Analysis Overview
SHA256
04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800
Threat Level: Shows suspicious behavior
The file 04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 10:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 10:26
Reported
2024-11-09 10:28
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrayOnly.lnk | C:\Windows\system32\cscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\pifloader32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\pifloader32.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\pifloader32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe | "C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe" |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\879.tmp\87A.bat C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe" |
| C:\Windows\system32\cmd.exe | cmd /c /MIN C:\Users\Admin\AppData\Local\Temp\tmp.cmd |
| C:\ProgramData\pifloader32.exe | C:\ProgramData\pifloader32.exe |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\906.tmp\907.bat C:\ProgramData\pifloader32.exe" |
| C:\Windows\system32\cscript.exe | cscript /b /nologo "C:\Users\Admin\AppData\Local\Temp\log25.vbs" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c WMIC Path Win32_LocalTime Get Day,Hour,Minute,Month,Second,Year /Format:table |
| C:\Windows\System32\Wbem\WMIC.exe | WMIC Path Win32_LocalTime Get Day,Hour,Minute,Month,Second,Year /Format:table |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
Files
C:\Users\Admin\AppData\Local\Temp\879.tmp\87A.bat
| Hash | Value |
|---|---|
| MD5 | 0ea5fa94a89146f88854b46e18284141 |
| SHA1 | db3a53ad07943f4ec37f38eada72bb2195eca619 |
| SHA256 | 3d8f4ced477de197df507677c349bf9d1dd1cfdb91327f58bd66e8a28f2e74cd |
| SHA512 | 6495561c529fa880b7e5327b469565dae60dc2850585c021ba93eafa4b37657b19ea9105cd6c48ed9cce7dc790f636498e2e02407b66d4d088080c9c935c0675 |
C:\ProgramData\pifloader32.exe
| Hash | Value |
|---|---|
| MD5 | 21d8fd98ffce4604c9f6ed5a50250ace |
| SHA1 | 0365d85d56699cc96fe2f3ca619082119130f5ab |
| SHA256 | 50687f86ec7378ee5f6952e548251cfd22d803276cd70d91ab70fbe363c4cff5 |
| SHA512 | 66df58cced3341bdb12a946976287663595b2d458ae57e4060adc88eee5e563196bbb9ead2ff0d1bf13f8b9ad8b460660d88ef01ebc02135efd808e0310f856c |
C:\Users\Admin\AppData\Local\Temp\log25.vbs
| Hash | Value |
|---|---|
| MD5 | dca5253415cc37e4404cbea4eadc77c7 |
| SHA1 | be82b2554fa49fabd3e427d0fce82b2c490456b5 |
| SHA256 | 6271ad49562396c26eca6b4826b13f93b4d84ee4b54c83db3d157d8b68312692 |
| SHA512 | 75de408bd218f2e5a639d86104cde7219f54b97af1d1d6f416fef58f58254a6df83c022153bfe50d7e00c5fde3622b48c6e48ebe1a7c3142929bd59518aa5a68 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 10:26
Reported
2024-11-09 10:28
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
96s
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\ProgramData\pifloader32.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrayOnly.lnk | C:\Windows\system32\cscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\pifloader32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\pifloader32.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe | "C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe" |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\83C6.tmp\83C7.bat C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe" |
| C:\Windows\system32\cmd.exe | cmd /c /MIN C:\Users\Admin\AppData\Local\Temp\tmp.cmd |
| C:\ProgramData\pifloader32.exe | C:\ProgramData\pifloader32.exe |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\857C.tmp\857D.bat C:\ProgramData\pifloader32.exe" |
| C:\Windows\system32\cscript.exe | cscript /b /nologo "C:\Users\Admin\AppData\Local\Temp\log28.vbs" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c WMIC Path Win32_LocalTime Get Day,Hour,Minute,Month,Second,Year /Format:table |
| C:\Windows\System32\Wbem\WMIC.exe | WMIC Path Win32_LocalTime Get Day,Hour,Minute,Month,Second,Year /Format:table |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
| C:\Windows\system32\timeout.exe | timeout /T 7 /nobreak |
Network
Files
C:\Users\Admin\AppData\Local\Temp\83C6.tmp\83C7.bat
| Hash | Value |
|---|---|
| MD5 | 0ea5fa94a89146f88854b46e18284141 |
| SHA1 | db3a53ad07943f4ec37f38eada72bb2195eca619 |
| SHA256 | 3d8f4ced477de197df507677c349bf9d1dd1cfdb91327f58bd66e8a28f2e74cd |
| SHA512 | 6495561c529fa880b7e5327b469565dae60dc2850585c021ba93eafa4b37657b19ea9105cd6c48ed9cce7dc790f636498e2e02407b66d4d088080c9c935c0675 |
C:\ProgramData\pifloader32.exe
| Hash | Value |
|---|---|
| MD5 | 5ed3eb46b8099e71f24492462272671c |
| SHA1 | 7fa040f4dd3cdab6ec47d2db50f5c26c06becb98 |
| SHA256 | b9b66f98c1f164a461ad6f2c2087eb98cee4f556a805195871a69064435a757f |
| SHA512 | 9715465b0f950c4a83d4862428410f657bdac692aa253c5f40c1fb25aaa881dc851e6326f18fa82a5ad4d2db06c0e761a774d97e541d328bc7ab000166b9d3a6 |
C:\Users\Admin\AppData\Local\Temp\log28.vbs
| Hash | Value |
|---|---|
| MD5 | dca5253415cc37e4404cbea4eadc77c7 |
| SHA1 | be82b2554fa49fabd3e427d0fce82b2c490456b5 |
| SHA256 | 6271ad49562396c26eca6b4826b13f93b4d84ee4b54c83db3d157d8b68312692 |
| SHA512 | 75de408bd218f2e5a639d86104cde7219f54b97af1d1d6f416fef58f58254a6df83c022153bfe50d7e00c5fde3622b48c6e48ebe1a7c3142929bd59518aa5a68 |