Analysis Overview
SHA256
6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23
Threat Level: Known bad
The file 5cddaacf9782c030db128e3ebfd8f301.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
SmokeLoader
Glupteba payload
Lumma Stealer
Glupteba
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Modifies Windows Firewall
Deletes itself
Reads data files stored by FTP clients
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
UPX packed file
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Writes to the Master Boot Record (MBR)
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-27 01:44
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-27 01:44
Reported
2024-02-27 01:46
Platform
win7-20240221-en
Max time kernel
59s
Max time network
158s
Command Line
Signatures
Glupteba
Glupteba payload
SmokeLoader
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF50.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E42B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\590.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3307.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\590.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3307.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3307.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3307.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\E024.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\E42B.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1996 set thread context of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\E024.exe | C:\Users\Admin\AppData\Local\Temp\E024.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\CF50.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7DBF.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe
"C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"
C:\Users\Admin\AppData\Local\Temp\CF50.exe
C:\Users\Admin\AppData\Local\Temp\CF50.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 124
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D911.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\D911.dll
C:\Users\Admin\AppData\Local\Temp\E024.exe
C:\Users\Admin\AppData\Local\Temp\E024.exe
C:\Users\Admin\AppData\Local\Temp\E024.exe
C:\Users\Admin\AppData\Local\Temp\E024.exe
C:\Users\Admin\AppData\Local\Temp\E42B.exe
C:\Users\Admin\AppData\Local\Temp\E42B.exe
C:\Users\Admin\AppData\Local\Temp\590.exe
C:\Users\Admin\AppData\Local\Temp\590.exe
C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp" /SL5="$201F6,2424585,54272,C:\Users\Admin\AppData\Local\Temp\590.exe"
C:\Users\Admin\AppData\Local\Temp\3307.exe
C:\Users\Admin\AppData\Local\Temp\3307.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\4705.exe
C:\Users\Admin\AppData\Local\Temp\4705.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\nsz66C1.tmp
C:\Users\Admin\AppData\Local\Temp\nsz66C1.tmp
C:\Users\Admin\AppData\Local\Temp\7DBF.exe
C:\Users\Admin\AppData\Local\Temp\7DBF.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 124
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227014540.log C:\Windows\Logs\CBS\CbsPersist_20240227014540.cab
