Analysis Overview
SHA256
2c6021bd59a677e30bda13be9bb37021917eb3c40d2b59d5b88156fe8cda20d0
Threat Level: Known bad
The file 2c6021bd59a677e30bda13be9bb37021917eb3c40d2b59d5b88156fe8cda20d0.exe was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Boot or Logon Autostart Execution: Active Setup
Event Triggered Execution: Image File Execution Options Injection
Windows security modification
Executes dropped EXE
Loads dropped DLL
Indicator Removal: Clear Persistence
Modifies WinLogon
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 08:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 08:54
Reported
2024-11-13 08:56
Platform
win7-20241010-en
Max time kernel
120s
Max time network
18s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45} | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45}\IsInstalled = "1" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42435852-4a46-4b45-4243-58524A464b45}\StubPath = "C:\\Windows\\system32\\acberab.exe" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ouctisuc.exe" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c6021bd59a677e30bda13be9bb37021917eb3c40d2b59d5b88156fe8cda20d0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c6021bd59a677e30bda13be9bb37021917eb3c40d2b59d5b88156fe8cda20d0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\atvofeak.dll" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\ouctisuc.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\acberab.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File created | C:\Windows\SysWOW64\acberab.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File created | C:\Windows\SysWOW64\atvofeak.dll | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmoopeg.exe | C:\Users\Admin\AppData\Local\Temp\2c6021bd59a677e30bda13be9bb37021917eb3c40d2b59d5b88156fe8cda20d0.exe | N/A |
| File created | C:\Windows\SysWOW64\tmoopeg.exe | C:\Users\Admin\AppData\Local\Temp\2c6021bd59a677e30bda13be9bb37021917eb3c40d2b59d5b88156fe8cda20d0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ouctisuc.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\atvofeak.dll | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmoopeg.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c6021bd59a677e30bda13be9bb37021917eb3c40d2b59d5b88156fe8cda20d0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2c6021bd59a677e30bda13be9bb37021917eb3c40d2b59d5b88156fe8cda20d0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\2c6021bd59a677e30bda13be9bb37021917eb3c40d2b59d5b88156fe8cda20d0.exe
"C:\Users\Admin\AppData\Local\Temp\2c6021bd59a677e30bda13be9bb37021917eb3c40d2b59d5b88156fe8cda20d0.exe"
C:\Windows\SysWOW64\tmoopeg.exe
"C:\Windows\system32\tmoopeg.exe"
C:\Windows\SysWOW64\tmoopeg.exe
--k33p
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | amokecyc.tk | udp |
| US | 8.8.8.8:53 | amokecyc.tk | udp |
Files
\Windows\SysWOW64\tmoopeg.exe
| MD5 | 23aff24137265f0833ba18f1d369548a |
| SHA1 | c61daa240c4da4577eb923059b26d6f109fe55a0 |
| SHA256 | 2c6021bd59a677e30bda13be9bb37021917eb3c40d2b59d5b88156fe8cda20d0 |
| SHA512 | 03760bdac7e033d411b52b3a15423adc02f699367af30219f876e9478f2bf3bdf5cbda3f9ee691adcb8963604c024e7a1807d580d5cbb3d39d436b69806c1595 |
memory/2172-9-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Windows\SysWOW64\atvofeak.dll
| MD5 | f37b21c00fd81bd93c89ce741a88f183 |
| SHA1 | b2796500597c68e2f5638e1101b46eaf32676c1c |
| SHA256 | 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0 |
| SHA512 | 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4 |
C:\Windows\SysWOW64\ouctisuc.exe
| MD5 | fa3e46fc3242bbfcca9fee22e3779001 |
| SHA1 | 0965ec7861e6b17949c150f7df370f4f0a274809 |
| SHA256 | cbaa90c7ab6ae8fc941086488aad56c6975d51aad44723270516b1f8667854cc |
| SHA512 | 9a45c4211520ea8a9554f9a8b71c616e69519bef980d866b8717bc86d6a8048cddd02b47480cff10f14cc961552de8ab2090b341fddaaa19e6c7b60bed44f108 |
C:\Windows\SysWOW64\acberab.exe
| MD5 | 1ef57dc4f2340bb3c7c2d9412255f41c |
| SHA1 | 5a7a0aa6bd85dd3322af039bfc82dbda4d2ef2e9 |
| SHA256 | 6a2b4834fb675fb64881e6f1de0c34441eaf4febb555efa7665063ea46546784 |
