Malware Analysis Report

2025-08-05 21:11

Sample ID 231231-n5p6waead3
Target 35571756db6a05c766ae0db158457790
SHA256 06aa7af64996fbcdc485c56a41c2bcf169445bbc2d12a3674c943e15e66f61f1
Tags
persistence upx vmprotect
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

06aa7af64996fbcdc485c56a41c2bcf169445bbc2d12a3674c943e15e66f61f1

Threat Level: Shows suspicious behavior

The file 35571756db6a05c766ae0db158457790 was classified as: Shows suspicious behavior.

Malicious Activity Summary

persistence upx vmprotect

VMProtect packed file

Executes dropped EXE

UPX packed file

Loads dropped DLL

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 11:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 11:59

Reported

2024-01-10 13:00

Platform

win7-20231215-en

Max time kernel

150s

Max time network

229s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\services.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\services.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\services.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\services.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\services.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Internet = "C:\\Program Files\\Common Files\\Microsoft Shared\\services.exe" C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\A_v_Dvd.ocx C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\A_v_Dw.ocx C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\A_v_bind.au C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\services.exe C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File created C:\Program Files\Common Files\Au_ing_Code.ini C:\Program Files\Common Files\Microsoft Shared\services.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\A_v_Tj.ocx C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\services.exe C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.ocx C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Microsoft Shared\services.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll
PID 2728 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll
PID 2728 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll
PID 2728 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll
PID 2728 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll
PID 2728 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll
PID 2728 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll
PID 3016 wrote to memory of 1068 N/A C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe
PID 3016 wrote to memory of 1068 N/A C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe
PID 3016 wrote to memory of 1068 N/A C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe
PID 3016 wrote to memory of 1068 N/A C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe
PID 3016 wrote to memory of 1068 N/A C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe
PID 3016 wrote to memory of 1068 N/A C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe
PID 3016 wrote to memory of 1068 N/A C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe
PID 2728 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 2728 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 2728 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 2728 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 2728 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 2728 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 2728 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 2728 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
PID 2728 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
PID 2728 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
PID 2728 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
PID 2728 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
PID 2728 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
PID 2728 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
PID 2376 wrote to memory of 544 N/A C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 2376 wrote to memory of 544 N/A C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 2376 wrote to memory of 544 N/A C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 2376 wrote to memory of 544 N/A C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 2376 wrote to memory of 544 N/A C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 2376 wrote to memory of 544 N/A C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll C:\Program Files\Common Files\Microsoft Shared\services.exe
PID 2376 wrote to memory of 544 N/A C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll C:\Program Files\Common Files\Microsoft Shared\services.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe

"C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe"

C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll

"C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll"

C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe

"C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe"

C:\Program Files\Common Files\Microsoft Shared\services.exe

"C:\Program Files\Common Files\Microsoft Shared\services.exe"

C:\Program Files\Common Files\Microsoft Shared\services.exe

"C:\Program Files\Common Files\Microsoft Shared\services.exe"

C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll

"C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"

C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll

"C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 track.qvod.com udp
US 8.8.8.8:53 stun.qvod.com udp
AU 1.0.0.127:65535 udp
AU 1.0.0.127:65535 udp
US 8.8.8.8:53 stun01.sipphone.com udp
AU 1.0.0.127:65535 udp
AU 1.0.0.127:65535 udp
US 8.8.8.8:53 agent.qvod.com udp
CN 61.139.219.200:80 udp
CN 221.194.134.216:80 tcp
CN 221.194.134.216:80 tcp
CN 221.194.134.216:80 tcp
US 8.8.8.8:53 y0.jbmgsd00.info udp
US 8.8.8.8:53 xx.jbggmm1.info udp
US 8.8.8.8:53 bakg.jbg2.info udp
US 8.8.8.8:53 tg.jb3tg.info udp
US 8.8.8.8:53 yxyx.jbgan4.com udp
CN 221.194.134.216:80 tcp
CN 221.194.134.216:80 tcp