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UTIXDCVF"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "UTIXDCVF"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
Files
memory/3064-1-0x00000000023F0000-0x00000000024F0000-memory.dmp
memory/3064-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/3064-3-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/1256-4-0x0000000002AC0000-0x0000000002AD6000-memory.dmp
memory/3064-5-0x0000000000400000-0x00000000022D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CF50.exe
| MD5 | 0904e849f8483792ef67991619ece915 |
| SHA1 | 58d04535efa58effb3c5ed53a2462aa96d676b79 |
| SHA256 | fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef |
| SHA512 | 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5 |
C:\Users\Admin\AppData\Local\Temp\CF50.exe
| MD5 | a646fcf542433f66fdd00124341a9e86 |
| SHA1 | 3cd7e3049b7a7372910b1b8ce2a4db280bfdaf24 |
| SHA256 | 0225146767ca5842d186b883d6ee94cbbb88d4ea2179a43173b9f82bea8654f2 |
| SHA512 | b7a0be1f2385b4421c34a9ea0dd4c3eb9f4145e875c45aa5c1a5db21e9510fbb6de3638fc0055ace90de8e93243077c0568ca3670fd52914bfe3298ccfca8a33 |
memory/2668-16-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2668-21-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2668-19-0x0000000001130000-0x00000000019DF000-memory.dmp
memory/2668-23-0x00000000774C0000-0x00000000774C1000-memory.dmp
memory/2668-22-0x0000000001130000-0x00000000019DF000-memory.dmp
memory/2668-18-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2668-25-0x0000000000090000-0x0000000000091000-memory.dmp
\Users\Admin\AppData\Local\Temp\CF50.exe
| MD5 | 0a246e8a1939d2aaa24ee489bab659d9 |
| SHA1 | 2cbb2d2a42f505579b119bd7fdd043d49fed72f0 |
| SHA256 | 6c5ee11145859d91a720747f3c602c67921ea50e3deaf3c1b860fe87cf1c4996 |
| SHA512 | 7ff589661c00399eab76c60aefcfcdc654b9f0124ac456ff95fab83c4f908ecbf6cda49b1b96b7d966156525204741c74930518608a1db1b14aff8c6470b4b90 |
\Users\Admin\AppData\Local\Temp\CF50.exe
| MD5 | f40812f88092a72b4a80a56d74456452 |
| SHA1 | 0be636d0a130870f6be17130378422b803742ba8 |
| SHA256 | 0e2b963e6f42ff17b85a173d0e3406193b44dfab46a85d7cd959e7d6e45d8851 |
| SHA512 | 48806f65786c8080f7623daffee18bdd396bbe51975564010f168c202699b833c04a70af82bd1a5f6e04e39fe2ee0d58b58625adf031b6fd02add4bedc63379c |
C:\Users\Admin\AppData\Local\Temp\D911.dll
| MD5 | d4f8a7b87e314de52b2eee95fb03d2b5 |
| SHA1 | 02aadb8ec54b0e86f29605ff374eafce765694b2 |
| SHA256 | 745ee7c3aa4b9731955a38fe69933df2e78051f244a928e5b8227ea014d2787f |
| SHA512 | 7a13a179ab8d8667df203f04b473e65fbcf508dc568e4b88f7936d295d97d140cb9cb79b8eda0cea1ade0353725d4fe3302b740e1fabbc951a5eec18d4dccfa0 |
\Users\Admin\AppData\Local\Temp\D911.dll
| MD5 | 7aecbe510817ee9636a5bcbff0ee5fdd |
| SHA1 | 6a3f27f7789ccf1b19c948774d84c865a9ac6825 |
| SHA256 | b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac |
| SHA512 | a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae |
memory/2456-32-0x0000000000100000-0x0000000000106000-memory.dmp
memory/2456-33-0x0000000010000000-0x000000001020A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E024.exe
| MD5 | c5c406dbc57f69005ff8854f28e7bd92 |
| SHA1 | 776bc4f2f64e6767c76ae22eaaa3156e92c8693e |
