f41dc55165a7804047820426716141dc445a10e8197cb241307c2388af853 |
\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\EMD0HGW\rdrleakdiag.exe
| MD5 | 5d6920a0c6c1e086df1504e9e50937f3 |
| SHA1 | d1cb6e91a1c7d6b2a165df42c450e7da94ccfb25 |
| SHA256 | f372e7565dc4c1e08a05d58972e5cdd8ba89b3bfa05227132824b597983bb794 |
| SHA512 | b835a40117e4152b1db00fda375739018dfd1856656de444e659ade8193a13a52719ae5dddff3c7cb23f8b84e8fe190fcdf8048bd8a4f5fd7f9f023413a8e7a4 |
memory/1204-131-0x0000000077676000-0x0000000077677000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk
| MD5 | 44625db09f3d9614282c2ae5d1c30fbe |
| SHA1 | 146a6615c73896f97567367e205a0f684c1a616b |
| SHA256 | dd04553dca22e049da6aa0b83fcf6ea326f4e983ccbd5965c6defed0c1fd1211 |
| SHA512 | 52191a0eb439e6ef85149f2018ae499fb16a2594217a879835c8575f93bf08058172e40ed6dc264a08b17159d3bd01a1ca009e29e7493c62cbc34002957afdf6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\DF6X8\WINMM.dll
| MD5 | 067a47a0d2d1237075d56d513e75cf85 |
| SHA1 | 3f709c26e277742a9378047bb0435ef5afd5e6ce |
| SHA256 | c1c540274fadac24bb6774b119d61cde3d8c9aaca373fdac45af1e41c1be35db |
| SHA512 | c05e40348b890337969532505f89d84e964657a53acb5ddbf69fa66ecd3a4b538c60026637b53da4ee8146117d22cfbc1762ffc532cd0360312d9216978c6281 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C02Wj8jjPvo\MFC42u.dll
| MD5 | a3bc65b99e3a0f5a76e4a868d0d6f89d |
| SHA1 | 2f46fed1e866e3df717b8c745d782d0d4d403045 |
| SHA256 | b0ee30dbe2a1539639b381d7b36223e0decfe966ad98ddd5991bdde2fd5a849e |
| SHA512 | 5fcfac25de7be111dd0c0c78230b391089fd5f1fe2531bf2c997d108b02adc468e9ad9242e6f67fc65b9547c57290e7987eb91a9a5af25b5ffbde813ee2117a7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\EMD0HGW\VERSION.dll
| MD5 | fc43317708b28bb3a336fa4767c9429c |
| SHA1 | 1dffc0e27d77c24ddd55c5a2110caf41e3a194d1 |
| SHA256 | f42360c68a5eefe1470ceee8fa702968a0759fc19704ca32ba5928148b632680 |
| SHA512 | 8e5e8a1ac02b154f5f46ecf44f64fa496177db9c415ca410147b6ecc907c6c9288db546a3da57ee9690954b71fc1b2a1e8082bdd2be6a66b6e8a6f5fc5d133db |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 02:37
Reported
2023-12-31 11:03
Platform
win10v2004-20231215-en
Max time kernel
115s
Max time network
157s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\9UF\SystemPropertiesPerformance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\6bw\systemreset.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\vwt\FXSCOVER.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\9UF\SystemPropertiesPerformance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\6bw\systemreset.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\vwt\FXSCOVER.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fidpgamyc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\lgD8nLG\\systemreset.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\9UF\SystemPropertiesPerformance.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\6bw\systemreset.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\vwt\FXSCOVER.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0be77175d5db7bce6d960349865754a2.dll,#1
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\9UF\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\9UF\SystemPropertiesPerformance.exe
C:\Windows\system32\systemreset.exe
C:\Windows\system32\systemreset.exe
C:\Users\Admin\AppData\Local\6bw\systemreset.exe
C:\Users\Admin\AppData\Local\6bw\systemreset.exe
C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
C:\Users\Admin\AppData\Local\vwt\FXSCOVER.exe
C:\Users\Admin\AppData\Local\vwt\FXSCOVER.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.13.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
memory/2696-1-0x0000012578790000-0x0000012578797000-memory.dmp
memory/2696-0-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-4-0x0000000008160000-0x0000000008161000-memory.dmp
memory/2696-7-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-8-0x00007FF8D923A000-0x00007FF8D923B000-memory.dmp
