{"URL": "http://gvlay6u4g53rxdi5.onion/", "RSA key": "BgIAAACkAABSU0ExAAgAAAEAAQBtv9E5cdLPoTK8PwG0VTbxxURbhYM00jmY1b22v+Nwoe6+Vi6zHYcP5JmmueP4FBZBwANscT6dGxHpP4f4l9L9b/VLT6npX7+821EksPXaUJ8piYp8TCQPKRLJt6v7foVnI7jRW//K0wX9YmF7JWbBQROHPQTX7g3CQqZM7xGT4PfMa8g7+UBbstiEThpJo8PE1pgHfZrUFyiMwAv1hoXvaWVeAHKGOvoV+pKZ6Qi2fBCyJFmfL3hChhDWzIjp5oWd3l/RuSgET1sNAV8lkQPpf80OwlxFls5C8OnoG2d7eZJXDhcelK6K67Pp1Y6nC/B5mGpMhERMGnzSg9JKcrOn\n"}
| Source: svhost.exe.1740.26.memstr | Malware Configuration Extractor: MedusaLocker {"URL": "http://gvlay6u4g53rxdi5.onion/", "RSA key": "BgIAAACkAABSU0ExAAgAAAEAAQBtv9E5cdLPoTK8PwG0VTbxxURbhYM00jmY1b22v+Nwoe6+Vi6zHYcP5JmmueP4FBZBwANscT6dGxHpP4f4l9L9b/VLT6npX7+821EksPXaUJ8piYp8TCQPKRLJt6v7foVnI7jRW//K0wX9YmF7JWbBQROHPQTX7g3CQqZM7xGT4PfMa8g7+UBbstiEThpJo8PE1pgHfZrUFyiMwAv1hoXvaWVeAHKGOvoV+pKZ6Qi2fBCyJFmfL3hChhDWzIjp5oWd3l/RuSgET1sNAV8lkQPpf80OwlxFls5C8OnoG2d7eZJXDhcelK6K67Pp1Y6nC/B5mGpMhERMGnzSg9JKcrOn\n"} |
| Source: C:\Users\user\AppData\Roaming\svhost.exe | Metadefender: Detection: 65% | Perma Link |
| Source: C:\Users\user\AppData\Roaming\svhost.exe | ReversingLabs: Detection: 100% |
| Source: f6ifQ0POml.exe | Virustotal: Detection: 83% | Perma Link |
| Source: f6ifQ0POml.exe | Metadefender: Detection: 65% | Perma Link |
| Source: f6ifQ0POml.exe | ReversingLabs: Detection: 100% |
| Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB60D0 CryptDestroyKey,CryptReleaseContext,CryptReleaseContext, | 1_2_00AB60D0 |
| Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB61C0 std::ios_base::good,CryptDuplicateKey,GetFileAttributesW,SetFileAttributesW,CreateFileW,CloseHandle,MoveFileExW,CloseHandle,CryptDestroyKey, | 1_2_00AB61C0 |
| Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB67E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW, | 1_2_00AB67E0 |
| Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB68D0 std::ios_base::good,CryptStringToBinaryA,GetProcessHeap,HeapAlloc,CryptStringToBinaryA,CryptImportKey,GetProcessHeap,HeapFree, | 1_2_00AB68D0 |
| Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB6860 CryptAcquireContextW,GetLastError,CryptAcquireContextW, | 1_2_00AB6860 |
| Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB6BB0 CryptGenKey, | 1_2_00AB6BB0 |
| Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB6BF0 CryptDestroyKey, | 1_2_00AB6BF0 |
| Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB6CC0 CryptEncrypt, | 1_2_00AB6CC0 |
| Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB6C10 CryptEncrypt, | 1_2_00AB6C10 |
| Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB6C70 CryptExportKey, | 1_2_00AB6C70 |
| Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AB6D30 CryptExportKey, | 1_2_00AB6D30 |
| Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AC18D0 CoInitialize,CLSIDFromString,IIDFromString,CoGetObject,CoUninitialize, | 1_2_00AC18D0 |
| Source: f6ifQ0POml.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
| Source: f6ifQ0POml.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File created: Z:\$RECYCLE.BIN | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File created: Z:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002 | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File created: Z:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File created: Z:\Recovery\WindowsRE\Recovery_Instructions.html | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: z: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: x: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: v: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: t: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: r: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: p: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: n: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: l: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: j: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: h: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: f: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: b: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: y: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: w: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: u: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: s: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: q: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: o: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: m: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: k: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: i: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: g: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: e: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: c: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | File opened: a: | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs | Jump to behavior |