| SHA256 | 784a1816912b23c7940873f956fd731a9fcf728709c53bceca0cbeadc0b3bec0 |
| SHA512 | 98dd4d749ec7e58f4eb4947e412e1c3d4d5ca28a98fb51d339a6a957acfe8bcae85cb54ef3627b31a9a95659a79f31637f97a6efd0efc43859caa254d447bc32 |
memory/1996-41-0x0000000003670000-0x0000000003828000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E024.exe
| MD5 | 3a57dc900df7d0c26658c8359e9cf0ed |
| SHA1 | 13bf3442ea417341c42a99fc00627fda7d3cf623 |
| SHA256 | d86b53f57b7e62d4e0d02d9566e6a893c2ca85d7b81c8623d3f362e61fc4cf84 |
| SHA512 | 57153a2e069a8ce6879529c6bc47e6ef970796bd6d1e354e5f7fd231f6408e2c0935b3c0f1b83f96d9ae9aff715dd9a2d7f058ed7f2afd9702348cbb5cdc893e |
memory/1996-43-0x0000000003830000-0x00000000039E7000-memory.dmp
memory/1996-42-0x0000000003670000-0x0000000003828000-memory.dmp
\Users\Admin\AppData\Local\Temp\E024.exe
| MD5 | 8858584011af51a30c31b647e63d82c0 |
| SHA1 | 7f850261de72d27eb034cb8cc159797fa0a57a1b |
| SHA256 | e8b291c937c8b8a3bacea98fc24efed3b7c48367f796c978d6563f3a4d23e378 |
| SHA512 | e61107cc426fe2545869b5f719a4298f66396a8a100efb569f60102dd73d165cb090508d44dabb208e365c378fc07bd52fa03464c7e9f09c001d033dd6493416 |
C:\Users\Admin\AppData\Local\Temp\E024.exe
| MD5 | 398ab69b1cdc624298fbc00526ea8aca |
| SHA1 | b2c76463ae08bb3a08accfcbf609ec4c2a9c0821 |
| SHA256 | ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be |
| SHA512 | 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739 |
memory/980-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E42B.exe
| MD5 | e6dd149f484e5dd78f545b026f4a1691 |
| SHA1 | 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6 |
| SHA256 | 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7 |
| SHA512 | 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b |
C:\Users\Admin\AppData\Local\Temp\E024.exe
| MD5 | 1df9c98963f3d20b3f3f5db8152e3052 |
| SHA1 | c8203e4dee088a27c97cb3e334c1dd9aafdd0786 |
| SHA256 | cb96f8c2286c4b66024b37b6b09038ba358cbf9572042077b6e1d3c6a0e8336f |
| SHA512 | bfc3c8923b0cb1baf62be9545c16c0678f28bb8d0875cf9cbea217521804cd39c35adba3f31d6adc4e9460f5a56c771596a80a7528a4c17810fb208cfce3bb60 |
memory/980-58-0x0000000000400000-0x0000000000848000-memory.dmp
memory/620-59-0x0000000004580000-0x00000000045EB000-memory.dmp
memory/980-61-0x0000000000400000-0x0000000000848000-memory.dmp
memory/620-60-0x0000000000290000-0x0000000000390000-memory.dmp
memory/980-53-0x0000000000400000-0x0000000000848000-memory.dmp
memory/980-63-0x0000000000400000-0x0000000000848000-memory.dmp
memory/620-62-0x0000000000400000-0x0000000002D8C000-memory.dmp
memory/620-64-0x0000000000400000-0x0000000002D8C000-memory.dmp
memory/980-65-0x0000000000400000-0x0000000000848000-memory.dmp
\Users\Admin\AppData\Local\Temp\D911.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
(These are the digests of a zero-byte file: D911.dll was empty when the sandbox hashed it, so these values identify nothing and must not be used as IOCs.)
memory/980-67-0x0000000000400000-0x0000000000848000-memory.dmp
memory/980-70-0x0000000000270000-0x0000000000276000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\590.exe
| MD5 | 7b96170ca36e7650b9d3a075126b8622 |
| SHA1 | 311068f2f6282577513123b9181283ffb01d55ce |