memory/3492-9-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-6-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-10-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-11-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-13-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-12-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-14-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-15-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-16-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-17-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-18-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-20-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-19-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-22-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-21-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-23-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-24-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-26-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-25-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-27-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-28-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-30-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-31-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-29-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-33-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-32-0x0000000002760000-0x0000000002767000-memory.dmp
memory/3492-41-0x00007FF8DB120000-0x00007FF8DB130000-memory.dmp
memory/3492-40-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-52-0x0000000140000000-0x0000000140166000-memory.dmp
memory/3492-50-0x0000000140000000-0x0000000140166000-memory.dmp
C:\Users\Admin\AppData\Local\9UF\SYSDM.CPL
| MD5 | 1c0c33cb4513b1bebb4e5325e3c9c28b |
| SHA1 | c240581bf20be30bf7cafa73a7013b57513635cd |
| SHA256 | fe87e3d0e96325b61b73e609f17c03067063cd5f4ca2b3bac9cf60f62b1d3db8 |
| SHA512 | 9f2d57761f063e4c0d1ea27011d11aafd39b34ea757f009c8ff88c4f2bfa0d47d10fb8a5e355459eadd70e271fe46f82eb461181ceca79bd2406db318fba825e |
memory/2960-62-0x000001CA61A80000-0x000001CA61A87000-memory.dmp
memory/2960-67-0x0000000140000000-0x0000000140167000-memory.dmp
C:\Users\Admin\AppData\Local\9UF\SystemPropertiesPerformance.exe
| MD5 | e4fbf7cab8669c7c9cef92205d2f2ffc |
| SHA1 | adbfa782b7998720fa85678cc85863b961975e28 |
| SHA256 | b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30 |
| SHA512 | c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6 |
memory/2960-61-0x0000000140000000-0x0000000140167000-memory.dmp
C:\Users\Admin\AppData\Local\9UF\SYSDM.CPL
| MD5 | e4c2edfadfb827c3a48f5eb69c00aae3 |
| SHA1 | decc1fa8a64711dbebbfdaa1e4fede1b742d433a |
| SHA256 | b948326442418f9f705beff2d38552f2a3b200b35dc626e079984b1b9a2b103e |
| SHA512 | b23d7e9a1e8150d37dcdc0b054f940fd3b35a7fcdef3abc98d0d0c7450eaee28ac5c55b050af21e6b08d9e9f264cf221f9d0a00996d3cf3079a4a5075a1db021 |
C:\Users\Admin\AppData\Local\9UF\SystemPropertiesPerformance.exe
| MD5 | 0080d4b639afe0835f38f3a9520cc8ba |
| SHA1 | 145223c003c82bb0a2234db5659573541390b13f |
| SHA256 | a4f38b0bd5ff0bf9cf1eaeb4bd76458834b5f379bbda49b307b547dce1dee0dc |
| SHA512 | 3edf989d8d6e54ff4ae0743ee32f20ce422f83aafc537a6e1e5216660f591b0ae5721ece1d07bca1b79e0820356aa3b30ca22c9e9d5c9bdfc8221565ffe67c5b |
C:\Users\Admin\AppData\Local\6bw\systemreset.exe
| MD5 | 84bf40f223b9e98c7f860600f1c065c2 |
| SHA1 | c1b7c0ce7ea3a1509da2ae2207e209a01b7ad52c |
| SHA256 | 70b6911340a24de99bb371a1e4eea5fcd1e1eed6efafac3fbd9db2560e64a918 |
| SHA512 | 794757b1ae5055b1e752be8c0e79165fdab8b70568fefb024538a765341f54f0c26f21c92eafae515cd20731338426960f6b89f3836bf2a6763143ea66992ff8 |
C:\Users\Admin\AppData\Local\6bw\ReAgent.dll
| MD5 | 5454ef9b44e37d9d99844796ecc24e4d |
| SHA1 | a38bd79b3248008563dc58d8fe3ce11e86dc0157 |
| SHA256 | 430eb867bed91fcfad5509d3faa6ccb86979eb21f5acb4de46f0415048e39160 |
| SHA512 | c789b29abeb94f51d43d06220b02afa684bb8e0fe070bb6adf85efe3522465f6911e9a19c0388ead5e6f41ed34a9de50bb8ecfc00e527c00126a14e7e41b21a6 |
