Analysis Overview
SHA256
913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8
Threat Level: Known bad
The file 913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8 was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Event Triggered Execution: Image File Execution Options Injection
Boot or Logon Autostart Execution: Active Setup
Loads dropped DLL
Executes dropped EXE
Windows security modification
Modifies WinLogon
Indicator Removal: Clear Persistence
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 00:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 00:33
Reported
2024-11-14 00:36
Platform
win7-20240708-en
Max time kernel
149s
Max time network
118s
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E594A-5a41-4850-4E4E-594A5A414850} | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E594A-5a41-4850-4E4E-594A5A414850}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E594A-5a41-4850-4E4E-594A5A414850}\IsInstalled = "1" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E594A-5a41-4850-4E4E-594A5A414850}\StubPath = "C:\\Windows\\system32\\agsootaf.exe" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\afleateat.exe" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ubgookam-icom.dll" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\amfoafoor.exe | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\afleateat.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\amfoafoor.exe | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| File created | C:\Windows\SysWOW64\afleateat.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\agsootaf.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File created | C:\Windows\SysWOW64\agsootaf.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ubgookam-icom.dll | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File created | C:\Windows\SysWOW64\ubgookam-icom.dll | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\amfoafoor.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | "C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe" |
| C:\Windows\SysWOW64\amfoafoor.exe | "C:\Windows\system32\amfoafoor.exe" |
| C:\Windows\SysWOW64\amfoafoor.exe | --k33p |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lsgsq.nu | udp |
| US | 8.8.8.8:53 | lsgsq.nu | udp |
Files
\Windows\SysWOW64\amfoafoor.exe
| MD5 | b97dad59ad749963438ba6e88828ce06 |
| SHA1 | 6074280b4965f7da2851c01db5522341663ece6a |
| SHA256 | 913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8 |
| SHA512 | fe965f398ea79d8706bdcbb05b751bf77e0146858628bd26ca46c8a721c7e4ce3ed585adff4799f79caaf34174820eb95dfc054640e569914604fa259d3d7da6 |
memory/1976-9-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Windows\SysWOW64\agsootaf.exe
| MD5 | aef0b2ad757f5a70243c0a65a3902409 |
| SHA1 | 2da1120a4bc986598f4c6d77ecc3898cfb477330 |
| SHA256 | cba55fd3d1a02c8d59931b901536847fc7c2dd0f3de012f5f20259e34d8812a2 |
| SHA512 | bf2c38fd45859a328fb0749beffef42e0d357f6bde78ecac1a941a65ac6945926db2cd13a7bc78d15f476595301040f46ddfdb592af8a62adc52f8d335bcbb77 |
C:\Windows\SysWOW64\ubgookam-icom.dll
| MD5 | f37b21c00fd81bd93c89ce741a88f183 |
| SHA1 | b2796500597c68e2f5638e1101b46eaf32676c1c |
| SHA256 | 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0 |
| SHA512 | 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4 |
C:\Windows\SysWOW64\afleateat.exe
| MD5 | 7162ad6357d83486021d2939cee42658 |
| SHA1 | 8b16c3c0420343de8c3ce8f53d2c59bc80d6348d |
| SHA256 | 033a1305c5fef5be2c228c26e142ab78ad7b630e57afae3a454d7e95db6cf993 |
| SHA512 | 6064ce925e03bf5404809195b1606d03ab2fe33bacadc758497773a2338ba23f1b383301d1a5756226c8f56feb826a8c58a224dfd3a104a779c5e478103db7fa |
memory/1912-52-0x0000000000400000-0x0000000000414000-memory.dmp
memory/476-53-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 00:33
Reported
2024-11-14 00:36
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48474E42-5742-4757-4847-4E4257424757} | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48474E42-5742-4757-4847-4E4257424757}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48474E42-5742-4757-4847-4E4257424757}\IsInstalled = "1" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48474E42-5742-4757-4847-4E4257424757}\StubPath = "C:\\Windows\\system32\\agsootaf.exe" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\afleateat.exe" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ubgookam-icom.dll" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\amfoafoor.exe | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| File created | C:\Windows\SysWOW64\afleateat.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File created | C:\Windows\SysWOW64\agsootaf.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File created | C:\Windows\SysWOW64\ubgookam-icom.dll | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\amfoafoor.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File created | C:\Windows\SysWOW64\amfoafoor.exe | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\afleateat.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\agsootaf.exe | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ubgookam-icom.dll | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\amfoafoor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe | "C:\Users\Admin\AppData\Local\Temp\913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8.exe" |
| C:\Windows\SysWOW64\amfoafoor.exe | "C:\Windows\system32\amfoafoor.exe" |
| C:\Windows\SysWOW64\amfoafoor.exe | --k33p |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | cyrxpwq.rw | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cyrxpwq.rw | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\amfoafoor.exe
| MD5 | b97dad59ad749963438ba6e88828ce06 |
| SHA1 | 6074280b4965f7da2851c01db5522341663ece6a |
| SHA256 | 913175e9e0e0224e7e699f49db6ed61ded4b87b8e66c07533d17005ed04966d8 |
| SHA512 | fe965f398ea79d8706bdcbb05b751bf77e0146858628bd26ca46c8a721c7e4ce3ed585adff4799f79caaf34174820eb95dfc054640e569914604fa259d3d7da6 |
memory/4784-10-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Windows\SysWOW64\agsootaf.exe
| MD5 | d202ccf3bb49e55b3414a50acb70f82b |
| SHA1 | 6c9814871cb4f4b6f63debfe09113a849c2a51c0 |
| SHA256 | 02c903237ae6d9d9afee400e41b212c350c8fd96011a0b7f4efd3f58189bf2a1 |
| SHA512 | 25c0142e0755a5e3f02ad86870eadfa1c45d8473e75893a041d16d6e9260685b4b69a844ff5cd546ceb95945f33bc992900e7b9644c3839bb28eac1617c97ffa |
C:\Windows\SysWOW64\afleateat.exe
| MD5 | be836c5b5a93e827f89979238415917a |
| SHA1 | a1669fa5562bde32505dc79c679e374394642b9d |
| SHA256 | ed32620e9ae2bd602273693669319883fe07629936f65be107ae755100bbab45 |
| SHA512 | e93896217e9a7eb1b062f8e09fdbb9ddfa7d6d83d695c09e2fb442de03995d4f419fcef377ae339a631f54e99856e88b9b730baae342a917011890131ead78b2 |
C:\Windows\SysWOW64\ubgookam-icom.dll
| MD5 | f37b21c00fd81bd93c89ce741a88f183 |
| SHA1 | b2796500597c68e2f5638e1101b46eaf32676c1c |
| SHA256 | 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0 |
| SHA512 | 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4 |
memory/3516-47-0x0000000000400000-0x0000000000414000-memory.dmp
memory/552-46-0x0000000000400000-0x0000000000414000-memory.dmp