Files

\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll

MD5 3b09dabee3e7c7f0847b7a22b11a5d36
SHA1 b0d7b82feaf1958e867e5c1831ce13ba34c1caf8
SHA256 d41e7c6491903cf9cb8ccdfc7abb6664d6e3b46e1f8dabb2cf48bf8d330e6ade
SHA512 06ea932226deab80aa41798df4fe9d32b203556d944534a07310a9b9fabb0ebd7b9e44828f5c0fedd009461c4a89d1ab75010d5cacf1afa30d860cb710fb0114

C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll

MD5 6b1075240d921a23b263dc96702d4b7a
SHA1 b27bca7a6225011b80075cc251cca2ccdee785b3
SHA256 d6203e3187b77f81ccdc2ffdf7ec746676604659b405d1b7b108ad1ea763514c
SHA512 ab1068394c04391af6444a96c9d7ef0e40e1f36bf1f7166956e20514427977a16e6f01b0657f1c1b66becaaa5b56631ec3e8997929a6c8556b37c4bb216fa393

\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe

MD5 98a47a067a396d52c8f33cd82d1df5e4
SHA1 2c8e3743283615f6f54afd60806f5476d3e52f06
SHA256 cc6e0f9ea16b535ab144868ca0b0b0d41a4953326a3b2bb3bb68a263bb3da83c
SHA512 380b32900159deb9a3caad5522414a8d77613fe4b832a63717809efaba65606a4526a4e5e32309c2168e22ce231b1294ee8cb95e633f60f3733f642510ea1f15

memory/3016-14-0x0000000000230000-0x000000000027E000-memory.dmp

memory/3016-16-0x0000000000240000-0x0000000000242000-memory.dmp

memory/3016-12-0x0000000000400000-0x000000000044E000-memory.dmp

\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll

MD5 bddb4dd8279654fa35613cef6e2a1b39
SHA1 9b97d95e35d1c1b33012c39041fc0ed1ea55d638
SHA256 eb1d9025585c8e205ce9535e1ee13c4c5b7c0dda9c650be239085b8968e2b2f3
SHA512 a5f6e4fcdc682d4d4e50dfdcb30f9b76e981cf8ac49f37c8c3e503d62ab2cbe5e7beb1d22e2074adc99a31c133f0c12ea6948a23385ef588d78c3d878d3e3e76

memory/3016-23-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1068-25-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1068-31-0x0000000002DD0000-0x0000000002FD4000-memory.dmp

memory/2728-6-0x0000000000240000-0x000000000028E000-memory.dmp

\Program Files\Common Files\Microsoft Shared\services.exe

MD5 690977da6a8634e61e2ef315d143f448
SHA1 143d74c30c949455f23e77195f554b48bde32641
SHA256 a445d1699c5ca9dbd0d818b9e118635561d5178f73d312e48eb93e29092a9863
SHA512 bfe69c03d003bba70d9063eff57a2667f19af87ccb32876b2be8acbca36fa474ae3ab8fb1306dfa8082abad4830662b73c165cf7f560a2fc90ffde93677f2bdb

C:\Program Files\Common Files\Microsoft Shared\services.exe

MD5 9c8630c43ef332c342fc230ca8b801f9
SHA1 79465f293bb470bc03e34a444dfec1025c345b5d
SHA256 96c4b7b3a92e8ee7cfdc9d15d6fd6535fe4d78df93c305b1252889361de30906
SHA512 2c99a3018affc844df6369f582ffac1a72f81def85827f6f18a2e4329dc54e1538a4f96ef13f0480b3a27528e7bd8ea5c1cdf59513f7e467160699875aa855e6

C:\Program Files\Common Files\Microsoft Shared\services.exe

MD5 64fab4545b5fb2f15fe9f18d6714683d
SHA1 272e03579291a3fd593b8250c43a96edc24e523a
SHA256 65c8b20e0e9a8ccf63963dcf3a584abf8498ff5660b6dd9bc0ba28ee4c8dd8f5
SHA512 47106fe71f744fcda34baa2d0a19df3042d1acdf14d5ad81f2fef399b2a0c1d69c314f055291cd4b124806f103c982a884c65a6108bb106a4b9e7e5243072422

