Analysis Overview
SHA256
f5ea651a5287874fc2f8eaa98420e32524d62b93f42ebbf148854f80d967add4
Threat Level: Known bad
The file 3bde98475e14c43335fee53f75665d56 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-01 04:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-01 04:17
Reported
2024-01-06 02:47
Platform
win7-20231129-en
Max time kernel
3s
Max time network
121s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bde98475e14c43335fee53f75665d56.dll,#1
C:\Users\Admin\AppData\Local\schmv\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\schmv\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\fKrEZN\calc.exe
C:\Users\Admin\AppData\Local\fKrEZN\calc.exe
C:\Windows\system32\calc.exe
C:\Windows\system32\calc.exe
C:\Users\Admin\AppData\Local\FS1ry\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\FS1ry\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
Network
Files
\Users\Admin\AppData\Local\schmv\FVEWIZ.dll
| MD5 | 7d13527948dcd18e5ddbbffb1d53e73e |
| SHA1 | 3157ba50594022536836acd6a5e954f94eb25d6b |
| SHA256 | 8ebf9dea097a8cb0d9eebfe811093b66a382970e30a0311d27b1be5509c65a9a |
| SHA512 | 1828a547b6bb45f728a9fec7419cc989af54c8b9536c9ec8a8a5778d38b367bc49954aae48946e90da1f343fe2ff7bf29a3b03496522d34750ef5a22e9cf10f5 |
C:\Users\Admin\AppData\Local\schmv\FVEWIZ.dll
| MD5 | 419c1699b071d2047487f1f0a449ee0c |
| SHA1 | 50cf2675a8cb695d2f75dd6baafdb439dbc93456 |
| SHA256 | 9ea7581c03516952d110c66a2c318465b32cfccb5d8e23fe91e993d67a9656eb |
| SHA512 | f26412cfa569d3a90737d76baa1a632ff7dcdf80ef738f516eff357ec0e5e2271d30129ddc1a4b97d92c1096c1ccdd198ce622d93a0ab1550eca1aa3f9bfa12f |
C:\Users\Admin\AppData\Local\schmv\BitLockerWizard.exe
| MD5 | 2c284257e311ce094842f4aa427f1a87 |
| SHA1 | 408317bd40c22a2eb0a1a6ea38da4eab8b9e9d80 |
| SHA256 | e77855af33e709eb6566b64832bafd33f3186406b08a863b0adcd1f01a4522f2 |
| SHA512 | 83263a5aec6a59609a23850178c4ab6896bafc55d8b9a5df21f551d12d7769adea964b09ae49f3977ee33ecb8fdd3954a06634b171c5fda9b497f977628bd98b |
C:\Users\Admin\AppData\Local\schmv\BitLockerWizard.exe
| MD5 | f362d86ddd66a65e2133b21182ae4026 |
| SHA1 | 72e12659cc362a2af262b550e63b3bcff8ed4967 |
| SHA256 | f0b7f72866ae8b554611f57e72b51c61a698d23a8404eb15fd723fc69863553d |
| SHA512 | be4ce65a896265d26047a0dd2b7d0d52a57c683b6e68937f759230348486da89928fbe3f6bda085f031dba1d39c960678b1083559dca7327e406fb6a5e33df99 |
\Users\Admin\AppData\Local\schmv\BitLockerWizard.exe
| MD5 | 1937408fe42688f553a55af1406e2d24 |
| SHA1 | 9ebed436746e042201ad35802a46463996534a5f |
| SHA256 | 25baf98d01e78a467c603784ccc0721bbed2f805ff33a91407f9dba1b39dfd70 |
| SHA512 | 44dd741dd4326f29792ec43251fa9f9efb0666d950931f79b5d7ca669cea3d20d7b9bb177f7a2d0e716c05fc5da146bb4a3731e9bf42519d56c59319e5132ad3 |
C:\Users\Admin\AppData\Local\fKrEZN\calc.exe
| MD5 | 23bc3ef6125285306658ae83eea2801a |
| SHA1 | e8ba4abee6906e8f14078b5c26695aa69d662521 |
| SHA256 | a9e426de146b3a82e15fb8d258f9de3ff67aa4d5504fec5e535b87b00630db1e |