| SHA512 | 95cd53d510884ec14ec7ed1c2dc6b8969d849f3fb5d0b9dc0eaddf09f50910071c9e7b961013a3ee9ce022bbe8d5bbad87d7318773b796df8fddcc823f6dee94 |
memory/2236-52-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2980-53-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 08:54
Reported
2024-11-13 08:56
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
93s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B424B57-4745-424b-4B42-4B574745424b} | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B424B57-4745-424b-4B42-4B574745424b}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B424B57-4745-424b-4B42-4B574745424b}\IsInstalled = "1" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B424B57-4745-424b-4B42-4B574745424b}\StubPath = "C:\\Windows\\system32\\acberab.exe" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ouctisuc.exe" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\atvofeak.dll" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\tmoopeg.exe | C:\Users\Admin\AppData\Local\Temp\2c6021bd59a677e30bda13be9bb37021917eb3c40d2b59d5b88156fe8cda20d0.exe | N/A |
| File created | C:\Windows\SysWOW64\atvofeak.dll | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\acberab.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File created | C:\Windows\SysWOW64\acberab.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\atvofeak.dll | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmoopeg.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmoopeg.exe | C:\Users\Admin\AppData\Local\Temp\2c6021bd59a677e30bda13be9bb37021917eb3c40d2b59d5b88156fe8cda20d0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ouctisuc.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| File created | C:\Windows\SysWOW64\ouctisuc.exe | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c6021bd59a677e30bda13be9bb37021917eb3c40d2b59d5b88156fe8cda20d0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2c6021bd59a677e30bda13be9bb37021917eb3c40d2b59d5b88156fe8cda20d0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tmoopeg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\2c6021bd59a677e30bda13be9bb37021917eb3c40d2b59d5b88156fe8cda20d0.exe
"C:\Users\Admin\AppData\Local\Temp\2c6021bd59a677e30bda13be9bb37021917eb3c40d2b59d5b88156fe8cda20d0.exe"
C:\Windows\SysWOW64\tmoopeg.exe
"C:\Windows\system32\tmoopeg.exe"
C:\Windows\SysWOW64\tmoopeg.exe
--k33p
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | kmwuwoerttsmaz.kr | udp |
| US | 8.8.8.8:53 | kmwuwoerttsmaz.kr | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\tmoopeg.exe
| MD5 | 23aff24137265f0833ba18f1d369548a |
| SHA1 | c61daa240c4da4577eb923059b26d6f109fe55a0 |
| SHA256 | 2c6021bd59a677e30bda13be9bb37021917eb3c40d2b59d5b88156fe8cda20d0 |
| SHA512 | 03760bdac7e033d411b52b3a15423adc02f699367af30219f876e9478f2bf3bdf5cbda3f9ee691adcb8963604c024e7a1807d580d5cbb3d39d436b69806c1595 |
memory/780-5-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Windows\SysWOW64\ouctisuc.exe
| MD5 | 678fa512a3db5b61842b832ce7549698 |
| SHA1 | 570787db530da492a0775e62ffd7956aaa570027 |
| SHA256 | 4a21b42a4333b49b03fd8a8516fe5de83c447dcd29299e4624ce84a5c8508064 |
| SHA512 | 083f47ca27504638563d8db7b0393025f8645468d9ed9458aa7e1d98a59d90a4bdaf5633374a1621931acd7ec3563b3a35cac5d48bfe875830f3dc30babca3bd |
C:\Windows\SysWOW64\atvofeak.dll
| MD5 | f37b21c00fd81bd93c89ce741a88f183 |
| SHA1 | b2796500597c68e2f5638e1101b46eaf32676c1c |
| SHA256 | 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0 |
| SHA512 | 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4 |
C:\Windows\SysWOW64\acberab.exe
| MD5 | b20cb5ad4587b8804c2c9e87774ecbb3 |
| SHA1 | 028f9c434f13ff6e3021dfc7ed006d5581e69ef5 |
| SHA256 | c768c6aca3dcd80532aeeb0a2337bc5d37852261f5da75f37b4263ad4266c54f |
| SHA512 | 049296ae6c2ca5c532b48d93d183c0d1f98aeb2790a25be881ee46a9a518a27ec22b60016d0a27911cd6c4cd9c80a3e6944893f7fc5923e001114051f3f50789 |
memory/4720-46-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4152-47-0x0000000000400000-0x0000000000414000-memory.dmp