\Program Files\Common Files\Microsoft Shared\services.exe

MD5 e382f2678d8bdc558cd424a87a9106ff
SHA1 88ec4e06107eb4ee916e14658ff98197da12ad6d
SHA256 c4d00cd7e0e218d786776975dcda6225cd1e6e6613cecf1fe122e81a070ecfa9
SHA512 2141a437271cad33c12c7781233a0157d0a24ba62e78ad2a5cb7be86450e1a937c7ff6d9b7eb7f8a9eac22558714a3c33295a152f32fb2e02c5cf5c0e131b59b

\Program Files\Common Files\Microsoft Shared\services.exe

MD5 42e0ff448eb8c38a104446866846d7e9
SHA1 1f749944e431f91e1ea1521727fff06f9973871b
SHA256 ce489705f6aae308000b7a6d06221352402076b68a96f6985a96a5535b8ec7f1
SHA512 efbb767b11b92ba86abba32f30f69581f14f4cab734de52ae58be4f6aaaf5d395787cccaf672a4152f39fd17896937daddd508c8ef1d3413a330854af894f507

\Program Files\Common Files\Microsoft Shared\services.exe

MD5 1e47d64fb648680ca539dfd9a15b6084
SHA1 164449fcf129b93840e9b172573e1ae0cbeb8909
SHA256 1349a7f2d9f176d47986bd0e5988aa590159188c487c5e488c00d7a07479d5b4
SHA512 50e01cae12499e4cf91845d696a9d9741c139119d6a3d63dc88b0ae36f28faee9184f15a2ed875fc88ba520457e0e01519645b744a6b73cbbd619a8276b268e4

\Program Files\Common Files\Microsoft Shared\services.exe

MD5 f4987ac2989a7300738109645ebe529e
SHA1 2818cb415ab12bc50d7b95f0c5db747b52041814
SHA256 2eac50277288f0ee8a792161f3bc0db80aa564e6a2e1169294a981a4d4a28c46
SHA512 2447039d2a3827c52773bff461d1dc98c64dd9dedd1baf72d6c8d61343e4af6c621047bc23994b103b153a3d7075a03fadf060e1b5b1f735c07c6f5335799648

C:\Program Files\Common Files\Microsoft Shared\services.exe

MD5 e35aea3dc7421d3439704102c5e5fc25
SHA1 3ea82f43def9255aeefc9ee548a1f7ebe290e981
SHA256 1e6480fa7a44253ce7278d574749417af987fa71a53a8a085b7e4880f5fcec69
SHA512 a1968a43c9c1a2c1d838a6b3c89030d404829ba98e67ff00c7d217d181d90109296f13c3c5715d1aa6f238a1156311d7cc243896a87ab09201d50dc0623be814

C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll

MD5 0facda865e848f1b95fafcaa5b06432a
SHA1 6cf1823352247df6984168984c3c589b5c6fd5e3
SHA256 851009197966a6c5650edceefe9a755d69b1b820fbeb2cc885ea937e2d531501
SHA512 e4163dfb78819238fc04cc32f41521a164cf8a842b32a6fec809bf9ac41621f7c3c176be29f604c073d645a554a5d7c6cdd610b09d4c330849dce8790d7271bf

\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll

MD5 dc0fe2e7ead72a44dc10c67e4a43143d
SHA1 6cb11fd3e2f29ac0ba32eef0f04fda7449f38dc6
SHA256 8792f3cf2eff7053e169d98b5a355b7b2cc8275dc8d956eeceafa978e7f9958d
SHA512 22dab75c0988245c84650b0f0ae8e5e667d83ef69f522b0748254c3a99cdfc0a73f09fd9495e77f8c43fe19f241ac1286fb3fd038aa72399d0445fd18fdf3fd1

memory/2376-79-0x0000000000020000-0x0000000000033000-memory.dmp

memory/2376-78-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2376-77-0x0000000000020000-0x0000000000033000-memory.dmp

