Analysis Overview
SHA256
f10f3adda4426ff71c0fbcb9f3ccdd0d46733e3661921d0048435bc9788c93f0
Threat Level: Known bad
The file Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.zip was found to be: Known bad.
Malicious Activity Summary
Lokibot
Guloader,Cloudeye
Loads dropped DLL
Reads user/profile data of web browsers
Checks QEMU agent file
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: AddClipboardFormatListener
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
outlook_office_path
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Modifies registry class
Checks processor information in registry
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-13 14:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-13 14:04
Reported
2023-07-13 14:07
Platform
win10v2004-20230703-en
Max time kernel
138s
Max time network
144s
Command Line
Signatures
Guloader,Cloudeye
Lokibot
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe | N/A |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3048 set thread context of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe | C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\statshemmeligheds.zir | C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe | N/A |
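The signature tables above are raw sandbox events; what a responder wants is the handful of rows that, taken together, separate the sample from the Firefox and Word noise the sandbox itself generates. The following is an added example, not code from the report or its vendor: a small rule set run over events constructed from the tables above (the QEMU agent probe, the Outlook profile keys, the 3048 to 4492 SetThreadContext, the drop into C:\Windows, SeDebugPrivilege). The rule names, severity logic and ATT&CK mappings are the editor's own, and the Firefox/Word PIDs in the sample events are assumed.

```python
"""Rule-based triage of sandbox behaviour events.

Added example, not part of the Triage report.  EVENTS is constructed from the
behavioral1 signature tables; the rules and technique mappings are the editor's
assumptions, not a vendor rule set.
"""
import re

MALWARE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                 r"\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe")
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
WINWORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
SID = "S-1-5-21-618519468-4027732583-1827558364-1000"

# Constructed from the report's tables. PIDs 3048/4492 come from the
# SetThreadContext row; the Firefox and Word PIDs (6001, 6002) are assumed.
EVENTS = [
    {"kind": "file_open", "pid": 3048, "image": MALWARE_IMAGE,
     "indicator": r"C:\Program Files\Qemu-ga\qemu-ga.exe"},
    {"kind": "key_open", "pid": 4492, "image": MALWARE_IMAGE,
     "indicator": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"kind": "key_open", "pid": 4492, "image": MALWARE_IMAGE,
     "indicator": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows NT\CurrentVersion"
                  r"\Windows Messaging Subsystem\Profiles\Outlook"},
    {"kind": "set_thread_context", "pid": 3048, "image": MALWARE_IMAGE,
     "indicator": "", "target_pid": 4492, "target_image": MALWARE_IMAGE},
    {"kind": "file_write", "pid": 3048, "image": MALWARE_IMAGE,
     "indicator": r"C:\Windows\statshemmeligheds.zir"},
    {"kind": "privilege", "pid": 4492, "image": MALWARE_IMAGE,
     "indicator": "SeDebugPrivilege"},
    # Sandbox noise: the report attributes these to Firefox and Word.
    {"kind": "key_query", "pid": 6001, "image": FIREFOX,
     "indicator": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier"},
    {"kind": "privilege", "pid": 6001, "image": FIREFOX, "indicator": "SeDebugPrivilege"},
    {"kind": "key_query", "pid": 6002, "image": WINWORD,
     "indicator": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"},
]


def from_user_writable(image: str) -> bool:
    """True when the image runs from a user-writable location (AppData, Downloads)."""
    return re.search(r"\\Users\\[^\\]+\\(AppData|Downloads)\\", image, re.I) is not None


# (rule name, ATT&CK technique or None, predicate over one event)
RULES = [
    ("anti_vm_qemu_agent_probe", "T1497",
     lambda e: e["kind"] == "file_open"
     and e["indicator"].lower().endswith(r"\qemu-ga\qemu-ga.exe")),
    ("outlook_profile_harvest", "T1555",
     lambda e: e["kind"] == "key_open"
     and re.search(r"\\Profiles\\Outlook$", e["indicator"], re.I) is not None
     and from_user_writable(e["image"])),
    # Same image on both sides of SetThreadContext: a fresh copy of itself
    # hollowed and resumed (the 3048 -> 4492 row above).
    ("self_hollowing_setthreadcontext", "T1055.012",
     lambda e: e["kind"] == "set_thread_context"
     and e["target_pid"] != e["pid"]
     and e["target_image"].lower() == e["image"].lower()),
    ("drop_into_windows_dir", None,
     lambda e: e["kind"] == "file_write"
     and e["indicator"].lower().startswith("c:\\windows\\")
     and from_user_writable(e["image"])),
    ("sedebug_from_user_writable", "T1134",
     lambda e: e["kind"] == "privilege" and e["indicator"] == "SeDebugPrivilege"
     and from_user_writable(e["image"])),
    # Hardware fingerprinting only matters when a Temp-resident binary does it;
    # Firefox and Word read CentralProcessor/BIOS keys legitimately.
    ("hardware_fingerprint_from_user_writable", "T1082",
     lambda e: e["kind"] == "key_query"
     and "\\HARDWARE\\DESCRIPTION\\System\\" in e["indicator"].upper()
     and from_user_writable(e["image"])),
]


def triage(events):
    """Return one finding per (event, matching rule)."""
    findings = []
    for e in events:
        for name, technique, pred in RULES:
            if pred(e):
                findings.append({
                    "rule": name, "technique": technique, "pid": e["pid"],
                    "image": e["image"],
                    "indicator": e["indicator"] or f"target pid {e.get('target_pid')}",
                })
    return findings


def verdict(findings):
    """Anti-analysis + credential-store access + self-injection together is the
    loader-then-stealer shape the report labels Guloader/Lokibot."""
    hit = {f["rule"] for f in findings}
    core = {"anti_vm_qemu_agent_probe", "outlook_profile_harvest",
            "self_hollowing_setthreadcontext"}
    if core <= hit:
        return "malicious"
    return "suspicious" if hit else "clean"


if __name__ == "__main__":
    found = triage(EVENTS)
    for f in found:
        print(f"{f['rule']:<40} pid={f['pid']:<5} {f['indicator']}")
    print("verdict:", verdict(found))
```

The gating on `from_user_writable` is the part worth copying: every one of the CentralProcessor, BIOS and SeDebugPrivilege rows in the tables above belongs to firefox.exe or WINWORD.EXE, so a rule that keys on the registry path alone fires on the sandbox's own browser.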
Processes
C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.0.28109163\2008700094" -parentBuildID 20221007134813 -prefsHandle 1828 -prefMapHandle 1820 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c83df7f-8438-47b8-a5de-edeeec2e5dbd} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 1920 234c4e05458 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.1.1789040711\16726713" -parentBuildID 20221007134813 -prefsHandle 2328 -prefMapHandle 2324 -prefsLen 20896 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60e37648-1a3b-4d7e-a373-1f5b820eacf4} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 2356 234b7272558 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.2.1758971233\639175372" -childID 1 -isForBrowser -prefsHandle 1456 -prefMapHandle 3208 -prefsLen 20934 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d67cfd2-4c95-4f98-8407-a622f43ea26f} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 3300 234c7cb3658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.3.892752573\628329880" -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 3640 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d75c5f1e-9d06-45e1-a311-72ae53cb34e4} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 3652 234b7269f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.4.948893861\1974531752" -childID 3 -isForBrowser -prefsHandle 4612 -prefMapHandle 4608 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64744aaa-dec6-4df6-a3e6-eae281c4ebc0} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 4624 234c9caa458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.7.786229675\410069347" -childID 6 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c676987-1feb-4771-a4f7-de02972fc11c} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 5440 234c9a8a158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.6.264835245\438694947" -childID 5 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f66e19a-a4ab-4ad1-a6e0-9b01cb262ef1} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 5248 234c9a89e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.5.398737586\705088505" -childID 4 -isForBrowser -prefsHandle 5040 -prefMapHandle 5044 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a5216e6-dc46-4a78-86ac-070df94f12b5} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 5092 234c9a89b58 tab
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.149.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| DE | 23.53.42.184:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 184.42.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 54.185.202.81:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.120.5.221:443 | prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.65.55:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | 81.202.185.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| N/A | 127.0.0.1:52481 | | tcp |
| N/A | 127.0.0.1:52487 | | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.240.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.17.178.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| NL | 172.217.168.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 126.20.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | doc-0c-4o-docs.googleusercontent.com | udp |
| NL | 142.251.36.1:443 | doc-0c-4o-docs.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | 1.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 138.68.56.139:80 | 138.68.56.139 | tcp |
| US | 8.8.8.8:53 | 139.56.68.138.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 138.68.56.139:80 | 138.68.56.139 | tcp |
| US | 138.68.56.139:80 | 138.68.56.139 | tcp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
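Most of the Network table is reverse-DNS lookups and Firefox/MSN telemetry; the three destinations that matter are drive.google.com, the googleusercontent.com download host, and the plaintext HTTP connections to a bare IP that follow them. The following is an added example, not code from the report or its vendor: it parses a copied subset of the table rows, discards loopback/multicast, DNS and browser noise, and collapses what is left into the download chain. The noise and hosting-service suffix lists and the category names are the editor's assumptions; the report does not state what role the 138.68.56.139 endpoint plays.

```python
"""Triage of a sandbox Network table: parse markdown rows, drop noise, and
surface the download chain.  Added example, not part of the Triage report.
NETWORK_TABLE is a copied subset of the table above; suffix lists and
categories are the editor's assumptions."""
import ipaddress
import re
from collections import OrderedDict

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| DE | 23.53.42.184:443 | assets.msn.com | tcp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| N/A | 127.0.0.1:52481 | | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| NL | 172.217.168.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | doc-0c-4o-docs.googleusercontent.com | udp |
| NL | 142.251.36.1:443 | doc-0c-4o-docs.googleusercontent.com | tcp |
| US | 138.68.56.139:80 | 138.68.56.139 | tcp |
| US | 8.8.8.8:53 | 139.56.68.138.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 138.68.56.139:80 | 138.68.56.139 | tcp |
| US | 138.68.56.139:80 | 138.68.56.139 | tcp |
"""

# Sandbox image and browser background traffic (assumed allow-list).
NOISE_SUFFIXES = (".mozilla.com", ".mozilla.net", ".mozaws.net", ".mozgcp.net", ".msn.com")
# Services the report's own signature flags as abused for hosting/C2.
HOSTING_SUFFIXES = ("drive.google.com", ".googleusercontent.com")

ROW = re.compile(r"^\|\s*(?P<cc>[^|]*?)\s*\|\s*(?P<dst>[^|]*?)\s*\|"
                 r"\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|$")


def parse_rows(text):
    """Turn markdown table lines into dicts; the header row is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m["cc"] == "Country":
            continue
        ip, _, port = m["dst"].rpartition(":")
        rows.append({"cc": m["cc"], "ip": ip, "port": int(port),
                     "domain": m["domain"], "proto": m["proto"]})
    return rows


def classify(row):
    ip = ipaddress.ip_address(row["ip"])
    d = row["domain"].lower()
    if ip.is_loopback or ip.is_multicast:
        return "local"
    if row["port"] == 53 or d.endswith(".in-addr.arpa"):
        return "dns"
    if d.endswith(NOISE_SUFFIXES):
        return "noise"
    if d.endswith(HOSTING_SUFFIXES):
        return "hosting-service"
    # No hostname at all, or the "domain" is just the IP: nothing resolved it,
    # so the address was hard-coded in the sample or in what it downloaded.
    if not d or d == row["ip"]:
        return "direct-ip"
    return "other"


def summarize(text):
    """Keep non-noise connections, in first-seen order, with repeat counts."""
    seen = OrderedDict()
    for r in parse_rows(text):
        cat = classify(r)
        if cat in ("local", "dns", "noise"):
            continue
        key = (cat, r["domain"] or r["ip"], r["ip"], r["port"], r["proto"])
        seen[key] = seen.get(key, 0) + 1
    return [dict(category=k[0], host=k[1], ip=k[2], port=k[3], proto=k[4], hits=v)
            for k, v in seen.items()]


if __name__ == "__main__":
    for entry in summarize(NETWORK_TABLE):
        print(f"{entry['category']:<16} {entry['host']:<40} "
              f"{entry['ip']}:{entry['port']}/{entry['proto']} x{entry['hits']}")
```

Run against the full table the output is the same three lines: the Google Drive fetch, the googleusercontent.com download host, and three plaintext HTTP connections to 138.68.56.139. Those HTTP bodies are what to pull from the pcap next; the report's "Lokibot" and "abused hosting" signatures describe the pattern, not the content.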
Files
C:\Users\Admin\AppData\Local\Temp\nsy9C32.tmp\System.dll
| MD5 | 75ed96254fbf894e42058062b4b4f0d1 |
| SHA1 | 996503f1383b49021eb3427bc28d13b5bbd11977 |
| SHA256 | a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7 |
| SHA512 | 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\05ypapi5.default-release\activity-stream.discovery_stream.json
| MD5 | 1b5d1653a82dcffee311175dcc164fbc |
| SHA1 | 1d8ed433bfe1994e3b3ee790768eeddd4319a12c |
| SHA256 | 9d249a475b876914ce5b3364a9566eb8e80d3bd7ca6386fc1ec4a59a546a4587 |
| SHA512 | 0624c4617490c1f7b312adf3553e7262c08889e27cddc91d9df614faac546e3024009bcc4f4cee51e01f680d5206e6c064f4e556d0d9ab9f61c62cc56badf80b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs.js
| MD5 | cfdd55299f3df8fb7c08ab906991ce98 |
| SHA1 | e88241d2aa2a5bdf9b2ea74e9dd53f1938534f1a |
| SHA256 | bdaf786c4a95be17fb4a90d8256125b417fe9f6e5497fd00c5004e44cabaace9 |
| SHA512 | 07517ded2840efaf1234f8bf0ce0e8ae021d749388362655d687cfd708446fa3a80ec019b93db22e5b224f0a3f1fa198351470d4d572c7286635122e7418e540 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs-1.js
| MD5 | 5fb4a5b9ed048676168272676f46f6a5 |
| SHA1 | 181ca1a3cd79bdc78ce82f642d6fc2212479dd26 |
| SHA256 | 66ca187123b1a4c969d1b7cbb2549c2cd0332b82e175a7e5a80228572e321319 |
| SHA512 | be54d646d0969d997ef33284177ad97bc3d3824c386d526eea71542030c99ad55e667319f30ee2b104c219168d87b8808ce6b4fe96fd662bf5366aef6e122ad4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore.jsonlz4
| MD5 | cc104f8c30653a539798ec66ed6d54ba |
| SHA1 | 343727512737c905016ff967a0715d8adba28336 |
| SHA256 | f65e21d967ccda300d34365e982e6b79c0567712fc667236ad50e3f60f8d93f6 |
| SHA512 | 7dc14d6d645e8825b114470646a81ec8a6bfd2d7340e73cb84c90c9fa188732630b299e7cd6a34f16905d896c11dfcaa37f654d21e63372fd560d2693fe9ed85 |
memory/3832-299-0x00007FF8407D0000-0x00007FF8407E0000-memory.dmp
memory/3832-301-0x00007FF8407D0000-0x00007FF8407E0000-memory.dmp
memory/3832-302-0x00007FF880750000-0x00007FF880945000-memory.dmp
memory/3832-304-0x00007FF880750000-0x00007FF880945000-memory.dmp
memory/3832-306-0x00007FF880750000-0x00007FF880945000-memory.dmp
memory/3832-307-0x00007FF880750000-0x00007FF880945000-memory.dmp
memory/3832-308-0x00007FF8407D0000-0x00007FF8407E0000-memory.dmp
memory/3832-309-0x00007FF880750000-0x00007FF880945000-memory.dmp
memory/3832-305-0x00007FF8407D0000-0x00007FF8407E0000-memory.dmp
memory/3832-303-0x00007FF8407D0000-0x00007FF8407E0000-memory.dmp
memory/3832-300-0x00007FF880750000-0x00007FF880945000-memory.dmp
memory/3832-310-0x00007FF880750000-0x00007FF880945000-memory.dmp
memory/3832-311-0x00007FF880750000-0x00007FF880945000-memory.dmp
memory/3832-312-0x00007FF880750000-0x00007FF880945000-memory.dmp
memory/3832-313-0x00007FF880750000-0x00007FF880945000-memory.dmp
memory/3832-314-0x00007FF880750000-0x00007FF880945000-memory.dmp
memory/3832-315-0x00007FF880750000-0x00007FF880945000-memory.dmp
memory/3832-316-0x00007FF83E1F0000-0x00007FF83E200000-memory.dmp
memory/3832-317-0x00007FF880750000-0x00007FF880945000-memory.dmp
memory/3832-318-0x00007FF880750000-0x00007FF880945000-memory.dmp
memory/3832-319-0x00007FF880750000-0x00007FF880945000-memory.dmp
memory/3832-320-0x00007FF83E1F0000-0x00007FF83E200000-memory.dmp
memory/3832-321-0x00007FF880750000-0x00007FF880945000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | 4566d1d70073cd75fe35acb78ff9d082 |
| SHA1 | f602ecc057a3c19aa07671b34b4fdd662aa033cc |
| SHA256 | fe33f57205e2ebb981c4744d5a4ddc231f587a9a0589e6565c52e1051eadb0c0 |
| SHA512 | b9584ebfdd25cc588162dd6525a399c72ac03bf0c61709b96a19feba7217d840ae2c60d7b0d3b43307a2776f497a388e79ef8a646c12ae59a7f5cc4789bbf3c8 |
memory/3832-337-0x00007FF880750000-0x00007FF880945000-memory.dmp
memory/3832-351-0x00007FF880750000-0x00007FF880945000-memory.dmp
memory/3832-355-0x00007FF8407D0000-0x00007FF8407E0000-memory.dmp
memory/3832-356-0x00007FF8407D0000-0x00007FF8407E0000-memory.dmp
memory/3832-358-0x00007FF8407D0000-0x00007FF8407E0000-memory.dmp
memory/3832-357-0x00007FF8407D0000-0x00007FF8407E0000-memory.dmp
memory/3832-359-0x00007FF880750000-0x00007FF880945000-memory.dmp
memory/3048-360-0x0000000077811000-0x0000000077931000-memory.dmp
memory/3048-362-0x0000000074670000-0x0000000074676000-memory.dmp
memory/3048-361-0x0000000077811000-0x0000000077931000-memory.dmp
memory/4492-363-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-364-0x0000000077898000-0x0000000077899000-memory.dmp
memory/4492-377-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-378-0x0000000001660000-0x0000000005E7A000-memory.dmp
memory/4492-379-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-380-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-382-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-383-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-381-0x0000000001660000-0x0000000005E7A000-memory.dmp
memory/4492-384-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-385-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-390-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-398-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-399-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-400-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-404-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-405-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-406-0x0000000000400000-0x0000000001654000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-618519468-4027732583-1827558364-1000\0f5007522459c86e95ffcc62f32308f1_7cdcba7c-ddfa-4ddd-854f-aa7eeb433240
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-618519468-4027732583-1827558364-1000\0f5007522459c86e95ffcc62f32308f1_7cdcba7c-ddfa-4ddd-854f-aa7eeb433240
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
memory/4492-413-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-415-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-416-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-417-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-418-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-419-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-420-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-422-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-423-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-424-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-425-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-427-0x0000000077811000-0x0000000077931000-memory.dmp
memory/4492-428-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-429-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-430-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-431-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-432-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-434-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-435-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-436-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-437-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-438-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-439-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-441-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4492-442-0x0000000000400000-0x0000000001654000-memory.dmp