Malware Analysis Report

2024-10-23 21:32

Sample ID 220521-negf2sgffn
Target a856e5350e746c93706bb1ab5ea9ecf205fa1ac10c4363a248cd8b9ef456e66c
SHA256 a856e5350e746c93706bb1ab5ea9ecf205fa1ac10c4363a248cd8b9ef456e66c
Tags
masslogger collection evasion ransomware spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

a856e5350e746c93706bb1ab5ea9ecf205fa1ac10c4363a248cd8b9ef456e66c

Threat Level: Known bad

The file a856e5350e746c93706bb1ab5ea9ecf205fa1ac10c4363a248cd8b9ef456e66c was found to be: Known bad.

Malicious Activity Summary

masslogger collection evasion ransomware spyware stealer

Modifies visibility of file extensions in Explorer

MassLogger log file

MassLogger

MassLogger Main Payload

Reads user/profile data of web browsers

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_win_path

Analysis: static1

Detonation Overview

Reported

2022-05-21 11:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 11:18

Reported

2022-05-21 11:38

Platform

win7-20220414-en

Max time kernel

80s

Max time network

84s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

MassLogger log file

Modifies visibility of file extensions in Explorer

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1488 set thread context of 1812 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1488 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Windows\SysWOW64\schtasks.exe
PID 1488 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Windows\SysWOW64\schtasks.exe
PID 1488 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Windows\SysWOW64\schtasks.exe
PID 1488 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Windows\SysWOW64\schtasks.exe
PID 1488 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe
PID 1488 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe
PID 1488 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe
PID 1488 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe
PID 1488 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe
PID 1488 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe
PID 1488 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe
PID 1488 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe
PID 1488 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe

"C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lgzxpd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpADEC.tmp"

C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 3.220.57.224:80 api.ipify.org tcp
US 8.8.8.8:53 mail.samlogistics.pk udp
CA 167.114.30.174:587 mail.samlogistics.pk tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpADEC.tmp

MD5 e99475e8f5672579410a8fbf6cf2c29f
SHA1 79d033c47a0e1499944108f3fdf0ddfecb027e99
SHA256 482ba606c5fdc50532630a6f0448ae171ac4837d10a7728552daa32dcf166aac
SHA512 9aeae3f333083f5a28f3cc5bfc6f322250067497926ac736a78b5d31f1768cc4f7a23860ce92feaaadc30242ff9359f359ab16a38be4c6cc9d54d13d6fd87a2c

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 11:18

Reported

2022-05-21 11:38

Platform

win10v2004-20220414-en

Max time kernel

106s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2380 set thread context of 1068 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Windows\SysWOW64\schtasks.exe
PID 2380 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Windows\SysWOW64\schtasks.exe
PID 2380 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Windows\SysWOW64\schtasks.exe
PID 2380 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe
PID 2380 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe
PID 2380 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe
PID 2380 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe
PID 2380 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe
PID 2380 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe
PID 2380 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe
PID 2380 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe
PID 1068 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe

"C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lgzxpd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB882.tmp"

C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe

"{path}"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order inquiry skmt042.exe'

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 20.42.72.131:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpB882.tmp

MD5 04498c80c01890f24b0cbd89c54cad62
SHA1 3335ac6b88441e0c095e61f655c8cf06fb0347d2
SHA256 b29d81b395c5afdecf3c3cfdf30a921fce865880b3fc549900f52b24fdf3357e
SHA512 c3fa7262d7a3b93b8395dcbb869f3cd7589cfaac90ff621823f47bc4dbd7f9a0f5b6e6b36bcbc53bb4ea00d6dd9aed5e34a357540118ce36f3ad368570c53e5b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order inquiry skmt042.exe.log

MD5 ad1c7f6525cfeb54c0487efd38b0e26c
SHA1 ed3da94723ac7e3828a9e93d68418bb810592f3b
SHA256 0a534a3d0fa82e6a427164c5f6e702cac7e4afc9967af9bc5ddba4f84ab33276
SHA512 48d625e6be5391d91d95c2850226fe39bb2411cb72139797699cfe126e6b066182e83950a8ea67e63b64a66b0d45f58d8bc97cab0363d55c2fd88c0d1d28009c
