Analysis Overview
SHA256
2f7e03402ede5005d182387ad20bde41f5eed1056df955435a2da64dab128a1b
Threat Level: Known bad
The file e5f6704df110055a0c7111271796451f357255738792a14f9a96f415e96cb6f0N.exe was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Event Triggered Execution: Image File Execution Options Injection
Boot or Logon Autostart Execution: Active Setup
Windows security modification
Loads dropped DLL
Executes dropped EXE
Indicator Removal: Clear Persistence
Modifies WinLogon
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 06:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 06:42
Reported
2024-11-13 06:44
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{564F5248-5042-4142-564F-524850424142}\StubPath = "C:\\Windows\\system32\\asletir.exe" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{564F5248-5042-4142-564F-524850424142} | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{564F5248-5042-4142-564F-524850424142}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{564F5248-5042-4142-564F-524850424142}\IsInstalled = "1" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ckoxoav-hum.exe" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e5f6704df110055a0c7111271796451f357255738792a14f9a96f415e96cb6f0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e5f6704df110055a0c7111271796451f357255738792a14f9a96f415e96cb6f0N.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\oknuhic.dll" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\oknuhic.dll | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ilfoodef.exe | C:\Users\Admin\AppData\Local\Temp\e5f6704df110055a0c7111271796451f357255738792a14f9a96f415e96cb6f0N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ckoxoav-hum.exe | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\asletir.exe | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| File created | C:\Windows\SysWOW64\oknuhic.dll | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ilfoodef.exe | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| File created | C:\Windows\SysWOW64\ilfoodef.exe | C:\Users\Admin\AppData\Local\Temp\e5f6704df110055a0c7111271796451f357255738792a14f9a96f415e96cb6f0N.exe | N/A |
| File created | C:\Windows\SysWOW64\ckoxoav-hum.exe | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| File created | C:\Windows\SysWOW64\asletir.exe | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e5f6704df110055a0c7111271796451f357255738792a14f9a96f415e96cb6f0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5f6704df110055a0c7111271796451f357255738792a14f9a96f415e96cb6f0N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\e5f6704df110055a0c7111271796451f357255738792a14f9a96f415e96cb6f0N.exe | "C:\Users\Admin\AppData\Local\Temp\e5f6704df110055a0c7111271796451f357255738792a14f9a96f415e96cb6f0N.exe" |
| C:\Windows\SysWOW64\ilfoodef.exe | "C:\Windows\system32\ilfoodef.exe" |
| C:\Windows\SysWOW64\ilfoodef.exe | --k33p |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | coucztmjcucuh.tk | udp |
Files
C:\Windows\SysWOW64\ilfoodef.exe
| MD5 | bf7b28919b74dc6aa82bb8167dcec3f1 |
| SHA1 | aa1398a124c3b66ec896f59af7c3a363ea282c85 |
| SHA256 | 2f7e03402ede5005d182387ad20bde41f5eed1056df955435a2da64dab128a1b |
| SHA512 | 9ed1eb113d5489640f4128ffe6a86c3fab9fcebcefe91f8afa81b70fa7cf0ef2f7adef806a9f2eec177ef7babfef09d5d75f94b8f1d033a151ca72644aaa9eea |
memory/2264-9-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Windows\SysWOW64\ckoxoav-hum.exe
| MD5 | 49b8cec0c57fc7e64d7af798294fd646 |
| SHA1 | cc57c0fc09565c0e77458912a2a313d3e1c93af7 |
| SHA256 | d10ecc828ed7dd2ecf0f880c49f79d7a5133e4a1588e5f812d669c829f8a45a3 |
| SHA512 | 870e8bda5317336129ce7f77e9eecdb44c867aaf71ef7b8e7d8345e259b1235355494e67fe332f0e6cb303c7ff67ffc3a274bbef1981cd9a595943f678bd652c |
C:\Windows\SysWOW64\asletir.exe
| MD5 | 87b10881743136a2f527ff1e2eb0d8c7 |
| SHA1 | 1224dbfb382b57cc029e48d1de51f1dbed4ca245 |
| SHA256 | 5ccc71ab6eab567ef4793bc1a38ef6d95b748ed2191641d42ab06da50431fe91 |
| SHA512 | 73b5af6d7df9114793815546bfe70c181f465d5114f3b456ffda735f25634c81b720fbc2dfbccf721a317b5f3d9c20c185de523e9d97c12f944e809a37ebe5b9 |
C:\Windows\SysWOW64\oknuhic.dll
| MD5 | f37b21c00fd81bd93c89ce741a88f183 |
| SHA1 | b2796500597c68e2f5638e1101b46eaf32676c1c |
| SHA256 | 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0 |
| SHA512 | 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4 |
memory/2696-52-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2976-53-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 06:42
Reported
2024-11-13 06:44
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F5A4D43-5653-5153-4F5A-4D4356535153} | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F5A4D43-5653-5153-4F5A-4D4356535153}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F5A4D43-5653-5153-4F5A-4D4356535153}\IsInstalled = "1" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F5A4D43-5653-5153-4F5A-4D4356535153}\StubPath = "C:\\Windows\\system32\\asletir.exe" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ckoxoav-hum.exe" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\oknuhic.dll" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ilfoodef.exe | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ilfoodef.exe | C:\Users\Admin\AppData\Local\Temp\e5f6704df110055a0c7111271796451f357255738792a14f9a96f415e96cb6f0N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\asletir.exe | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| File created | C:\Windows\SysWOW64\asletir.exe | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oknuhic.dll | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| File created | C:\Windows\SysWOW64\oknuhic.dll | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| File created | C:\Windows\SysWOW64\ilfoodef.exe | C:\Users\Admin\AppData\Local\Temp\e5f6704df110055a0c7111271796451f357255738792a14f9a96f415e96cb6f0N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ckoxoav-hum.exe | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| File created | C:\Windows\SysWOW64\ckoxoav-hum.exe | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e5f6704df110055a0c7111271796451f357255738792a14f9a96f415e96cb6f0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5f6704df110055a0c7111271796451f357255738792a14f9a96f415e96cb6f0N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\ilfoodef.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\e5f6704df110055a0c7111271796451f357255738792a14f9a96f415e96cb6f0N.exe | "C:\Users\Admin\AppData\Local\Temp\e5f6704df110055a0c7111271796451f357255738792a14f9a96f415e96cb6f0N.exe" |
| C:\Windows\SysWOW64\ilfoodef.exe | "C:\Windows\system32\ilfoodef.exe" |
| C:\Windows\SysWOW64\ilfoodef.exe | --k33p |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wfgkcqttyzys.rw | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\ilfoodef.exe
| MD5 | bf7b28919b74dc6aa82bb8167dcec3f1 |
| SHA1 | aa1398a124c3b66ec896f59af7c3a363ea282c85 |
| SHA256 | 2f7e03402ede5005d182387ad20bde41f5eed1056df955435a2da64dab128a1b |
| SHA512 | 9ed1eb113d5489640f4128ffe6a86c3fab9fcebcefe91f8afa81b70fa7cf0ef2f7adef806a9f2eec177ef7babfef09d5d75f94b8f1d033a151ca72644aaa9eea |
memory/3344-5-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Windows\SysWOW64\ckoxoav-hum.exe
| MD5 | 625f9f2fc1627151a876b38d218f0e90 |
| SHA1 | e1d33a07b40931c63f3a5ff829f21e0d805e0788 |
| SHA256 | 632904507cfb68ea7d78b8192d7bd41459411fcb8ec02bb3a38b393db1140370 |
| SHA512 | 1a4a0521e532225dc43953fbfa0921b13d6b11d94593efb5dd8f52c0953059544f9a6e7bcb419ab9c7638ee18873aa85bc805bb2730ff07f12433898af524d8b |
C:\Windows\SysWOW64\oknuhic.dll
| MD5 | f37b21c00fd81bd93c89ce741a88f183 |
| SHA1 | b2796500597c68e2f5638e1101b46eaf32676c1c |
| SHA256 | 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0 |
| SHA512 | 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4 |
C:\Windows\SysWOW64\asletir.exe
| MD5 | 645f22d7a6cefcf378726949ee5e2089 |
| SHA1 | e7791d16d0b1a455279e6db85325af7ef5344928 |
| SHA256 | 12340fc8b3a06ceaa8b3f85332a0cb04e518ed0ec708a43d79757716404241c1 |
| SHA512 | bdbaa6630f048534e6cd0961eff5cfe5447fee96c69a4a0ca430eb447b57366c1b680402f00f44c06101d707ea403f5171368f83762648ce2f576875acc78bf1 |
memory/3368-46-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1640-47-0x0000000000400000-0x0000000000414000-memory.dmp
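Host check for the indicators above

Both detonations (behavioral1 on Windows 7, behavioral2 on Windows 10) record the same four registry changes by ilfoodef.exe: an IFEO Debugger on explorer.exe (deleted again later in the run, hence the "Clear Persistence" signature), an Active Setup StubPath, a Winlogon\Notify package, and four non-zero Security Center override values. The script below is an added example for hunting those on a live host; it is not part of the sandbox report. The file names, registry paths and the two SHA256 values that are identical across both runs (ilfoodef.exe, oknuhic.dll) come from the report; ckoxoav-hum.exe and asletir.exe hash differently in each run, so they are matched by name only. The heuristics are assumptions: an Active Setup stub whose target is unsigned or missing, and any Winlogon\Notify subkey at all (winlogon stopped loading notification packages in Windows Vista, and the report shows the sample creating the Notify key itself). Two caveats are built in: the dropper is 32-bit, so the "C:\Windows\system32\..." paths it writes land in SysWOW64 through file system redirection, and values under both the native and WOW6432Node views are checked. Run from an elevated 64-bit PowerShell.

```powershell
# Added hunt script (not from the sandbox report). IOCs below are taken from the report;
# the signature and "any Notify subkey" heuristics are assumptions, see the lead-in.
$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# Dropped-file names; SHA256 only for the two files that hashed identically in both detonations.
$DroppedNames = 'ilfoodef.exe', 'ckoxoav-hum.exe', 'asletir.exe', 'oknuhic.dll'
$KnownSha256  = @{
    '2f7e03402ede5005d182387ad20bde41f5eed1056df955435a2da64dab128a1b' = 'ilfoodef.exe'
    '76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0' = 'oknuhic.dll'
}

# 1. IFEO Debugger on explorer.exe. The sample deletes the value again during the run
#    ("Indicator Removal: Clear Persistence"), so an empty result here proves little.
foreach ($Base in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options') {
    $Key = Join-Path $Base 'explorer.exe'
    $Dbg = (Get-ItemProperty -Path $Key -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($Dbg) { Add-Finding 'IFEO Debugger' $Key $Dbg }
}

# 2. Active Setup StubPath. A 32-bit dropper writing "system32\x.exe" actually lands in
#    SysWOW64 (file system redirection), so both locations are resolved before checking.
foreach ($Base in 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components') {
    Get-ChildItem -Path $Base -ErrorAction SilentlyContinue | ForEach-Object {
        $Stub = (Get-ItemProperty -Path $_.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
        if (-not $Stub) { return }
        if (-not ($Stub -match '^\s*"?([^"]+?\.(?:exe|dll))')) {
            Add-Finding 'Active Setup (unparsed StubPath)' $_.PSPath $Stub; return
        }
        $Exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
        $Candidates = @($Exe, ($Exe -ireplace '\\system32\\', '\SysWOW64\'))
        $OnDisk = $Candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
        if (-not $OnDisk) { Add-Finding 'Active Setup (missing target)' $_.PSPath $Stub; return }
        $Sig = Get-AuthenticodeSignature -FilePath $OnDisk
        if ($Sig.Status -ne 'Valid') { Add-Finding "Active Setup (signature: $($Sig.Status))" $_.PSPath $OnDisk }
    }
}

# 3. Winlogon\Notify. Not loaded by winlogon on Vista and later, and the sample had to create
#    the Notify key itself in the report, so every subkey is reported.
foreach ($Base in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify') {
    Get-ChildItem -Path $Base -ErrorAction SilentlyContinue | ForEach-Object {
        $Dll = (Get-ItemProperty -Path $_.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
        Add-Finding 'Winlogon Notify' $_.PSPath $(if ($Dll) { $Dll } else { '<no DLLName>' })
    }
}

# 4. Security Center override / notification suppression. The sample writes 25600 (0x6400)
#    to all four; any non-zero value is reported.
$ScNames = 'AntiVirusOverride', 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'
foreach ($Key in 'HKLM:\SOFTWARE\Microsoft\Security Center', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center') {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($N in $ScNames) {
        if ($Props -and $null -ne $Props.$N -and "$($Props.$N)" -ne '0') {
            Add-Finding 'Security Center' "$Key\$N" "$($Props.$N)"
        }
    }
}

# 5. Dropped files by name in System32 and SysWOW64; hash match where the report gives a stable hash.
foreach ($Dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
    foreach ($Name in $DroppedNames) {
        $P = Join-Path $Dir $Name
        if (-not (Test-Path -LiteralPath $P)) { continue }
        $H = (Get-FileHash -LiteralPath $P -Algorithm SHA256).Hash.ToLower()
        $Tag = if ($KnownSha256.ContainsKey($H)) { 'hash matches report' } else { 'name matches report' }
        Add-Finding 'Dropped file' $P "$Tag ($H)"
    }
}

if ($Findings.Count) { $Findings | Format-Table -AutoSize } else { 'No indicators from this report found.' }
```

Treat a single Active Setup or Security Center hit with caution (legitimate software touches both), but a Winlogon\Notify subkey, an IFEO Debugger on explorer.exe, or any of the four file names in SysWOW64 matches this report closely enough to pull the host for full triage. Because the Debugger value is removed mid-run, registry auditing or EDR telemetry for writes to the IFEO explorer.exe key is the reliable detection for that step, not a point-in-time scan.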