\Program Files\Common Files\Microsoft Shared\services.exe

MD5 fa237d70c2d0d3be3f13bdfb934a08ed
SHA1 513c6b799507370258e19a422802b2f3b7bbc35a
SHA256 23fc0b6596f691403d9db0623ecb85110aa44f470ffbbe7331b0c6dbd0790b69
SHA512 89e19cec9af67c831cee048f89dda7ab9e4889e6174a0233b0ad2f79fee6bbc17d718e0814a2d0ffa2fe1e3dffe31aa732234b7eb4ea4d77feb405cd38b67ae0

\Program Files\Common Files\Microsoft Shared\services.exe

MD5 7828594a6ea3c6a54034249be30fb74f
SHA1 6965fb5bc7a097ad2f9a55e0f2f2b0a9dba4ccec
SHA256 5d1468fa29f9aacf10c983bad03b8214abd751de0c66f66998874752374d2896
SHA512 be17c362032ed99a74b49f5d262cf2b291569bb1418e26d283c75e14f1610628cecf44fab86690fb2a92ad4e5b9852d53fc663160966592f5babd2858676adc6

\Program Files\Common Files\Microsoft Shared\services.exe

MD5 9de925d4189c6a2e510299a58e6ae796
SHA1 6d78b7e6b1a3ea88229ccc69368b519f13636e02
SHA256 83748e5819d9161322a734f91bc33517df1817a39d134fa93f5c5a6471170385
SHA512 69f9baaa8ac701be4b4efbde62cb7087cff4ef7a5c6ce0329462692d70fbebb7e7d9b2492e30a7d101630b412bb644363decd817a4283f49985416bed69d76e5

C:\Program Files\Common Files\Microsoft Shared\services.exe

MD5 77092ad6e1433e27e08d4aa5b2400d4a
SHA1 eb32ab08c0fd8e0c00fa9daba4be3ba201793b1e
SHA256 a1dfb21c9c488fd01da65706bae76e17831c25efa835e284d83bdf10eb4ec5df
SHA512 b741442dbc40c251ad4677647dfbb628c293912a11a6c61dd3ce87d42215bce20ac8703da8efb4d51dcfccd9c3b2ef6bd67840736266432b307d99056e8abbc2

\Program Files\Common Files\Microsoft Shared\services.exe

MD5 dfa76695eac71490ff0178b7980a4f39
SHA1 174627406979b0c6a976f105d14fc042fed12c08
SHA256 55f5f5661e4b367e2e604931e538ac7879a2d409f71c399ec86d81fa17d885a3
SHA512 2c67c917e7861b2f2369946ce404252a3e1e035646ec443b54f3d67c6000302b7b413f2a8c78d962d05eee33cdac71352d922e0b7918b53ebb138b3dd54b3361

\Program Files\Common Files\Microsoft Shared\services.exe

MD5 598b94473dcc4d6d54c8da84ad5446f0
SHA1 36512344a8fdcd66f9d45c9fdc8ab2a3715239d1
SHA256 bb60f39e37bdefcc9730595dfae5554a3fc45702cf19381cdaa7782f613e7002
SHA512 1687b167ff6cf5d4b7a9270a34e57323fd09ed5f8ec2a002ef28205a002fbf3f808b5b823e1c4eb332914477210ec473406502115d0c12d775e99cbd14ac5526

\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll

MD5 59666de59f1f809b5e9d66b6aa891791
SHA1 6c1b089a6fc6f36b0bb2106a21fe58d6a497b3b7
SHA256 0e3aee9e150023eb7c50ae429fe157bcdca1c98411a3058cd25e5a5df90a6cfa
SHA512 f0d18b0a0dc20177b8a65deae3e62e6cb9c1c70e0564cb35b9fa598926e32404a20bf7be2c88ea9adad7a2c2987cdbee94a83dfc90a17a0d57a9fa43cd190bfc

