Malware Analysis Report

2024-11-30 23:34

Sample ID 240430-c5zjrsac22
Target 08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118
SHA256 af8cb812180974a437226dc550eac673f0687626255289db2017c7f4f47177e7
Tags
lokibot collection spyware stealer trojan
Score
10/10

Analysis Overview

Score
10/10

SHA256

af8cb812180974a437226dc550eac673f0687626255289db2017c7f4f47177e7

Threat Level: Known bad

The file 08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

lokibot collection spyware stealer trojan

Lokibot

Uses the VBS compiler for execution

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious use of WriteProcessMemory

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-30 02:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-30 02:40

Reported

2024-04-30 02:42

Platform

win7-20240221-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe"

Signatures

Lokibot

trojan spyware stealer lokibot

Uses the VBS compiler for execution

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2492 set thread context of 2608 N/A C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2500 wrote to memory of 2556 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2492 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ysqo11v4\ysqo11v4.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EA2.tmp" "c:\Users\Admin\AppData\Local\Temp\ysqo11v4\CSC4C1B85FD9CC84362894F2AAB524E9976.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipqbook.com udp

Files

memory/2492-0-0x00000000012B0000-0x0000000001326000-memory.dmp

memory/2492-1-0x0000000074860000-0x0000000074F4E000-memory.dmp

memory/2492-2-0x00000000047B0000-0x00000000047F0000-memory.dmp

memory/2492-3-0x0000000000320000-0x0000000000328000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\ysqo11v4\ysqo11v4.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\ysqo11v4\ysqo11v4.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\ysqo11v4\CSC4C1B85FD9CC84362894F2AAB524E9976.TMP

C:\Users\Admin\AppData\Local\Temp\RES7EA2.tmp

C:\Users\Admin\AppData\Local\Temp\ysqo11v4\ysqo11v4.dll

memory/2492-18-0x00000000003A0000-0x00000000003A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ysqo11v4\ysqo11v4.pdb

memory/2492-20-0x0000000000A60000-0x0000000000A8A000-memory.dmp

memory/2492-21-0x00000000003B0000-0x00000000003BC000-memory.dmp

memory/2492-22-0x0000000000870000-0x0000000000912000-memory.dmp

memory/2608-23-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2608-35-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2608-33-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2608-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2608-29-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2608-27-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2608-25-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2608-24-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2492-36-0x0000000074860000-0x0000000074F4E000-memory.dmp

memory/2608-40-0x0000000000400000-0x00000000004A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\0f5007522459c86e95ffcc62f32308f1_4456596e-0528-4680-8940-5edc26c0ff50

memory/2608-61-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2608-82-0x0000000000400000-0x00000000004A2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-30 02:40

Reported

2024-04-30 02:42

Platform

win10v2004-20240426-en

Max time kernel

142s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe"

Signatures

Lokibot

trojan spyware stealer lokibot

Uses the VBS compiler for execution

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3404 set thread context of 3888 N/A C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3404 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3748 wrote to memory of 1796 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3404 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\08d78a1ab6259c47bb8a4b741f46513e_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\22plhnb3\22plhnb3.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A9E.tmp" "c:\Users\Admin\AppData\Local\Temp\22plhnb3\CSC129A497F0E4E6C925B85517C4587D5.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 ipqbook.com udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 ipqbook.com udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 ipqbook.com udp

Files

memory/3404-0-0x0000000000990000-0x0000000000A06000-memory.dmp

memory/3404-1-0x0000000005330000-0x00000000053C2000-memory.dmp

memory/3404-2-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/3404-3-0x0000000005560000-0x0000000005570000-memory.dmp

memory/3404-4-0x0000000002DC0000-0x0000000002DC8000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\22plhnb3\22plhnb3.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\22plhnb3\22plhnb3.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\22plhnb3\CSC129A497F0E4E6C925B85517C4587D5.TMP

C:\Users\Admin\AppData\Local\Temp\RES7A9E.tmp

C:\Users\Admin\AppData\Local\Temp\22plhnb3\22plhnb3.pdb

memory/3404-19-0x0000000002DF0000-0x0000000002DF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\22plhnb3\22plhnb3.dll

memory/3404-21-0x0000000005300000-0x000000000532A000-memory.dmp

memory/3404-22-0x0000000002E20000-0x0000000002E2C000-memory.dmp

memory/3404-23-0x00000000053D0000-0x0000000005472000-memory.dmp

memory/3404-24-0x00000000059B0000-0x0000000005A4C000-memory.dmp

memory/3888-25-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/3888-28-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/3404-29-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/3888-30-0x0000000000400000-0x00000000004A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3906287020-2915474608-1755617787-1000\0f5007522459c86e95ffcc62f32308f1_215f2dba-ef84-4dd1-b127-5f514a0c233b

memory/3888-74-0x0000000000400000-0x00000000004A2000-memory.dmp