Malware Analysis Report

2025-05-05 22:24

Sample ID: 231014-cdjdgaah2w
Target: 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e
SHA256: 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e
Tags: agilenet discovery upx vmprotect
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e was classified as showing suspicious behavior.

Malicious Activity Summary

VMProtect packed file

Executes dropped EXE

Loads dropped DLL

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Obfuscated with Agile.Net obfuscator

Checks installed software on the system

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported: 2023-10-14 01:57

Signatures

Unsigned PE
Hits: 1 (description, indicator, process and target all N/A)

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-14 01:57
Reported: 2023-10-14 16:00
Platform: win7-20230831-en
Max time kernel: 145s
Max time network: 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software
Hits: 1 (description, indicator, process and target all N/A)

Obfuscated with Agile.Net obfuscator
Tag: agilenet
Hits: 2 (description, indicator, process and target all N/A)

UPX packed file
Tag: upx
Hits: 5 (description, indicator, process and target all N/A)

VMProtect packed file
Tag: vmprotect
Hits: 7 (description, indicator, process and target all N/A)

Checks installed software on the system
Tag: discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\DC\is-LRR53.tmp | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File opened for modification | C:\Program Files (x86)\DC\MyProg.exe | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File created | C:\Program Files (x86)\DC\is-LRR53.tmp | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File opened for modification | C:\Program Files (x86)\DC\SkinH_EL.dll | C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe | N/A
File created | C:\Program Files (x86)\DC\is-PMA9H.tmp | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File created | C:\Program Files (x86)\DC\SkinH_EL.dll | C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe | N/A
File opened for modification | C:\Program Files (x86)\DC\兼容补丁.exe | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File opened for modification | C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File created | C:\Program Files (x86)\DC\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File opened for modification | C:\Program Files (x86)\DC\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File created | C:\Program Files (x86)\DC\is-J1NMF.tmp | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File created | C:\Program Files (x86)\DC\is-6L2M4.tmp | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File created | C:\Program Files (x86)\DC\is-URDNA.tmp | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1964 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
PID 1964 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
PID 1964 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
PID 1964 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
PID 1964 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
PID 1964 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
PID 1964 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp
PID 2196 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe
PID 2196 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe
PID 2196 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe
PID 2196 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe

"C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe"

C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp

"C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp" /SL5="$40150,9392307,727552,C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe"

C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe

"C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\is-KHU0E.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp

MD5 1cc42c79271f65dffe819b5c35b63764
SHA1 1899685db0f918255b2bad3a0dd54103519b90ad
SHA256 d177a918f12a581b0327c13b9222d2213154dba20ab0551bbbf2ef6671b9e630
SHA512 d38dcd50959f5d5dadac6252cba2df8089aa24af92bd09bd3b6cf9afef584fe108f9cd50dbe9083ec1673cbd5be29c682eef7b0ef1da714cf0fa55a5a5ee5c2c

\Program Files (x86)\DC\旗舰7.0安全锁注册.exe

MD5 dec9991c3d3ce3fb3aa4aba139deda6e
SHA1 257a81d186fb1f7b0e6f1e27461f095a6718887e
SHA256 fa3e84ebe3bed4bd7de671e8c8ae0c92426afb4c29c23959adbde838d27b4a70
SHA512 3c4695bdee8623b512d2c88ae0a24d8d58bcb1e8c6f5c770d22a80373b46ccfbf3b0fa4d32495fd71c161cba110537107598aed89dd0831ba3f74453617ff3f0

\Program Files (x86)\DC\SkinH_EL.dll

MD5 147127382e001f495d1842ee7a9e7912
SHA1 92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b
SHA256 edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc
SHA512 97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Analysis: behavioral2

Detonation Overview

Submitted: 2023-10-14 01:57
Reported: 2023-10-14 16:02
Platform: win10v2004-20230915-en
Max time kernel: 154s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software
Hits: 2 (description, indicator, process and target all N/A)

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe | N/A

Obfuscated with Agile.Net obfuscator
Tag: agilenet
Hits: 3 (description, indicator, process and target all N/A)

UPX packed file
Tag: upx
Hits: 5 (description, indicator, process and target all N/A)

VMProtect packed file
Tag: vmprotect
Hits: 5 (description, indicator, process and target all N/A)

Checks installed software on the system
Tag: discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\DC\is-BRS8J.tmp | C:\Users\Admin\AppData\Local\Temp\is-SRHN6.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File created | C:\Program Files (x86)\DC\is-80LN0.tmp | C:\Users\Admin\AppData\Local\Temp\is-SRHN6.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File created | C:\Program Files (x86)\DC\is-VLF1N.tmp | C:\Users\Admin\AppData\Local\Temp\is-SRHN6.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File opened for modification | C:\Program Files (x86)\DC\SkinH_EL.dll | C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe | N/A
File created | C:\Program Files (x86)\DC\is-BRS8J.tmp | C:\Users\Admin\AppData\Local\Temp\is-SRHN6.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File created | C:\Program Files (x86)\DC\is-69QQ4.tmp | C:\Users\Admin\AppData\Local\Temp\is-SRHN6.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File created | C:\Program Files (x86)\DC\SkinH_EL.dll | C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe | N/A
File created | C:\Program Files (x86)\DC\is-ICJQH.tmp | C:\Users\Admin\AppData\Local\Temp\is-SRHN6.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File opened for modification | C:\Program Files (x86)\DC\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-SRHN6.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File opened for modification | C:\Program Files (x86)\DC\MyProg.exe | C:\Users\Admin\AppData\Local\Temp\is-SRHN6.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File opened for modification | C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe | C:\Users\Admin\AppData\Local\Temp\is-SRHN6.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File opened for modification | C:\Program Files (x86)\DC\兼容补丁.exe | C:\Users\Admin\AppData\Local\Temp\is-SRHN6.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A
File created | C:\Program Files (x86)\DC\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-SRHN6.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SRHN6.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe

"C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe"

C:\Users\Admin\AppData\Local\Temp\is-SRHN6.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SRHN6.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp" /SL5="$90232,9392307,727552,C:\Users\Admin\AppData\Local\Temp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.exe"

C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe

"C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\is-SRHN6.tmp\9df0ba8624e9edf0ef972d132213d403c0e34d7754a24449db2740207f2cc97e.tmp

MD5 1cc42c79271f65dffe819b5c35b63764
SHA1 1899685db0f918255b2bad3a0dd54103519b90ad
SHA256 d177a918f12a581b0327c13b9222d2213154dba20ab0551bbbf2ef6671b9e630
SHA512 d38dcd50959f5d5dadac6252cba2df8089aa24af92bd09bd3b6cf9afef584fe108f9cd50dbe9083ec1673cbd5be29c682eef7b0ef1da714cf0fa55a5a5ee5c2c

C:\Program Files (x86)\DC\旗舰7.0安全锁注册.exe

MD5 dec9991c3d3ce3fb3aa4aba139deda6e
SHA1 257a81d186fb1f7b0e6f1e27461f095a6718887e
SHA256 fa3e84ebe3bed4bd7de671e8c8ae0c92426afb4c29c23959adbde838d27b4a70
SHA512 3c4695bdee8623b512d2c88ae0a24d8d58bcb1e8c6f5c770d22a80373b46ccfbf3b0fa4d32495fd71c161cba110537107598aed89dd0831ba3f74453617ff3f0

C:\Program Files (x86)\DC\SkinH_EL.dll

MD5 147127382e001f495d1842ee7a9e7912
SHA1 92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b
SHA256 edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc
SHA512 97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d