\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll

MD5 44562c10a30a1a0ea21f76262c7bcea5
SHA1 38f5583a64a32d8e9790f4b79c5f1b0d44655791
SHA256 eb776eb4ab48b093ef7d151ba429d06a3d7dc314cf3e85e579783dd47ea48ad4
SHA512 a189138f94bfcef42bfca7951e8bae3294dc03fa4b2754ec87f385e91c890117ed3de102a1bfbbed9a05312fbeb1c7e151b33c026378f1b6480b4b4c3603e026

C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll

MD5 f9fe4d6e25077a077a3dc1f599a6fcd5
SHA1 83bedc3a377ba5aec009aaeadd4b207cc2901f2d
SHA256 f04ed810fbead6a2320de25606ec1cf49b3a19cac11e85ed57ee999d590f8e26
SHA512 0526b02848eb55f958eed06f4297f1dece5c895fff493415b88794afb52ea3a3172d7b6f5e0b18941801014fcc094858844eef6240885c1bb4a85335d852be0d

memory/2728-65-0x0000000000240000-0x0000000000253000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll

MD5 770147eb111f0f73de5e53ff901165d4
SHA1 30556bcc0f1b674ca01df8518be0f68d8cc45fde
SHA256 bb1c1a9e81f1edab211c34b7ecaa7dde513d9a981790c02888647711505dec8b
SHA512 9d48feebe07723351ebd7280c76637002ceaec1228a416aaf1baccacd7b5ac4a07af689ad2facdcb8974add4d1b8767b868dc41e67fb2b7b561880f4dd150528

\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll

MD5 2b69dcc815cd2fdc38d881a80a52930a
SHA1 b0f9f9dcb038c7e51f0af6b51940985024a5e369
SHA256 7af101bfb82a323b20378c8218a45086466bad4b4083235e253c3b97bb576706
SHA512 28f4a9a53239bc548fc9e57d0e8cc424ac7d35a5f95184d306569059417195f45ac1085b3f235e601f3030cc659e9cefa908405634dee182c47a52fdbcb801f6

memory/2728-60-0x0000000000240000-0x0000000000253000-memory.dmp

\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll

MD5 7f1bc17b47f08b5fe0a6af75f21e726b
SHA1 48f3db99a374f5fbf747cf227b3d2b42a24c34ae
SHA256 936a0459cf04ea6b5e1dd0c9037049000d394f43d45a546cc20b8ca69439d542
SHA512 f7caf3a69c4235cdf7e005cb1b12b5888c4a4a00345a6d91bb92132bafd04326d46bef12879694f58f0e2757df173a8f20194d200c457c60c7a890219c7508bd

memory/2728-86-0x0000000000240000-0x0000000000253000-memory.dmp

memory/2728-87-0x0000000000240000-0x0000000000253000-memory.dmp

memory/2376-88-0x0000000000020000-0x0000000000033000-memory.dmp

\Program Files\Common Files\Microsoft Shared\A_v_TT.dll

MD5 470cac94cf07f233446e8ed03bca6242
SHA1 db84e191133876c9344e5bc150c6dba58d069481
SHA256 dadb8070c8dfc8f069b21fb830d537f1ab9503d2026d14a045dd9d14eae6e667
SHA512 6aff0c710e1fa71705ee8c8484d5b380aa77f4d6588b3fcc320edfa8e14339a1218497c1f7c5213c2523071120d643904a0cdf6e021f4e16b2acfcd75c982573

memory/3052-109-0x0000000000020000-0x0000000000037000-memory.dmp

memory/3052-108-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2728-107-0x0000000000240000-0x0000000000257000-memory.dmp

memory/3052-106-0x0000000000400000-0x0000000000417000-memory.dmp

\Program Files\Common Files\Microsoft Shared\A_v_TT.dll

MD5 9ee9776042f92c0bccea863290220b68
SHA1 1e6e28b70b1ca551fef85f704a323fd66ef035c6
SHA256 b3ce52328ec82d30f7095676b6d13f6bd3d6d18da5029fa8bffa1a4d1860302a
SHA512 be8ac0b872bcb7719a2c01a49ae873b2023db61b89bff35c14b1cb60ce6aa39f12e1e17c2dde5818aeb44126d2d611f3a38a8aac79c807d7e9a2fa05cb7d44e8