| SHA256 | e85d92a87e4bc4fd5062e9b1ff763ad228da2bb750e98fc9e29e20075f3d26f6 |
| SHA512 | e5ad08aebfcd41ac76de3544bf3f7b720c36ab2a0c8d2ad26e2c5e672d24dab22ba49aa94e47f90c6014f42b4a23d0f644b0b91a02242b8dd3b7368940d56bfd |
memory/1788-75-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\590.exe
| MD5 | 308f05365b5778ea836482f5ea12870f |
| SHA1 | 140d5aeb4c8b53a6078541c940c1f32a949021c8 |
| SHA256 | 08799d13619c9d39798ec8bc2cac904d6a6538e48cda60c96e0cf78e7e40ca7a |
| SHA512 | e683b194c0d22fea61c29130587a8f6935cb01f9e133ee9eea2640dbacdc64d818ccbd965b3ce147bd91c92585816570737ed075515a420d2c8513de77314429 |
\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp
| MD5 | 951c5cff24d9852fc47e239f8a3184b0 |
| SHA1 | 26b6c602a93093326446761e3a07a8e69de981c8 |
| SHA256 | fa7c173d6b452a5f897508c293ee962960c70e5789697f13b9dd630d5398c0a7 |
| SHA512 | f93dd3849427551a16af746c38fb295c90b6d6c0e2460fd778ce600071eb6968b4659031cb541ac833223506cedc43312f99d1682a06347ae6862ca2374a684e |
C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp
| MD5 | 49becb0626a04b87221c00d30c3d14a2 |
| SHA1 | 96e2f9ea00aa118ce62a368ded287f6b888c0cd4 |
| SHA256 | 95480cadb85d9df813521fd2360328eafc500001fa487324d3ec571397382b3f |
| SHA512 | a1f4fef9d039fd42a704d68b68552e3932d258123a02a3c66c78b8b2d48623b1e305662b378e0024d9c8b419824d3fd1b91dec96c5149123d945e7707bd6eda2 |
\Users\Admin\AppData\Local\Temp\is-V1GTF.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-V1GTF.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/2668-96-0x0000000001130000-0x00000000019DF000-memory.dmp
\??\c:\users\admin\appdata\local\temp\is-flfhf.tmp\590.tmp
| MD5 | 951ac648539bfaa0f113db5e0406de5b |
| SHA1 | 1b42de9ef8aaf1740de90871c5fc16963a842f43 |
| SHA256 | bb02f28cc67276b8d6609f80553c4976b2acbd34459af17167f8c1b001a84dfe |
| SHA512 | 795e654e82d38905841c3af120fb8288e3f81580a559d97266c739d101b335807b99c2592388b3b4af411f626e8d2f3966316152ca62b87a4361a8da78919b2d |
memory/620-105-0x0000000000400000-0x0000000002D8C000-memory.dmp
memory/1536-106-0x0000000000240000-0x0000000000241000-memory.dmp
memory/980-107-0x0000000002AB0000-0x0000000002BD9000-memory.dmp
memory/2456-108-0x0000000002120000-0x0000000002249000-memory.dmp
memory/980-109-0x0000000002BE0000-0x0000000002CEE000-memory.dmp
memory/980-110-0x0000000002BE0000-0x0000000002CEE000-memory.dmp
memory/980-113-0x0000000002BE0000-0x0000000002CEE000-memory.dmp
memory/2456-114-0x0000000002250000-0x000000000235E000-memory.dmp
memory/2456-116-0x0000000002250000-0x000000000235E000-memory.dmp
memory/2456-117-0x0000000002250000-0x000000000235E000-memory.dmp
memory/980-118-0x0000000002BE0000-0x0000000002CEE000-memory.dmp
memory/1788-123-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3307.exe
| MD5 | c3f5e923e98033384378a97de22f6fe7 |
| SHA1 | 28220ec8eb322e95ecad1556885f73a43ad2ebf4 |
| SHA256 | 4b2388ef97e538904f770f45f5e294711378b584241e3256f7b755a5210b9e1d |
| SHA512 | 0db32fa0388e0f3ae72ec73a878a288256b31dc7574912467639f26182907f186c9ea39ced564b3532481f31b1d7e144d5020344557cd55fcfa966d4317a6e75 |
C:\Users\Admin\AppData\Local\Temp\3307.exe
| MD5 | 17d2301b2e6709fbc82d586eb8b833df |
| SHA1 | 74dbdb416b28071578fb43318d33ab4e62fe6a1c |