| SHA512 | 36b89f3db390c9f3739327f3b5ba5932f35aa66ac866ae0a1949f57777ed09b59d82a175bee62ace0eb15591a5d16105b3d1259fdec94720d97dfef9cb1cd70a |
\Users\Admin\AppData\Local\fKrEZN\WINMM.dll
| MD5 | 7c9549dc890d36138b36272ca53adcb9 |
| SHA1 | 1ba7cd6cc47d2b4145887811541551fb0f83d249 |
| SHA256 | 559ea36c82590faa6a0a9b130e2745b43af79d71873f4a760f72a7a4cd024475 |
| SHA512 | d74d8a034f5d46af64e5eab8a0b16cc5bc3791d45dad0ec7c4e5e3f7cae2f13c496efeaceabc6b96261607575b1394c36b18ea7bd1579395c25ca1ee5a283fb0 |
C:\Users\Admin\AppData\Local\fKrEZN\calc.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\fKrEZN\WINMM.dll
| MD5 | a386cb57e4196748fa55421bfce7dadd |
| SHA1 | 2b5babda1e5275a6828f84208a1a331359aa993c |
| SHA256 | 18cca07409ac6091a920e57a889546acb47dc0d653c9c681bfb71646339fe07f |
| SHA512 | a589738a1023e68661ec6750f9e7f4b840e90498cb2253f7036dad83612fa3faf60cda5cc196925e56302cb5a2d466016871df467f774ac9f48e71edd20f39d3 |
\Users\Admin\AppData\Local\fKrEZN\calc.exe
| MD5 | 52fba9fdcbda1aed9ff58eeb0a44314d |
| SHA1 | 3bde97a3715b9758e5cb0cea73b60bd1268d8601 |
| SHA256 | 4a986d0164ec778fbe45cae68b30ee8262d59022b9110e1883f642b1a246bdc2 |
| SHA512 | fc75544759de2e466d68908a2a97f48ae35c04c2c7be93bbb33abdc2b4e9574668ddaa22c5c02cdfc1bfb072ac28a225f1af6b6d9fabae6bf11d2e57c1b755a0 |
\Users\Admin\AppData\Local\FS1ry\SystemPropertiesComputerName.exe
| MD5 | 3442c9353291d10148f50dd7c4d50bb5 |
| SHA1 | e10e1e80783c7b6ef6c7eb8614ba3d427d43400f |
| SHA256 | be08e473a905bae470e86e78ce2c7f84b521ab1fbce06ac4b0611a369e75917d |
| SHA512 | cc307891a62e917d0d721d2e62d62b41c982f5786a24c39fa12a97cf35f23d03389bf89decdd004f29d49a9ae2c937c7b19b3fecb6bd21a4bba04a72cbc01096 |
\Users\Admin\AppData\Local\FS1ry\SYSDM.CPL
| MD5 | b0c6dea91187b39f5270749b001d9242 |
| SHA1 | 5f563bb74124ffddcbcc247e006368ac50f8fd2e |
| SHA256 | 701c7587b71da55a0808d8608a5d5ba50be637fc98e08951614c3b7f795a8d09 |
| SHA512 | 160e388f16bf11868ed917f689ca730599e4300ce4e479ea2979add3246cc555885c4bd2d9968b0759594617329f78fd564eacbc4e9e34a9c96d9d124778a1c6 |
C:\Users\Admin\AppData\Local\FS1ry\SYSDM.CPL
| MD5 | 5f175afb20a45691d4a9b154abfd2c21 |
| SHA1 | 7ef9b09f9392623c60119989ee97720ff687c21d |
| SHA256 | f551bd1c3374c7264ab5ef5b38284530bcdcbebaa2d14e3101e890313e44ca1c |
| SHA512 | 1bb031d39a66c93322519f7fbeab324b32b6174ad93a2625d1b0514c189a45e7bced11a245e0432256c9b2d01d9c3feb141b19b115259f00d0ab9cd6dbfd75bf |
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\0FOpkt9N1P\SystemPropertiesComputerName.exe
| MD5 | be1be27c8e713ad62d40841c2f445b3d |
| SHA1 | d02c0e98c19993e232605e99cd905c493c6e50ca |
| SHA256 | 5ff78e23d75d47681db07e7a2139201b030d42d4119e32d1fe95261d94f979c8 |
| SHA512 | f1f30eef24744e99017bf9359b8b1882388170153b10a7676ec1653e84e46c9112fcd1208c91b39fc4819b6a7869422a920d623b993457fa18f4f6a5f19719d1 |
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\0FOpkt9N1P\SystemPropertiesComputerName.exe
| MD5 | 04ae8061c1ddefcf78b4ada8467a00b1 |
