Analysis Overview
SHA256
ddc17a3234f8b037cef7a2121b611cfd17b9d8d23b86671b8031f03001b3dd4c
Threat Level: Known bad
The file 1c3020b882d26c1a009d1a5fa1048d39 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 20:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 20:50
Reported
2024-01-04 06:45
Platform
win7-20231215-en
Max time kernel
151s
Max time network
122s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\8617V\xpsrchvw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\twyiXIz\DWWIN.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\iWq3Se\DWWIN.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8617V\xpsrchvw.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\twyiXIz\DWWIN.EXE | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\iWq3Se\DWWIN.EXE | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\RDx9z\\DWWIN.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\8617V\xpsrchvw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\twyiXIz\DWWIN.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\iWq3Se\DWWIN.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1364 wrote to memory of 2096 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe |
| PID 1364 wrote to memory of 2096 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe |
| PID 1364 wrote to memory of 2096 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe |
| PID 1364 wrote to memory of 1304 | N/A | N/A | C:\Users\Admin\AppData\Local\8617V\xpsrchvw.exe |
| PID 1364 wrote to memory of 1304 | N/A | N/A | C:\Users\Admin\AppData\Local\8617V\xpsrchvw.exe |
| PID 1364 wrote to memory of 1304 | N/A | N/A | C:\Users\Admin\AppData\Local\8617V\xpsrchvw.exe |
| PID 1364 wrote to memory of 2892 | N/A | N/A | C:\Windows\system32\DWWIN.EXE |
| PID 1364 wrote to memory of 2892 | N/A | N/A | C:\Windows\system32\DWWIN.EXE |
| PID 1364 wrote to memory of 2892 | N/A | N/A | C:\Windows\system32\DWWIN.EXE |
| PID 1364 wrote to memory of 2004 | N/A | N/A | C:\Users\Admin\AppData\Local\twyiXIz\DWWIN.EXE |
| PID 1364 wrote to memory of 2004 | N/A | N/A | C:\Users\Admin\AppData\Local\twyiXIz\DWWIN.EXE |
| PID 1364 wrote to memory of 2004 | N/A | N/A | C:\Users\Admin\AppData\Local\twyiXIz\DWWIN.EXE |
| PID 1364 wrote to memory of 2724 | N/A | N/A | C:\Windows\system32\DWWIN.EXE |
| PID 1364 wrote to memory of 2724 | N/A | N/A | C:\Windows\system32\DWWIN.EXE |
| PID 1364 wrote to memory of 2724 | N/A | N/A | C:\Windows\system32\DWWIN.EXE |
| PID 1364 wrote to memory of 2812 | N/A | N/A | C:\Users\Admin\AppData\Local\iWq3Se\DWWIN.EXE |
| PID 1364 wrote to memory of 2812 | N/A | N/A | C:\Users\Admin\AppData\Local\iWq3Se\DWWIN.EXE |
| PID 1364 wrote to memory of 2812 | N/A | N/A | C:\Users\Admin\AppData\Local\iWq3Se\DWWIN.EXE |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c3020b882d26c1a009d1a5fa1048d39.dll,#1
C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
C:\Users\Admin\AppData\Local\8617V\xpsrchvw.exe
C:\Users\Admin\AppData\Local\8617V\xpsrchvw.exe
C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
C:\Users\Admin\AppData\Local\twyiXIz\DWWIN.EXE
C:\Users\Admin\AppData\Local\twyiXIz\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
C:\Users\Admin\AppData\Local\iWq3Se\DWWIN.EXE
C:\Users\Admin\AppData\Local\iWq3Se\DWWIN.EXE
Network
Files
memory/2476-1-0x0000000140000000-0x0000000140212000-memory.dmp
memory/2476-0-0x0000000000110000-0x0000000000117000-memory.dmp
memory/1364-4-0x0000000076F16000-0x0000000076F17000-memory.dmp
memory/1364-5-0x0000000002700000-0x0000000002701000-memory.dmp
memory/2476-7-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-10-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-11-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-9-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-18-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-23-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-27-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-29-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-34-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-36-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-37-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-42-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-41-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-48-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-52-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-51-0x00000000026E0000-0x00000000026E7000-memory.dmp