\Program Files\Common Files\Microsoft Shared\A_v_TT.dll

MD5 4d7fa6cd659fdbcb93bb6f917e1371b7
SHA1 9a9f52483553a2407de8fcfda38b137efc120743
SHA256 6cab576875febf89765cb2004ba8bb1dfb36bed2c273bd4a9ef7f6adcf6cb55c
SHA512 cd60cc71e06be8d3184747e44967c849b9169c7cce0104bea6460da58fbc78e4a18b1100487eb02a8bad3efb5938cb0888ea159876e0a4767e9eeec3baf2b577

\Program Files\Common Files\Microsoft Shared\A_v_TT.dll

MD5 fffaba06cdb60a27a9fd3a04ad934153
SHA1 e8664932e3c4ed27eba13e43d5058b13a0101925
SHA256 6c30316b627809c322cb740e3e63caaa587f199bb586fb4c6c87e4860f547b87
SHA512 64d4389186312a7eef2a57c12edce296f4203cad4a5d44acae4626b76393e312a40ff132dadaa5592da82ef9d12fce970af10a0ce2be763ba91dd850a45ffcdd

C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll

MD5 062c03872d213a8a0de29f500ede4289
SHA1 e48a81ac8bf55bde17dcb8471f13aa082350219c
SHA256 f8155d67baa938f4d1d2d4ba0e36ced70ad38f52448675569c105c8ddf769452
SHA512 f3d712c27c301ba6b4856d29d78c0860a3a2da94021d8f0b35de9038224e8699ddfb0924bbff05ebb22cbf0800764d4fa75fc6c6678435419266b5621e49aad3

memory/2728-101-0x0000000000240000-0x0000000000257000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll

MD5 e34d3317b1d43002247decf3a21c47bd
SHA1 c3251d0accc38ecc29f02a93ff21890263b3e812
SHA256 a2562813828b8e87bb2ca315acd019c1d256e97f64ef3f7c932476e5c8c92cd2
SHA512 17559d793732d9aec0ef758f7cdf91285dc431cd4600455bfb94c06a9c712faf9ac48c102710707ef31668eb920dcc557ddf325cf7518b9b0dbb9584cf04e415

C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll

MD5 ea16a99c69b4160cfbba718ed7837da3
SHA1 2e91769de9e6b68f58a604cde34b55a60b96091c
SHA256 3fba00f25f353d1f1b53235f7b965f0b01a46b9fb4170b3551d7965a285fd8e7
SHA512 6f61435288e2fff01f52db0afb4f0299c26cc639392793a1bb85ddfa0e7ff66c6e9ca9deab56752b51d4280319fa9581f597b241e61ffbff6006eb4d0efc91e7

\Program Files\Common Files\Microsoft Shared\A_v_TT.dll

MD5 4398b566eafd74b020b4f0a836efb990
SHA1 4d2279b392970c004afc415a02e57b516d8c7058
SHA256 2ea7eb14e7f81b6977b6835ffb537b2c0f2cc5e113f8c180f63a0ca130a1cde2
SHA512 b324de2109d54fe48e8771a2705955a8d9160a05478fb558aa443b8b54184443b2746bc3ef885f17f5adfb114cfedcc71f2b02c12e80a2d42e8db40bed49ee75

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 11:59

Reported

2024-01-10 12:58

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Internet = "C:\\Program Files\\Common Files\\Microsoft Shared\\services.exe" C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\A_v_Dvd.ocx C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\services.exe C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\A_v_bind.au C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File created C:\Program Files\Common Files\Au_ing_Code.ini C:\Program Files\Common Files\Microsoft Shared\services.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.ocx C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\A_v_Dw.ocx C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\services.exe C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\A_v_Tj.ocx C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Microsoft Shared\services.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll N/A

