Analysis Overview
SHA256
fee679a74d93c6adee409515fdf168e955e056dae2949cbf848a48e03a8ac97d
Threat Level: Known bad
The submitted file 736f4c09867897af390e3e0bf50a0b23 (a DLL, run in the sandbox as 736f4c09867897af390e3e0bf50a0b23.dll export #1 via rundll32.exe) was classified as: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-25 01:58
Signatures
Unsigned PE
No indicator, process or target details are recorded for this signature; the static verdict rests on the absence of an Authenticode signature alone.
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-25 01:58
Reported
2024-01-25 02:00
Platform
win7-20231215-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Dridex
Dridex Shellcode
No indicator, process or target details are recorded for this signature.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\k16Ck\spinstall.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\QvEm\SnippingTool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\6Jn\Dxpserver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\k16Ck\spinstall.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\QvEm\SnippingTool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\6Jn\Dxpserver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe | N/A |
Five further hits in this signature carry no process attribution. Each loading process is a copy of a signed Windows binary placed in a randomly named folder together with a DLL bearing a system DLL's name (VERSION.dll beside spinstall.exe, slc.dll beside SnippingTool.exe and DisplaySwitch.exe, XmlLite.dll beside Dxpserver.exe; see the Files list below). Because the application directory is searched before System32 for names that are not on the KnownDLLs list, the copied binary loads the dropped DLL instead of the real one: DLL search-order hijacking, commonly called side-loading.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\YFXLWlp\\Dxpserver.exe" | N/A | N/A |
The value name is random, and the target is a copy of Dxpserver.exe under the user's profile (AppData\Roaming\...\IETldCache\Low\YFXLWlp), a different folder from the one Dxpserver.exe ran from in this run (AppData\Local\6Jn). No file at that Run-key target path appears in the Files list below.
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\k16Ck\spinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\QvEm\SnippingTool.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\6Jn\Dxpserver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
61 further hits in this signature carry no process attribution.
Suspicious use of WriteProcessMemory
| Writer PID | Target PID | Target process | Writes |
| 1208 | 1384 | C:\Windows\system32\spinstall.exe | 3 |
| 1208 | 1484 | C:\Users\Admin\AppData\Local\k16Ck\spinstall.exe | 3 |
| 1208 | 2956 | C:\Windows\system32\SnippingTool.exe | 3 |
| 1208 | 1568 | C:\Users\Admin\AppData\Local\QvEm\SnippingTool.exe | 3 |
| 1208 | 1968 | C:\Windows\system32\Dxpserver.exe | 3 |
| 1208 | 1736 | C:\Users\Admin\AppData\Local\6Jn\Dxpserver.exe | 3 |
| 1208 | 2032 | C:\Windows\system32\DisplaySwitch.exe | 3 |
| 1208 | 1620 | C:\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe | 3 |
The report does not state which process holds PID 1208 (the Process column is empty for every row); the memory dumps below show the same 0x37A000-byte image at 0x140000000 first in PID 2208 (indices 0, 1 and 8) and then repeatedly in PID 1208. Every host binary is written into twice over: once when launched from C:\Windows\system32 and once when launched from the randomly named AppData\Local copy, three writes per target. The AppData copies (PIDs 1484, 1568, 1736, 1620) are the processes that query EnableLUA above and that each yield a 0x7000-byte memory dump below.
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\736f4c09867897af390e3e0bf50a0b23.dll,#1 |
| C:\Windows\system32\spinstall.exe | C:\Windows\system32\spinstall.exe |
| C:\Users\Admin\AppData\Local\k16Ck\spinstall.exe | C:\Users\Admin\AppData\Local\k16Ck\spinstall.exe |
| C:\Windows\system32\SnippingTool.exe | C:\Windows\system32\SnippingTool.exe |
| C:\Users\Admin\AppData\Local\QvEm\SnippingTool.exe | C:\Users\Admin\AppData\Local\QvEm\SnippingTool.exe |
| C:\Windows\system32\Dxpserver.exe | C:\Windows\system32\Dxpserver.exe |
| C:\Users\Admin\AppData\Local\6Jn\Dxpserver.exe | C:\Users\Admin\AppData\Local\6Jn\Dxpserver.exe |
| C:\Windows\system32\DisplaySwitch.exe | C:\Windows\system32\DisplaySwitch.exe |
| C:\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe | C:\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe |
Network
No network activity was recorded in this run.
Files
memory/2208-0-0x0000000001BE0000-0x0000000001BE7000-memory.dmp
memory/2208-1-0x0000000140000000-0x000000014037A000-memory.dmp
memory/1208-4-0x0000000077996000-0x0000000077997000-memory.dmp
memory/1208-5-0x0000000002170000-0x0000000002171000-memory.dmp
memory/2208-8-0x0000000140000000-0x000000014037A000-memory.dmp
memory/1208-7 and memory/1208-9 through memory/1208-65: 0x0000000140000000-0x000000014037A000-memory.dmp (58 dumps of the same 0x37A000-byte region)
memory/1208-69-0x0000000002140000-0x0000000002147000-memory.dmp
memory/1208-77-0x0000000077AA1000-0x0000000077AA2000-memory.dmp
memory/1208-78-0x0000000077C00000-0x0000000077C02000-memory.dmp
\Users\Admin\AppData\Local\k16Ck\spinstall.exe
| MD5 | 29c1d5b330b802efa1a8357373bc97fe |
| SHA1 | 90797aaa2c56fc2a667c74475996ea1841bc368f |
| SHA256 | 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f |
| SHA512 | 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee |
C:\Users\Admin\AppData\Local\k16Ck\VERSION.dll
| MD5 | 959843c47eaa9bf47c245f7a7c54cc2d |
| SHA1 | 2dcdd7573d2610e191c93dd9258bd34b4ff9db84 |
| SHA256 | 43aa786c45ea377bc4a94866a73c928a1c837847886d2beac226fb0bd4545a47 |
| SHA512 | c4a708ad81d4b74199789314fa6b9271b3dac8bd5d860468fd5e20f4170ea0385e031925e895f9bb218e1d050008686725aacc1672ef18ec7222590066d1fcc0 |
memory/1484-105-0x00000000000F0000-0x00000000000F7000-memory.dmp
\Users\Admin\AppData\Local\QvEm\SnippingTool.exe
| MD5 | 7633f554eeafde7f144b41c2fcaf5f63 |
| SHA1 | 44497c3d6fada0066598a6170b90c53e28ddf96c |
| SHA256 | 890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78 |
| SHA512 | 7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203 |
\Users\Admin\AppData\Local\QvEm\slc.dll
| MD5 | 58787c8a3f1b7b4b511aa735b79d2cd5 |
| SHA1 | 96bcbd2c9cf87ede17a25e95eda96ba1171a09bf |
| SHA256 | 1ff2979a16cb202124f72d196d276453a5234e52f1d157f638df0a5c40fae66e |
| SHA512 | e4c07af389b06ec61367efd8a8149b8ad8b13161a55baa042a0a56b9fe1f9cf97b53b408f67c0dc482643f220e81385e0d29dbeed3811234ef3c6637d1614c10 |
memory/1208-123-0x0000000077996000-0x0000000077997000-memory.dmp
memory/1568-125-0x0000000000120000-0x0000000000127000-memory.dmp
\Users\Admin\AppData\Local\6Jn\Dxpserver.exe
| MD5 | 4d38389fb92e43c77a524fd96dbafd21 |
| SHA1 | 08014e52f6894cad4f1d1e6fc1a703732e9acd19 |
| SHA256 | 070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73 |
| SHA512 | 02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba |
C:\Users\Admin\AppData\Local\6Jn\XmlLite.dll
| MD5 | d13998e695b9a489ec9c72a26b77359d |
| SHA1 | d4ada77aeda6845e5a8323244549e2f0dc30e9d6 |
| SHA256 | d4499394031f6e3cd4de47266131e071246a4db2f58877dc98bf1b85726f45e4 |
| SHA512 | 3872e97f9f12de1af0bbaf53a912a3ab9acc57de1fdb804f4433c6a9b0f4daaf1e43bc3287b80bb1ab2d390a9e34e887be05321abcba534803fc07c15993cbaf |
memory/1736-138-0x00000000001F0000-0x00000000001F7000-memory.dmp
\Users\Admin\AppData\Local\qLT6b\DisplaySwitch.exe
| MD5 | b795e6138e29a37508285fc31e92bd78 |
| SHA1 | d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a |
| SHA256 | 01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659 |
| SHA512 | 8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1 |
C:\Users\Admin\AppData\Local\qLT6b\slc.dll
| MD5 | dddf0650057a9829b318e04ca649712b |
| SHA1 | 2a7536c1a41714a4a414c59cddf3dadceb051069 |
| SHA256 | 6bf59a4cf6b430b08be2e0d8040d021479a24f5a54ca7ab4452694bb3e1625ca |
| SHA512 | 2cfe9b1cc4721dd359a24494b70d9bc25cb6ba3460e70dc957942ef99c5aa4d79c440ca92c509f7f0c1b0d1951b99d57fb975c19c3607f74cf298092e3f15df8 |
memory/1620-157-0x0000000000180000-0x0000000000187000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk (Startup-folder shortcut with a random name: a second persistence mechanism beside the Run key; the shortcut's target is not recorded in this report)
| MD5 | 446aee12d83216e14a6be88e30f14504 |
| SHA1 | 89cfac8fd71c730139b0ee4442532b1a97d20278 |
| SHA256 | 5188e885664b6a89a8316d23e0b2adf0b7fa6b483fafb850ceb424bad7167428 |
| SHA512 | 244cbe4a354281cae1c50544b08e2b657c38393cf3b5979150a64ff9887d8da43fbb70ac528b677a7b5aca0853634532add97d537bd793e56cd93925a2e2a8b2 |
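The dump names in the Files lists encode the PID, a sequence index and the address range, which is enough to compare processes without opening a single dump. The helper below is an added example, not part of the sandbox output; SAMPLE is transcribed from the behavioral1 list above, keeping three of the 58 identical image dumps from PID 1208. Run on that input it shows that a 0x37A000-byte image sits at the default x64 image base 0x140000000 in PIDs 2208 and 1208 only, while a 0x7000-byte region is the one size dumped from every process, including the four AppData side-load hosts. That shared fixed-size region is the first candidate to diff against the parent's copy when chasing the Dridex Shellcode match; whether it actually is the shellcode stub is not something the report states.

```python
"""Summarise sandbox dump names of the form memory/<pid>-<index>-<start>-<end>-memory.dmp.

Added example, not part of the sandbox output. SAMPLE is transcribed from the
behavioral1 Files list (three of the 58 identical image dumps from PID 1208 are kept).
"""
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
X64_IMAGE_BASE = 0x140000000  # default preferred base of a 64-bit PE image

SAMPLE = [
    "memory/2208-0-0x0000000001BE0000-0x0000000001BE7000-memory.dmp",
    "memory/2208-1-0x0000000140000000-0x000000014037A000-memory.dmp",
    "memory/1208-4-0x0000000077996000-0x0000000077997000-memory.dmp",
    "memory/1208-5-0x0000000002170000-0x0000000002171000-memory.dmp",
    "memory/1208-7-0x0000000140000000-0x000000014037A000-memory.dmp",
    "memory/2208-8-0x0000000140000000-0x000000014037A000-memory.dmp",
    "memory/1208-9-0x0000000140000000-0x000000014037A000-memory.dmp",
    "memory/1208-10-0x0000000140000000-0x000000014037A000-memory.dmp",
    "memory/1208-69-0x0000000002140000-0x0000000002147000-memory.dmp",
    "memory/1208-77-0x0000000077AA1000-0x0000000077AA2000-memory.dmp",
    "memory/1484-105-0x00000000000F0000-0x00000000000F7000-memory.dmp",
    "memory/1568-125-0x0000000000120000-0x0000000000127000-memory.dmp",
    "memory/1736-138-0x00000000001F0000-0x00000000001F7000-memory.dmp",
    "memory/1620-157-0x0000000000180000-0x0000000000187000-memory.dmp",
]


def parse_dump(name):
    """Split one dump name into pid, sequence index, start address and size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    pid, index, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": pid, "index": index, "start": start, "size": end - start}


def regions_by_pid(names):
    """{pid: Counter{(start, size): number of times that region was dumped}}."""
    regions = defaultdict(Counter)
    for name in names:
        d = parse_dump(name)
        regions[d["pid"]][(d["start"], d["size"])] += 1
    return regions


def sizes_in_every_pid(names):
    """Region sizes dumped from every process in the run. A fixed-size blob present in
    each injected process is the first thing to diff against the parent's copy."""
    per_pid = regions_by_pid(names)
    size_sets = [{size for _, size in regs} for regs in per_pid.values()]
    return set.intersection(*size_sets) if size_sets else set()


def pids_with_image_at_base(names, base=X64_IMAGE_BASE):
    """Processes that had a region dumped at the default x64 image base."""
    return sorted(pid for pid, regs in regions_by_pid(names).items()
                  if any(start == base for start, _ in regs))


if __name__ == "__main__":
    for pid, regs in sorted(regions_by_pid(SAMPLE).items()):
        for (start, size), n in sorted(regs.items()):
            print(f"pid {pid}: {start:#014x} size {size:#x} dumped {n}x")
    print("sizes seen in every pid:", [hex(s) for s in sorted(sizes_in_every_pid(SAMPLE))])
    print("pids with an image at 0x140000000:", pids_with_image_at_base(SAMPLE))
```

Feeding the behavioral2 list through the same functions gives the matching picture: the image at 0x140000000 in 4752 and 3560, a 0x7000-byte region in every PID, and a slightly larger 0x37B000-byte image at the same base in the three side-load hosts 652, 3820 and 776.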
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-25 01:58
Reported
2024-01-25 02:00
Platform
win10v2004-20231215-en
Max time kernel
0s (the kernel monitor recorded no time for this run, so process-level signatures are incomplete: no Executes dropped EXE, WriteProcessMemory or Run-key signature fired here, although the Processes list below shows the AppData copies of tabcal.exe, unregmp2.exe and rdpinit.exe running and the Files list records the dropped EXE/DLL pairs and a Startup-folder shortcut)
Max time network
148s
Command Line
Signatures
Dridex
Dridex Shellcode
No indicator, process or target details are recorded for this signature.
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\736f4c09867897af390e3e0bf50a0b23.dll,#1 |
| C:\Windows\system32\rdpinit.exe | C:\Windows\system32\rdpinit.exe |
| C:\Windows\system32\tabcal.exe | C:\Windows\system32\tabcal.exe |
| C:\Users\Admin\AppData\Local\I1dV\tabcal.exe | C:\Users\Admin\AppData\Local\I1dV\tabcal.exe |
| C:\Users\Admin\AppData\Local\4QvI\unregmp2.exe | C:\Users\Admin\AppData\Local\4QvI\unregmp2.exe |
| C:\Windows\system32\unregmp2.exe | C:\Windows\system32\unregmp2.exe |
| C:\Users\Admin\AppData\Local\ouTw\rdpinit.exe | C:\Users\Admin\AppData\Local\ouTw\rdpinit.exe |
Network
| Country | Destination | Query (PTR) | Address looked up | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | 52.140.118.28 | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | 96.17.178.173 | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | 192.229.221.95 | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | 13.71.55.58 | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | 20.49.150.241 | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | 40.68.123.157 | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | 20.242.39.171 | udp |
| US | 8.8.8.8:53 | 201.135.221.88.in-addr.arpa | 88.221.135.201 | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | 93.184.221.240 | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | 52.111.236.23 | udp |
All ten entries are reverse (PTR) lookups sent to Google's resolver; the in-addr.arpa name carries the address octets in reverse order, decoded in the fourth column. No outbound connection to any of these addresses is recorded, so none of them can be treated as a command-and-control indicator on the strength of this run alone.
Files
memory/4752-0-0x0000000140000000-0x000000014037A000-memory.dmp
memory/4752-1-0x0000000140000000-0x000000014037A000-memory.dmp
memory/4752-2-0x0000022958F00000-0x0000022958F07000-memory.dmp
memory/3560-5-0x00000000026E0000-0x00000000026E1000-memory.dmp
memory/3560-6-0x00007FF93FD3A000-0x00007FF93FD3B000-memory.dmp
memory/4752-8-0x0000000140000000-0x000000014037A000-memory.dmp
memory/3560-9 through memory/3560-66: 0x0000000140000000-0x000000014037A000-memory.dmp (58 dumps of the same 0x37A000-byte region)
memory/3560-70-0x0000000002270000-0x0000000002277000-memory.dmp
memory/3560-78-0x00007FF9413E0000-0x00007FF9413F0000-memory.dmp
C:\Users\Admin\AppData\Local\ouTw\dwmapi.dll
| MD5 | 2b8f1bba13981c24e973a5200953697d |
| SHA1 | 9beb70b38b464c3a84a8c6a7484de7fbd9091e36 |
| SHA256 | 579096f8d85d13b16a86eebd75bcbf051702d3b945bce47789ced46471031adf |
| SHA512 | 490a1df25fb6b7ade00c1a48947b827aeed183075e75fca6aa8b4b92ed88adae5bb4041173583f7c40675cf23d117a77aa7dbd661b4b5baaa5e6c619e26e25f7 |
memory/652-99-0x0000000140000000-0x000000014037B000-memory.dmp
memory/652-106-0x0000000140000000-0x000000014037B000-memory.dmp
C:\Users\Admin\AppData\Local\ouTw\rdpinit.exe
| MD5 | d1aa2f6b121ee1720bc96c43586d53e4 |
| SHA1 | fb9a4add8819166517ef41ea6e339a159d78a678 |
| SHA256 | f16051cc00f9a09b4edbd36c90db27ff473c0a30a98e4d140b7fa542aa5d7a2a |
| SHA512 | a8037698f8708616c2502dc14f62afa5e0d755d41ee526881fc48b5c0c6c92a4cc86861f300f210722384e4258dd4a55e2b6494b77c841dea4450f357240746d |
C:\Users\Admin\AppData\Local\I1dV\HID.DLL
| MD5 | 29e420e28b5c434713e2a26a3162c9e4 |
| SHA1 | aa9db52988713e5c884b6b5d16073ccccbf5d889 |
| SHA256 | 8c431afad454a6eef73df50bfbc95d056909e1dea35fc0b2126dbd6f44ca24e7 |
| SHA512 | 7620265e0f3606618dc83640b91e7b5e2b0fe14c8b2db5ad5920b9d3e890924bf2c64f55a954211cd52d5cda0923d424e5c61fb407c8bf7454814382dde72dcd |
C:\Users\Admin\AppData\Local\I1dV\HID.DLL
| MD5 | 134a973f4be89dff7dda8569df5c90d4 |
| SHA1 | e6141f063d896c13a43ba7961be87e085b73391d |
| SHA256 | e88491164066572aec8f0eba853d88baaa16c8cac62c5df5df179854ea5f524c |
| SHA512 | dd3d305b58877624a431202c6f58cab70817d72d6ead53238efa43735e43ebd09e7d01fa60389f68830ccbe38515d021f808d9d6f214dacec1039450417df426 |
memory/3820-121-0x000001A377FD0000-0x000001A377FD7000-memory.dmp
memory/3820-125-0x0000000140000000-0x000000014037B000-memory.dmp
C:\Users\Admin\AppData\Local\I1dV\tabcal.exe
| MD5 | 80fa3f2ef26e9907a4a563ab895270f6 |
| SHA1 | 6866489f96f66dcf3b299eb0af690987a8eccd5b |
| SHA256 | d16c9df8f5be3249379537a03f787d8a10ed5545285d7a150006c2534374c8d1 |
| SHA512 | c9cae8bc9b070bb56860597688c4426fb30009e6bf5caa13c1abd98d242344b505227c4476f5e575f740830ab2862f17fdfcbc850cae84b8cf477cde7d0de11f |
C:\Users\Admin\AppData\Local\4QvI\VERSION.dll
| MD5 | cc5ef8a99065f897429bfcbb4d006182 |
| SHA1 | 2394913f7fc638a64a2e80a61d20e00fd18db933 |
| SHA256 | 94361032eb2f48f73c9dad85977445b7a6f309ca5b96ffd66895bcb89c2a06c4 |
| SHA512 | 8172b99525a871348d38636aedebe2a98306d7c4d7ff01aadb2d058732fd4c2e1543dfd7685ede32f3dc743e152391c71fb9c0d9cb0cd9852cc98c458a2228b5 |
C:\Users\Admin\AppData\Local\4QvI\VERSION.dll
| MD5 | 0ab3ef9eb975e98a5a16da5284e6cbeb |
| SHA1 | 232f41fb251f1afabae748d01b98af258bdd9d32 |
| SHA256 | 4613bf931ff2a64db868f799ed322faa1c91b2501a80b8a2c3794101aca7ead8 |
| SHA512 | bcbf42d3b3b81c1cd15e76389437b7cd3fc66d2e4ce3c7afde552788cac651f18d8cdad732c9f6fba3038ed96304d2af8e55800db9e5d22d283f581db88f58c2 |
memory/776-139-0x0000024F73960000-0x0000024F73967000-memory.dmp
memory/776-144-0x0000000140000000-0x000000014037B000-memory.dmp
C:\Users\Admin\AppData\Local\4QvI\unregmp2.exe
| MD5 | 0114a6dde0ac90a0958e935f8d60d00a |
| SHA1 | ea0685a568f273d103b1f5f276939063f6926293 |
| SHA256 | a7a1b91ef43934111c1900486d446157587a592d3a4bd25389c29674ba690e10 |
| SHA512 | 24f2c7cce2dd65ad5b816ba5a117b36a62bcb38166ca40953246bd5b8329f54fbefaf1dd766f8c7213e192a792d56560f0d50d02c5032b1b32440dbd6bcc1eb4 |
memory/776-137-0x0000000140000000-0x000000014037B000-memory.dmp
C:\Users\Admin\AppData\Local\4QvI\unregmp2.exe
| MD5 | dd816d990e088461d2effcc101016437 |
| SHA1 | fd280d5678bb2457821bcae025a364f557b73ff2 |
| SHA256 | 53de8ba90bc45a2e781b110438dc54327225556e9340448bc79cf36bfa9946cd |
| SHA512 | 3c453757be6e198305d53c6edb2a5b5dffd947bdc5e09d77a053e27119f9fe7283a34541dccd655c2c894261a6270c986a01a4a4af97e2fad20dfd2df9173fa5 |
memory/3820-119-0x0000000140000000-0x000000014037B000-memory.dmp
C:\Users\Admin\AppData\Local\I1dV\tabcal.exe
| MD5 | 06e9b28a3b363ca0e48f18838f2a83a5 |
| SHA1 | 9b4a30a7ec7dfff854cec32aa80026bcf97dddd9 |
| SHA256 | 49dc58405aaaf780343ba83308d073b017e5857af73ce26e3a947a79b66ebd61 |
| SHA512 | 25b0f2e458e3b35850dc7a65a7ee45fe12c238dbb2d0ad55538d9cf858712cc2c8de4da6f9394b645dbfdf112a51fd295c6d75377df16debd96c6c3d35b8be24 |
memory/652-102-0x000001DCE2EC0000-0x000001DCE2EC7000-memory.dmp
C:\Users\Admin\AppData\Local\ouTw\dwmapi.dll
| MD5 | c5eb6e49fca25b6fe96bcef681b2d834 |
| SHA1 | 3564b4a46b51505ba014ec3e56c957be8bd8c2f2 |
| SHA256 | 2e822b974cf59d7c5cb35ae6268ac5dd4ac1b6ef66aa64ba405f5d68ca27517d |
| SHA512 | 5ad8d6356ed4bec81a8b78793ee9381d575958cf215e99f929cbfdebd9e9bc49310edf607c207776759dcf8f69573ada5a357ec4e7c0462341fc3e2a4492e6c4 |
C:\Users\Admin\AppData\Local\ouTw\rdpinit.exe
| MD5 | 8a6bd96793482deb5ba0b4480507ef68 |
| SHA1 | beacb9719b6dba6475779a78d7566408552a5e7b |
| SHA256 | 275a8bd3c97affabccc37e50e431ae473b7f5a7dab735420bc75875dc00750ed |
| SHA512 | 2034634c3c1a781fbf90f76255141ff6d4d101fedccfae165a1b56dafbfcde4dc345f2804d03addf48613f5866619a2de1c99d92c749e35d58f03eee9399e3d6 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iydemppuyghrhln.lnk (Startup-folder shortcut with a random name; the only persistence artifact recorded for this run, since no Run-key signature fired; the shortcut's target is not recorded)
| MD5 | 4a77fd1cb398a293be6fbeaa1a9fa43c |
| SHA1 | 8e9f6a2e970860f263df18914bacb182285dee86 |
| SHA256 | a7afd238100140185208f1bcde06643f9804ac002b88d634265a10bde9b96cd3 |
| SHA512 | 67a235fb2166f78bfaab0227dead3d9a5a8ea4003c59c7f10242d449205fe7f7e9e37da36f3ba954cf37328623c89bbb832ee45b065c6c4d29154a2094d32603 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\mXH1SS4Scy\dwmapi.dll
| MD5 | 374b1a87db7a944d44f90b8ea6ba0e2a |
| SHA1 | d7670aeb3878be26113f8735239937df99e4520d |
| SHA256 | e23c4e81843af1a169980dc56bf99c3decbaf07a2214695039b99c0ce8a912d7 |
| SHA512 | 3d7adad8406cdd17d3608735d500fa57822eb49d5d4d1444e8cfaa49ead730d0784de3a04e4c0cf49b70daf07a52267b85d68b8ce8c3f7dec872fde7ab2d7dbe |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NLv9\HID.DLL
| MD5 | d243039eba4df7ffc30ddea5c6c67294 |
| SHA1 | 07c66e1669705ac708452e715f5f5fee013b4740 |
| SHA256 | a1e15f2a9d6a38eecb215b09cf8a2ba7da89f6fb943f303117526f938f656393 |
| SHA512 | defe15e24d3431ceb6c5b026830378637b121398c7e70e142eb39d4a1a64907fe4600897d922ebaef98a1e68f7285c958d6d123a7102b6e80ec860ce8a00e434 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\xS7DOTg4YA\VERSION.dll
| MD5 | 9ece18e459dcc1d0244185a118600d25 |
| SHA1 | 1f519661af4f4cf8e31d76b46cf973659fcefa3f |
| SHA256 | f95677f22210a378df2a30626dae7653091a1dfbca6894573876d1d8932a6f4b |
| SHA512 | 9e31a58ac620683f223875d441e89b6be382acb8351526da62d37a1708751774956dd0820f2625525b7146bf26029a72f070251838da4d609e1d521d4f27f5a7 |
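The dropped-file lists of both runs show one layout: a randomly named folder under AppData\Local holding a copy of a signed Windows binary next to a DLL bearing a system DLL's name (VERSION.dll, slc.dll, XmlLite.dll, dwmapi.dll, HID.DLL), several of those paths written twice with different contents (both hashes must go on any blocklist), three DLLs staged without a host under AppData\Roaming, and, in behavioral1, a Run key whose target is Dxpserver.exe outside System32. The helper below is an added example, not part of the sandbox output. It takes that inventory as DROPPED and AUTORUNS, transcribed from this report with SHA-256 values truncated to 16 hex digits, and emits the four findings a triage analyst would pull from it; the KNOWN_SYSTEM_EXES and KNOWN_SYSTEM_DLLS lists are an assumption standing in for an inventory taken from a clean Windows image, and the rule that drive-less report entries are on C: is likewise an assumption.

```python
"""Triage helpers for the side-loading and persistence artifacts in this report.

Added example, not sandbox output. DROPPED and AUTORUNS are transcribed from the Files and
Signatures sections of both runs (SHA-256 truncated); the KNOWN_* sets are an assumed
inventory standing in for one taken from a clean Windows image of the same build.
"""
import ntpath
from collections import defaultdict

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Signed Microsoft binaries this sample copies out of System32 and runs as side-load hosts.
KNOWN_SYSTEM_EXES = {"spinstall.exe", "snippingtool.exe", "dxpserver.exe", "displayswitch.exe",
                     "rdpinit.exe", "tabcal.exe", "unregmp2.exe"}
# System DLL names not on the KnownDLLs list: a same-named file in the application
# directory is found before the System32 copy (search-order hijacking).
KNOWN_SYSTEM_DLLS = {"version.dll", "slc.dll", "xmllite.dll", "dwmapi.dll", "hid.dll"}

L = r"C:\Users\Admin\AppData\Local"
R = r"C:\Users\Admin\AppData\Roaming\Microsoft"
DROPPED = [  # (path, sha256 prefix); two entries kept without a drive letter, as the report prints them
    (r"\Users\Admin\AppData\Local\k16Ck\spinstall.exe", "048bd22abf158346"),
    (L + r"\k16Ck\VERSION.dll", "43aa786c45ea377b"),
    (r"\Users\Admin\AppData\Local\QvEm\SnippingTool.exe", "890884c7fe7d037e"),
    (L + r"\QvEm\slc.dll", "1ff2979a16cb2021"),
    (L + r"\6Jn\Dxpserver.exe", "070bc95c486c15d2"), (L + r"\6Jn\XmlLite.dll", "d4499394031f6e3c"),
    (L + r"\qLT6b\DisplaySwitch.exe", "01a9733871baa851"), (L + r"\qLT6b\slc.dll", "6bf59a4cf6b430b0"),
    (L + r"\ouTw\dwmapi.dll", "579096f8d85d13b1"), (L + r"\ouTw\dwmapi.dll", "2e822b974cf59d7c"),
    (L + r"\ouTw\rdpinit.exe", "f16051cc00f9a09b"), (L + r"\ouTw\rdpinit.exe", "275a8bd3c97affab"),
    (L + r"\I1dV\HID.DLL", "8c431afad454a6ee"), (L + r"\I1dV\HID.DLL", "e88491164066572a"),
    (L + r"\I1dV\tabcal.exe", "d16c9df8f5be3249"), (L + r"\I1dV\tabcal.exe", "49dc58405aaaf780"),
    (L + r"\4QvI\VERSION.dll", "94361032eb2f48f7"), (L + r"\4QvI\VERSION.dll", "4613bf931ff2a64d"),
    (L + r"\4QvI\unregmp2.exe", "a7a1b91ef4393411"), (L + r"\4QvI\unregmp2.exe", "53de8ba90bc45a2e"),
    (R + r"\SystemCertificates\My\mXH1SS4Scy\dwmapi.dll", "e23c4e81843af1a1"),
    (R + r"\Windows\Start Menu\Programs\NLv9\HID.DLL", "a1e15f2a9d6a38ee"),
    (R + r"\SystemCertificates\My\Certificates\xS7DOTg4YA\VERSION.dll", "f95677f22210a378"),
]
AUTORUNS = [  # (value name, target) from the behavioral1 Run-key signature
    ("Zqonzshwxyr", R + r"\Windows\IETldCache\Low\YFXLWlp\Dxpserver.exe"),
]


def _norm(path):
    """Lower-cased, normalised path; drive-less report entries are assumed to be on C:."""
    if path.startswith("\\"):
        path = "C:" + path
    return ntpath.normpath(path).lower()


def in_system_dir(path):
    n = _norm(path)
    return any(n == s or n.startswith(s + "\\") for s in SYSTEM_DIRS)


def _by_dir(dropped):
    groups = defaultdict(set)
    for path, _sha in dropped:
        directory, base = ntpath.split(_norm(path))
        groups[directory].add(base)
    return groups


def sideload_pairs(dropped):
    """(directory, exe, dll) for each non-system directory holding both a known host
    binary and a DLL name it would otherwise resolve from System32."""
    pairs = []
    for directory, names in sorted(_by_dir(dropped).items()):
        if in_system_dir(directory):
            continue
        pairs.extend((directory, e, d)
                     for e in sorted(names & KNOWN_SYSTEM_EXES)
                     for d in sorted(names & KNOWN_SYSTEM_DLLS))
    return pairs


def lone_system_dlls(dropped):
    """Known-DLL names staged in user-writable directories with no host EXE beside them."""
    return sorted(ntpath.join(directory, n)
                  for directory, names in _by_dir(dropped).items()
                  if not in_system_dir(directory) and not (names & KNOWN_SYSTEM_EXES)
                  for n in names & KNOWN_SYSTEM_DLLS)


def rehashed_paths(dropped):
    """Paths recorded with more than one hash: the file changed during the run, so a
    hash-only blocklist has to carry every variant, not only the last one."""
    seen = defaultdict(set)
    for path, sha in dropped:
        seen[_norm(path)].add(sha)
    return sorted(p for p, hashes in seen.items() if len(hashes) > 1)


def suspicious_autoruns(entries):
    """Autorun targets that carry a known Windows binary name but live outside System32."""
    return [(name, target) for name, target in entries
            if ntpath.basename(_norm(target)) in KNOWN_SYSTEM_EXES and not in_system_dir(target)]


if __name__ == "__main__":
    for directory, exe, dll in sideload_pairs(DROPPED):
        print(f"side-load pair: {directory}\\{exe} + {dll}")
    for p in lone_system_dlls(DROPPED):
        print(f"staged DLL without host: {p}")
    for p in rehashed_paths(DROPPED):
        print(f"path written with two different contents: {p}")
    for name, target in suspicious_autoruns(AUTORUNS):
        print(f"autorun {name} -> {target}")
```

On this input the script reports seven EXE/DLL pairs (four from the Windows 7 run, three from the Windows 10 run), the three host-less DLLs under AppData\Roaming, six paths written with two different contents (every file in ouTw, I1dV and 4QvI), and the single Run-key entry. The same functions apply unchanged to a file-creation log from an endpoint agent, which is where the side-load pairing rule earns its keep: a known System32 binary name appearing in a user-writable folder next to a known DLL name is a strong signal regardless of which Dridex build dropped it.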