| SHA1 | 151d915fbef21cedcfcaea05aa1ef2bec0aae732 |
| SHA256 | fc672497472caab5f82252b67fd361959776bd0ede44c28a3e5ea4a5bd26f1f5 |
| SHA512 | ee19fe58366da401c4b3084149f546141ffb9d2916299d62d917c7364f29122a7be28be8975ebdf1d55b0c271f3e1a1bdbaf67ca515368fe9d6c2798dd43af50 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk
| MD5 | 94db66db5cba9cbb1d7d19fdcc4c2db7 |
| SHA1 | 8b6236a7172e11acd35819f897a1508bc729fed7 |
| SHA256 | 769182fff73c31fdd9481bc6d66ee87aba59fb3579e9decd1984ccc409725f2c |
| SHA512 | 611824ea9be775bc4b70db3b05ac08ce2f1330de436ecb78b5ed648d5ab2af2dbb0b9bfec5dc01fe0e244c4cc9e49174dc1e4b08a78706262bbbe8258d7a8972 |
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\76RVLVYY\oTXc3\FVEWIZ.dll
| MD5 | 985c98c608c0645557b4d54565c5fdc4 |
| SHA1 | 8fc029f0b21b2e72412e0f28156fae7d3ea03751 |
| SHA256 | cf7a553dd807bf5b0b6fc457472a348d7836a40e848b64a265e12d12ddb6fe7b |
| SHA512 | da2d6f4da39b55fc59c149d170125a88d1a56d93055857c324fee3c1b1612566c60fc35abc5aae338bf8c105f8083e9a22400564268c418a5056ca4f995cc19b |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\WGKxYFIp2\WINMM.dll
| MD5 | 4c6df402a6ceb980cb85fa3fe823df9c |
| SHA1 | 89db36a399c29d10a0bb95e7ff69c0318beb4d38 |
| SHA256 | 0857cdd68a2de2f9905264633df7e277701f5aa456ec349164e6e9e9be6f8c08 |
| SHA512 | 74a10e8c9236ddb5c50f1dbc957dcccfe7124a8c62714bbcc6b6f2dee94808cc8ef4b7f70132f03bde184d7122be04421b1e26da38cf78726c28213d1c579d97 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-01 04:17
Reported
2024-01-06 02:46
Platform
win10v2004-20231215-en
Max time kernel
116s
Max time network
155s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\cPgaJ9f\SystemPropertiesComputerName.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\77aSs\SystemPropertiesRemote.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\4qi385\quickassist.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\cPgaJ9f\SystemPropertiesComputerName.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\77aSs\SystemPropertiesRemote.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\4qi385\quickassist.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\ePLj7WkNXJ\\SystemPropertiesRemote.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\cPgaJ9f\SystemPropertiesComputerName.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\77aSs\SystemPropertiesRemote.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\4qi385\quickassist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bde98475e14c43335fee53f75665d56.dll,#1
C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\cPgaJ9f\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\cPgaJ9f\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\77aSs\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\77aSs\SystemPropertiesRemote.exe
C:\Windows\system32\quickassist.exe
C:\Windows\system32\quickassist.exe
C:\Users\Admin\AppData\Local\4qi385\quickassist.exe
