Analysis Overview
SHA256
b77d2a8495358e831a2060b1dadf1c74e056b489970f8a3e0fecf48693368dce
Threat Level: Known bad
The file c80898f305c03178e6fb02cf47377dc3 was found to be: Known bad.
Malicious Activity Summary
Azorult
Netwire
NetWire RAT payload
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NTFS ADS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-14 07:20
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-14 07:20
Reported
2024-03-14 07:22
Platform
win7-20240221-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Azorult
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2536 set thread context of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
| PID 2292 set thread context of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c80898f305c03178e6fb02cf47377dc3.exe
"C:\Users\Admin\AppData\Local\Temp\c80898f305c03178e6fb02cf47377dc3.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
C:\Users\Admin\AppData\Roaming\tmp.exe
"C:\Users\Admin\AppData\Roaming\tmp.exe"
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
Network
| Country | Destination | Domain | Proto |
| US | 174.127.99.159:7882 | tcp | |
| US | 8.8.8.8:53 | gemateknindoperkasa.co.id | udp |
| US | 8.8.8.8:53 | gemateknindoperkasa.co.id | udp |
| US | 174.127.99.159:7882 | tcp |
Files
memory/1768-1-0x0000000000400000-0x0000000000B9E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\test.exe
| MD5 | 836cda1d8a9718485cc9f9653530c2d9 |
| SHA1 | fca85ff9aa624547d9a315962d82388c300edac1 |
| SHA256 | d3793a581da66ef5840648574ce364846e7c68a559c0f5e49faf9e4892ecdc72 |
| SHA512 | 07ca078d79f622706d08a534f6b5e2c896152fb0d0e452781fa6be5dc90028fdf074b3b78acac438f2acf5b3f5522e70afb7db4551874a3083860213e2790481 |
memory/2292-5-0x0000000000100000-0x00000000001EE000-memory.dmp
memory/2292-6-0x0000000073CF0000-0x00000000743DE000-memory.dmp
memory/2292-7-0x0000000000460000-0x00000000004A0000-memory.dmp
memory/2292-8-0x00000000041F0000-0x0000000004276000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\File.exe
| MD5 | 37c82e15058e2f8f5e9525b956e6440d |
| SHA1 | 3bf20d00bd7a7943c4066d534f5b276cac5ae39f |
| SHA256 | 80c4716318f874881151c78c4dce9a0a01be4294834f33ee7f12a8a34bb8b2b7 |
| SHA512 | 5c9c37a13cac634771ae18736845b8e7c1a33fd8c6c9ae564f6863b5033a68565f0fd3da555d15870bbc547cc549153c096c44f2d7ced828baffdcfa8641da0a |
memory/2536-16-0x0000000000AE0000-0x0000000000B3C000-memory.dmp
memory/2536-17-0x0000000073CF0000-0x00000000743DE000-memory.dmp
memory/2536-18-0x00000000004C0000-0x0000000000500000-memory.dmp
memory/2536-19-0x0000000000500000-0x0000000000524000-memory.dmp
\Users\Admin\AppData\Roaming\tmp.exe
| MD5 | bae2b04e1160950e570661f55d7cd6f8 |
| SHA1 | f4abc073a091292547dda85d0ba044cab231c8da |
| SHA256 | ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59 |
| SHA512 | 1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6 |
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 9af17c8393f0970ee5136bd3ffa27001 |
| SHA1 | 4b285b72c1a11285a25f31f2597e090da6bbc049 |
| SHA256 | 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019 |
| SHA512 | b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3 |
\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 1f7bccc57d21a4bfeddaafe514cfd74d |
| SHA1 | 4dab09179a12468cb1757cb7ca26e06d616b0a8d |
| SHA256 | d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061 |
| SHA512 | 9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8 |
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | dec3e3277d05a3b54d98116075960914 |
| SHA1 | c7c01eec2bd223463adfa28ba3572cc4c7845335 |
| SHA256 | 39dfd654463d76d1ab2f1746a47f0192c92155269f605055cd51d3d03d9e8f4d |