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4896 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll |
| PID 4896 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll |
| PID 4896 wrote to memory of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll |
| PID 1612 wrote to memory of 4348 | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll | C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe |
| PID 1612 wrote to memory of 4348 | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll | C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe |
| PID 1612 wrote to memory of 4348 | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll | C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe |
| PID 4896 wrote to memory of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe | C:\Program Files\Common Files\Microsoft Shared\services.exe |
| PID 4896 wrote to memory of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe | C:\Program Files\Common Files\Microsoft Shared\services.exe |
| PID 4896 wrote to memory of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe | C:\Program Files\Common Files\Microsoft Shared\services.exe |
| PID 4896 wrote to memory of 620 | N/A | C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll |
| PID 4896 wrote to memory of 620 | N/A | C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll |
| PID 4896 wrote to memory of 620 | N/A | C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll |
| PID 620 wrote to memory of 4184 | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | C:\Program Files\Common Files\Microsoft Shared\services.exe |
| PID 620 wrote to memory of 4184 | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | C:\Program Files\Common Files\Microsoft Shared\services.exe |
| PID 620 wrote to memory of 4184 | N/A | C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll | C:\Program Files\Common Files\Microsoft Shared\services.exe |
| PID 4896 wrote to memory of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe | C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll |
| PID 4896 wrote to memory of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe | C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll |
| PID 4896 wrote to memory of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe | C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll |

Processes

C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe

"C:\Users\Admin\AppData\Local\Temp\35571756db6a05c766ae0db158457790.exe"

C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll

"C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll"

C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe

"C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe"

C:\Program Files\Common Files\Microsoft Shared\services.exe

"C:\Program Files\Common Files\Microsoft Shared\services.exe"

C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll

"C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"

C:\Program Files\Common Files\Microsoft Shared\services.exe

"C:\Program Files\Common Files\Microsoft Shared\services.exe"

C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll

"C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll"

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | track.qvod.com | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stun.qvod.com | udp |
| AU | 1.0.0.127:65535 | | udp |
| AU | 1.0.0.127:65535 | | udp |
| US | 8.8.8.8:53 | 127.0.0.1.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stun01.sipphone.com | udp |
| AU | 1.0.0.127:65535 | | udp |
| AU | 1.0.0.127:65535 | | udp |
| US | 8.8.8.8:53 | agent.qvod.com | udp |
| CN | 61.139.219.200:80 | | udp |
| CN | 221.194.134.216:80 | | tcp |
| US | 8.8.8.8:53 | 200.219.139.61.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| CN | 221.194.134.216:80 | | tcp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | y0.jbmgsd00.info | udp |
| US | 8.8.8.8:53 | xx.jbggmm1.info | udp |
| US | 8.8.8.8:53 | bakg.jbg2.info | udp |
| US | 8.8.8.8:53 | tg.jb3tg.info | udp |
| US | 8.8.8.8:53 | yxyx.jbgan4.com | udp |
| CN | 221.194.134.216:80 | | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| CN | 221.194.134.216:80 | | tcp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| CN | 221.194.134.216:80 | | tcp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| GB | 96.17.178.173:80 | | tcp |
| GB | 96.17.178.173:80 | | tcp |
| US | 8.8.8.8:53 | track.qvod.com | udp |
| US | 8.8.8.8:53 | agent.qvod.com | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
| CN | 221.194.134.216:80 | | tcp |

Files

C:\Program Files\Common Files\microsoft shared\A_v_DVD.dll

MD5 c9f5b42a102a7eafc02edf2568b3e3fd
SHA1 bf6dfeec9ffcb1bc3f58c8883a8696d2957b775f
SHA256 668d3279064a9e63609e246178723857cedd0a415fa857f7b942f654844f19ec
SHA512 b9406c0a465d16ecbe31031e55de7c80eb06c2d4c78d418c177a33149e68afc0ad065c300c757dfe50c059436acbd9e07bd8084a5a670cf63fac489fd7bfda69

memory/1612-7-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1612-9-0x00000000001C0000-0x00000000001C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5555se.exe_4E2F607D76DEF471D6BE337F974C2EFFE7C5F73D.exe