C:\Users\Admin\AppData\Local\4qi385\quickassist.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\cPgaJ9f\SystemPropertiesComputerName.exe
| MD5 | 618e9398b1448072e3b2b8656bc47d5b |
| SHA1 | a027aa406c10116bab6974ad724e9a10bef8bdf0 |
| SHA256 | 1caf017abb647a5148d8b5cce396e163f16dd8fe5414ba4c54e38eb5a197e4f5 |
| SHA512 | 7f87d3bac33be13968e2412260f3a206510a18a46bcedb03ec43c4efb628a27a079eb3ff4817bfde92cca706e2f64587051ff7a1d0381113e2248d7ab61e1e20 |
C:\Users\Admin\AppData\Local\cPgaJ9f\SYSDM.CPL
| MD5 | 7e289a19c7da9385409335462ee22f57 |
| SHA1 | 79ee9a01545ffb6b46112fb946435d2d48e6ea4e |
| SHA256 | 63aa97f972b8c85c1752d371cf93e8225c8809a75b2f61c05871d312ae6c4fd6 |
| SHA512 | 9d7474d123b7a6492842b04989816d06287a1f7188c822546e64c66c9afe49e3bd2c9349f92a4ea16fd6c80f34c0d338fde4d3dbc681822a2a8567393f0ae7b1 |
C:\Users\Admin\AppData\Local\cPgaJ9f\SYSDM.CPL
| MD5 | c14fe11878d81025a50ef667f039453f |
| SHA1 | a9bf68f393af6f22c3cd56064a03ef8e9d861ce8 |
| SHA256 | a3df0bdbd561da98161c2f9a6550f67503d066b045f200c9b812510a92fcf0f7 |
| SHA512 | f6f6e6d6db59051a4dda1503fc1e5310c90493e60db7db3ab4dcc10beabbae22076de20507f06959550182e81e2a37e735e560309e9a0c361e17443c7523bb2b |
C:\Users\Admin\AppData\Local\cPgaJ9f\SystemPropertiesComputerName.exe
| MD5 | 5d8949297ad42ee1157524894a4a5eb1 |
| SHA1 | ccb53d4e5f9d6db98eeaf079ec8323578106475e |
| SHA256 | 49e5392e30c9c3c3e6c1c63f5da7a6b843cd23fe2ffc657b4c1ce1b321fe6167 |
| SHA512 | b8c3f22f048d5a5b4ba94c8e32262ab20f692a16e630b306c8a0557dcfbd32dd11c25726d606beeeef24eb2fe5db4a034ab7eac362969754351cb05ea0c22b12 |
C:\Users\Admin\AppData\Local\77aSs\SystemPropertiesRemote.exe
| MD5 | 8536e90bcaef78af556a71c3310244c9 |
| SHA1 | 24324c5e839609ba276e06a67e27abfef9e4936a |
| SHA256 | 350f328402040e8b3dcdce71331d5b941c08e3a7cff060e5f14c4cd2b5028922 |
| SHA512 | 719b8c436b0721ddc566f34652899b31aa27a133c326541f9a4d612c6814125d960fc30b095bc2d7c854d53f55cd9279c2c9a78775e59dd7572ef5284621d58f |
C:\Users\Admin\AppData\Local\77aSs\SYSDM.CPL
| MD5 | 8220e24a4d9c6199b99bd38310839817 |
| SHA1 | 5dee5b472ce70fc8317c89e412e9660a81034e75 |
| SHA256 | 21d5ae44b9294615e8befb8b6acdcc7e08884d1093bbb53b1a8e231649d82aad |
| SHA512 | 7bb101806ddeac561c978206098b31fde156686e3533eeb9113bf24bc061db7c45ab322b4a12d6ca45463c3d5dc4a741417fb25bc77bc6ee64f852cca60b4a93 |
C:\Users\Admin\AppData\Local\77aSs\SYSDM.CPL
| MD5 | 5f175afb20a45691d4a9b154abfd2c21 |
| SHA1 | 7ef9b09f9392623c60119989ee97720ff687c21d |
| SHA256 | f551bd1c3374c7264ab5ef5b38284530bcdcbebaa2d14e3101e890313e44ca1c |
| SHA512 | 1bb031d39a66c93322519f7fbeab324b32b6174ad93a2625d1b0514c189a45e7bced11a245e0432256c9b2d01d9c3feb141b19b115259f00d0ab9cd6dbfd75bf |
C:\Users\Admin\AppData\Local\77aSs\SystemPropertiesRemote.exe
| MD5 | cdce1ee7f316f249a3c20cc7a0197da9 |
| SHA1 | dadb23af07827758005ec0235ac1573ffcea0da6 |
| SHA256 | 7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932 |
| SHA512 | f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26 |
C:\Users\Admin\AppData\Local\4qi385\quickassist.exe