memory/1380-78-0x000001373EBA0000-0x000001373EBA7000-memory.dmp
C:\Users\Admin\AppData\Local\6bw\ReAgent.dll
| MD5 | 33391ba6dd8c5d11111e514c2a0ac62e |
| SHA1 | d0814e977ffe4606822c52db145c800c5abbe914 |
| SHA256 | 97ed1db9d2ba822add67cb791b167f50b406cada786d1580189640b330eef0d7 |
| SHA512 | 6f84e3f8a5f8ebdd3ced07d7ef9f750d5e08899087e833cdc28098a36e595e1c04bb0f804bcdbe732e7f630e5af554ef63d144dc34dc1452a99c6ba58299136b |
memory/1380-84-0x0000000140000000-0x0000000140167000-memory.dmp
C:\Users\Admin\AppData\Local\6bw\systemreset.exe
| MD5 | 007142dce05a58bda84fcc27e0c624a2 |
| SHA1 | 2e9c96ea5ecc69ed52cf6da851cb38d752cdc40c |
| SHA256 | f91427b1414fddb2a699804317f7addee027f47186852bf1df23ecaaafe1df9c |
| SHA512 | 7d392186917f1e058c771454c88bacb9dec6c42f92be697596ca9c1c0a83b8375d79c009467715f7ede1ac9a04c3bc46d323fecb58e6fb5c1af4c59caf28eee2 |
C:\Users\Admin\AppData\Local\vwt\FXSCOVER.exe
| MD5 | 6d8858f0818676f141f5bcaf122afcce |
| SHA1 | 371daa8c91de3e0fda1602f3e1b812f8abb44cb0 |
| SHA256 | beb2faed46b0b810d0ea8d0821eb08133a4d3bd3431f016a289a25780ec7aa8a |
| SHA512 | 15f194e09cd734f2838c87c72a5280502c6293e5da11155a4e49f82bf60ba15982dbd6bb36cf1da2b3b057eb4b33c06fa29bba3e704a1934f73d38797c409874 |
C:\Users\Admin\AppData\Local\vwt\MFC42u.dll
| MD5 | dc3f0925637489c956a7066a20d4a64a |
| SHA1 | 727ccd82ce0847adc744e5e53a599c56ca28249a |
| SHA256 | 877850a6e01df118e50a9714114b3b3606f7cfea4969f8e8553b33fd3f55b282 |
| SHA512 | 087e37800e12004740ef7c5c419c9b86072469f59d6ce75064b03f52bc04c8885db4c247af138dbb3a0db25521f901c876a1b94ac754f3d83540be253609aaa7 |
C:\Users\Admin\AppData\Local\vwt\MFC42u.dll
| MD5 | 625d8f5abe5cd125a4ce7cfd589fdea0 |
| SHA1 | 2ee0cf06bd5c2fc5869eeb5e7ff3c55655963baa |
| SHA256 | c98f6d45dac4db29b464a5ea9fc6d2149da426d62c7a1c92ac33b7c55a1b04ad |
| SHA512 | 6fb42c1165f69cacf3cd9e49565c7ee4b711ef304887ee4861a9ce438c4c6e9e61de0e9aa3384783b9a7f423f675cb0295d6bfa427355ba988a01bab6759f9c1 |
memory/2312-101-0x0000000140000000-0x000000014016D000-memory.dmp
memory/2312-96-0x0000000140000000-0x000000014016D000-memory.dmp
C:\Users\Admin\AppData\Local\vwt\FXSCOVER.exe
| MD5 | b8bd808f3921dcba3aefa4f3d4422b41 |
| SHA1 | 2d758db395f94513c9d8ac8e7329fc12395f272e |
| SHA256 | 76d7336fd97d98bc6229ab4c7e58efeff06410ecee3f25cd8f8d1a752f42a7b1 |
| SHA512 | e37a3c842a82599f4ba11da2275629538373f23020a50ce6d2641ba72ecb5fcf53f4e3cad9156d19e53a479240bcb285fa47ae127330398288fabbeb9836b9b8 |
memory/2312-95-0x000002BC85520000-0x000002BC85527000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Enpllr.lnk
| MD5 | 69259dafa3c12e68a47518e0c5fd436e |
| SHA1 | c280a184d500e8edfaa8aa6048ac7e8fea19760d |
| SHA256 | dc682eadc6cda36865ce4ed89521e33ab039ad55960832c0d2b71234ccce176b |
| SHA512 | 0077fc9948c796ec741a6d451d1166dedc079b25345ade427169371a0d524ef7cbdfd7d1cf2603f7e604f559f54491c7c12b76be8bb74c5fa8e94e3d900a1516 |
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-2398549320-3657759451-817663969-1000\C3OFBs\SYSDM.CPL
| MD5 | 85c693722c93cd243b3478a9c52c5d2f |
| SHA1 | ef667ba0bfe3dfdb05832fb48b480671e7a28103 |
| SHA256 | 9381163af383ba7686fbf9cf0223059ed0c54080084fea192a340534427fe093 |
| SHA512 | 29273de9248b5eb6557d6e3dc7fd4a672539907f464332edd89b9153f677cd3a819eeb205b0da46f85b5e3b3da2c1cf2e0c7403175175d6b1962145361ce7965 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\lgD8nLG\ReAgent.dll
| MD5 | 884461bd084812090210f00f47359c4b |
| SHA1 | 236a2d9bd96a96ae2eba008a1a289fffcbe9f73d |
| SHA256 | 7da4206716e01d12fbe0217a8d7e2db11d78f044f4c392ddc356a6483abf5024 |
| SHA512 | 9aee83ea3bee14c727fdea9a20c2706563ecf3dd1c439b0f2da4959356357729f4287a49b973186ad6264cad71449a6b99c8896e66e474dee0a537e3cd8a40cd |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\wB39\MFC42u.dll
| MD5 | 585bb7925e1ff17281c7519ac4987261 |
| SHA1 | 3431aaca19d1e628745041740c3480d9498aa013 |
| SHA256 | cfb51ab6597ac44fc411a3ffadb67e2ad8e8a0741e1832ad9ddbbc9550b4a27f |
| SHA512 | 6ad406a8f60a0a7bd2aa2b198149a0758d170fe99c869c523a79394e3672db3a457908467fdbc8c4f9b8db3383bd5e39ff6dd3777f9398405e13681bc3064d0b |