Analysis Overview
SHA256
da7afec9f350f42f012d199c0e67f5772322193f9a414f1cc417bce68318f2ef
Threat Level: Known bad
The file s.bin.zip was found to be: Known bad.
Malicious Activity Summary
PlugX
Detects PlugX payload
Loads dropped DLL
UPX packed file
Unexpected DNS network traffic destination
Executes dropped EXE
Deletes itself
Blocklisted process makes network request
Drops file in System32 directory
Program crash
Unsigned PE
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2024-02-01 15:34
Signatures
UPX packed file
1 match; no description, indicator, process or target recorded.
Unsigned PE
2 matches; no description, indicator, process or target recorded.
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-01 15:34
Reported
2024-02-01 15:45
Platform
win10v2004-20231222-en
Max time kernel
599s
Max time network
599s
Command Line
Signatures
Detects PlugX payload
33 matches; no description, indicator, process or target recorded.
PlugX
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
UPX packed file
2 matches; no description, indicator, process or target recorded.
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP (48 identical entries) | 92.38.178.133 | N/A | N/A |
Blocklisted process makes network request
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent | C:\Windows\SysWOW64\dllhost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 37003400450046003600460031003100350036004100320044004100310045000000 | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
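The `Set value (data)` row above prints the REG_BINARY payload as a hex dump; read as UTF-16LE it is the string `74EF6F1156A2DA1E` followed by a NUL terminator. A value named `CLSID` under `SOFTWARE\Classes\FAST` is a registry artifact widely reported for PlugX, so it is worth decoding rather than treating as opaque bytes. The Python below is an added example for this report, not the sandbox vendor's code: it splits the sandbox's `<key>\<value> = <data>` indicator format, decodes REG_BINARY hex as UTF-16LE (returning `None` instead of garbage when the bytes are not clean UTF-16), and tags the rows. The sample rows are copied from the two tables above; the `wininet-init` tag for the `Internet Settings\ZoneMap` keys is an assumption that those keys are the ones WinINet typically creates on first use in a context with no loaded user profile, which is why the interesting fact there is that `dllhost.exe` is the writer, not the keys themselves.

```python
import re

# Constructed: rows from the "Modifies registry class" and "Modifies data under HKEY_USERS"
# tables above, as (description, indicator) pairs in the sandbox's own format.
SAMPLE_ROWS = [
    ("Key created", r"\REGISTRY\MACHINE\Software\CLASSES\FAST"),
    ("Set value (data)",
     r"\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = "
     "37003400450046003600460031003100350036004100320044004100310045000000"),
    ("Set value (int)",
     r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "
     '"1"'),
]

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def decode_reg_binary(hex_blob: str):
    """Decode the hex dump the sandbox prints for a REG_BINARY 'Set value (data)' row.
    Returns the UTF-16LE string with its NUL terminator stripped when the bytes decode
    cleanly and are printable; otherwise None so the caller keeps the raw hex."""
    if len(hex_blob) % 4 or not HEX_RE.match(hex_blob):
        return None
    raw = bytes.fromhex(hex_blob)
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    text = text.rstrip("\x00")
    return text if text.isprintable() else None

def split_indicator(indicator: str):
    """'<key>\\<value> = <data>' -> (key, value_name, data); (key, None, None) for 'Key created'."""
    path, sep, data = indicator.partition(" = ")
    if not sep:
        return path, None, None
    key, _, value_name = path.rpartition("\\")
    return key, value_name, data.strip()

def triage(rows):
    """Tag each registry row; FAST\\CLSID rows additionally carry the decoded marker string."""
    out = []
    for description, indicator in rows:
        key, value_name, data = split_indicator(indicator)
        entry = {"description": description, "key": key, "value": value_name, "data": data}
        k = key.lower()
        if k.endswith("\\classes\\fast") and value_name and value_name.lower() == "clsid":
            entry["tag"] = "plugx-fast-clsid"
            entry["decoded"] = decode_reg_binary(data)
        elif k.endswith("\\classes\\fast"):
            entry["tag"] = "plugx-fast-key"      # key creation only, no value yet
        elif "\\internet settings\\" in k:
            entry["tag"] = "wininet-init"        # assumption: WinINet first-use keys, writer matters
        else:
            entry["tag"] = "other"
        out.append(entry)
    return out

if __name__ == "__main__":
    for e in triage(SAMPLE_ROWS):
        print(e["tag"], e["key"], e.get("decoded", e["data"]))
```

Run as a script it prints one line per row; the decoded marker is what you would pivot on across hosts, since the same value under `SOFTWARE\Classes\FAST\CLSID` on two machines points at the same implant build or campaign.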
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\s.exe | "C:\Users\Admin\AppData\Local\Temp\s.exe" |
| C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe | C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe |
| C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | "C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 100 4304 |
| C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | "C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 200 0 |
| C:\Windows\SysWOW64\dllhost.exe | C:\Windows\system32\dllhost.exe 201 0 |
| C:\Windows\SysWOW64\msiexec.exe | C:\Windows\system32\msiexec.exe 209 1052 |
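Two things in the process list above are worth turning into a check. First, the dropped `ktmhelp.exe` runs from `ProgramData` with bare integers as arguments, and `dllhost.exe` and `msiexec.exe` are then started the same way (`201 0`, `209 1052`), which is not how either Windows binary is normally invoked (`dllhost.exe /Processid:{GUID}`, `msiexec.exe /i ...`). Second, the image column says `SysWOW64` while the command line says `system32`: that is WoW64 file-system redirection from a 32-bit caller, informative about the launcher's bitness but not itself suspicious, and a rule that keys on the path mismatch alone will misfire. The Python below is an added example, not the sandbox's own logic; the row data is copied from the list above, the set of host binaries and of user-writable directories are assumptions you would extend for your environment, and the report does not print parent PIDs, so each row is judged on its own.

```python
import ntpath
import re

# Constructed from the Processes list of the behavioral2 run: (image path, command line).
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\s.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\s.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe",
     r"C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe"),
    (r"C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe",
     r'"C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 100 4304'),
    (r"C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe",
     r'"C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 200 0'),
    (r"C:\Windows\SysWOW64\dllhost.exe", r"C:\Windows\system32\dllhost.exe 201 0"),
    (r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\system32\msiexec.exe 209 1052"),
]

# Assumed list: Windows binaries whose legitimate command lines use switches, never bare integers.
HOST_BINARIES = {"dllhost.exe", "msiexec.exe"}

# Assumed list: directories a standard user can write to; a binary running from here was dropped.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

CMDLINE_RE = re.compile(r'^(?:"([^"]+)"|(\S+))\s*(.*)$')

def split_cmdline(cmdline):
    """Separate the (possibly quoted) executable from its arguments."""
    m = CMDLINE_RE.match(cmdline.strip())
    exe = m.group(1) or m.group(2)
    return exe, m.group(3).split()

def classify(image, cmdline):
    """Return the set of tags that apply to one process row."""
    tags = set()
    exe, args = split_cmdline(cmdline)
    name = ntpath.basename(image).lower()
    low = image.lower()
    if args and all(a.isdigit() for a in args):
        tags.add("numeric-only-args")
        if name in HOST_BINARIES:
            tags.add("host-binary-odd-args")
    if any(d in low for d in USER_WRITABLE):
        tags.add("user-writable-path")
    if "\\syswow64\\" in low and "\\system32\\" in exe.lower():
        tags.add("wow64-redirect")   # informational only: 32-bit caller, redirected by WoW64
    return tags

def flagged(processes):
    """Rows worth an analyst's attention: odd host-binary invocations, or dropped binaries
    started with numeric-only arguments. 'wow64-redirect' alone never flags a row."""
    out = []
    for image, cmdline in processes:
        tags = classify(image, cmdline)
        if "host-binary-odd-args" in tags or {"user-writable-path", "numeric-only-args"} <= tags:
            out.append((ntpath.basename(image), sorted(tags)))
    return out

if __name__ == "__main__":
    for name, tags in flagged(PROCESSES):
        print(name, ", ".join(tags))
```

On this run the check flags both `BreadcrumbStore\ktmhelp.exe` launches and the `dllhost.exe` and `msiexec.exe` rows, and leaves the initial `s.exe` and the first `OUT\ktmhelp.exe` (no arguments) to the file-drop signatures.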
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| N/A | 10.127.255.255:53 | | udp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | 133.178.38.92.in-addr.arpa | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
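The flow log above runs to several hundred rows, but it says one thing: after resolving `cdn.6c18.com` through 8.8.8.8, the sample keeps connecting to a single host, 92.38.178.133, cycling through TCP 22, 80, 443 and 53 under the same name for the whole run. The `in-addr.arpa` rows are reverse lookups (one of them, `133.178.38.92.in-addr.arpa`, is the C2 address itself) and belong in a separate bucket from the beaconing. The Python below is an added example, not the sandbox's own code, that turns rows in the table's shape into per-(ip, port, proto) counts and a list of hosts contacted on several ports; the sample is a constructed ten-row excerpt of the table, including the one row where the protocol sits in the Domain column, which the parser handles.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the Network table above, in the report's own row shape
# (one row deliberately keeps the shifted layout with the protocol in the Domain column).
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| N/A | 10.127.255.255:53 | udp | |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | 133.178.38.92.in-addr.arpa | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
"""

ROW_RE = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")

def parse_row(line):
    """One '| Country | Destination | Domain | Proto |' row -> dict, or None for header/garbage."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    country, dest, domain, proto = m.groups()
    if proto == "" and domain.lower() in ("tcp", "udp"):   # shifted row: no domain, proto moved left
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    if not port.isdigit():                                   # header row or unexpected text
        return None
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto.lower()}

def summarize(table_text):
    flows = Counter()                 # (ip, port, proto) -> number of rows
    tcp_ports = defaultdict(set)      # ip -> TCP ports seen
    domains = defaultdict(set)        # ip -> hostnames the sandbox tied to that ip
    rdns = set()                      # reverse lookups, kept apart from the beaconing
    for line in table_text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        if row["domain"].endswith(".in-addr.arpa"):
            rdns.add(row["domain"])
            continue
        flows[(row["ip"], row["port"], row["proto"])] += 1
        if row["proto"] == "tcp":
            tcp_ports[row["ip"]].add(row["port"])
        if row["domain"]:
            domains[row["ip"]].add(row["domain"])
    return {
        "flows": dict(flows),
        "tcp_ports": {ip: sorted(p) for ip, p in tcp_ports.items()},
        "domains": {ip: sorted(d) for ip, d in domains.items()},
        "rdns_lookups": sorted(rdns),
    }

def multi_port_hosts(summary, min_ports=3):
    """Hosts reached on several TCP ports: the fallback/rotation pattern visible in this log."""
    return [ip for ip, ports in summary["tcp_ports"].items() if len(ports) >= min_ports]

if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    for (ip, port, proto), n in sorted(s["flows"].items()):
        print(f"{ip}:{port}/{proto} x{n}")
    print("multi-port hosts:", multi_port_hosts(s))
```

Paste the full table into `summarize` and the output is a handful of lines instead of three hundred rows; the `multi_port_hosts` result is the list you would hand to network blocking, and the `rdns_lookups` list is the part you can safely ignore when writing a detection.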
Files
memory/1188-0-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1188-1-0x0000000010000000-0x000000001005D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
| MD5 | 0ba73a0db3913ba14be521f82c1b2c6c |
| SHA1 | 15920f9b5c190b70f927d18fa9d03793cb1f6332 |
| SHA256 | 212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f |
| SHA512 | 51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a |
C:\Users\Admin\AppData\Local\Temp\OUT\RoboForm.DLL
| MD5 | ee1887696c8445caaaad13bdb39d5dba |
| SHA1 | bc09e8530d2497befaeacbf4d50022181ffc59cc |
| SHA256 | 2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b |
| SHA512 | 94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db |
C:\Users\Admin\AppData\Local\Temp\OUT\update.log
| MD5 | 8c49d603e67e5933ff07216c80b0ed4b |
| SHA1 | a31aaff7adccb8563a2f798816f9b211b774bf08 |
| SHA256 | 6e9f83f1c98551bf184a008b44511ffebc5aa415d4620cbd158bb9be13eee20c |
| SHA512 | 48397e74b3c6b5fe9f4235acae7087404cb2e9e605d39caa315fcb5e17a873324d375fd7a141f383e8546e4f8ccf5d9102bf83eb7b21a49680b3538c8dbc6ce4 |
memory/4304-13-0x00000000029E0000-0x0000000002AE0000-memory.dmp
memory/4304-14-0x0000000002B30000-0x0000000002B5E000-memory.dmp
memory/4304-16-0x0000000002B30000-0x0000000002B5E000-memory.dmp
memory/1188-15-0x0000000000400000-0x000000000047F000-memory.dmp
memory/1516-35-0x0000000002830000-0x000000000285E000-memory.dmp
memory/1516-36-0x0000000002830000-0x000000000285E000-memory.dmp
memory/1516-38-0x0000000002830000-0x000000000285E000-memory.dmp
memory/3192-42-0x0000000000F90000-0x0000000000FBE000-memory.dmp
memory/3192-44-0x0000000000F90000-0x0000000000FBE000-memory.dmp
memory/3192-43-0x0000000000F90000-0x0000000000FBE000-memory.dmp
memory/1052-46-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/1052-48-0x0000000000600000-0x000000000062E000-memory.dmp
memory/1052-50-0x0000000000600000-0x000000000062E000-memory.dmp
memory/3192-49-0x0000000000F90000-0x0000000000FBE000-memory.dmp
memory/1052-51-0x0000000000600000-0x000000000062E000-memory.dmp
memory/1052-55-0x0000000000600000-0x000000000062E000-memory.dmp
memory/1052-57-0x0000000000600000-0x000000000062E000-memory.dmp
memory/1052-62-0x0000000000600000-0x000000000062E000-memory.dmp
memory/1052-66-0x0000000000600000-0x000000000062E000-memory.dmp
memory/1052-65-0x0000000000600000-0x000000000062E000-memory.dmp
memory/1052-69-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/1052-70-0x0000000000600000-0x000000000062E000-memory.dmp
memory/1052-71-0x0000000000600000-0x000000000062E000-memory.dmp
memory/1052-72-0x0000000000600000-0x000000000062E000-memory.dmp
memory/1052-74-0x0000000000600000-0x000000000062E000-memory.dmp
memory/1052-76-0x0000000000600000-0x000000000062E000-memory.dmp
memory/1052-79-0x0000000000600000-0x000000000062E000-memory.dmp
memory/1516-80-0x0000000002830000-0x000000000285E000-memory.dmp
memory/1052-83-0x0000000000600000-0x000000000062E000-memory.dmp
memory/1204-85-0x0000000001200000-0x0000000001201000-memory.dmp
memory/1204-87-0x0000000002DC0000-0x0000000002DEE000-memory.dmp
memory/1204-88-0x0000000002DC0000-0x0000000002DEE000-memory.dmp
memory/1204-89-0x0000000000F50000-0x0000000000F51000-memory.dmp
memory/1204-93-0x0000000002DC0000-0x0000000002DEE000-memory.dmp
memory/1204-92-0x0000000002DC0000-0x0000000002DEE000-memory.dmp
memory/1204-94-0x0000000002DC0000-0x0000000002DEE000-memory.dmp
memory/1204-95-0x0000000002DC0000-0x0000000002DEE000-memory.dmp
memory/1052-97-0x0000000000600000-0x000000000062E000-memory.dmp
memory/1204-106-0x0000000002DC0000-0x0000000002DEE000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-01 15:34
Reported
2024-02-01 15:46
Platform
win7-20231215-en
Max time kernel
358s
Max time network
362s
Command Line
Signatures
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\out.exe | "C:\Users\Admin\AppData\Local\Temp\out.exe" |
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-01 15:34
Reported
2024-02-01 15:47
Platform
win10v2004-20231215-en
Max time kernel
562s
Max time network
569s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\out.exe |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\out.exe | "C:\Users\Admin\AppData\Local\Temp\out.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4144 -ip 4144 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 224 |
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-01 15:34
Reported
2024-02-01 15:45
Platform
win7-20231129-en
Max time kernel
599s
Max time network
600s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 202.98.96.68 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 61.139.2.69 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 205.252.144.228 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
| Destination IP | 92.38.178.133 | N/A | N/A |
Blocklisted process makes network request
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\dllhost.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 10e5a4e72455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = f08ca91e2555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 302326cc2455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 30775fd52455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = f0f39df02455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 10a43ccd2455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = b081af542555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 10bc60732455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = d05579972455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadNetworkName = "Network 3" | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 7036d3712455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 7061baa92555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 3034ee012555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = b0aa38852455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = b07be4f82455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = b04b654d2555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = b034c7a82455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = f0f3a8032555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 105fd8662555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = f08657942555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 90c88d5f2455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 107ebb282555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 901cbc552455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 30f39b0d2555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 50cb533f2555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = b081af542555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 30c9dcaa2555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 50aa5cb12555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 70c81f842455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = b0814ca92455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = b07be4f82455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 309ef5722455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = f0b22ac32455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 9095113b2555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 1092d86f2555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = f0ff1d822555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 10ee56962455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = f051f6392555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = d0076e952555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionReason = "1" | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 30c63a142555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 7011bf5e2555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 504d24742555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 7061baa92555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 30a249572455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = f0f8fbba2455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = f0ff1d822555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 901cbc552455da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = d0ae73162555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = d069d8502555da01 | C:\Windows\SysWOW64\dllhost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38004500320031003600390036004200450042003300440044003300350043000000 | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\s.exe
"C:\Users\Admin\AppData\Local\Temp\s.exe"
C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe
"C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 100 2188
C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe
"C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 200 0
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\system32\dllhost.exe 201 0
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 2696
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| N/A | 10.127.255.255:53 | | udp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:443 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:22 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:80 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
| US | 8.8.8.8:53 | cdn.6c18.com | udp |
| JP | 92.38.178.133:53 | cdn.6c18.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
| MD5 | 0ba73a0db3913ba14be521f82c1b2c6c |
| SHA1 | 15920f9b5c190b70f927d18fa9d03793cb1f6332 |
| SHA256 | 212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f |
| SHA512 | 51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a |
C:\Users\Admin\AppData\Local\Temp\OUT\RoboForm.DLL
| MD5 | ee1887696c8445caaaad13bdb39d5dba |
| SHA1 | bc09e8530d2497befaeacbf4d50022181ffc59cc |
| SHA256 | 2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b |
| SHA512 | 94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db |
C:\Users\Admin\AppData\Local\Temp\OUT\update.log
| MD5 | 8c49d603e67e5933ff07216c80b0ed4b |
| SHA1 | a31aaff7adccb8563a2f798816f9b211b774bf08 |
| SHA256 | 6e9f83f1c98551bf184a008b44511ffebc5aa415d4620cbd158bb9be13eee20c |
| SHA512 | 48397e74b3c6b5fe9f4235acae7087404cb2e9e605d39caa315fcb5e17a873324d375fd7a141f383e8546e4f8ccf5d9102bf83eb7b21a49680b3538c8dbc6ce4 |