memory/1364-50-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-61-0x0000000077280000-0x0000000077282000-memory.dmp
memory/1364-60-0x0000000077121000-0x0000000077122000-memory.dmp
memory/1364-59-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-49-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-47-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-70-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-46-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-74-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-45-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-43-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-44-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-40-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-39-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-38-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-35-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-32-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-33-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-30-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-31-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-28-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1304-90-0x0000000000100000-0x0000000000107000-memory.dmp
memory/1364-26-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-24-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-25-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-22-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-21-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-20-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-19-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-17-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-16-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-15-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-14-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-13-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-12-0x0000000140000000-0x0000000140212000-memory.dmp
memory/1364-8-0x0000000140000000-0x0000000140212000-memory.dmp
memory/2812-137-0x00000000000F0000-0x00000000000F7000-memory.dmp
memory/1364-159-0x0000000076F16000-0x0000000076F17000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 20:50
Reported
2024-01-04 06:46
Platform
win10v2004-20231215-en
Max time kernel
159s
Max time network
167s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\14k\upfc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\UQrRfBOJ\tabcal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\qureegG\tabcal.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\14k\upfc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\UQrRfBOJ\tabcal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\qureegG\tabcal.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\oNKXd5y\\tabcal.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\14k\upfc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\UQrRfBOJ\tabcal.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\qureegG\tabcal.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3464 wrote to memory of 3212 | N/A | N/A | C:\Windows\system32\upfc.exe |
| PID 3464 wrote to memory of 3212 | N/A | N/A | C:\Windows\system32\upfc.exe |
| PID 3464 wrote to memory of 4776 | N/A | N/A | C:\Users\Admin\AppData\Local\14k\upfc.exe |
| PID 3464 wrote to memory of 4776 | N/A | N/A | C:\Users\Admin\AppData\Local\14k\upfc.exe |
| PID 3464 wrote to memory of 4528 | N/A | N/A | C:\Windows\system32\tabcal.exe |
| PID 3464 wrote to memory of 4528 | N/A | N/A | C:\Windows\system32\tabcal.exe |
| PID 3464 wrote to memory of 1628 | N/A | N/A | C:\Users\Admin\AppData\Local\UQrRfBOJ\tabcal.exe |
| PID 3464 wrote to memory of 1628 | N/A | N/A | C:\Users\Admin\AppData\Local\UQrRfBOJ\tabcal.exe |
| PID 3464 wrote to memory of 3688 | N/A | N/A | C:\Windows\system32\tabcal.exe |
| PID 3464 wrote to memory of 3688 | N/A | N/A | C:\Windows\system32\tabcal.exe |
| PID 3464 wrote to memory of 4460 | N/A | N/A | C:\Users\Admin\AppData\Local\qureegG\tabcal.exe |