MD5 98a47a067a396d52c8f33cd82d1df5e4
SHA1 2c8e3743283615f6f54afd60806f5476d3e52f06
SHA256 cc6e0f9ea16b535ab144868ca0b0b0d41a4953326a3b2bb3bb68a263bb3da83c
SHA512 380b32900159deb9a3caad5522414a8d77613fe4b832a63717809efaba65606a4526a4e5e32309c2168e22ce231b1294ee8cb95e633f60f3733f642510ea1f15

memory/4348-14-0x0000000000400000-0x0000000000441000-memory.dmp

memory/1612-20-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Program Files\Common Files\microsoft shared\services.exe

MD5 c214fca229d065b799ae552901fe3f59
SHA1 3b271438996a35955602fe60b1b06a026ac124b6
SHA256 ce896f9cc54072750b52e7b5a13e740c6d3684750281492186f4e2f991c09b2d
SHA512 ec5ecc9a36ce3a0aa821d26a0881195895cb3b54a6b210bf707092f339174b4d39d38bb5c2250b4e3ea4ce9fc7bcf360c3131336d8e7130e6430b0e6b94daf1c

C:\Program Files\Common Files\Microsoft Shared\services.exe

MD5 09f98253bf84311ae590f3d826bd21fe
SHA1 8ed5f8d5b66440839ac97e8bc04d17ada1087223
SHA256 cf29d7e361cfa52092826b893fac140365e628340b7cafa0e9f9df4104a72fa5
SHA512 9106087306e87a1d4eec281917586bd3cffeeb41b50cdfc1ec1e499950e457b4d07bc7fa0322011d576bd7784ccd9304364414bf47fe658f2021ef39d33f1d5f

C:\Program Files\Common Files\microsoft shared\services.exe

MD5 e1257277b5edcf9a2b0a62c3b8567394
SHA1 abc161103edc11b622f4cd0f89fc29ed04cf7b3b
SHA256 e69353fb3c8a69c851b55681797a55d098a016783cf89ef22f77d8a299d82485
SHA512 354cf935f2c0014c7506b9e4fdbf195848614af88fd3d6ffe30d33e4557769db5f46f717d42b44d3900b7670293f4896a0e83eed62173bcb68ff3ee743c61264

memory/620-35-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll

MD5 313fedb748b07089fda25cdfdccf7e48
SHA1 62a0ed3d22f2573bee2366c16d5021d1f9948284
SHA256 388d77eef7650bbffc78ce91dc225c34e2170e9aff4e77e1d83414ac7220f227
SHA512 03e819805727890b234d0e8a3b6720bb7855f2af8cbc51b358ec6a99649ef358db78ede28f4643d78c4962d1ab2ef065c21ff63a0432b62dd5fb976add15536e

memory/620-32-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Program Files\Common Files\microsoft shared\A_v_AuTo.dll

MD5 8df2f6666c334bc4ffd9f1805435ffe6
SHA1 56902be4a106d231fef4aa18172f38de8e5bd644
SHA256 96fa43a9472e69fa19dfdc52822d7113367cbfe6e5efade176bbf44b2c7e8721
SHA512 86b49ff8a4ed3440b7bf8235afadf7e940f7b5fe550f44b564cdf154caae49bb5f9699942a5411f5eb74c57bef13a6f1e323a6f39214ce89c9c16bf3850ce54a

memory/1240-46-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1240-44-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Program Files\Common Files\microsoft shared\A_v_TT.dll

MD5 08161ddde528f68cc653aa3d579f95d2
SHA1 8227a3a53483b2f339a963bc09ffb0d516117131
SHA256 9981cd2517944a114d7d5a1d71f9e93821218f665c86bc41eee5ba3c74a63c58
SHA512 479909dee6671befb7dc1e7007f6ff4c400aa5dbea51f61ea337c726e2f17c7ee57258d9d23c530e19f6b503d861238e6c3314ac97b8e3e922d0b23ff2428f3e

memory/1240-50-0x0000000000400000-0x0000000000417000-memory.dmp