Analysis Overview
SHA256: 913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8
Threat Level: Known bad
The file 913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8 was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Event Triggered Execution: Image File Execution Options Injection
Boot or Logon Autostart Execution: Active Setup
Loads dropped DLL
Windows security modification
Executes dropped EXE
Modifies WinLogon
Indicator Removal: Clear Persistence
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-14 00:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-14 00:26
Reported: 2024-11-14 00:29
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 122s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D585146-4e58-4c54-4D58-51464E584c54} | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D585146-4e58-4c54-4D58-51464E584c54}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D585146-4e58-4c54-4D58-51464E584c54}\IsInstalled = "1" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D585146-4e58-4c54-4D58-51464E584c54}\StubPath = "C:\\Windows\\system32\\agsootaf.exe" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\afleateat.exe" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ubgookam-icom.dll" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\amfoafoor.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\afleateat.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File created | C:\Windows\SysWOW64\afleateat.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\agsootaf.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File created | C:\Windows\SysWOW64\agsootaf.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ubgookam-icom.dll | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File created | C:\Windows\SysWOW64\ubgookam-icom.dll | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\amfoafoor.exe | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| File created | C:\Windows\SysWOW64\amfoafoor.exe | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Suspicious use of WriteProcessMemory
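Added example (not part of the sandbox report): a Python classifier that takes registry events in the shape the Signatures tables above use (operation, indicator, process), maps the four persistence and defense-evasion patterns seen in this run to their ATT&CK Enterprise technique IDs, and lists the file paths to hunt for. The sample events are transcribed from the behavioral1 tables; the rule set, the Finding type and the function names are this example's own. Two details of the report drive the design. First, the Active Setup, Winlogon Notify and Security Center keys sit under Wow6432Node and the dropped files land in C:\Windows\SysWOW64 even though StubPath, Debugger and DLLName name C:\Windows\system32 (the dropped copy is even launched as "C:\Windows\system32\amfoafoor.exe"): the sample is a 32-bit process under WoW64 registry and file system redirection, so a hunt on a 64-bit host must check both spellings. Second, the IFEO key is one of the registry keys that is shared rather than redirected, which is why that entry alone carries no Wow6432Node component and why the explorer.exe Debugger value, set and deleted again within the same run, would be honoured for any launch of explorer.exe while it existed. Two caveats for triage: Winlogon notification packages were removed in Windows Vista, so on the Windows 7 and 10 platforms used here the Notify\DLLName entry is a fingerprint of the family rather than a working autostart; and the Security Center *DisableNotify/AntiVirusOverride values are the XP-era flags, written here with the undocumented value 25600 (0x6400) into the 32-bit registry view, so they are likewise a fingerprint rather than a demonstrated bypass on these platforms.

```python
"""Map sandbox registry events to ATT&CK techniques and derive hunt paths.

Added example, not part of the sandbox report.  Input rows are constructed
from the behavioral1 Signatures tables of the report; the rules are hand
written here and cover only the patterns that report shows.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique_id: str
    technique: str
    key: str        # key path with the Wow6432Node component removed
    name: str       # value name ("" for key-level events)
    data: str       # value data with the report's "\\" escaping undone
    process: str
    wow64: bool     # True when the key sat under Wow6432Node (32-bit registry view)


IFEO_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)$", re.I)
ACTIVE_SETUP_RE = re.compile(r"\\Active Setup\\Installed Components\\\{[^}]+\}$", re.I)
WINLOGON_NOTIFY_RE = re.compile(r"\\Winlogon\\Notify\\[^\\]+$", re.I)
SECURITY_CENTER_RE = re.compile(r"\\Security Center$", re.I)
SECURITY_CENTER_VALUES = {"antivirusdisablenotify", "firewalldisablenotify",
                          "updatesdisablenotify", "antivirusoverride"}
WOW_RE = re.compile(r"\\Wow6432Node(?=\\)", re.I)
# WoW64 file system redirection: a 32-bit writer naming system32 really wrote to SysWOW64.
SYSTEM32_RE = re.compile(r"^(C:\\Windows)\\system32\\", re.I)


def parse_indicator(operation: str, indicator: str):
    """Split a report indicator into (key, value_name, data).

    "Key created"/"Key opened" rows carry only a key path; "Set value"/"Delete
    value" rows end in the value name, optionally followed by ' = "data"'.
    """
    if operation.lower().startswith("key"):
        return indicator, "", ""
    path, sep, data = indicator.partition(" = ")
    key, _, name = path.rpartition("\\")
    if sep:
        data = data.strip('"').replace("\\\\", "\\")
    return key, name, data


def classify(events):
    """Return one Finding per event that matches a persistence/evasion rule."""
    findings = []
    for operation, indicator, process in events:
        key, name, data = parse_indicator(operation, indicator)
        wow64 = bool(WOW_RE.search(key))
        key = WOW_RE.sub("", key)          # normalise so one rule covers both views
        lname = name.lower()
        hit = None
        if IFEO_RE.search(key) and lname == "debugger":
            if operation.lower().startswith("delete"):
                hit = ("T1070.009", "Indicator Removal: Clear Persistence")
            else:
                hit = ("T1546.012", "Event Triggered Execution: Image File Execution Options Injection")
        elif ACTIVE_SETUP_RE.search(key) and lname == "stubpath":
            hit = ("T1547.014", "Boot or Logon Autostart Execution: Active Setup")
        elif WINLOGON_NOTIFY_RE.search(key) and lname == "dllname":
            hit = ("T1547.004", "Boot or Logon Autostart Execution: Winlogon Helper DLL")
        elif SECURITY_CENTER_RE.search(key) and lname in SECURITY_CENTER_VALUES:
            hit = ("T1562.001", "Impair Defenses: Disable or Modify Tools")
        if hit:
            findings.append(Finding(hit[0], hit[1], key, name, data, process, wow64))
    return findings


def hunt_paths(findings):
    """File paths to look for on a 64-bit host.

    When the writer was a WoW64 process (key under Wow6432Node, or image under
    SysWOW64) both the recorded system32 path and its SysWOW64 twin are returned.
    """
    paths = set()
    for f in findings:
        if not re.match(r"^[A-Za-z]:\\", f.data):
            continue                       # DWORD flags such as 25600 are not paths
        paths.add(f.data)
        if f.wow64 or "\\syswow64\\" in f.process.lower():
            paths.add(SYSTEM32_RE.sub(r"\1\\SysWOW64\\", f.data))
    return sorted(paths)


# Constructed sample: rows transcribed from the behavioral1 Signatures tables.
PROC = r"C:\Windows\SysWOW64\amfoafoor.exe"
SAMPLE_EVENTS = [
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"', PROC),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"', PROC),
    ("Key created", r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D585146-4e58-4c54-4D58-51464E584c54}', PROC),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D585146-4e58-4c54-4D58-51464E584c54}\StubPath = "C:\\Windows\\system32\\agsootaf.exe"', PROC),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\afleateat.exe"', PROC),
    ("Delete value", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger', PROC),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ubgookam-icom.dll"', PROC),
    ("Key opened", r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language', PROC),   # discovery noise, no rule fires
]

if __name__ == "__main__":
    found = classify(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.technique_id}  {f.technique}  [{f.name}={f.data!r}] wow64={f.wow64}")
    print("hunt for:", *hunt_paths(found), sep="\n  ")
```

To run it against EDR telemetry rather than transcribed rows, emit the same (operation, indicator, process) triples from the registry-set events; the Wow6432Node normalisation means each rule is written once and matches 32- and 64-bit writers alike.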
Processes
| Process | Command line |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | "C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe" |
| C:\Windows\SysWOW64\amfoafoor.exe | "C:\Windows\system32\amfoafoor.exe" |
| C:\Windows\SysWOW64\amfoafoor.exe | --k33p |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ocghniswecyya.rw | udp |
| US | 8.8.8.8:53 | ocghniswecyya.rw | udp |
Files
C:\Windows\SysWOW64\amfoafoor.exe
| MD5 | b97dad59ad749963438ba6e88828ce06 |
| SHA1 | 6074280b4965f7da2851c01db5522341663ece6a |
| SHA256 | 913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8 |
| SHA512 | fe965f398ea79d8706bdcbb05b751bf77e0146858628bd26ca46c8a721c7e4ce3ed585adff4799f79caaf34174820eb95dfc054640e569914604fa259d3d7da6 |
memory/2380-10-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Windows\SysWOW64\agsootaf.exe
| MD5 | eb364ae807773932aded87967f18817d |
| SHA1 | cf40c9c323968389d8b28bef12be03e26c53e23e |
| SHA256 | a6664bce1b2902b9c4c5b9c3998af70e7a49b1c798012e8455e3ef86267a5484 |
| SHA512 | 3c3d909f3e715a126e0dc4751a997b0d7320d950e5e3c218b3f3bc1cafa3d385c83b3c1eab6064b0855524794d0f26cb63d8a2bdf21b494ef6118fc42ad595dc |
C:\Windows\SysWOW64\afleateat.exe
| MD5 | df236f7a16e7e8318cec11404968402c |
| SHA1 | 3d9467c66a2383128d4197f782cc674bb807cfc7 |
| SHA256 | d3918edd7850da824998a2ebb90ba285e993d371c20fe7032dac02263a23f6ea |
| SHA512 | c569f23216c7244662135de26e86e845db645592fe18a6df2fb8e5281bbbb2bdd0ad0077b87ede2a773065579cc76668bfd056fe1669aeec0fac8bbc3aa05cc8 |
C:\Windows\SysWOW64\ubgookam-icom.dll
| MD5 | f37b21c00fd81bd93c89ce741a88f183 |
| SHA1 | b2796500597c68e2f5638e1101b46eaf32676c1c |
| SHA256 | 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0 |
| SHA512 | 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4 |
memory/2096-52-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1932-53-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-14 00:26
Reported: 2024-11-14 00:29
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 150s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F464741-4455-5345-4F46-474144555345} | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F464741-4455-5345-4F46-474144555345}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F464741-4455-5345-4F46-474144555345}\IsInstalled = "1" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F464741-4455-5345-4F46-474144555345}\StubPath = "C:\\Windows\\system32\\agsootaf.exe" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\afleateat.exe" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ubgookam-icom.dll" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\afleateat.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File created | C:\Windows\SysWOW64\agsootaf.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File created | C:\Windows\SysWOW64\ubgookam-icom.dll | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\amfoafoor.exe | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\afleateat.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ubgookam-icom.dll | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\amfoafoor.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File created | C:\Windows\SysWOW64\amfoafoor.exe | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\agsootaf.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | "C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe" |
| C:\Windows\SysWOW64\amfoafoor.exe | "C:\Windows\system32\amfoafoor.exe" |
| C:\Windows\SysWOW64\amfoafoor.exe | --k33p |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | omtciudgegink.tk | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | omtciudgegink.tk | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\amfoafoor.exe
| MD5 | b97dad59ad749963438ba6e88828ce06 |
| SHA1 | 6074280b4965f7da2851c01db5522341663ece6a |
| SHA256 | 913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8 |
| SHA512 | fe965f398ea79d8706bdcbb05b751bf77e0146858628bd26ca46c8a721c7e4ce3ed585adff4799f79caaf34174820eb95dfc054640e569914604fa259d3d7da6 |
memory/2356-5-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Windows\SysWOW64\agsootaf.exe
| MD5 | bfb49a460be207573bbbbc4443b16971 |
| SHA1 | 39650194501d10c57127725052ca54b41d9a770d |
| SHA256 | b0585dc5c691fcbc898e5e48fd580823584fae69ccd8086052d60fffdb0ff789 |
| SHA512 | c87d6324864c6be1fb99b6fbb5cb577cbc44bb8bc4960a3669afd91c6e5a964b230fd859e9278d32835f1af3b07161a21a9c249fe747d0258642cfd663defa45 |
C:\Windows\SysWOW64\afleateat.exe
| MD5 | 18c85f5a7c6f20c0fd7f67d03ca9cf83 |
| SHA1 | 1f588bc2b84066c9687c2001f2da81299f34dfc7 |
| SHA256 | 6951cd8ba9a4852c8b3497504c54aed609300eabeab74ed3b65cf26218f9de1b |
| SHA512 | 4387679e4d50d282309af179807327b6056e7da676115b34c5e7396c53c95e54cfcc55e3cc7fd099431e21f767e4c35ff07d4d875dffea350580e47e36d9850c |
C:\Windows\SysWOW64\ubgookam-icom.dll
| MD5 | f37b21c00fd81bd93c89ce741a88f183 |
| SHA1 | b2796500597c68e2f5638e1101b46eaf32676c1c |
| SHA256 | 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0 |
| SHA512 | 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4 |
memory/2172-46-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4564-47-0x0000000000400000-0x0000000000414000-memory.dmp