| PID 3464 wrote to memory of 4460 | N/A | N/A | C:\Users\Admin\AppData\Local\qureegG\tabcal.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c3020b882d26c1a009d1a5fa1048d39.dll,#1
C:\Windows\system32\upfc.exe
C:\Windows\system32\upfc.exe
C:\Users\Admin\AppData\Local\14k\upfc.exe
C:\Users\Admin\AppData\Local\14k\upfc.exe
C:\Users\Admin\AppData\Local\UQrRfBOJ\tabcal.exe
C:\Users\Admin\AppData\Local\UQrRfBOJ\tabcal.exe
C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
C:\Users\Admin\AppData\Local\qureegG\tabcal.exe
C:\Users\Admin\AppData\Local\qureegG\tabcal.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
memory/516-1-0x0000000140000000-0x0000000140212000-memory.dmp
memory/516-0-0x00000258E4980000-0x00000258E4987000-memory.dmp
memory/516-4-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-5-0x0000000001020000-0x0000000001021000-memory.dmp
memory/3464-9-0x00007FF84726A000-0x00007FF84726B000-memory.dmp
memory/3464-7-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-10-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-11-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-12-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-13-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-15-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-14-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-19-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-18-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-20-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-21-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-22-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-23-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-24-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-16-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-25-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-17-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-26-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-27-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-28-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-29-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-31-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-33-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-35-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-34-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-36-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-32-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-30-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-37-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-40-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-41-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-43-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-42-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-39-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-38-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-44-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-45-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-48-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-49-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-50-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-51-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-52-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-53-0x0000000000FD0000-0x0000000000FD7000-memory.dmp
memory/3464-47-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-46-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-60-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-61-0x00007FF848260000-0x00007FF848270000-memory.dmp
memory/3464-70-0x0000000140000000-0x0000000140212000-memory.dmp
memory/3464-72-0x0000000140000000-0x0000000140212000-memory.dmp
C:\Users\Admin\AppData\Local\14k\XmlLite.dll
| Hash | Value |
| --- | --- |
| MD5 | b702ae604ec0cb1dbe8ba4a5a717bc07 |
| SHA1 | 00fa535f55d4b8fc63a9f44593b03946e99e94e8 |
| SHA256 | f248bb99bc87fd8b8e10e2e15dd40cc01c01b1fc892df5c75103e4a5cb7bf6db |
| SHA512 | ad8e271c5f5cfd7ac147a327fe3680a917567a1412e696378b7fc381faed0a43532739ca4f107a9ed9f1cdf192bb6d5d1ceec05288e343e7026b93d840d354c3 |
memory/4776-82-0x00000207E3D80000-0x00000207E3D87000-memory.dmp
C:\Users\Admin\AppData\Local\14k\XmlLite.dll
| Hash | Value |
| --- | --- |
| MD5 | 5632e1755c9f1670ccd1a025688e3f4b |
| SHA1 | 07952ed76fdb3e42008af0c3578620c58a8b1107 |
