Analysis Overview
SHA256
1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437
Threat Level: Shows suspicious behavior
The file 1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
ASPack v2.12-2.42
Adds Run key to start application
Drops autorun.inf file
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of SetWindowsHookEx
NTFS ADS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:02
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:02
Reported
2024-11-09 22:04
Platform
win7-20241023-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-eudcedit_31bf3856ad364e35_6.1.7601.17514_none_b7be8a14d61db17a\eudcedit.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\537950d9c71af966e1d8c9deb550f842\WsatConfig.ni.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe$ | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\LoadMxf\d09b54cd68bc772b3be3832926e940d4\LoadMxf.ni.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-diantz_31bf3856ad364e35_6.1.7600.16385_none_02bb0612dc529329\diantz.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-isoburn_31bf3856ad364e35_6.1.7601.17514_none_4458ac8eafdacbdd\isoburn.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.17514_none_fa8534ab236134c4\mfpmp.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-security-secedit_31bf3856ad364e35_6.1.7600.16385_none_0adc1fc1cb6f944b\SecEdit.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..l-inboxgames-hearts_31bf3856ad364e35_6.1.7600.16385_none_4ffeefd67d89d45b\Hearts.exe$ | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ShapeCollector.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe$ | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_6.1.7601.17514_none_e46b048a01806891\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-net-command-line-tool_31bf3856ad364e35_6.1.7600.16385_none_ae2743278c281682\net.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_6.1.7600.16385_none_f8a40495785334a9\PrintIsolationHost.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe$ | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.7601.17514_none_3eb101caec1acc2c\ie4uinit.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\iisreset.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ocsetup_31bf3856ad364e35_6.1.7601.17514_none_41a3376575e751b4\ocsetup.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\f4a88265ac4ad47978daef8c5482fd30\MSBuild.ni.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104\sdbinst.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\migwiz.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\reset.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\537950d9c71af966e1d8c9deb550f842\WsatConfig.ni.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5023a70bf589ad3e\regedit.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-tpm-adminsnapin_31bf3856ad364e35_6.1.7600.16385_none_d3720895f8f22acd\TpmInit.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Speech\Common\sapisvr.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-telnet-client_31bf3856ad364e35_6.1.7600.16385_none_1426830c3ebb712d\telnet.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost32\c899de3549784161aa66610d5735e4f0\ehExtHost32.ni.exe$ | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-ielowutil_31bf3856ad364e35_11.2.9600.16428_none_e8cd1f348648ebd1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe$ | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe$ | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe$ | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-convert_31bf3856ad364e35_6.1.7601.17514_none_fafb502abef1be40\autoconv.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-directx-directplay8_31bf3856ad364e35_6.1.7601.17514_none_d6fc8d83d55eb77c\dpnsvr.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-netcfg_31bf3856ad364e35_6.1.7600.16385_none_6c23cd5f6b2a8dbc\netcfg.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ping-utilities_31bf3856ad364e35_6.1.7600.16385_none_052696aea98bcefc\PATHPING.EXE | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_6.1.7601.17514_none_bd4644e077251730\cmstp.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..nboxgames-solitaire_31bf3856ad364e35_6.1.7600.16385_none_d1124c00155dfd14\Solitaire.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-tasklist_31bf3856ad364e35_6.1.7600.16385_none_843823d87402ab36\tasklist.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_6.1.7600.16385_none_31db018394805d6b\TSTheme.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-icm-ui_31bf3856ad364e35_6.1.7600.16385_none_964da911ba806d45\colorcpl.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..up-drivepreparation_31bf3856ad364e35_6.1.7601.17514_none_ff178cca7f9d03eb\BdeHdCfg.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_6.1.7600.16385_none_1ddd261c4e350476\upnpcont.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\ehome\Mcx2Prov.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_6.1.7601.17514_none_ab379671230b963f\bitsadmin.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ehome-services-ehrecvr_31bf3856ad364e35_6.1.7601.17514_none_1b8f8373383de46a\ehrecvr.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ftp_31bf3856ad364e35_6.1.7601.17514_none_0b11635f6f2987f7\ftp.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_6.1.7600.16385_none_c50af05b1be3aa2b\powershell.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-snmp-evntcmd_31bf3856ad364e35_6.1.7600.16385_none_14f9b9481db6293b\evntcmd.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe
"C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe"
Network
Files
memory/2124-0-0x0000000000400000-0x000000000040D000-memory.dmp
C:\905c0769f9a06c95a24ddf945\patcher.exe$
| Hash | Value |
| --- | --- |
| MD5 | 0b98265acb96312a21cc9f6cd08ed0d0 |
| SHA1 | f834054fdd8a6ccd7a91adcdb6e3b287f9effa30 |
| SHA256 | 1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437 |
| SHA512 | f370b46c27af4ced2e7d74f9a05f09e02fda64ce2127bccfcabccdfb4b0286fad26f3202dd11c268f1733e29dfe3717cf62e78a9d079abe437b4a3071b547482 |
memory/2124-846-0x0000000000400000-0x000000000040D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:02
Reported
2024-11-09 22:04
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe$ | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe$ | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe$ | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe$ | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe$ | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe$ | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe$ | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\servicing\TrustedInstaller.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe$ | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File created | C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe$ | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe
"C:\Users\Admin\AppData\Local\Temp\1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437N.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/1592-0-0x0000000000400000-0x000000000040D000-memory.dmp
C:\905c0769f9a06c95a24ddf945\patcher.exe$
| MD5 | 0b98265acb96312a21cc9f6cd08ed0d0 |
| SHA1 | f834054fdd8a6ccd7a91adcdb6e3b287f9effa30 |
| SHA256 | 1800c6dd4b34e1d537864f2c44f00ae110bdc33b3f35168bbc5596eb19321437 |
| SHA512 | f370b46c27af4ced2e7d74f9a05f09e02fda64ce2127bccfcabccdfb4b0286fad26f3202dd11c268f1733e29dfe3717cf62e78a9d079abe437b4a3071b547482 |
memory/1592-27-0x0000000000400000-0x000000000040D000-memory.dmp