Analysis Overview
SHA256
a108ae8bd69ac84bc8dd5fa7bdbb6eff9cd65a70c16567e0f36dae1f15d090fd
Threat Level: Known bad
The file Purchase order.exe was found to be: Known bad.
Malicious Activity Summary
ModiLoader, DBatLoader
Remcos
NirSoft MailPassView
ModiLoader Second Stage
NirSoft WebBrowserPassView
Nirsoft
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Script User-Agent
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 15:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 15:56
Reported
2024-04-03 15:59
Platform
win7-20240221-en
Max time kernel
134s
Max time network
150s
Command Line
Signatures
ModiLoader, DBatLoader
Remcos
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows \System32\8372159.exe | N/A |
| N/A | N/A | C:\Windows \System32\8372159.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hmzvinyr = "C:\\Users\\Public\\Hmzvinyr.url" | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2692 set thread context of 812 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe |
| PID 2692 set thread context of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe |
| PID 2692 set thread context of 308 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe |
| PID 2692 set thread context of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe |
| PID 2692 set thread context of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe |
| PID 2692 set thread context of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir "\\?\C:\Windows "
C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir "\\?\C:\Windows \System32"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Windows \System32\8372159.exe"
C:\Windows \System32\8372159.exe
"C:\Windows \System32\8372159.exe"
C:\Windows \System32\8372159.exe
"C:\Windows \System32\8372159.exe"
C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\Purchase order.exe C:\\Users\\Public\\Libraries\\Hmzvinyr.PIF
C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order.exe" /stext "C:\Users\Admin\AppData\Local\Temp\yjybygsgtmdpxeu"
C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order.exe" /stext "C:\Users\Admin\AppData\Local\Temp\jddmzydzhuvuzkqydw"
C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order.exe" /stext "C:\Users\Admin\AppData\Local\Temp\lfjeajobvcnzkqekuhupr"
C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qokpxitgehjfy"
C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order.exe" /stext "C:\Users\Admin\AppData\Local\Temp\aiphyadispckimty"
C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order.exe" /stext "C:\Users\Admin\AppData\Local\Temp\dlusytobgxuplspcfrce"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 3002.filemail.com | udp |
| NO | 193.30.119.102:443 | 3002.filemail.com | tcp |
| NO | 193.30.119.102:443 | 3002.filemail.com | tcp |
| US | 8.8.8.8:53 | africarem.duckdns.org | udp |
| US | 23.95.235.30:54991 | africarem.duckdns.org | tcp |
| US | 23.95.235.30:54991 | africarem.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| N/A | 127.0.0.1:44999 | N/A | tcp |
| N/A | 127.0.0.1:54991 | N/A | tcp |
Files
memory/2692-0-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2692-1-0x0000000002E80000-0x0000000003E80000-memory.dmp
memory/2692-2-0x0000000002E80000-0x0000000003E80000-memory.dmp
memory/2692-4-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2692-5-0x0000000000400000-0x00000000005AF000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar98FC.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Windows \System32\8372159.exe
| MD5 | 231ce1e1d7d98b44371ffff407d68b59 |
| SHA1 | 25510d0f6353dbf0c9f72fc880de7585e34b28ff |
| SHA256 | 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96 |
| SHA512 | 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612 |
memory/3024-67-0x0000000000600000-0x0000000000601000-memory.dmp
memory/2692-81-0x00000000158E0000-0x00000000168E0000-memory.dmp
memory/2692-80-0x00000000158E0000-0x00000000168E0000-memory.dmp
memory/2692-82-0x00000000158E0000-0x00000000168E0000-memory.dmp
memory/2692-84-0x00000000158E0000-0x00000000168E0000-memory.dmp
memory/2692-85-0x00000000158E0000-0x00000000168E0000-memory.dmp
memory/2692-86-0x00000000158E0000-0x00000000168E0000-memory.dmp
memory/2692-88-0x00000000158E0000-0x00000000168E0000-memory.dmp
memory/2692-89-0x00000000158E0000-0x00000000168E0000-memory.dmp
memory/2692-87-0x00000000158E0000-0x00000000168E0000-memory.dmp
memory/2692-92-0x00000000158E0000-0x00000000168E0000-memory.dmp
memory/812-93-0x0000000000400000-0x0000000000478000-memory.dmp
