Analysis Overview
SHA256
cdb5e75841cdd400ef88879799480357211372e7ea884fcb228efc941cec8b58
Threat Level: Known bad
The file 0ecd6fbf320e70c4a34a5c3ec82a418c.exe was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-04 20:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-04 20:10
Reported
2024-01-04 20:16
Platform
win7-20231215-en
Max time kernel
151s
Max time network
131s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uOAV\BitLockerWizardElev.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\K1Iec5F\EhStorAuthn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\C10L6\dpapimig.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\uOAV\BitLockerWizardElev.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\K1Iec5F\EhStorAuthn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\C10L6\dpapimig.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\hVK5\\EHSTOR~1.EXE" | N/A | N/A |
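The Run value above is the persistence artifact worth turning into a check. Three things stand out in it: the target sits under the user profile, every long path component is written in 8.3 short form (MACROM~1, FLASHP~1, EHSTOR~1.EXE), which defeats naive string matching on the long names, and the image name resolves to EhStorAuthn.exe, one of the System32 binaries the process tree shows being copied into AppData. The script below is an added example, not part of the sandbox report; it parses indicator lines in the report's `name = "path"` form and scores those three traits. The KNOWN_SYSTEM_IMAGES list is assembled from this report's process tree, and the OneDrive value is a constructed benign comparison, not something the sandbox recorded.

```python
"""Score HKCU Run-key values of the kind recorded in this report.

Added example, not part of the sandbox output. Three traits are scored:
user-writable target directory, 8.3 short-name components, and an image
name matching a System32 binary that was copied out of place.
"""
import re
from typing import Dict, List

# Image names this report shows being copied into AppData as side-load
# hosts. Constructed from the process tree; extend it for your environment.
KNOWN_SYSTEM_IMAGES = [
    "BitLockerWizardElev.exe", "EhStorAuthn.exe", "dpapimig.exe",
    "tcmsetup.exe", "lpksetup.exe", "sppsvc.exe",
]

USER_WRITABLE_MARKERS = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                         "\\users\\public\\", "\\programdata\\")

# One path component in 8.3 form: up to six characters, '~', digits, and an
# optional extension of up to three characters (FLASHP~1, EHSTOR~1.EXE).
SHORT_COMPONENT = re.compile(r"[^\\.~]{1,6}~\d+(\.[^\\.]{1,3})?", re.IGNORECASE)

SAMPLE_RUN_VALUES = [
    # Copied from the "Adds Run key" signature in behavioral1.
    r'\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\hVK5\\EHSTOR~1.EXE"',
    # Constructed benign value for comparison (not from the report): a real
    # per-user installer also runs from AppData\Local, so that trait alone
    # is not enough to convict.
    r'\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
]


def parse_run_value(line: str):
    """Split '<key path>\\<name> = "<image>" <args>' into (name, image path)."""
    key, _, rest = line.partition(" = ")
    name = key.rsplit("\\", 1)[-1]
    rest = rest.strip()
    quoted = re.match(r'"([^"]*)"', rest)
    image = quoted.group(1) if quoted else rest.split(" ", 1)[0]
    # The report stores the value JSON-escaped; collapse doubled backslashes.
    return name, image.replace("\\\\", "\\")


def matching_system_images(basename: str) -> List[str]:
    """Resolve a (possibly 8.3) image name against the known System32 hosts."""
    short = re.fullmatch(r"([^~.]{1,6})~\d+(\.[^.]{1,3})?", basename)
    if short:
        stem, ext = short.group(1).upper(), (short.group(2) or "").upper()
        return [n for n in KNOWN_SYSTEM_IMAGES
                if n.upper().startswith(stem) and n.upper().endswith(ext)]
    return [n for n in KNOWN_SYSTEM_IMAGES if n.lower() == basename.lower()]


def assess_run_value(line: str) -> Dict[str, object]:
    """Score one indicator line; 3 means all three traits are present."""
    name, image = parse_run_value(line)
    components = image.split("\\")
    uses_short = any(SHORT_COMPONENT.fullmatch(c) for c in components)
    lowered = image.lower()
    user_writable = any(m in lowered for m in USER_WRITABLE_MARKERS)
    hosts = matching_system_images(components[-1])
    return {
        "name": name,
        "image": image,
        "uses_short_names": bool(uses_short),
        "user_writable_location": user_writable,
        "system_image_matches": hosts,
        "score": int(bool(uses_short)) + int(user_writable) + int(bool(hosts)),
    }


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Score every Run value, highest score first."""
    return sorted((assess_run_value(l) for l in lines),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage(SAMPLE_RUN_VALUES):
        print(r["score"], r["name"], r["image"], r["system_image_matches"])
```

Run it as a script to print the scored values; the report's value scores 3 and the OneDrive comparison scores 1. On a live host the same scoring applies to HKCU Run values read with `reg query` or `Get-ItemProperty`; expanding the short names back to long ones needs the filesystem, so do that on the host rather than from the report.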
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\uOAV\BitLockerWizardElev.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\K1Iec5F\EhStorAuthn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\C10L6\dpapimig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0ecd6fbf320e70c4a34a5c3ec82a418c.dll
C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\uOAV\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\uOAV\BitLockerWizardElev.exe
C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\K1Iec5F\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\K1Iec5F\EhStorAuthn.exe
C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
C:\Users\Admin\AppData\Local\C10L6\dpapimig.exe
C:\Users\Admin\AppData\Local\C10L6\dpapimig.exe
Network
Files
memory/2252-0-0x00000000001A0000-0x00000000001A7000-memory.dmp
memory/2252-1-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-4-0x0000000076F46000-0x0000000076F47000-memory.dmp
memory/1376-5-0x0000000002590000-0x0000000002591000-memory.dmp
memory/1376-7-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-13-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-18-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-20-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-22-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-23-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-25-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-30-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-32-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-41-0x00000000771B0000-0x00000000771B2000-memory.dmp
memory/1376-40-0x0000000077051000-0x0000000077052000-memory.dmp
memory/1376-39-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-31-0x0000000002570000-0x0000000002577000-memory.dmp
memory/1376-29-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-27-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-28-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-50-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-26-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-56-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-24-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-21-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-19-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-17-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-15-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-16-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-14-0x0000000140000000-0x0000000140124000-memory.dmp
C:\Users\Admin\AppData\Local\uOAV\BitLockerWizardElev.exe
| MD5 | 73f13d791e36d3486743244f16875239 |
| SHA1 | ed5ec55dbc6b3bda505f0a4c699c257c90c02020 |
| SHA256 | 2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8 |
| SHA512 | 911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af |
\Users\Admin\AppData\Local\uOAV\FVEWIZ.dll
| MD5 | bc2328391caeac2aeb82a3fb75777fed |
| SHA1 | 9aeb0ca334bc92700855de33257886b8c545be3f |
| SHA256 | c3e4959de2cca846296a925512cbb4ec7b1239098c4e73cc52290f7771559fab |
| SHA512 | a3ca9263d8e932d6f7793d15ee465119509edc608f45facecce200ddae5421292908838479f2e9b03a360cb43f5d652127a2043b6ba3ce60dd5783596ac01697 |
memory/2168-69-0x0000000140000000-0x0000000140125000-memory.dmp
memory/2168-73-0x0000000140000000-0x0000000140125000-memory.dmp
memory/2168-68-0x00000000000F0000-0x00000000000F7000-memory.dmp
C:\Users\Admin\AppData\Local\uOAV\FVEWIZ.dll
| MD5 | 2b879d8fc0324b1b28d6fb825412a1aa |
| SHA1 | f1d8c31ca2f454cc450cc121293b5933bcd35072 |
| SHA256 | d3dfda3b4395040157209336a16f9a3aaecee9e82aa62b8bffe5e9c7eab7eeb3 |
| SHA512 | 8dcb665698606b9c1ffa7e31b427705896d6136862c28c9cf6906e5a681386b4b96bffe84b9dc139a52acedbaeb59142c8fb55bed278e5a6e5dcd881146a8762 |
memory/1376-12-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-11-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-10-0x0000000140000000-0x0000000140124000-memory.dmp
memory/1376-9-0x0000000140000000-0x0000000140124000-memory.dmp
memory/2252-8-0x0000000140000000-0x0000000140124000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\papwAL\BitLockerWizardElev.exe
| MD5 | 3dc03c9e6fa6cbca801060de6def5a95 |
| SHA1 | 75cc801082cb868a34ee68e068f19ba5ba6f7f8a |
| SHA256 | 7f9793beced6eda291be9f9a080400922ad8510c0be6e67dd1b6151b4d2943c6 |
| SHA512 | 45b8c71e9c8ee9b3ef0424290587d8aecb06f4e5bdeda43e8c7216700d43995876c141d7c63ad4e1ffc155dd74138997b0ae78df80a5e7d08be2bc0014725bfd |
\Users\Admin\AppData\Local\K1Iec5F\EhStorAuthn.exe
| MD5 | 3abe95d92c80dc79707d8e168d79a994 |
| SHA1 | 64b10c17f602d3f21c84954541e7092bc55bb5ab |
| SHA256 | 2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad |
| SHA512 | 70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c |
C:\Users\Admin\AppData\Local\K1Iec5F\EhStorAuthn.exe
| MD5 | 43030409ed34426b7922f5a84d52f181 |
| SHA1 | a4655a13c716f8f28c9173ffbe137d2ad14f76e7 |
| SHA256 | c0c838842df520cd417a8052e5792e90aa6d6f65aee147e5e3fc6b24a6e04d12 |
| SHA512 | 8432f56ec215c9a624dca897ef360ba3554a1fd6a123f97dafbcc96e897881c7f928d3bbafd6ec90bbc2da2d54a3268d70d28eb3b10aaf6b035560bf80f9773a |
\Users\Admin\AppData\Local\K1Iec5F\WTSAPI32.dll
| MD5 | 3b3ce388656359f6a1bb281a4db5979f |
| SHA1 | 878ee468aeb7db10913b76c8c1d98ad7a01c5fcb |
| SHA256 | 7bc799ac45c0a76a30da737ba3d21c859a2c327c82666f85b7018d944a3e8310 |
| SHA512 | 0e9faa10cf459924879becbee17758f8902535fab93fe191b98bedf037c229ddf81c926f0aadbb6cab7869e95ee44d5a9c35668a178682e1eeb5067ebeb7ed1a |
memory/696-90-0x0000000140000000-0x0000000140125000-memory.dmp
memory/696-86-0x0000000000080000-0x0000000000087000-memory.dmp
C:\Users\Admin\AppData\Local\K1Iec5F\WTSAPI32.dll
| MD5 | dcf95c9d786dd5800699d3a5721921a0 |
| SHA1 | 0458d55efca864257f15eb7c3c2b382a8f4f0123 |
| SHA256 | c5a0f5039d10fb4522d755cda5e1e87ad2e0050b97778b75718f5ccb93bfee46 |
| SHA512 | 575ec9f41c6a1e7cfae4534c614c07f3f9939f0b2f54213247205bd70fe0daa1918dbaacc965754f4f69abeedbdc6bafe0e4467d12e3601e6a49342726c9b681 |
C:\Users\Admin\AppData\Local\K1Iec5F\EhStorAuthn.exe
| MD5 | 7dab86e4566f94e7b7fcf8988a94d9a8 |
| SHA1 | 3d03e26c83d9a4ccb4b64e998ac8c6fe5a5bdcda |
| SHA256 | 0999dc8a6de77deeb00668039686b83342320593387b02be5f30b2a9713dcc49 |
| SHA512 | f2462a460775b4398a4064b813f6c36cdd85535c23898073d0957b61b687b45809c0cd76dbcd38615f6b92507c459bc824614dc14bced8fa262c1e34b180365b |
C:\Users\Admin\AppData\Local\C10L6\DUI70.dll
| MD5 | 836a3004f0587e59e2e6812e2b500407 |
| SHA1 | 7c16ad6e60e6ad3af6cef9f3575f33f9deac445e |
| SHA256 | f7c32d086d515f3e00975a468f5a3eb64661a939706a1f6b0f1638332c02308d |
| SHA512 | efd27743b46120311e3ac53e8db43abda895985395bccc54158289c66861b766fe26f1d6ddab7e7b64749120fb1806d5a8fd7bd506dc365082d47cd66734c238 |
C:\Users\Admin\AppData\Local\C10L6\dpapimig.exe
| MD5 | f26502e8a03b6f04a230364ffde0b28d |
| SHA1 | c6470dd60e15c313876654340fb4cb91b83bb70c |
| SHA256 | 38341ff1e418179952ea863fb46e35e5c10a20dfb5573024e7d0cde493cff831 |
| SHA512 | 90dae2512f566992c858938a75769b04eef84716522b76e90024e671f01a163622502aa6a0852c701f1c0c51584a02c1e1397a5bb2d42ddd0243575f90ce0495 |
\Users\Admin\AppData\Local\C10L6\DUI70.dll
| MD5 | c9dbcd26e505121ab8fba7368c4a2e14 |
| SHA1 | d8552f0ed8090b07b76481a317556b1cb8432a69 |
| SHA256 | 6c9aca6116232c9dbec492a410f0ffa4da9c3b9aea33fa030e2f7912e5fe9a45 |
| SHA512 | f61c06006c3e3ec26db7387a2bafdd5316bcf7461225aec5c7ca461b4efea02d4e13669b596224510c265457a58de402be5610ddc455be05747c7ba8b9ed026e |
memory/2860-103-0x0000000140000000-0x0000000140158000-memory.dmp
memory/2860-109-0x0000000140000000-0x0000000140158000-memory.dmp
memory/2860-105-0x0000000000200000-0x0000000000207000-memory.dmp
C:\Users\Admin\AppData\Local\C10L6\dpapimig.exe
| MD5 | 7d9e3895ed4a46741c91568460b78942 |
| SHA1 | 03d19bd19005d21ce981c77c15cb3af5f3ca6009 |
| SHA256 | c5dce4cda7c43cf97f9243cdc06373647467f73fa1c8c839fb17f4723e1e134d |
| SHA512 | 161d6c1e290a2d5495878127e9e80182cf693be71d8660ffd630526f2066025c091fac2393829cfb166dfc7af35b2517124c7b868d472374dc2f08d65e6e0ddb |
\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\j2Rp2jVc\dpapimig.exe
| MD5 | 0e8b8abea4e23ddc9a70614f3f651303 |
| SHA1 | 6d332ba4e7a78039f75b211845514ab35ab467b2 |
| SHA256 | 66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1 |
| SHA512 | 4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk
| MD5 | 872bebfc297f3ca277482e3697a69acb |
| SHA1 | 246a7706f91323ea82c9871b4b3016ae24dc7858 |
| SHA256 | 3425fc1e3f782cf3754b0c9137596ead4b05cc7d28989bad368d4c169a5750ff |
| SHA512 | 9c3ff580f20d11f14e4c037e66eb7d48bb5277348c27d34b363904f7804eb1eb3cc5ee5cd967ff96a5236b3ff72d33567cb84a7e2ecb3d8af17eea1111e8b62c |
memory/1376-128-0x0000000076F46000-0x0000000076F47000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\papwAL\FVEWIZ.dll
| MD5 | cf23abc8937f23bb5febcd2236810e6c |
| SHA1 | b18f9dc7d9634d5b5625d2359bb37f948b8e34ee |
| SHA256 | 261530f4cce1cf4a4bbef33b64df797595856b2493321eb749d22701ba3e48ae |
| SHA512 | 99df532754757de376c0984831f6ea1ecfd878cf441b8aec6e92b074a06f7ba101353635aa2ca760da9b300de758cb450c8c1239d6ef1888eafc0df458b884f0 |
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\hVK5\WTSAPI32.dll
| MD5 | a798a0f9e3dc476d43dca891b44be237 |
| SHA1 | 93178b00b2f3b1802e144f02317112582cb09738 |
| SHA256 | 1e50c1b46bc55e10957139af315f23dec9149057f03753eb8bc92a30a15c04ee |
| SHA512 | 8675c783894506a828a22b0f51712d82f97ba7f0f7b601060708207e87ecec70d4e6cc854a1f7e033f2e8fef6c3a947e5ed5cbe07b1eac9703fce784ea675527 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\j2Rp2jVc\DUI70.dll
| MD5 | fa32ca22e18ac4c0db5d4579ac4118e0 |
| SHA1 | a02140e35126802f06dfa570cd7632893d780523 |
| SHA256 | 310631bd4e760c666074632ccc213f6b722ddbcd995a2a18c7a2dabb8bfcf3af |
| SHA512 | 3e42845fd548972e2751cff9049a6e0c01ed3332dbf57b1f94f7316027d62b37c586c5c3ba900c06ca21c70bb36498fbab5db0c9058b190db6eb8d4a36104560 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-04 20:10
Reported
2024-01-04 20:14
Platform
win10v2004-20231215-en
Max time kernel
3s
Max time network
123s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0ecd6fbf320e70c4a34a5c3ec82a418c.dll
C:\Users\Admin\AppData\Local\DnH2aDC\tcmsetup.exe
C:\Users\Admin\AppData\Local\DnH2aDC\tcmsetup.exe
C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
C:\Users\Admin\AppData\Local\OlCCLu\lpksetup.exe
C:\Users\Admin\AppData\Local\OlCCLu\lpksetup.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\dZdH\sppsvc.exe
C:\Users\Admin\AppData\Local\dZdH\sppsvc.exe
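Both detonations show the same DLL side-loading chain: a Windows binary starts from System32, a copy of it appears in a random directory under AppData\Local, and a DLL is dropped beside it (FVEWIZ.dll next to BitLockerWizardElev.exe, WTSAPI32.dll next to EhStorAuthn.exe, DUI70.dll next to dpapimig.exe in the Windows 7 run; TAPI32.dll next to tcmsetup.exe, dpx.dll next to lpksetup.exe, XmlLite.dll next to sppsvc.exe in the Windows 10 run), with second copies staged under AppData\Roaming and several files listed twice with different hashes, so they were rewritten during the run. The Windows 10 run reached only 3 s of kernel time and fired far fewer signatures, but its process tree carries the same pattern. The script below is an added example and not part of the report: over the process images and dropped-file paths copied from this report's Processes and Files sections, it pairs copied System32 images with DLLs in the same folder and separately lists DLLs staged without a host (such as the hVK5 folder, where the Run key points EHSTOR~1.EXE). The directory markers and the name-only matching are my own choices.

```python
"""Pair copied System32 images with DLLs dropped beside them (side-load hosts).

Added example, not part of the sandbox report. Inputs are copied from the
report's Processes and Files sections; the report writes some paths without
a drive letter, which normalize() restores.
"""
import ntpath
from collections import defaultdict
from typing import Dict, Iterable, List

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")

PROCESS_IMAGES = [  # behavioral1 (Windows 7) then behavioral2 (Windows 10)
    r"C:\Windows\system32\regsvr32.exe",
    r"C:\Windows\system32\BitLockerWizardElev.exe",
    r"C:\Users\Admin\AppData\Local\uOAV\BitLockerWizardElev.exe",
    r"C:\Windows\system32\EhStorAuthn.exe",
    r"C:\Users\Admin\AppData\Local\K1Iec5F\EhStorAuthn.exe",
    r"C:\Windows\system32\dpapimig.exe",
    r"C:\Users\Admin\AppData\Local\C10L6\dpapimig.exe",
    r"C:\Users\Admin\AppData\Local\DnH2aDC\tcmsetup.exe",
    r"C:\Windows\system32\lpksetup.exe",
    r"C:\Windows\system32\tcmsetup.exe",
    r"C:\Users\Admin\AppData\Local\OlCCLu\lpksetup.exe",
    r"C:\Windows\system32\sppsvc.exe",
    r"C:\Users\Admin\AppData\Local\dZdH\sppsvc.exe",
]

DROPPED_FILES = [  # from the Files sections of both runs
    r"\Users\Admin\AppData\Local\uOAV\FVEWIZ.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\papwAL\BitLockerWizardElev.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\papwAL\FVEWIZ.dll",
    r"\Users\Admin\AppData\Local\K1Iec5F\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Local\C10L6\DUI70.dll",
    r"\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\j2Rp2jVc\dpapimig.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\j2Rp2jVc\DUI70.dll",
    r"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\hVK5\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk",
    r"C:\Users\Admin\AppData\Local\DnH2aDC\TAPI32.dll",
    r"C:\Users\Admin\AppData\Local\OlCCLu\dpx.dll",
    r"C:\Users\Admin\AppData\Local\dZdH\XmlLite.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Khm\TAPI32.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\8vp9Dpn\dpx.dll",
    r"C:\Users\Admin\AppData\Roaming\Adobe\onM\XmlLite.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk",
]


def normalize(path: str) -> str:
    """Restore the drive letter the report omits on some Files entries."""
    return "C:" + path if path.startswith("\\") else path


def find_sideload_candidates(images: Iterable[str],
                             files: Iterable[str]) -> Dict[str, List[dict]]:
    """Return folders holding a copied System32 image plus a DLL, and DLL-only folders."""
    images = [normalize(p) for p in images]
    # Image names that ran from a system directory at least once.
    system_names = {ntpath.basename(p).lower() for p in images
                    if p.lower().startswith(SYSTEM_DIRS)}

    # Group every path outside the system directories by containing folder.
    by_dir: Dict[str, set] = defaultdict(set)
    display: Dict[str, str] = {}
    for p in images + [normalize(f) for f in files]:
        if p.lower().startswith(SYSTEM_DIRS):
            continue
        folder, base = ntpath.split(p)
        key = folder.lower()
        display.setdefault(key, folder)
        by_dir[key].add(base)

    paired, dll_only = [], []
    for key, names in by_dir.items():
        hosts = sorted(n for n in names if n.lower() in system_names)
        dlls = sorted(n for n in names if n.lower().endswith(".dll"))
        entry = {"dir": display[key], "hosts": hosts, "dlls": dlls,
                 "user_writable": any(m in key for m in USER_WRITABLE_MARKERS)}
        if hosts and dlls:
            paired.append(entry)
        elif dlls:
            dll_only.append(entry)

    # A DLL staged without its host is still worth listing when the same name
    # is paired elsewhere (the host is copied in later or launched by short name).
    paired_dll_names = {d.lower() for c in paired for d in c["dlls"]}
    dll_only = [e for e in dll_only
                if any(d.lower() in paired_dll_names for d in e["dlls"])]

    def by_folder(entries):
        return sorted(entries, key=lambda e: e["dir"].lower())

    return {"paired": by_folder(paired), "dll_only": by_folder(dll_only)}


if __name__ == "__main__":
    found = find_sideload_candidates(PROCESS_IMAGES, DROPPED_FILES)
    for c in found["paired"]:
        print("host+dll", c["dir"], c["hosts"], c["dlls"])
    for c in found["dll_only"]:
        print("dll-only", c["dir"], c["dlls"])
```

The matching is by name only, which is what the report gives you. On a host, compare the AppData copy's hash with the System32 original (an untouched copy hashes identically) and check the Authenticode signature of the sibling DLL; a genuine Windows binary paired with an unsigned DLL of an import name it loads is the side-load signature, and a dll-only folder is the next staging location to watch.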
Network
All traffic recorded in this run is Bing (204.79.197.200, resolved for g.bing.com and tse1.mm.bing.net) plus reverse-DNS (in-addr.arpa) lookups; the Windows 7 run recorded no traffic at all, so no Dridex C2 contact was captured in either detonation.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/2288-0-0x0000000140000000-0x0000000140124000-memory.dmp
memory/2288-1-0x0000000001440000-0x0000000001447000-memory.dmp
memory/3456-4-0x00000000007D0000-0x00000000007D1000-memory.dmp
memory/2288-7-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-9-0x00007FF83678A000-0x00007FF83678B000-memory.dmp
memory/3456-10-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-11-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-6-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-8-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-12-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-19-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-22-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-26-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-29-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-31-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-32-0x0000000000400000-0x0000000000407000-memory.dmp
memory/3456-39-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-30-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-40-0x00007FF837C00000-0x00007FF837C10000-memory.dmp
memory/3456-28-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-51-0x0000000140000000-0x0000000140124000-memory.dmp
C:\Users\Admin\AppData\Local\DnH2aDC\TAPI32.dll
| MD5 | 7040c293315814674fb636518da218c7 |
| SHA1 | a42be9067b774714e3d54ec5b3eba7492ef647c8 |
| SHA256 | ebabfc376a09d7cbaeceea687472ac6167703f4d9cf9bcd9349e6ecc75fc3970 |
| SHA512 | 89820e295160e862df7f31e0e652d1d7168beeefb1942f38f10dc19e37a0e26fc4067459f7a14635f460cdcf8d84a1754c8591405bf0bed08c441111c0ccfac8 |
memory/3892-60-0x0000000140000000-0x0000000140126000-memory.dmp
memory/3892-66-0x0000000140000000-0x0000000140126000-memory.dmp
memory/3892-61-0x000001F2423A0000-0x000001F2423A7000-memory.dmp
C:\Users\Admin\AppData\Local\DnH2aDC\TAPI32.dll
| MD5 | 372f101c459540c0cba5bccc00677470 |
| SHA1 | 13710b9b12d7bbd0225ae74876cb5b415f00cd0d |
| SHA256 | a3817c223a724efbcb89f02b2957b8cc3fd21d6f70d6554598f23c3076eca224 |
| SHA512 | 8d632304fa4c09a2569fa7623f00f96adeffa914d4de9bb3c8e7b425709bcf1c64c105ae830d61d6cd2c0af68ca1dda4cb56167e5a69e45ba660e126455e79a2 |
C:\Users\Admin\AppData\Local\DnH2aDC\tcmsetup.exe
| MD5 | 58f3b915b9ae7d63431772c2616b0945 |
| SHA1 | 6346e837da3b0f551becb7cac6d160e3063696e9 |
| SHA256 | e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39 |
| SHA512 | 7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5 |
memory/4700-77-0x0000000140000000-0x0000000140125000-memory.dmp
memory/4700-83-0x0000000140000000-0x0000000140125000-memory.dmp
C:\Users\Admin\AppData\Local\OlCCLu\lpksetup.exe
| MD5 | a1744e9cca51b2907ef62ea8edf746d9 |
| SHA1 | 0ca2c89e6f4a0ea076cd620e8e1bbe0e9d25b3d1 |
| SHA256 | 1e3ec0f2fa9b935a5fb8859f37924234cb0b0c55eab6290ece0586ed281a85a0 |
| SHA512 | 29a1b758befe7aaa927f53bf833203b88fd76dea1a60e50b386cb210a2cb51a61fca8bba25c2d5fa6be25d8116b56e21297bf13191e2f0422f70930f94067c2d |
C:\Users\Admin\AppData\Local\dZdH\sppsvc.exe
| MD5 | fe0401f6a742da34052d4e1e660125b9 |
| SHA1 | a2d27a8209f9cda5fef5269beafd3d86840a1103 |
| SHA256 | 6d38a17f7bae0fb41e4a02fd93276a95685c50f026bfc7b01308e51c8dfbbeaf |
| SHA512 | 5cb439edbaeec065de5ed3ecb304b3cc677e3fe9a87fd3eb01fae3d75d4b0b7867a3ee399eddb60057610379283f8239dc9bb829fb5f0423877e4b59ccb4e4dc |
C:\Users\Admin\AppData\Local\dZdH\XmlLite.dll
| MD5 | 082ca1e032e84292bd126ba35f0f26f8 |
| SHA1 | 7ab3071f1e43f04b985e0be33cee51708da9d5a3 |
| SHA256 | 87596aac5a9104a1e0b608c343d262b547a2c24d7fec4dde2210b093f5592953 |
| SHA512 | 7dcad8cabbace0740bbb50552b1e3318348ce7f402be864a7a3ffb6eb1d959e8e6fe2fe5e455e616954b4d642a582bebe681d836f19154b43b8e2de32e970aa1 |
memory/4936-100-0x0000000140000000-0x0000000140125000-memory.dmp
memory/4936-96-0x000001B3D59B0000-0x000001B3D59B7000-memory.dmp
C:\Users\Admin\AppData\Local\dZdH\sppsvc.exe
| MD5 | 4df9c93280a9582d5e9d857d91f81f65 |
| SHA1 | 372ced29add7b923f91e65cf88e08c0c6f22e3bb |
| SHA256 | 34a34c8b2af3581a0864d39e96f4af8ddb15d3d1e525b1ec1015e8dabae756a6 |
| SHA512 | 3a9bce2581e11be4d5b57468e9f1c473bdf8ec86cceac54f4522c38820fca3b2ef8754b3dc0ad05df18f0a59afefafb95924439d6f320543360363c11cda191c |
C:\Users\Admin\AppData\Local\dZdH\XmlLite.dll
| MD5 | 52ed0da3a5e05de8e4287229c6622f25 |
| SHA1 | 75077e1a12432b8814bc8da37f399f1e9d95020c |
| SHA256 | 4b8f2e449253b4442937de9ec3fff0a1da181fb20ea8bd6166d2a13efe82d057 |
| SHA512 | 119378c5371721376bc4876e8a11c6e9cc8183373f34239e5fb802adc7738df92a07c34e04717c473ef6c10469dfa69f5dc6112f1def21aa9cd75a6a789095ff |
memory/4700-80-0x00000205852D0000-0x00000205852D7000-memory.dmp
C:\Users\Admin\AppData\Local\OlCCLu\dpx.dll
| MD5 | f5ef62e798eb554af9f4103510a8e585 |
| SHA1 | 2aa97b94f6049145070f542a3c4a7dab096dfcca |
| SHA256 | 35b60a90bb88921b62872f92c8ffda57ba29d0006904149729dfe374503ad50a |
| SHA512 | 4edf629b9d0c71c5c3a161bbac48d0ad5b2c3119b08aa32c4fc583d9bfc64f3e796c3d0b225db060e2bdec1995723a73eed8fb77015937f1920894a882daa960 |
C:\Users\Admin\AppData\Local\OlCCLu\dpx.dll
| MD5 | 96b2aebcd0de8cfd357baff261f29df3 |
| SHA1 | 9d0bfd1190f4cc8c264249e4948a61f72d8741c4 |
| SHA256 | 3a04de4b8c4132cd0e6a1b076226c311b228d12707d64614b7ca716623854883 |
| SHA512 | 9f9d89d5a376431b419a775ef94978bfba6b56af3346878c1ea0cf7bfd21e7e91b5d3e63c3cf8c5eb0f413d274582e9ee1a7d95a29bf028743fac3888e1e7e07 |
C:\Users\Admin\AppData\Local\OlCCLu\lpksetup.exe
| MD5 | 8d3dd1a565d3a7fdc8c0768f8cd2c335 |
| SHA1 | 30f3c23693bc6332207703c7dbbeb08c4d526190 |
| SHA256 | 6f5a87fa3ce81dce0fee22ab787fd73910e0a690af33e3ebf20918a1029b0466 |
| SHA512 | ffa49898fc442c8795b8d55957e03b9d604b644ddca039a7e55038c907872d93a2bb2a3c5282535654fc10e5e9455113f1bf1fe51d30dec049f1d7e9b9e09067 |
memory/3456-49-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-27-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-25-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-24-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-23-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-21-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-20-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-18-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-17-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-16-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-15-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-13-0x0000000140000000-0x0000000140124000-memory.dmp
memory/3456-14-0x0000000140000000-0x0000000140124000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk
| MD5 | 9a6e3fd838aa70c4a0ca6694dde6babe |
| SHA1 | 843b0917686189cbc12a351e7877146eeeaaf0ca |
| SHA256 | d7c0fd1f2ad2369894a553d9e9bd74751d8508b6f4de9bff7606da41e7933cd9 |
| SHA512 | 6d322877616f8903ed53ede4fd5dd6866c35ddecd814d121b688034adeeeda11a4e618d5169f0a829411b54c677b7c2dd7c26f576f0cf5e3871df23a860754f6 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Khm\TAPI32.dll
| MD5 | ab408ee234639e5eaabc43f18ca9ec76 |
| SHA1 | 8b23897c2366f759f82990a49bd8ad49872c829a |
| SHA256 | d4f0f4cd15d54e2c93b3af6ff508206b8db5d759b0ea803146ee6a5d8049e8e5 |
| SHA512 | 0d27409aaff06c4eda05b64da2a9684ba37e8b7aec070e87321626744653d883e0b347aa6480e3fce51c299fd68271292a9a1b2f5313e12a843ee60017b1b374 |
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\8vp9Dpn\dpx.dll
| MD5 | f414f46c15077cb4b33b84d64957379c |
| SHA1 | 7537eed2724b5f6b8d086534dac5957fe3d8f0f7 |
| SHA256 | 484ac003f23a2c1ba0bf3fcc86a7f29ffce8a891069831b1f5d68b297bd17a96 |
| SHA512 | 3b6a6b3674eb37ec004ee9d1dee8550708783c34ce388a983766d7fb118fc7edfb6e124b351230b723fa4d02a688e59f037c44af534cafca1e00d42b9149cbb4 |
C:\Users\Admin\AppData\Roaming\Adobe\onM\XmlLite.dll
| MD5 | f95018509e619d771f03abb48675187f |
| SHA1 | 27a671b791bc00c7aa6d9c09a63522fdac1ac09d |
| SHA256 | 4638288827c96d6d09099d71d58830d90859ad9e3648155d73cd169282a51b39 |
| SHA512 | ab6b941d075ad555a983562fcf71219ef7a79b0a4eb1770ec81713b55296135d7a1e048147e0b6a5c31c0d547bf1e79d7554838a600d9f59ac66823df34d7d6b |