| MD5 | dea3f86e93707867ed687aadcca4d4fd |
| SHA1 | 9a23453c2d62f4787e9876a817caee4e29e41c32 |
| SHA256 | 61e6b9a824ae1f35187941b6427c912a0e5c13cbac3b448327a2fe08619a7bce |
| SHA512 | ed2648603ff5cc4625491b8008799fffdb8276ce2f26ee4824aba1b29fac85a1903ab32f7664cc63de1105b0772886555e3908ec64c67c2cb30d75a69e00702c |
C:\Users\Admin\AppData\Local\4qi385\UxTheme.dll
| MD5 | 02c7252d139da762c7a084bef8bafe1a |
| SHA1 | 236798f0592c0360802de7ef51e3363745fd1bcb |
| SHA256 | b7681def407e7a996aa43057fa403f7c7f53cc0c9f07ee4ebd0253565e581702 |
| SHA512 | 3658d71d56de3f0255ffaa05ed87c6ddfa32f1b4e025718f2087b44a20e4ad368e1be9050354a26048699708cfce14f08544fd4eff23f03a396ee3f1b2993d66 |
C:\Users\Admin\AppData\Local\4qi385\quickassist.exe
| MD5 | e98f31fa90c2d8bcd9ccb7b1059c51ac |
| SHA1 | 896a11e82015db4caf1246c0ebfb756debf3feb3 |
| SHA256 | d8ddd3ccf16c62d3854fabced0aa326a5fb4180ddd13db2640821a448ee784c7 |
| SHA512 | 3b726a539140a7aaf3adc121c26e6f2135d589be83a6b668185a4f48df3e3c1839cabe541a2bcccfb2c8f32f16494b07cbf81163046d7003a0481370f13c2f5a |
C:\Users\Admin\AppData\Local\4qi385\UxTheme.dll
| MD5 | b1d733def65a23d0059e67a17120b51f |
| SHA1 | c6c5befc49143ee20cbb839c6103d1569676c7e8 |
| SHA256 | 88b3be4d617dfac670149f5b4b08212b2a1ec08e03d65607726bb5ffc100f90c |
| SHA512 | 67a3d29366719e5c03453e2e8cc12835f8f118ddff959bfbae6be6232f256041fc3c114467d6649e4b3f20ba3f1b56c8bc649259ed54d14cd9db061001325dc8 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk
| MD5 | a4dbec6160ec21beb8d2981bdb7af5f4 |
| SHA1 | 970c1e34132b3c61dbd37fd7745854a2251e7b24 |
| SHA256 | 0cba14f3005b0e9486a3874e1b151a815dd91a4d2ac0f12a66b5180752137f42 |
| SHA512 | 101511e8302a12e98e9ddfb991cc9a1936a5fda766ae5fe2729061cd58af91b14f2d76c696e493c85e62c5bbb5d928262bc30ec1d8ebdf3881c7144af19cf796 |
C:\Users\Admin\AppData\Roaming\Microsoft\Office\5dewJw\SYSDM.CPL
| MD5 | 70a533cf98f011ac29b44f9981af1b56 |
| SHA1 | 8aba403f76277ccfc11a09eb2b691eb97bb528a5 |
| SHA256 | 731bcc7c1b4c07d1bb597f99b737e7eecaf5a0de3b06a88a702e6037651816cf |
| SHA512 | aa865c301fca768ff6bc1f5c7e942ca7b805ca7388cda70f50fc6fd52622fd428e7f5619cf69344c2aefb08447fa164ea805bba2505d2de519e51a837ce6755a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ePLj7WkNXJ\SYSDM.CPL
| MD5 | f61b3ca17980346d95b87dbd7ac0106b |
| SHA1 | f576eb453026c1fbbd3dbc75113d0eb38073ac85 |
| SHA256 | 999f293fea5f55c7206dd7de7bd276a2f3e280185558d09dac11d9e614566b9d |
| SHA512 | e457216a0b24b60cacaf905262d873670311313e6876648580cbaf6659089c5a624e6379eadd287a99adf6344354b9efcab39d4ae4ec5c7912497a61cf5fc9a5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\rJFsKsq\UxTheme.dll
| MD5 | 9b4bcee2730846587720a51c6eaaad37 |
| SHA1 | 6863ba7ea97f5d9cc656aab65602a65c156df503 |
| SHA256 | a2d7bc00fa15f126ed56713a7da4dbd6fc87a5ed6258ddd28a193040ca558427 |
| SHA512 | 4ce20f4eae4aade4d8dd341c029458ba859fdf4058904ab08c924ebac5434ca3a348e9dfff763cf69d380bac7c8b33410706f624952571570a915cc6c4723d21 |