memory/308-101-0x0000000000400000-0x0000000000424000-memory.dmp
memory/308-103-0x0000000000400000-0x0000000000424000-memory.dmp
memory/308-105-0x0000000000400000-0x0000000000424000-memory.dmp
memory/812-99-0x0000000000400000-0x0000000000478000-memory.dmp
memory/308-104-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1096-97-0x0000000000400000-0x0000000000462000-memory.dmp
memory/812-96-0x0000000000400000-0x0000000000478000-memory.dmp
memory/308-108-0x0000000000400000-0x0000000000424000-memory.dmp
memory/308-106-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2112-122-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2112-120-0x0000000000400000-0x0000000000462000-memory.dmp
memory/812-125-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2112-128-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2112-127-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2920-123-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1728-132-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2920-137-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qokpxitgehjfy
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2692-140-0x0000000033B20000-0x0000000033B39000-memory.dmp
memory/2692-144-0x0000000033B20000-0x0000000033B39000-memory.dmp
memory/2692-145-0x0000000033B20000-0x0000000033B39000-memory.dmp
memory/2692-146-0x0000000033B20000-0x0000000033B39000-memory.dmp
memory/2692-143-0x0000000033B20000-0x0000000033B39000-memory.dmp
memory/812-148-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2692-149-0x00000000158E0000-0x00000000168E0000-memory.dmp
memory/2692-152-0x00000000158E0000-0x00000000168E0000-memory.dmp
memory/2692-153-0x00000000158E0000-0x00000000168E0000-memory.dmp
memory/2692-155-0x0000000033B20000-0x0000000033B39000-memory.dmp
memory/2692-160-0x00000000158E0000-0x00000000168E0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 15:56
Reported
2024-04-03 15:59
Platform
win10v2004-20240319-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
ModiLoader, DBatLoader
Remcos
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows \System32\2720943.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows \System32\2720943.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hmzvinyr = "C:\\Users\\Public\\Hmzvinyr.url" | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3380 set thread context of 5076 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe |
| PID 3380 set thread context of 3704 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe |
| PID 3380 set thread context of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir "\\?\C:\Windows "
C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir "\\?\C:\Windows \System32"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Windows \System32\2720943.exe"
C:\Windows \System32\2720943.exe
"C:\Windows \System32\2720943.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
C:\Windows\system32\cmd.exe
cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\Purchase order.exe C:\\Users\\Public\\Libraries\\Hmzvinyr.PIF
C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order.exe" /stext "C:\Users\Admin\AppData\Local\Temp\oskmxlbzqlnzvpndn"
C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zupfydmtetfeyvjhwzvg"
C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order.exe" /stext "C:\Users\Admin\AppData\Local\Temp\jouxywxvsbyjabxtokhhstr"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4100 --field-trial-handle=2288,i,11069632825633797559,14829202121434726371,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.34.115.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3002.filemail.com | udp |
| NO | 193.30.119.102:443 | 3002.filemail.com | tcp |
| NO | 193.30.119.102:443 | 3002.filemail.com | tcp |
| US | 8.8.8.8:53 | 102.119.30.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.33.115.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:44999 | N/A | tcp |
| US | 8.8.8.8:53 | 145.110.86.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:54991 | N/A | tcp |
| US | 8.8.8.8:53 | 224.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | africarem.duckdns.org | udp |
| US | 23.95.235.30:54991 | africarem.duckdns.org | tcp |
| US | 8.8.8.8:53 | 30.235.95.23.in-addr.arpa | udp |
| GB | 13.105.221.16:443 | N/A | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 23.95.235.30:54991 | africarem.duckdns.org | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
memory/3380-0-0x0000000000770000-0x0000000000771000-memory.dmp
memory/3380-1-0x00000000028D0000-0x00000000038D0000-memory.dmp
