Malware Analysis Report

2024-07-11 07:38

Sample ID 240201-sz3bgaggb2
Target s.bin.zip
SHA256 da7afec9f350f42f012d199c0e67f5772322193f9a414f1cc417bce68318f2ef
Tags
plugx trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

da7afec9f350f42f012d199c0e67f5772322193f9a414f1cc417bce68318f2ef

Threat Level: Known bad

The file s.bin.zip was found to be: Known bad.

What the runs below add up to: the archive holds a UPX-packed, unsigned 32-bit executable (s.exe). On Windows 10 (behavioral2) s.exe writes a PlugX side-loading set to %TEMP%\OUT (ktmhelp.exe, RoboForm.DLL, update.log) and runs ktmhelp.exe; a copy of ktmhelp.exe then runs from C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore with numeric stage arguments, writes a marker value under HKLM\SOFTWARE\Classes\FAST, and injects into dllhost.exe, which in turn injects into msiexec.exe. The injected msiexec.exe connects to cdn.6c18.com (92.38.178.133, JP) on TCP 22, 80, 53 and 443 for the whole run. The Windows 7 run (behavioral3, submitted as out.exe) shows no activity at all.

Malicious Activity Summary

plugx trojan upx

PlugX

Detects PlugX payload

Loads dropped DLL

UPX packed file

Unexpected DNS network traffic destination

Executes dropped EXE

Deletes itself

Blocklisted process makes network request

Drops file in System32 directory

Program crash

Unsigned PE

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-01 15:34

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (2 rows; the report does not say which file in the archive each one refers to)

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-01 15:34

Reported

2024-02-01 15:45

Platform

win10v2004-20231222-en

Max time kernel

599s

Max time network

599s

Command Line

"C:\Users\Admin\AppData\Local\Temp\s.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A (33 identical rows: the rule fired 33 times, but the report records no indicator, process or target for any of them)

PlugX

trojan plugx

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 92.38.178.133 N/A N/A (48 identical rows)

The trigger is port-53 traffic to 92.38.178.133 instead of the sandbox resolver (8.8.8.8). The Network section shows these are TCP connections to the same host the sample also contacts on ports 22, 80 and 443, so this is the C2 server being tried on a DNS port, not a rogue resolver.

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A (64 identical rows)

All 64 rows name the msiexec.exe that dllhost.exe wrote into (PID 1204 in the WriteProcessMemory table below). An msiexec.exe started with only numeric arguments and no package to install has no reason to open network connections, which makes it the obvious source of the traffic in the Network section.

Modifies data under HKEY_USERS

These are the Internet Settings, ZoneMap and User Agent entries that WinINet creates the first time a process uses it, so they show that dllhost.exe initialised an HTTP stack rather than anything PlugX-specific. The hive is the interesting part: \REGISTRY\USER\.DEFAULT is where HKEY_CURRENT_USER resolves for code running as LocalSystem, so at this point dllhost.exe was most likely running as SYSTEM (consistent with the SeTcbPrivilege request further down).

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\dllhost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\dllhost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\dllhost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\dllhost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent C:\Windows\SysWOW64\dllhost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 37003400450046003600460031003100350036004100320044004100310045000000 C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A

The CLSID value is a NUL-terminated UTF-16LE string; it decodes to 74EF6F1156A2DA1E. No genuine COM registration stores a bare 16-character hex string in a CLSID value (real CLSIDs are braced GUIDs), so HKLM\SOFTWARE\Classes\FAST holding a value of this shape is a host indicator worth hunting for alongside the file hashes in the Files section.
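Decoding and hunting for this value, as an added example that is not part of the sandbox report: the first function turns the hex the sandbox prints back into the string Windows stored, and the second scans a `reg export`-style dump for CLSID entries that are not braced GUIDs. The .reg text is constructed for the example; only the FAST\CLSID bytes come from the row above.

```python
import re

# REG_BINARY bytes of HKLM\SOFTWARE\Classes\FAST\CLSID as printed in the report.
FAST_CLSID_HEX = "37003400450046003600460031003100350036004100320044004100310045000000"

# Genuine COM class identifiers are braced GUIDs, e.g. {00020906-0000-0000-C000-000000000046}.
BRACED_GUID = re.compile(
    r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$"
)

# Constructed `reg export` output (not from the report): one legitimate COM
# registration followed by the FAST key seen above, split across two lines the
# way reg.exe wraps long hex values.
REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.8\CLSID]
@="{00020906-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FAST]
"CLSID"=hex:37,00,34,00,45,00,46,00,36,00,46,00,31,00,31,00,35,00,36,00,41,00,\
  32,00,44,00,41,00,31,00,45,00,00,00
"""


def decode_utf16le_hex(hexstr):
    """Turn a hex dump of a registry string (UTF-16LE, NUL-terminated) back into text."""
    raw = bytes.fromhex(hexstr.replace(",", "").replace(" ", ""))
    text = raw.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def looks_like_real_clsid(value):
    return bool(BRACED_GUID.match(value))


def find_suspicious_clsids(reg_text):
    """Return (key, decoded value) for every CLSID entry that is not a braced GUID.

    Handles both the default value of a ...\CLSID key (@="{...}") and a named
    "CLSID" value, including hex: values continued over several lines with '\\'.
    """
    hits = []
    key = None
    pending = None  # [key, hex so far] while a wrapped hex: value is being read
    for line in reg_text.splitlines():
        line = line.strip()
        if pending is not None:
            pending[1] += line.rstrip("\\")
            if not line.endswith("\\"):
                value = decode_utf16le_hex(pending[1])
                if not looks_like_real_clsid(value):
                    hits.append((pending[0], value))
                pending = None
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(?:@|"CLSID")=(.*)$', line)
        if not m or key is None:
            continue
        body = m.group(1)
        if body.startswith("hex:"):
            acc = body[4:].rstrip("\\")
            if body.endswith("\\"):
                pending = [key, acc]
                continue
            value = decode_utf16le_hex(acc)
        else:
            value = body.strip('"')
        if not looks_like_real_clsid(value):
            hits.append((key, value))
    return hits


if __name__ == "__main__":
    print(decode_utf16le_hex(FAST_CLSID_HEX))
    for key, value in find_suspicious_clsids(REG_EXPORT):
        print(f"suspicious CLSID under {key}: {value!r}")
```

On a live host the same scan works on the output of `reg export HKLM\SOFTWARE\Classes classes.reg`; the value shape, not the key name FAST, is what to match on, since the key name is the part an operator is free to change.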

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe N/A (4 rows)
N/A N/A C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A (2 rows)
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A (12 rows)
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A (46 rows)
(64 rows in total, collapsed by process; in the original order the dllhost.exe and msiexec.exe rows alternate in repeating groups of 2 and 10)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Every stage requests the same pair. SeDebugPrivilege lets the loader open processes it does not own for the memory writes recorded below; SeTcbPrivilege is held only by SYSTEM, so that request can only succeed once the chain is already running as SYSTEM, which the HKEY_USERS\.DEFAULT writes above suggest it was. The report records the request, not whether it succeeded.

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\s.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\s.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\s.exe C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe (3 rows)
PID 3192 wrote to memory of 1052 N/A C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe C:\Windows\SysWOW64\dllhost.exe (8 rows)
PID 1052 wrote to memory of 1204 N/A C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\msiexec.exe (8 rows)

This table is the only place the report ties PIDs to images: 1188 is s.exe, 4304 the %TEMP%\OUT copy of ktmhelp.exe, 3192 the ProgramData copy of ktmhelp.exe, 1052 dllhost.exe and 1204 msiexec.exe. The hop from 4304 to 3192 (relaunching from ProgramData) is not a memory write and so does not appear here. Two of the command lines in the Processes list reuse these PIDs as arguments ("100 4304" and "209 1052").

Processes

C:\Users\Admin\AppData\Local\Temp\s.exe

"C:\Users\Admin\AppData\Local\Temp\s.exe"

C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe

C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe

C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe

"C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 100 4304

C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe

"C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 200 0

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\system32\dllhost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 1052

Two things in this list are worth keeping as detection logic. First, the two system binaries run from C:\Windows\SysWOW64 although their command lines name C:\Windows\system32: the launches came from a 32-bit process and were redirected by WoW64, so the whole chain is 32-bit (matching the 0x400000 and 0x10000000 load addresses in the memory dumps). Second, dllhost.exe and msiexec.exe are started with nothing but numeric arguments ("201 0", "209 1052"). A legitimate dllhost.exe carries /Processid:{GUID} and a legitimate msiexec.exe carries /V or an install switch such as /i or /x, so numeric-only arguments on either binary are a strong indicator of this loader. Where the second argument is non-zero it equals a PID from the WriteProcessMemory table (4304 and 1052).
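Reconstructing the injection chain from the rows above, as an added example rather than anything the sandbox provides: it de-duplicates the WriteProcessMemory rows, follows writer to target, maps PIDs to images, and then checks the Processes list for the two patterns worth turning into detections, numeric-only arguments on dllhost.exe/msiexec.exe and numeric arguments that equal a PID seen earlier in the chain. The row strings and command lines are copied from this report; the HOST_BINARIES set and the rule logic are the example's own.

```python
import re

# Rows as printed in the WriteProcessMemory table above; the report repeats
# each of them several times, which parse_wpm() collapses.
WPM_ROWS = [
    r"PID 1188 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\s.exe C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe",
    r"PID 1188 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\s.exe C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe",
    r"PID 3192 wrote to memory of 1052 N/A C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe C:\Windows\SysWOW64\dllhost.exe",
    r"PID 1052 wrote to memory of 1204 N/A C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\msiexec.exe",
]

# (image path, command line) pairs from the Processes list above.
COMMAND_LINES = [
    (r"C:\Users\Admin\AppData\Local\Temp\s.exe", r'"C:\Users\Admin\AppData\Local\Temp\s.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe", r"C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe"),
    (r"C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe",
     r'"C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 100 4304'),
    (r"C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe",
     r'"C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 200 0'),
    (r"C:\Windows\SysWOW64\dllhost.exe", r"C:\Windows\system32\dllhost.exe 201 0"),
    (r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\system32\msiexec.exe 209 1052"),
]

# System binaries this report shows being hollowed.  A legitimate launch of
# either always carries non-numeric switches (/Processid:{...}, /V, /i, ...).
HOST_BINARIES = {"dllhost.exe", "msiexec.exe"}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
CMD_RE = re.compile(r'^(?:"([^"]+)"|(\S+))\s*(.*)$')


def parse_wpm(rows):
    """De-duplicated (src_pid, dst_pid, src_image, dst_image) tuples, in first-seen order."""
    edges = []
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
            if edge not in edges:
                edges.append(edge)
    return edges


def pid_to_image(edges):
    images = {}
    for src, dst, src_img, dst_img in edges:
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
    return images


def injection_chains(edges):
    """Follow writer -> target links starting from every PID nobody wrote into."""
    nxt = {src: dst for src, dst, _, _ in edges}
    targets = set(nxt.values())
    chains = []
    for start in nxt:
        if start in targets:
            continue
        chain = [start]
        while chain[-1] in nxt:
            chain.append(nxt[chain[-1]])
        chains.append(chain)
    return chains


def split_cmdline(cmdline):
    m = CMD_RE.match(cmdline.strip())
    return (m.group(1) or m.group(2)), m.group(3).split()


def pid_references(cmdlines, images):
    """Numeric arguments that equal a PID from the injection table: (image, pid, referenced image)."""
    refs = []
    for image, cmdline in cmdlines:
        _, args = split_cmdline(cmdline)
        for arg in args:
            if arg.isdigit() and int(arg) in images:
                refs.append((image, int(arg), images[int(arg)]))
    return refs


def hollowed_host_candidates(cmdlines):
    """System binaries launched with nothing but numeric arguments."""
    hits = []
    for image, cmdline in cmdlines:
        name = image.rsplit("\\", 1)[-1].lower()
        _, args = split_cmdline(cmdline)
        if name in HOST_BINARIES and args and all(a.isdigit() for a in args):
            hits.append(image)
    return hits


def wow64_redirected(cmdlines):
    """Command line names System32 but the image lives in SysWOW64: a 32-bit launch."""
    return [image for image, cmd in cmdlines
            if "\\syswow64\\" in image.lower() and "\\system32\\" in cmd.lower()]


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    images = pid_to_image(edges)
    for chain in injection_chains(edges):
        print(" -> ".join(f"{pid} ({images[pid].rsplit(chr(92), 1)[-1]})" for pid in chain))
    print("PID references in arguments:", pid_references(COMMAND_LINES, images))
    print("numeric-only system binaries:", hollowed_host_candidates(COMMAND_LINES))
```

The same two checks translate directly to a process-creation rule: alert on dllhost.exe or msiexec.exe whose command line, after the image path, matches only digits and spaces, and enrich with the parent so the ProgramData ktmhelp.exe shows up in the same alert.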

Network

The original table has 339 rows; identical rows are collapsed here and distinct endpoints are listed in order of first appearance.

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 cdn.6c18.com udp (repeated before almost every burst of connections below)
JP 92.38.178.133:22 cdn.6c18.com tcp (repeated)
N/A 10.127.255.255:53 udp (once, no domain: a datagram to the sandbox subnet's broadcast address)
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
JP 92.38.178.133:80 cdn.6c18.com tcp (repeated)
JP 92.38.178.133:53 cdn.6c18.com tcp (repeated; these rows are what fired Unexpected DNS network traffic destination)
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
JP 92.38.178.133:443 cdn.6c18.com tcp (repeated)
US 8.8.8.8:53 133.178.38.92.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

The sample resolves cdn.6c18.com through the sandbox resolver (8.8.8.8) and then connects to 92.38.178.133, cycling through TCP ports 22, 80, 53 and 443 in short bursts for the whole 599 s run, usually with a fresh lookup before each burst. One server on four ports, including the SSH and DNS ports used for plain TCP, is consistent with a PlugX configuration that lists several C2 entries for the same host; blocking one port does not stop it, and the domain plus the IP are the indicators to use. The in-addr.arpa rows are PTR lookups of addresses the sample never connects to, with one exception: 133.178.38.92.in-addr.arpa is the reverse of the C2 address itself. The rest (52.183.220.149, 96.17.178.202, 20.190.181.2, 40.119.249.228, 192.229.221.95, 20.106.86.13, 13.85.23.86, 20.166.126.56, 88.221.135.217, 96.17.178.173, 52.111.236.22, 104.208.16.90) sit in Microsoft and CDN ranges and look like Windows background traffic from the sandbox image rather than sample activity.
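A small parser for this table, as an added example that is not part of the report: it reads rows in the report's column order, lists port-53 traffic that does not go to the configured resolver, the TCP ports tried per host and the order in which they were tried, and the addresses behind the in-addr.arpa queries. The embedded rows are a constructed excerpt of the table above, and 8.8.8.8 is assumed to be the sandbox resolver because every domain lookup goes there.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the behavioral2 Network table (same column order:
# Country Destination Domain Proto), trimmed to the first occurrence of each
# pattern plus a few repeats.
NETWORK_ROWS = """
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 133.178.38.92.in-addr.arpa udp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
""".strip().splitlines()

# Assumption: 8.8.8.8 is the sandbox resolver (every domain lookup goes there).
RESOLVERS = {"8.8.8.8"}

# Domain is optional: the broadcast row has none.
ROW_RE = re.compile(r"^(\S+) (\S+):(\d+)(?: (\S+))? (udp|tcp)$")


def parse_rows(lines):
    conns = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            conns.append({"country": m.group(1), "host": m.group(2), "port": int(m.group(3)),
                          "domain": m.group(4), "proto": m.group(5)})
    return conns


def endpoint_counts(conns):
    return Counter((c["host"], c["port"], c["proto"]) for c in conns)


def dns_to_non_resolver(conns, resolvers=RESOLVERS):
    """Port-53 traffic to anything other than the configured resolver, de-duplicated."""
    seen = []
    for c in conns:
        key = (c["host"], c["port"], c["proto"])
        if c["port"] == 53 and c["host"] not in resolvers and key not in seen:
            seen.append(key)
    return seen


def tcp_ports_per_host(conns):
    ports = defaultdict(set)
    for c in conns:
        if c["proto"] == "tcp":
            ports[c["host"]].add(c["port"])
    return {h: sorted(p) for h, p in ports.items()}


def port_sequence(conns, host):
    """Order in which TCP ports were tried on one host, consecutive repeats collapsed."""
    seq = []
    for c in conns:
        if c["proto"] == "tcp" and c["host"] == host and (not seq or seq[-1] != c["port"]):
            seq.append(c["port"])
    return seq


def ptr_lookups(conns):
    """Addresses whose reverse record was queried, back in normal dotted order."""
    ips = []
    for c in conns:
        d = c["domain"] or ""
        if d.endswith(".in-addr.arpa"):
            ips.append(".".join(reversed(d[: -len(".in-addr.arpa")].split("."))))
    return ips


def contacted_hosts_with_ptr(conns):
    """Hosts the sample connected to and also reverse-resolved."""
    contacted = {c["host"] for c in conns if c["host"] not in RESOLVERS}
    return sorted(contacted & set(ptr_lookups(conns)))


if __name__ == "__main__":
    conns = parse_rows(NETWORK_ROWS)
    print("port 53 to non-resolvers:", dns_to_non_resolver(conns))
    print("TCP ports per host:", tcp_ports_per_host(conns))
    print("port order on C2:", port_sequence(conns, "92.38.178.133"))
    print("PTR lookups:", ptr_lookups(conns))
```

Fed the full table the port sequence shows the rotation across all four ports; for a network sensor the useful rules that fall out are TCP to port 53 or 22 on a host that is not a resolver or SSH server, and a single destination receiving connections on several unrelated ports from one workstation.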

Files

Dropped files. These three files are the layout PlugX uses for DLL side-loading: an executable, a DLL named for a library that executable imports, and a data file that in this family normally holds the encrypted payload; the Loads dropped DLL signature in the summary is consistent with that.

C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe

MD5 0ba73a0db3913ba14be521f82c1b2c6c
SHA1 15920f9b5c190b70f927d18fa9d03793cb1f6332
SHA256 212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f
SHA512 51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a

C:\Users\Admin\AppData\Local\Temp\OUT\RoboForm.DLL

MD5 ee1887696c8445caaaad13bdb39d5dba
SHA1 bc09e8530d2497befaeacbf4d50022181ffc59cc
SHA256 2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b
SHA512 94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db

C:\Users\Admin\AppData\Local\Temp\OUT\update.log

MD5 8c49d603e67e5933ff07216c80b0ed4b
SHA1 a31aaff7adccb8563a2f798816f9b211b774bf08
SHA256 6e9f83f1c98551bf184a008b44511ffebc5aa415d4620cbd158bb9be13eee20c
SHA512 48397e74b3c6b5fe9f4235acae7087404cb2e9e605d39caa315fcb5e17a873324d375fd7a141f383e8546e4f8ccf5d9102bf83eb7b21a49680b3538c8dbc6ce4

Memory dumps, grouped by PID and region. File names follow memory/<PID>-<sequence>-<start>-<end>-memory.dmp; leading zeros of the addresses are dropped here.

PID Sequence numbers Region Size
1188 0, 15 0x00400000-0x0047F000 0x7F000
1188 1 0x10000000-0x1005D000 0x5D000
4304 13 0x029E0000-0x02AE0000 0x100000
4304 14, 16 0x02B30000-0x02B5E000 0x2E000
1516 35, 36, 38, 80 0x02830000-0x0285E000 0x2E000
3192 42, 43, 44, 49 0x00F90000-0x00FBE000 0x2E000
1052 46, 69 0x001E0000-0x001E1000 0x1000
1052 48, 50, 51, 55, 57, 62, 65, 66, 70, 71, 72, 74, 76, 79, 83, 97 0x00600000-0x0062E000 0x2E000
1204 85 0x01200000-0x01201000 0x1000
1204 87, 88, 92, 93, 94, 95, 106 0x02DC0000-0x02DEE000 0x2E000
1204 89 0x00F50000-0x00F51000 0x1000

The pattern to notice is the 0x2E000-byte region that appears in every process after s.exe (4304, 1516, 3192, 1052, 1204) at a different base each time: that is consistent with the same in-memory payload being written into each host process, and these dumps are the obvious candidates for the Detects PlugX payload rule that fired 33 times. PID 1516 appears only here and not in the WriteProcessMemory table; it is most likely the "100 4304" instance of the ProgramData ktmhelp.exe, but the report does not confirm that. In 1188 (s.exe) the 0x7F000 region at 0x400000 is the executable at the default EXE base, and the module at 0x10000000 sits at the default base of a DLL whose image base was never relocated.

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-01 15:34

Reported

2024-02-01 15:46

Platform

win7-20231215-en

Max time kernel

358s

Max time network

362s

Command Line

"C:\Users\Admin\AppData\Local\Temp\out.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\out.exe

"C:\Users\Admin\AppData\Local\Temp\out.exe"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-01 15:34

Reported

2024-02-01 15:47

Platform

win10v2004-20231215-en

Max time kernel

562s

Max time network

569s

Command Line

"C:\Users\Admin\AppData\Local\Temp\out.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\out.exe

Processes

C:\Users\Admin\AppData\Local\Temp\out.exe

"C:\Users\Admin\AppData\Local\Temp\out.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4144 -ip 4144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 224

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 15:34

Reported

2024-02-01 15:45

Platform

win7-20231129-en

Max time kernel

599s

Max time network

600s

Command Line

"C:\Users\Admin\AppData\Local\Temp\s.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A

PlugX

trojan plugx

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 92.38.178.133 N/A N/A
Destination IP 202.98.96.68 N/A N/A
Destination IP 61.139.2.69 N/A N/A
Destination IP 205.252.144.228 N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\dllhost.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 10e5a4e72455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = f08ca91e2555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 302326cc2455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 30775fd52455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = f0f39df02455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 10a43ccd2455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = b081af542555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 10bc60732455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = d05579972455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadNetworkName = "Network 3" C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 7036d3712455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 7061baa92555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 3034ee012555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = b0aa38852455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = b07be4f82455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = b04b654d2555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = b034c7a82455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = f0f3a8032555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 105fd8662555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = f08657942555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 90c88d5f2455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 107ebb282555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 901cbc552455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 30f39b0d2555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 50cb533f2555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = b081af542555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 30c9dcaa2555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 50aa5cb12555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 70c81f842455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = b0814ca92455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = b07be4f82455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 309ef5722455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = f0b22ac32455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 9095113b2555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 1092d86f2555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = f0ff1d822555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 10ee56962455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = f051f6392555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = d0076e952555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionReason = "1" C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 30c63a142555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 7011bf5e2555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 504d24742555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 7061baa92555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 30a249572455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = f0f8fbba2455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = f0ff1d822555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 901cbc552455da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = d0ae73162555da01 C:\Windows\SysWOW64\dllhost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = d069d8502555da01 C:\Windows\SysWOW64\dllhost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38004500320031003600390036004200450042003300440044003300350043000000 C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\s.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\s.exe C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
PID 2604 wrote to memory of 2696 N/A C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe C:\Windows\SysWOW64\dllhost.exe
PID 2696 wrote to memory of 2124 N/A C:\Windows\SysWOW64\dllhost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\s.exe

"C:\Users\Admin\AppData\Local\Temp\s.exe"

C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe

C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe

C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe

"C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 100 2188

C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe

"C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 200 0

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\system32\dllhost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 2696

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
N/A 10.127.255.255:53 udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
CN 61.139.2.69:53 cdn.6c18.com udp
CN 202.98.96.68:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
HK 205.252.144.228:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:80 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:443 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
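
The network rows above carry two signals a practitioner would want to alert on: a single address contacted for one name on several unrelated ports (22, 53, 80, 443), which is how a PlugX C2 configured with fallback ports looks, and UDP/53 traffic leaving for resolvers the host is not configured to use. The script below is an added example, not sandbox output. It parses rows in the report's own "Country Destination Domain Proto" layout and extracts both signals. The excerpt is constructed from the rows above with most repeats trimmed, and the expected-resolver set is an assumption, since the report does not state the sandbox's DNS configuration; 8.8.8.8 is simply the resolver every ordinary lookup used.

```python
from collections import Counter, defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    country: str
    host: str
    port: int
    domain: str
    proto: str


# Constructed excerpt in the report's own layout: the distinct rows from the
# Network table above plus a few repeats, so the beacon pattern stays visible.
NETWORK_LOG = """\
Country Destination Domain Proto
US 8.8.8.8:53 cdn.6c18.com udp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
JP 92.38.178.133:22 cdn.6c18.com tcp
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 cdn.6c18.com udp
JP 92.38.178.133:80 cdn.6c18.com tcp
JP 92.38.178.133:53 cdn.6c18.com tcp
JP 92.38.178.133:443 cdn.6c18.com tcp
CN 61.139.2.69:53 cdn.6c18.com udp
CN 202.98.96.68:53 cdn.6c18.com udp
HK 205.252.144.228:53 cdn.6c18.com udp
JP 92.38.178.133:22 cdn.6c18.com tcp
"""

# Assumption: the sandbox resolver is 8.8.8.8 (the report does not say).
EXPECTED_RESOLVERS = {"8.8.8.8"}


def parse_flows(text):
    """Parse table rows; a row without a domain (the 10.127.255.255 query) has three fields."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        country, dest, *rest = parts
        proto = rest[-1]
        domain = rest[0] if len(rest) == 2 else ""
        host, port = dest.rsplit(":", 1)
        flows.append(Flow(country, host, int(port), domain, proto))
    return flows


def summarise(flows):
    """Collapse the repeated rows to (host, port, proto) -> count."""
    return Counter((f.host, f.port, f.proto) for f in flows)


def multi_port_hosts(flows, min_ports=3):
    """Hosts reached over TCP on several distinct ports. One address on 22, 53,
    80 and 443 for the same name is a C2 with fallback ports, not a CDN node."""
    ports = defaultdict(set)
    for f in flows:
        if f.proto == "tcp":
            ports[f.host].add(f.port)
    return {h: sorted(p) for h, p in ports.items() if len(p) >= min_ports}


def unexpected_dns(flows, expected=EXPECTED_RESOLVERS):
    """UDP/53 destinations other than the configured resolver."""
    return sorted({f.host for f in flows
                   if f.proto == "udp" and f.port == 53 and f.host not in expected})


def port_sequence(flows, host):
    """Order in which the host's ports were tried, consecutive repeats removed."""
    seq = []
    for f in flows:
        if f.host == host and f.proto == "tcp" and (not seq or seq[-1] != f.port):
            seq.append(f.port)
    return seq


if __name__ == "__main__":
    flows = parse_flows(NETWORK_LOG)
    for key, n in summarise(flows).most_common():
        print(n, *key)
    print("multi-port hosts:", multi_port_hosts(flows))
    print("unexpected DNS:", unexpected_dns(flows))
    print("port sequence:", port_sequence(flows, "92.38.178.133"))
```

The multi-port check is the durable one: the domain and address will rotate between campaigns, but a PlugX configuration with several C2 entries on different ports produces this shape wherever it lands, and it stands out in NetFlow as readily as in a sandbox capture.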

Files

memory/2820-0-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2820-1-0x0000000010000000-0x000000001005D000-memory.dmp

\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe

MD5 0ba73a0db3913ba14be521f82c1b2c6c
SHA1 15920f9b5c190b70f927d18fa9d03793cb1f6332
SHA256 212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f
SHA512 51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a

C:\Users\Admin\AppData\Local\Temp\OUT\RoboForm.DLL

MD5 ee1887696c8445caaaad13bdb39d5dba
SHA1 bc09e8530d2497befaeacbf4d50022181ffc59cc
SHA256 2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b
SHA512 94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db

C:\Users\Admin\AppData\Local\Temp\OUT\update.log

MD5 8c49d603e67e5933ff07216c80b0ed4b
SHA1 a31aaff7adccb8563a2f798816f9b211b774bf08
SHA256 6e9f83f1c98551bf184a008b44511ffebc5aa415d4620cbd158bb9be13eee20c
SHA512 48397e74b3c6b5fe9f4235acae7087404cb2e9e605d39caa315fcb5e17a873324d375fd7a141f383e8546e4f8ccf5d9102bf83eb7b21a49680b3538c8dbc6ce4

memory/2188-15-0x0000000000180000-0x0000000000280000-memory.dmp

memory/2188-16-0x00000000002D0000-0x00000000002FE000-memory.dmp

memory/2188-17-0x00000000002D0000-0x00000000002FE000-memory.dmp

memory/2820-18-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2676-37-0x00000000002B0000-0x00000000002DE000-memory.dmp

memory/2676-38-0x00000000002B0000-0x00000000002DE000-memory.dmp

memory/2676-41-0x00000000002B0000-0x00000000002DE000-memory.dmp

memory/2604-45-0x0000000000150000-0x000000000017E000-memory.dmp

memory/2604-47-0x0000000000150000-0x000000000017E000-memory.dmp

memory/2696-50-0x0000000000070000-0x0000000000071000-memory.dmp

memory/2604-49-0x0000000000150000-0x000000000017E000-memory.dmp

memory/2696-54-0x0000000000090000-0x00000000000AC000-memory.dmp

memory/2696-56-0x00000000000B0000-0x00000000000B2000-memory.dmp

memory/2696-58-0x0000000000070000-0x0000000000071000-memory.dmp

memory/2696-59-0x0000000000230000-0x000000000025E000-memory.dmp

memory/2696-60-0x0000000000230000-0x000000000025E000-memory.dmp

memory/2696-61-0x0000000000230000-0x000000000025E000-memory.dmp

memory/2696-63-0x0000000000230000-0x000000000025E000-memory.dmp

memory/2696-68-0x0000000000230000-0x000000000025E000-memory.dmp

memory/2696-70-0x0000000000230000-0x000000000025E000-memory.dmp

memory/2696-76-0x0000000000070000-0x0000000000071000-memory.dmp

memory/2696-77-0x0000000000230000-0x000000000025E000-memory.dmp

memory/2696-78-0x0000000000230000-0x000000000025E000-memory.dmp

memory/2696-79-0x0000000000230000-0x000000000025E000-memory.dmp

memory/2696-80-0x0000000000230000-0x000000000025E000-memory.dmp

memory/2696-83-0x0000000000230000-0x000000000025E000-memory.dmp

memory/2696-84-0x0000000000230000-0x000000000025E000-memory.dmp

memory/2676-85-0x00000000002B0000-0x00000000002DE000-memory.dmp

memory/2696-86-0x0000000000230000-0x000000000025E000-memory.dmp

memory/2604-87-0x0000000000150000-0x000000000017E000-memory.dmp

memory/2188-91-0x00000000002D0000-0x00000000002FE000-memory.dmp

memory/2124-102-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2124-106-0x0000000000260000-0x000000000028E000-memory.dmp

memory/2676-117-0x00000000002B0000-0x00000000002DE000-memory.dmp

memory/2696-124-0x0000000000230000-0x000000000025E000-memory.dmp

memory/2124-126-0x0000000000260000-0x000000000028E000-memory.dmp
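
The memory dumps above are named pid-sequence-start-end, so the end minus the start is the size of the dumped region. The same size, 0x2E000 bytes, occurs in PIDs 2188, 2676, 2604, 2696 and 2124, each at a different private address, while PID 2820 holds the only two regions that sit at default PE image bases (0x400000 and 0x10000000). An identical-size region in five processes is what one payload written into each of them looks like, and it agrees with the WriteProcessMemory rows from 2696 into 2124 earlier in this report. The script below is an added example, not report output. It parses the dump names as listed above (one line per distinct region) and groups regions by size; the default-image-base heuristic is an assumption of the example, not something the report states.

```python
import re
from collections import defaultdict
from typing import NamedTuple


class Region(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self):
        return self.end - self.start


# Dump names copied from the Files list above, one per distinct region
# (the list itself records several of them more than once).
DUMP_NAMES = """
memory/2820-0-0x0000000000400000-0x000000000047F000-memory.dmp
memory/2820-1-0x0000000010000000-0x000000001005D000-memory.dmp
memory/2188-15-0x0000000000180000-0x0000000000280000-memory.dmp
memory/2188-16-0x00000000002D0000-0x00000000002FE000-memory.dmp
memory/2676-37-0x00000000002B0000-0x00000000002DE000-memory.dmp
memory/2604-45-0x0000000000150000-0x000000000017E000-memory.dmp
memory/2696-50-0x0000000000070000-0x0000000000071000-memory.dmp
memory/2696-54-0x0000000000090000-0x00000000000AC000-memory.dmp
memory/2696-56-0x00000000000B0000-0x00000000000B2000-memory.dmp
memory/2696-59-0x0000000000230000-0x000000000025E000-memory.dmp
memory/2124-102-0x0000000000090000-0x0000000000091000-memory.dmp
memory/2124-106-0x0000000000260000-0x000000000028E000-memory.dmp
"""

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Heuristic (assumption): default link-time bases of 32-bit MSVC binaries,
# 0x400000 for an EXE and 0x10000000 for a DLL. A region starting there is
# almost always a mapped PE image rather than a heap or an injected buffer.
DEFAULT_IMAGE_BASES = {0x400000, 0x10000000}


def parse_dumps(text):
    """Turn the dump file names into Region records."""
    regions = []
    for m in DUMP_RE.finditer(text):
        pid, seq, start, end = m.groups()
        regions.append(Region(int(pid), int(seq), int(start, 16), int(end, 16)))
    return regions


def shared_region_sizes(regions, min_pids=3):
    """Region sizes present in at least min_pids different processes.
    The same private-region size across unrelated processes is the footprint
    of one payload written into each of them."""
    pids = defaultdict(set)
    for r in regions:
        pids[r.size].add(r.pid)
    return {size: sorted(p) for size, p in pids.items() if len(p) >= min_pids}


def image_regions(regions):
    """(pid, base) for regions that start at a default PE image base."""
    return [(r.pid, r.start) for r in regions if r.start in DEFAULT_IMAGE_BASES]


def report(text):
    """Human-readable summary lines for the two checks."""
    regions = parse_dumps(text)
    lines = [f"{size:#x} bytes in PIDs {pids}"
             for size, pids in shared_region_sizes(regions).items()]
    lines += [f"PE image at {base:#x} in PID {pid}"
              for pid, base in image_regions(regions)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(DUMP_NAMES)))
```

Run against the names above it reports the 0x2E000-byte region in the five injected PIDs and the two image-base regions in 2820; those five same-size dumps are the ones to carve and compare by hash, since a matching payload across them is a stronger PlugX attribution than the string signature on the packed dropper.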