| SHA256 | 5fc49f408707b26cf4ccd7f08dc972a1383459f2699832ea772357c64e83eb9c |
| SHA512 | 844d04c930d6c47bf118ca490dfeade96a49c7e159aa42a129d8124740eb41b3f63651c181d286dcd9d77a4a725f5150c709663faf2cb6618de4926bb10adbdf |
memory/980-129-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2364-131-0x0000000000E20000-0x00000000016D6000-memory.dmp
memory/1536-132-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2364-133-0x0000000073230000-0x000000007391E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 34666eafe0fffb6a73e31c1e09ecac4f |
| SHA1 | ffd5c92070e4a8fab8f8095316d73ccd485f6294 |
| SHA256 | d429c8dcd6ef1fb942bcf3543e0368f54d62c0519076daecd3bc5f0aa8713232 |
| SHA512 | 542a9e8b722ea5dcc245978d026c7a11b0e7b4f7ed651fa9f4a562bb93ed33eb3edcbc57d075a154520a007898f4bad0734031238898feece2a816e7c99f7966 |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | aaf0bb37ae70edf36b650977fe25658f |
| SHA1 | dec39feae72f0c5ae84775303e543ca353de6256 |
| SHA256 | bb578336ff40082f50aa894cd7b33f4078d16277942c35b20da5da995fe21d06 |
| SHA512 | d0c8bbd2d0fbc4821c2ee12245aa9cd434c138256fc10b7c3717cd4988b3298a221c7da764a2bb67d511870dc9ae52cf018304bb04744212fac2461bd4a055e4 |
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | d3c015d761ac4697c31779ebd67685fe |
| SHA1 | 6eda243187265592a404feca52bf612ddc66e396 |
| SHA256 | 689272ab8ec16e67eb0c14f37e0928b21b3cf38e467216ed1240177d82e5d7ea |
| SHA512 | 680b8009fc1392d7269a58821b9a0f71bf93ae4b7a46f8f3c9900ab501a48fa7c882c214377d0b33b6310d6d92259dada20db8b3e6939446b013b2d668a7d7ab |
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 0f68106658c054bde5c705e5b1f000e6 |
| SHA1 | 5cc1bb15c4dfd5ad0630ae0ae9ac2286f3050102 |
| SHA256 | 58d6747e01ef0fce7a9a53341707556e91276314acbae7f6228d782291686b3c |
| SHA512 | 30bbfc56175b7245acb175f85fc5023b497bb0ed26e6ccf6a585b408044b6adc8d165e1b6e797f1de1e5dd33806c14c9e3d5d818f5455ea0d7a2c381c269e59e |
memory/2060-143-0x0000000002830000-0x0000000002C28000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | b17be9c9cd31a7c69c5dccc4222f3241 |
| SHA1 | 0c4f24a70c3f555d8ebee3397a850a08f68051d1 |
| SHA256 | 45c0c53b6d1c5d7694e381ae14a6cd19e44d54dddb7c4aac00fe5fba9483b9ea |
| SHA512 | ff0884a00096e018008b5b50876ef6345959eaea8f5a0945a748070df87824ffb47566c50fc1474bf7f988801ffbc8a5c04e273483ee93615de027890efc3787 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | b4cd344bdf164bc552a7e4b7fd152594 |
| SHA1 | 8e41f116655fbb8f4f614c21c0b02f06b281beba |
| SHA256 | 65e375fbf5477a9c9ea06b4fd5115169b96478deaf55d65f207d89327269a015 |
| SHA512 | 1624548747342c564bac7e0830bc2710b6de8585fc70d1003ac77e972aaeb907ac6ce45ef53e04f9af38a60811aac6435be9192ded73106c538ddb9dd82916a0 |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 10da85ae04da6c225fd4ea9d204378c9 |
| SHA1 | d3730e020f9e2a5c217926180d44b65a91cf6a4a |
| SHA256 | d753eef117aabaa8247c3bcea0d39f64cfeaf612193e30995f5c00ead203e9c5 |
| SHA512 | 1cc1ef5da86f4683422301f8318c1bd6d30515aa36e1d6949eb749b47a3b557990b79f7bc682eb3e3f2ccef4155e56f8adeb1f09beec97de067acf40c91e9d69 |
memory/2364-158-0x0000000073230000-0x000000007391E000-memory.dmp