| Source: C:\Users\user\Desktop\f6ifQ0POml.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs | Jump to behavior |
| Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00B0E180 FindFirstFileExW,_free, | 1_2_00B0E180 |
| Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 1_2_00AC7842 FindFirstFileExW,__Read_dir,FindClose,std::tr2::sys::_Strcpy, | 1_2_00AC7842 |
| Source: f6ifQ0POml.exe, 00000000.00000000.638582478.0000000000F86000.00000002.00020000.sdmp | String found in binary or memory: http://gvlay6u4g53rxdi5.onion/ |
| Source: f6ifQ0POml.exe, 00000000.00000000.638582478.0000000000F86000.00000002.00020000.sdmp | String found in binary or memory: <br><br>SYSTEMDRIVEhttp://gvlay6u4g53rxdi5.onion/\intelSYSTEMDRIVE.Microsoft Enhanced Cryptographic Provider v1.0Microsoft Enhanced Cryptographic Provider v1.0\nvidiaSYSTEMDRIVESYSTEMDRIVESYSTEMDRIVE\Program Files\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files (x86)\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files\Microsoft SQL ServerSYSTEMDRIVE\Program Files (x86)\Microsoft SQL ServerSYSTEMDRIVE[LOCKER] Assign device letter |
| Source: svhost.exe | String found in binary or memory: http://gvlay6u4g53rxdi5.onion/ |
| Source: svhost.exe, 00000001.00000002.642372735.0000000000B36000.00000002.00020000.sdmp | String found in binary or memory: <br><br>SYSTEMDRIVEhttp://gvlay6u4g53rxdi5.onion/\intelSYSTEMDRIVE.Microsoft Enhanced Cryptographic Provider v1.0Microsoft Enhanced Cryptographic Provider v1.0\nvidiaSYSTEMDRIVESYSTEMDRIVESYSTEMDRIVE\Program Files\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files (x86)\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files\Microsoft SQL ServerSYSTEMDRIVE\Program Files (x86)\Microsoft SQL ServerSYSTEMDRIVE[LOCKER] Assign device letter |
| Source: svhost.exe, 00000014.00000002.767816684.0000000000B36000.00000002.00020000.sdmp | String found in binary or memory: http://gvlay6u4g53rxdi5.onion/ |
| Source: svhost.exe, 00000014.00000002.767816684.0000000000B36000.00000002.00020000.sdmp | String found in binary or memory: <br><br>SYSTEMDRIVEhttp://gvlay6u4g53rxdi5.onion/\intelSYSTEMDRIVE.Microsoft Enhanced Cryptographic Provider v1.0Microsoft Enhanced Cryptographic Provider v1.0\nvidiaSYSTEMDRIVESYSTEMDRIVESYSTEMDRIVE\Program Files\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files (x86)\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files\Microsoft SQL ServerSYSTEMDRIVE\Program Files (x86)\Microsoft SQL ServerSYSTEMDRIVE[LOCKER] Assign device letter |
| Source: svhost.exe, 00000014.00000002.768636909.00000000011F7000.00000004.00000020.sdmp | String found in binary or memory: http://gvlay6u4g53rxdi5.onion/21- |
| Source: svhost.exe, 0000001A.00000002.901483213.0000000000B36000.00000002.00020000.sdmp | String found in binary or memory: http://gvlay6u4g53rxdi5.onion/ |
| Source: svhost.exe, 0000001A.00000002.901483213.0000000000B36000.00000002.00020000.sdmp | String found in binary or memory: <br><br>SYSTEMDRIVEhttp://gvlay6u4g53rxdi5.onion/\intelSYSTEMDRIVE.Microsoft Enhanced Cryptographic Provider v1.0Microsoft Enhanced Cryptographic Provider v1.0\nvidiaSYSTEMDRIVESYSTEMDRIVESYSTEMDRIVE\Program Files\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files (x86)\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files\Microsoft SQL ServerSYSTEMDRIVE\Program Files (x86)\Microsoft SQL ServerSYSTEMDRIVE[LOCKER] Assign device letter |
| Source: f6ifQ0POml.exe | String found in binary or memory: http://gvlay6u4g53rxdi5.onion/ |