memory/3380-2-0x00000000028D0000-0x00000000038D0000-memory.dmp
memory/3380-4-0x0000000000400000-0x00000000005AF000-memory.dmp
C:\Windows \System32\2720943.exe
| MD5 | 231ce1e1d7d98b44371ffff407d68b59 |
| SHA1 | 25510d0f6353dbf0c9f72fc880de7585e34b28ff |
| SHA256 | 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96 |
| SHA512 | 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612 |
C:\Windows \System32\netutils.dll
| MD5 | 8541304aadba4ae8620bb2699f6e0437 |
| SHA1 | e0b28a6ecd32d3789433217364c1006de9892df8 |
| SHA256 | 50573c81e5773c13a5411e8446d7fb17956865675782239818f7affd40a2fecb |
| SHA512 | c18b1233c138229705242e1cdc00970e45e414d8da9c643b1196ec9de261ae18076e22bed6fcc48c07d1f0e851469db9147f083f3c3c76a26b75994419392455 |
memory/3164-16-0x00000000613C0000-0x00000000613E3000-memory.dmp
C:\windows \system32\KDECO.bat
| MD5 | c545650595b479c81ad6b9d8882aae39 |
| SHA1 | 7a98aa2e6eee23b3c1bba876955d525bc618b3f0 |
| SHA256 | a3a80983cb33159f0455fa0135789402558baa1460db94d0071318512b8cb5f9 |
| SHA512 | 85ac596a7da9072a28c4178e4fdedc98f1b49c8e3fe5612cfe464833297b13f65d2dc59b52d7fc9970cff8f98d954111229aec0ed9dded454e03b0cf4ebb6ff3 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a55r3axn.myc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1004-27-0x000002C5C9250000-0x000002C5C9272000-memory.dmp
memory/1004-28-0x00007FFC426B0000-0x00007FFC43171000-memory.dmp
memory/1004-30-0x000002C5B1070000-0x000002C5B1080000-memory.dmp
memory/1004-29-0x000002C5B1070000-0x000002C5B1080000-memory.dmp
memory/1004-31-0x000002C5B1070000-0x000002C5B1080000-memory.dmp
memory/1004-34-0x00007FFC426B0000-0x00007FFC43171000-memory.dmp
memory/3380-37-0x00000000152D0000-0x00000000162D0000-memory.dmp
memory/3380-38-0x00000000152D0000-0x00000000162D0000-memory.dmp
memory/3380-39-0x00000000152D0000-0x00000000162D0000-memory.dmp
memory/3380-42-0x00000000152D0000-0x00000000162D0000-memory.dmp
memory/3380-43-0x00000000152D0000-0x00000000162D0000-memory.dmp
memory/3380-44-0x00000000152D0000-0x00000000162D0000-memory.dmp
memory/3380-45-0x00000000152D0000-0x00000000162D0000-memory.dmp
memory/3380-46-0x00000000152D0000-0x00000000162D0000-memory.dmp
memory/3380-48-0x00000000152D0000-0x00000000162D0000-memory.dmp
memory/5076-50-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3704-51-0x0000000000400000-0x0000000000462000-memory.dmp
memory/3968-54-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3704-55-0x0000000000400000-0x0000000000462000-memory.dmp
memory/5076-56-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3704-59-0x0000000000400000-0x0000000000462000-memory.dmp
memory/3704-66-0x0000000000400000-0x0000000000462000-memory.dmp
memory/3968-62-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3968-67-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3968-71-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3968-69-0x0000000000400000-0x0000000000424000-memory.dmp
memory/5076-60-0x0000000000400000-0x0000000000478000-memory.dmp
memory/5076-57-0x0000000000400000-0x0000000000478000-memory.dmp
memory/5076-80-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3380-83-0x000000002DAB0000-0x000000002DAC9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oskmxlbzqlnzvpndn
| MD5 | 51bdd8d5f186fd32bf22b3988240e19d |
| SHA1 | 37a83c9c1f636bd0e5a1b806804fc5323c80791d |
| SHA256 | 4dd5d2764bba141c582357273d5d7a869888908b4a1b52423a489d58bba597be |
| SHA512 | a477cb0dd68901641cea43100c952d1c253c32388492204b2387a333ad1d5bed0155f08f430f010ef53fe9592945def73c3d28e77293c58d951b652410e8c6f7 |
memory/3380-86-0x000000002DAB0000-0x000000002DAC9000-memory.dmp
memory/3380-87-0x000000002DAB0000-0x000000002DAC9000-memory.dmp
memory/3380-88-0x000000002DAB0000-0x000000002DAC9000-memory.dmp
memory/3380-89-0x000000002DAB0000-0x000000002DAC9000-memory.dmp
memory/3380-90-0x00000000152D0000-0x00000000162D0000-memory.dmp
memory/3380-91-0x00000000152D0000-0x00000000162D0000-memory.dmp
memory/3380-92-0x00000000152D0000-0x00000000162D0000-memory.dmp
memory/3968-95-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3380-96-0x000000002DAB0000-0x000000002DAC9000-memory.dmp
memory/3380-99-0x00000000152D0000-0x00000000162D0000-memory.dmp
memory/3380-100-0x00000000152D0000-0x00000000162D0000-memory.dmp
memory/3380-103-0x00000000152D0000-0x00000000162D0000-memory.dmp
memory/3380-104-0x00000000152D0000-0x00000000162D0000-memory.dmp
memory/3380-109-0x00000000152D0000-0x00000000162D0000-memory.dmp
memory/3380-110-0x00000000152D0000-0x00000000162D0000-memory.dmp