| SHA256 | 54ba569707e9ba853db705946814ef3caa74e5bbd6465233383368bfcf1e8d97 |
| SHA512 | 8c6bb61fa160739cd9bacf4600d6483453297a1dea9851bd35824e2c0f8ac41311b3ea56fd180d982da4e1621964756ca4b1e53f0cc79e94f12c68264f8fcfbb |
memory/4776-81-0x0000000140000000-0x0000000140213000-memory.dmp
C:\Users\Admin\AppData\Local\14k\upfc.exe
| Hash | Value |
| --- | --- |
| MD5 | a028743c89af1ce27599cddb932a061f |
| SHA1 | 27387eb6ffd1b8636218c943a7a61bb4883aa5fc |
| SHA256 | 77e110824bc6d36d153034c108c46c84c67a4c196ee15d8e0ccca709788567cd |
| SHA512 | 25408d377af8c331e3cca80bfb22e06580f7b906bafc21ae71a504460b73925c19a6fb0ea790a2b036c7338e8ddbf9bf24bf259cbd578cb3dc00985d7ba898a3 |
C:\Users\Admin\AppData\Local\14k\upfc.exe
| Hash | Value |
| --- | --- |
| MD5 | 35afa3ca799a5efa20e4eba9c8c78f7e |
| SHA1 | 895125f5369d63309b4aa9d739e0e75f702b5312 |
| SHA256 | 458283400e97e244558cc5dff7dfb81c314d3bf1ed5764482251478aaea03226 |
| SHA512 | 85c088cb315c1db5131b9a4b5437356e023c6dde4f0c69693000cf28e220894d0acad4c609898d228733d5eed4675d9c3b9961c82204f2fa4ff5325a48286e3f |
C:\Users\Admin\AppData\Local\UQrRfBOJ\HID.DLL
| Hash | Value |
| --- | --- |
| MD5 | 1a2c7207c26979fa3bc465f8f4bdef31 |
| SHA1 | 2d5fb284731ae06a3a7ac89ed1eed685e4500740 |
| SHA256 | 59a1ec35d9f29bb63d6bc3796f149df90e91fdaeffa790bbcd19dec5acbf8c37 |
| SHA512 | 79805613419a826deb74241d1ddaecda1dedd79ecfd9e5f126a779fa815ee9ab8142a479b8e5f8c66631e9fcf5b8f4dfe4fe8ec31a56c8bd0a98007b9050bb0f |
C:\Users\Admin\AppData\Local\UQrRfBOJ\tabcal.exe
| Hash | Value |
| --- | --- |
| MD5 | 40f4014416ff0cbf92a9509f67a69754 |
| SHA1 | 1798ff7324724a32c810e2075b11c09b41e4fede |
| SHA256 | f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c |
| SHA512 | 646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259 |
memory/1628-98-0x00000224B1CE0000-0x00000224B1CE7000-memory.dmp
C:\Users\Admin\AppData\Local\UQrRfBOJ\HID.DLL
| Hash | Value |
| --- | --- |
| MD5 | be0a738415a7f094765a51e8329ccfdb |
| SHA1 | 8ca690a95a7885b0204abfa23711f804178f7ba2 |
| SHA256 | 3262c330ca9bf150f3107defd9f9f41cb1b91e8f122c70a82341d8ef5bc671eb |
| SHA512 | e5c41e7bedadd3ea7a12e9339e5c1f10dc3fa3c38d4cadb8f46b7941b3c920dcbcd223e1e2f0687e216511638b7ca80424e99d7c3bb8060a813534b768f1097a |
C:\Users\Admin\AppData\Local\qureegG\HID.DLL
| Hash | Value |
| --- | --- |
| MD5 | 73ab1caf8e3da0d67413fb0e23949071 |
| SHA1 | 065f90a5fa3805fc59a459f563cf2a6ee95b66ce |
| SHA256 | c422fc47b269018226835b93fbbec6a2bf74f3f00652dd75f371dc3a2bd01e0b |
| SHA512 | ae5cb3f24ed7b477cd46f46b7ff64e862a613adb19ca80e9a40ceb4819b1036f46775e207e6dbe04ea150fcb2324ee3d98f113f5c8857e008b6cc548fda933cd |
C:\Users\Admin\AppData\Local\qureegG\HID.DLL
| Hash | Value |
| --- | --- |
| MD5 | 1b8249eecc486bc10e68c0d12bb59cb3 |
| SHA1 | 7fb9c60e323f3004d1e838ab259196ed1efc86d8 |
| SHA256 | fd3995a71d5c7af53bffe787645cfbd97d227718377d8136f541caa7f42c67a5 |
| SHA512 | 81b15a7d90896f48f93caaa37f6351ba0c5d271a81998823a0c9368afb183b154c75a58936fbe9781b6362bd6567527d7287df71b4275b66c1421e90d2fafa82 |
memory/4460-116-0x000001F33F1C0000-0x000001F33F1C7000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk
| Hash | Value |
| --- | --- |
| MD5 | 656c7d903de097f5d871adde1cdec337 |
| SHA1 | 1b99db8f2be555714e80218b49862bf609fef14b |
| SHA256 | e74a39e8591c483a47203e5346d86d17b9f3835fd5a44e43d454ff558ea31b1a |
| SHA512 | f30a973226aacb8b6adba2d18b750a1088005f132d2e7fdde7d6b15cf4046f1525c399e38c95714d4ee1e829395cff3acd6fc651aa12e466e564d7fdacbc5520 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\LeE7hTIr\XmlLite.dll
| Hash | Value |
| --- | --- |
| MD5 | 663bdf166b9f7fed9a6f420605c12899 |
| SHA1 | d8c59d38858613631e9a4698c9d418bb8739a5f5 |
| SHA256 | c874cb57a8abeef650019fae85743e3494669dd1ed81fdf9ddfee4e2ab3a5d3d |
| SHA512 | 0bb056272c041dd3ce5732fa496e1a51e8fb2f4eca843eba1be7082c5518ad759dbe8c8f5654fbeb75a921525a979dd369d6ea7241db10c22badfe9a5b4649b8 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\oNKXd5y\HID.DLL
| Hash | Value |
| --- | --- |
| MD5 | 027d46688430612f41fa42f453ddacb5 |
| SHA1 | fbd4573cc48d4d4b7bbe405ba8490ccc415c11b3 |
| SHA256 | 000e226557c3c87cb9eab35ca8522ac5ef430959fbd74ffb024f3b5339557277 |
| SHA512 | 5258c87248f2ef22744655f64cd87041b598a9e3300289b7fb5197de0468bdc9c666701242b5e3ab688d4150bf85524c479008ff73ce336778b73ddf11341c0f |