| Source: f6ifQ0POml.exe | String found in binary or memory: ProgramData\Application DataIGN_NOTE_CODE2WINDIRSYSTEMDRIVE\Users\All UsersIGN_NOTE_CODE3\Program FilesSYSTEMDRIVE\WindowsIGN_NOTE_CODE4<br><br>SYSTEMDRIVEhttp://gvlay6u4g53rxdi5.onion/\intelSYSTEMDRIVE.Microsoft Enhanced Cryptographic Provider v1.0Microsoft Enhanced Cryptographic Provider v1.0\nvidiaSYSTEMDRIVESYSTEMDRIVESYSTEMDRIVE\Program Files\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files (x86)\Microsoft\Exchange ServerSYSTEMDRIVE\Program Files\Microsoft SQL ServerSYSTEMDRIVE\Program Files (x86)\Microsoft SQL ServerSYSTEMDRIVE[LOCKER] Assign device letter |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.159.138 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.159.138 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.159.138 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.159.138 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.159.138 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.159.138 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.159.138 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.159.138 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.159.138 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.159.138 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.159.138 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.159.138 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.159.138 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.159.138 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200 |
| Source: f6ifQ0POml.exe, 00000000.00000003.700397993.0000000004922000.00000004.00000001.sdmp | String found in binary or memory: http://dmd-ca-beta2/CertEnroll/Microsoft%20Digital%20Media%20Authority%202005.crl |
| Source: f6ifQ0POml.exe, 00000000.00000003.700397993.0000000004922000.00000004.00000001.sdmp | String found in binary or memory: http://dmd-ca-beta2/CertEnroll/dmd-ca-beta2_Microsoft%20Digital%20Media%20Authority%202005.crt0d |
| Source: f6ifQ0POml.exe | String found in binary or memory: http://gvlay6u4g53rxdi5.onion/ |
| Source: svhost.exe, 00000014.00000002.768636909.00000000011F7000.00000004.00000020.sdmp | String found in binary or memory: http://gvlay6u4g53rxdi5.onion/21- |
| Source: Recovery_Instructions.html28.0.dr | String found in binary or memory: http://gvlay6u4g53rxdi5.onion/21-04BymBUjhm2UYsdPZC8XC25a96k28AR0-OcR1TeBYZH2ghwRnMUFReuoTWOG46gMk |
| Source: f6ifQ0POml.exe | String found in binary or memory: https://www.torproject.org |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700 |
| Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717 |
| Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443 |
| Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696 |
| Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695 |
| Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692 |
| Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703 |
| Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701 |
| Source: svhost.exe, 00000001.00000002.643151848.0000000000F9A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> | |
| Source: C:\Recovery\WindowsRE\Recovery_Instructions.html | Dropped file: <html> <style type="text/css"> body { background-color: #f5f5f5; }h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal;}/*---*/.tabs1{ display: block; margin: auto;}.tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px;}.tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF;}.tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; }.tabs .content .text{padding: 25px;line-height: 1.2;} </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">6DD127CDFA8605D67E23DCC6BFE3BB9D651E875FCA74C36472A7940EC3AA5BD734A743CCF38DA8695EE759EE828F972FD6DA576FB2A44EA9D7507D1A59691543<br>4085B20033721083277693F3DAE16ED704EC1AEEDDEE90296DC73D7EA1B9FF3D096823644596F2DC0F258EC9C971F744CBA60577FB1319EAF15879A6CC5E<br>41653C3FED6B4955ED012734FB873F0026FA5730E9BE2EAB4A72C686EF31508BD5D876398E7AC82F0C97E3EE2FB131499C1C84D98DFC9AF81E87938A9EC5<br>7B4F4BDDB7A6A2222D86E5E13B34442497F6D4274482601E8CC1130AA87D750777F1681E1880A0136B1B45DCCD86FC45B723994ABEA138EF05BE1B5732ED<br>23CFEAFDE825E24828C8E37DF9C631DBE18340485ACFBCDE864F24FE49EF0AA4366F7D5DFDE0BB3EB1DC10DD4FD9FEFF80F78EBAE6F4D3D341EB4C0DB759<br>813CB897C9CDE1CDBEDAB9E2ED412532BA0BAD0B3D43017971C25760D848DFCC58A1C2A556B58AF80CC11DB3A8AB7C3F024B1AEA92A33F59485A9C4B2027<br>35D32C9D7A2DD67504C1103036450B054C5AC0070711C3FBA83DDBE1F2732B7D08ABB00E8E68C5EDE6C7A246E1ACBB731DE097D822BCC473F5AFB441C016<br>55854F83F8B93A9886C84B75BC0669E68A62F46E83F54362B56BE7A315E8B31CD243B073ABCC6D8A2EBF10662E5E1F3590CDF1166917E5436DF44AE14E8B<br>9E6EC30ADBEAD5EBDA41DFA51E34</span> <br><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"><!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED / |
Play interactive tour
Edit tour
