Analysis Overview
SHA256: b1492690bba76715a0b60aacfe75bfb7876f3b7d8f03a5a32172b084be81ba7d
Threat Level: Known bad
The file cb9dc4606ac85050ceec95e649100000N was found to be: Known bad.
Malicious Activity Summary
Floxif, Floodfix
Xred family
Floxif family
Xred
Detects Floxif payload
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
ACProtect 1.3x - 1.4x DLL software
Enumerates connected drives
Adds Run key to start application
UPX packed file
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-09-13 21:23
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-09-13 21:23
Reported: 2024-09-13 21:25
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 125s
Command Line
Signatures
Floxif family
Floxif, Floodfix
Xred
Xred family
Detects Floxif payload
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\e: | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\gfx.dll | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\gfx.dll.tmp | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\gfx.dll.dat | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2380 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe | C:\ProgramData\Synaptics\Synaptics.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe
"C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Network
Files
\Program Files\Common Files\System\symsrv.dll
C:\ProgramData\Synaptics\Synaptics.exe
\Users\Admin\AppData\Local\Temp\A1D26E2\F5F3A8C94C.tmp
C:\Users\Admin\AppData\Local\Temp\2p3CUcNh.xlsm
\Program Files (x86)\Microsoft Office\Office14\gfx.dll.tmp
C:\Users\Admin\Documents\~$UsePush.xlsx
C:\Program Files\Common Files\System\symsrv.dll.000
Analysis: behavioral2
Detonation Overview
Submitted: 2024-09-13 21:23
Reported: 2024-09-13 21:25
Platform: win10v2004-20240802-en
Max time kernel: 111s
Max time network: 120s
Command Line
Signatures
Floxif family
Floxif, Floodfix
Xred
Xred family
Detects Floxif payload
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe | N/A |
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4992 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe | C:\ProgramData\Synaptics\Synaptics.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe
"C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Network
Files
C:\Program Files\Common Files\System\symsrv.dll
C:\Users\Admin\AppData\Local\Temp\A1D26E2\8A4E1701380.tmp
C:\Users\Admin\AppData\Local\Temp\Jg7aTbaM.xlsm