\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 56b83c068dc6c8df9c02236e9587cd42 |
| SHA1 | 9803091206a0fff470768e67577426cce937a939 |
| SHA256 | 678ad0e61f6de9398cc11b9b36be203c12b690a0b06f06e5a62b1cfd51d0036e |
| SHA512 | e270b50ee7a2b70409c2881f3f936013f0034b7e4e66f914dfe97fc94af3e779de6174673a39b9b45b98beede0c04151609f4ee0e4277988d56a7d3ea62830cb |
C:\Users\Admin\AppData\Local\Temp\4705.exe
| MD5 | 0ca68f13f3db569984dbcc9c0be6144a |
| SHA1 | 8c53b9026e3c34bcf20f35af15fc6545cb337936 |
| SHA256 | 9cd86fa59ea2d10f9b9f3293c132f158fcb7dd993fdb706944f9fe9fa409504a |
| SHA512 | 4c3a3be5fda0f9060a08b95383b5260e4079dbcff73849d2fac88520ae625c33a73c5858b25b717fcccebf03c3ad9b19807de8bcfa7ea22be6648cc965072b7d |
memory/980-165-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2060-166-0x0000000002830000-0x0000000002C28000-memory.dmp
memory/2060-168-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/620-170-0x0000000004580000-0x00000000045EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 28b72e7425d6d224c060d3cf439c668c |
| SHA1 | a0a14c90e32e1ffd82558f044c351ad785e4dcd8 |
| SHA256 | 460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98 |
| SHA512 | 3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6 |
memory/2060-171-0x0000000002C30000-0x000000000351B000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsy52A3.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 9d185f0fd5b659435bc019c9099db580 |
| SHA1 | 1cd9db6640706a06c4440427c2bc49c909c24f01 |
| SHA256 | 0ea631ce1d7134e9bf394f7e36519b2e98e06785fbf23c94e908979f4fff005c |
| SHA512 | 2020ef68692cbb607da0a8bed4c93552a098e6c5beac92edacb7558f04c11cb33b9c88cab4b9f5e3aee34a52d649d423d04cdb1752b287a17086a8fea6f6fa3d |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 0382fa4f0e27cfe8971b5ee495c5ecd3 |
| SHA1 | 9f19db447e16a1ba65608dfde4857ed17a5ebf83 |
| SHA256 | d118eddfed9567a4e5e49b56259f5366ed74e19270b1e0232ba6df34968c65ee |
| SHA512 | 37e3e4e73e626e5b2c14203b9c5d6e2dd95e809745d030aba6c91ee96fe9525e80c9b909a1927761915b16b2805503b742a765e73fd7d7deed559abee9e47356 |
memory/620-182-0x0000000000290000-0x0000000000390000-memory.dmp
memory/980-183-0x0000000000400000-0x0000000000848000-memory.dmp
memory/1164-189-0x0000000000220000-0x000000000022B000-memory.dmp
memory/1164-188-0x00000000024B0000-0x00000000025B0000-memory.dmp
memory/1628-187-0x0000000000240000-0x0000000000241000-memory.dmp
memory/980-191-0x0000000000400000-0x0000000000848000-memory.dmp
memory/1164-190-0x0000000000400000-0x00000000022D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsz66C1.tmp
| MD5 | 9089c5ddf54262d275ab0ea6ceaebcba |
| SHA1 | 4796313ad8d780936e549ea509c1932deb41e02a |
| SHA256 | 96766ea71dc59a5b1734aba76c1ab1cbc8459a9ee023e9875359667dbf51ea4a |
| SHA512 | ec71801feccd0c900132425d6bc601bcae6e78702b708df80783a752d08c8bdc49f0b0c8e7c37b15a02b381369b8a3c1114d7385796316b834738045f7dc053c |
memory/2060-206-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1256-208-0x00000000039B0000-0x00000000039C6000-memory.dmp
memory/1164-207-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/1628-214-0x0000000000400000-0x00000000008E2000-memory.dmp
memory/1488-216-0x0000000000250000-0x0000000000277000-memory.dmp