| SHA512 | f73c5a731c77e012b8458a87f20a831cadd78fdf5c385270af447904d34dda41f7d0fc2aa17f41f6bc38b7bddd37fac9d875bc394bea8df62906f95a5a784647 |
\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 03100217c5e2fe5047fa0c5b04aaa953 |
| SHA1 | fb4157a0320be5aa6df9b075e982953dd20a2f93 |
| SHA256 | ef358f8b2464d274e166ca9c26a2a05c112c4dd4db1b9b8de990ade17bc03302 |
| SHA512 | 1c948671004432e6f7ee0016865e9e7994037f9c8c021b6a804351b3a9793c575d8a74e1d55739cceb95919a75f5a1c9924572b77ca5e24b69c5452b8f2b8656 |
memory/2416-37-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2432-39-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2416-41-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2432-42-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2416-45-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2432-46-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2432-50-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2416-49-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2432-54-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2416-53-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2432-58-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2416-60-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2416-57-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 1a163d2c1681fa9fc6559e82f48c8b2f |
| SHA1 | f0b32efa65823a68d92f634579f1ba1c9f1b69e0 |
| SHA256 | ef4c9879ed37cad30a1663bbb4f0468f9a9a7e91a249b6e6fbddf480c962d956 |
| SHA512 | ec823e782a6dee4e7e62bb1715e9a81e4b899b6b8f11ae45b093ae279256341e379bdc835116f4eb5735dc385d448c122586ae836b4ed23ae3fb127621df6986 |
memory/2432-61-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2416-65-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2416-71-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2416-68-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2432-67-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2432-72-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1768-73-0x0000000000400000-0x0000000000B9E000-memory.dmp
memory/2432-74-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2864-80-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk
| MD5 | 78c85203ddeba64d388528c5e4e20975 |
| SHA1 | 11738d4396bb63f94147d7e265577ecbd2a7fd75 |
| SHA256 | e71a08c5282dcbe120739c84ea188a9fbdcb772801c78222b0bf44d56bd7a3ad |
| SHA512 | bb35cd6a3b847a49e0cbba8cc356a447753159207866186b6ec62d69fe6a382c33a2999aeadabfaa3a48e189b088b9f01d9cf8c1bd170386b9ea577ea8774d63 |
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2292-90-0x0000000073CF0000-0x00000000743DE000-memory.dmp
memory/2292-92-0x0000000000460000-0x00000000004A0000-memory.dmp
memory/2536-93-0x0000000073CF0000-0x00000000743DE000-memory.dmp
memory/2292-94-0x0000000073CF0000-0x00000000743DE000-memory.dmp
memory/2536-95-0x0000000073CF0000-0x00000000743DE000-memory.dmp
memory/1768-97-0x0000000000400000-0x0000000000B9E000-memory.dmp
memory/2432-98-0x0000000000400000-0x0000000000433000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-14 07:20
Reported
2024-03-14 07:22
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Azorult
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 924 set thread context of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
| PID 792 set thread context of 512 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c80898f305c03178e6fb02cf47377dc3.exe
"C:\Users\Admin\AppData\Local\Temp\c80898f305c03178e6fb02cf47377dc3.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Users\Admin\AppData\Roaming\tmp.exe
"C:\Users\Admin\AppData\Roaming\tmp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 174.127.99.159:7882 | tcp | |
| US | 8.8.8.8:53 | gemateknindoperkasa.co.id | udp |
| US | 8.8.8.8:53 | gemateknindoperkasa.co.id | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 174.127.99.159:7882 | tcp |