memory/1488-215-0x0000000002410000-0x0000000002510000-memory.dmp
memory/1488-217-0x0000000000400000-0x00000000022D9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7DBF.exe
| MD5 | cef45ef8a5a648c3b83abb21933a054e |
| SHA1 | 0ce2fecefe51ee3cba3abac1575987e00991d4ce |
| SHA256 | 922d042369769d5c2c049303d86cd3214931dfbeb9b9577fe0ce2c02f1b3dbab |
| SHA512 | d3d659ce80d2cc54e68caccd00400e15d4f7059c18daaaf3bd16d469514112bede7643932e8f49cce340faa02dd541e563642a3afbf83d559f3cb7156275423d |
memory/980-222-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Local\Temp\7DBF.exe
| MD5 | 98032e01a07b787b4416121c3fdf3ae5 |
| SHA1 | 65c8dc24c8b5d416c1e51105e190c440762069f3 |
| SHA256 | 8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7 |
| SHA512 | 3db2d03a323a6be3014eeba75dc56bd0ad486c23e05824f64399ea9c11da8a958380846a06f672a5153c5754778387e6b07d86fe1c05cca7afe3b1b8f17438fb |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | b8bbbebf6a96db29f8a6c2c3e2726b72 |
| SHA1 | 074958a02f3c65261dfe5d4c349b7af4849ee707 |
| SHA256 | 25acbb3a7b3a4932482dee31862427ff7d8bb58035d5864a6ea8e6e4c653ae39 |
| SHA512 | 1f63650dc10cb4c074387e8df352c17b58a05305b363bc4042949872aa4eb9221e831a5ef17e73fe8c24cab2715361e0629e775f7b5c790598a7ee5b075c5f74 |
memory/2520-236-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2520-245-0x00000000002D0000-0x0000000000D7D000-memory.dmp
memory/2520-275-0x00000000774C0000-0x00000000774C1000-memory.dmp
memory/2520-277-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2520-285-0x00000000001E0000-0x00000000001E1000-memory.dmp
\Users\Admin\AppData\Local\Temp\7DBF.exe
| MD5 | 6669371ff96389b0ec050b86918a98ac |
| SHA1 | 28d2c7360e3f10fa6aff0b2b0bbd384371407cba |
| SHA256 | 88147009a4746cf66d54f5be049d7c36781f2a84c0fc21e9249424fc19ae4803 |
| SHA512 | d7c6ff78e7e215a67c87f78d1c143cfdfc6c8e0dc6a6339b74f0853c184535f1563fdebd1e58bd1fa1833f5c5a84853d40c79232d20e5a54139bf3c4592cce25 |
\Users\Admin\AppData\Local\Temp\7DBF.exe
| MD5 | 93482d73c7977a8486f8d1d59b8a5775 |
| SHA1 | cf17a1a776ccdb3993901f0e48383ed6803b3996 |
| SHA256 | 4b47d6feba365f064331a63afd8132d95b9d6ddcaf3b715e17615774fa301192 |
| SHA512 | 80885ea4aaacf99c1577dfe1c0e338f78d6543881a032eefb052be3c692e2950576e0bf21995c336c40b4f35f2cd98197f3fb1830d4ee8964b9c6b3c762b0094 |
\Users\Admin\AppData\Local\Temp\7DBF.exe
| MD5 | 192c2bee85452b62bbc7b9bd93b24b07 |
| SHA1 | 3ef36ceccecb900280aff4297c8136a3746f024f |
| SHA256 | cd989adfe10e50fb4bc10dd7b1cc24bc0729cc218a238cf3fb1fc268ad530ae4 |
| SHA512 | 07981649ef443bce9eb1a5815321999dcc99cc96539dc2540d953b8208dcbbda24243ed4e542f6c9682a3d76eb7226d9fd6205e9631d96de85490b85f38b4b2f |
\Users\Admin\AppData\Local\Temp\7DBF.exe
| MD5 | 0434ebfc7b8efe114543e34d6cdf4952 |
| SHA1 | ddec4208a23e8d4e3c9ce589185e16292024ad6e |
| SHA256 | ae88c38e3a299998c1085e317dc29b6e5da6d659e638e301c45702458379c344 |
| SHA512 | 1d63fd7ef2649bb9581291d1c44495a8c90f8396ae53f267c4fbcfcbc89d70574438798e32dc9179ddd2c5ca37bb2d9f7b525430d9ac16037bfc5494ac88181c |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
| MD5 | 3e15b66793892cd12d81bd4c2d59919e |
| SHA1 | 8aeca5bff3549f3ac0e8bfaf12160be4e9f503ac |