Files
memory/1136-0-0x0000000000400000-0x0000000000B9E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\test.exe
| MD5 | 836cda1d8a9718485cc9f9653530c2d9 |
| SHA1 | fca85ff9aa624547d9a315962d82388c300edac1 |
| SHA256 | d3793a581da66ef5840648574ce364846e7c68a559c0f5e49faf9e4892ecdc72 |
| SHA512 | 07ca078d79f622706d08a534f6b5e2c896152fb0d0e452781fa6be5dc90028fdf074b3b78acac438f2acf5b3f5522e70afb7db4551874a3083860213e2790481 |
memory/924-6-0x0000000074900000-0x00000000750B0000-memory.dmp
memory/924-5-0x00000000002E0000-0x00000000003CE000-memory.dmp
memory/924-7-0x0000000004D90000-0x0000000004E2C000-memory.dmp
memory/924-8-0x0000000004E60000-0x0000000004E70000-memory.dmp
memory/924-9-0x0000000004E90000-0x0000000004F16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\File.exe
| MD5 | 37c82e15058e2f8f5e9525b956e6440d |
| SHA1 | 3bf20d00bd7a7943c4066d534f5b276cac5ae39f |
| SHA256 | 80c4716318f874881151c78c4dce9a0a01be4294834f33ee7f12a8a34bb8b2b7 |
| SHA512 | 5c9c37a13cac634771ae18736845b8e7c1a33fd8c6c9ae564f6863b5033a68565f0fd3da555d15870bbc547cc549153c096c44f2d7ced828baffdcfa8641da0a |
memory/792-21-0x0000000000ED0000-0x0000000000F2C000-memory.dmp
memory/792-22-0x0000000074900000-0x00000000750B0000-memory.dmp
memory/792-23-0x0000000003130000-0x0000000003140000-memory.dmp
memory/792-24-0x0000000003100000-0x0000000003124000-memory.dmp
memory/3488-27-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 8fdf47e0ff70c40ed3a17014aeea4232 |
| SHA1 | e6256a0159688f0560b015da4d967f41cbf8c9bd |
| SHA256 | ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82 |
| SHA512 | bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be |
memory/3488-30-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3488-31-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Roaming\tmp.exe
| MD5 | bae2b04e1160950e570661f55d7cd6f8 |
| SHA1 | f4abc073a091292547dda85d0ba044cab231c8da |
| SHA256 | ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59 |
| SHA512 | 1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6 |
memory/512-41-0x0000000000400000-0x0000000000420000-memory.dmp
memory/512-44-0x0000000000400000-0x0000000000420000-memory.dmp
memory/512-47-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
| MD5 | 1c267a0b76fcbd7d48f0c8412acaab94 |
| SHA1 | ff67e0fceba24d8149cd98621883480c395af2cf |
| SHA256 | 10c30bdbf94a912bc580e9b92fa5a9d6384cec3d1ec8e587d0b2763af0d9b267 |
| SHA512 | 9eee460a3434b84ddb3746661dc24ef3b3391048abb1b2111bd2a3b84c62c5ed5c71b02552b608207c9cef6e123533f6bd619441f97220bed0ab04184b4e787e |
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier
| MD5 | 130a75a932a2fe57bfea6a65b88da8f6 |
| SHA1 | b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c |
| SHA256 | f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e |
| SHA512 | 6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed |
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk
| MD5 | 55ee95b381c06614451d6b598235efba |
| SHA1 | 3c3c1da621a4352f2846471a518a78b64bcc4fbf |
| SHA256 | 8437a447ef52cf43db7e01203d6763a9ca789a515a0cf945be7f81a78ac474a3 |
| SHA512 | bd93e51c27a1f01cd0f0ed6248394f980ad256e39b33fe039ea778f7ee47c92396f175da8ca7d6c8d3e521f3de8eee6fb8f9c2312fc3d7eaf4ace0d79f382e3f |
memory/3340-55-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1136-60-0x0000000000400000-0x0000000000B9E000-memory.dmp
memory/924-61-0x0000000074900000-0x00000000750B0000-memory.dmp
memory/924-62-0x0000000004E60000-0x0000000004E70000-memory.dmp
memory/924-64-0x0000000074900000-0x00000000750B0000-memory.dmp
memory/1136-66-0x0000000000400000-0x0000000000B9E000-memory.dmp
memory/792-68-0x0000000074900000-0x00000000750B0000-memory.dmp