| SHA256 | cbfae0c1c01572e0538e0a951ad365c8757492165d33efbfbf85f7e8714c1768 |
| SHA512 | 4def262d824a10b5995f3267f8a4d514818c00a8e2c123537dd8c2dec6f79e45ee3f21a51631175e9fd3c7fa7b6d960f57eae504112762179b95161b38277668 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
| MD5 | e7b4463b55575c4b778ef1a9c52dd863 |
| SHA1 | 1f4bf0a3b30ada5013a15ffd97bc0a1aa0dbd2c8 |
| SHA256 | 1c623144a973b01898c9155341077b0430fcea87854616a090d5af69559808eb |
| SHA512 | 34d0b805567e6f0e0298e3ba1bcde24d3e71686a8c51f5dcbbe9d28a47e2478fae09d1fa5f74384fc6f184bc239d66fce4a45b3be8470e6507f535d6f045714c |
memory/2060-314-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 50148f4315ccf59c839a333b524595a5 |
| SHA1 | abadbc87f030d1323115261f075dc16252648091 |
| SHA256 | b5bd19a7fbe8a92bec9d5c245ee65ddb6c391a1fa30fcef49f71c51303281f7b |
| SHA512 | 3270b1951106e7b91738d3f0c6fc71396e1ee0a516edfccc852bc29b0369f8c413a4ec28350c38dacbfceac0d3af2c26f2321a25bcbaf6e5855c82f444e83779 |
memory/2060-337-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2848-342-0x00000000025B0000-0x00000000029A8000-memory.dmp
memory/2848-345-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1628-346-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1204-351-0x000000001B200000-0x000000001B4E2000-memory.dmp
memory/1204-352-0x0000000001D50000-0x0000000001D58000-memory.dmp
memory/1204-353-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp
memory/1204-354-0x00000000025F0000-0x0000000002670000-memory.dmp
memory/1204-355-0x00000000025F4000-0x00000000025F7000-memory.dmp
memory/1204-357-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp
memory/1204-356-0x00000000025FB000-0x0000000002662000-memory.dmp
memory/1204-358-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp
memory/1488-359-0x0000000000400000-0x00000000022D9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | b03886cb64c04b828b6ec1b2487df4a4 |
| SHA1 | a7b9a99950429611931664950932f0e5525294a4 |
| SHA256 | 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc |
| SHA512 | 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659 |
\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | 147b6aa5bd0222e5d58af8984b073c56 |
| SHA1 | 399923e38ba252bffbe5c13b39bcbf41798e15f5 |
| SHA256 | 6a2447d974f6eeaaa5ad420a24faa13417df7ebd5c76d0b872a11183d29c5bd9 |
| SHA512 | c0002076c0eed73addcaee17d389293eee9b462d02187944ad7c5a5235b78265257efc958473d91bd5e63f3b0a8ed7ed166a550f311c348170914620da519d70 |
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | b29cd31f15d37cebbe2804adc62ce2e9 |
| SHA1 | e036f370e3b9a849609823c1cf295c07968b91a0 |
| SHA256 | 082ab87e967c75809e40fab5cdfd97aa48c3827b52e26188d9fabfadd5da4bf2 |
| SHA512 | 2a031213cadf534acf2ef564937fa6102f7103d91513498c0c4dfef4f3056a1f568e7db70ef9ad817e75117dbead7b0f5e4e8bf59767f026ca09831f321860f4 |
memory/2620-375-0x0000000000E60000-0x0000000000E68000-memory.dmp
memory/1488-377-0x0000000002410000-0x0000000002510000-memory.dmp
memory/2620-374-0x0000000019B20000-0x0000000019E02000-memory.dmp
memory/2620-378-0x000007FEF4980000-0x000007FEF531D000-memory.dmp
memory/2620-380-0x0000000001110000-0x0000000001190000-memory.dmp
memory/2620-381-0x000007FEF4980000-0x000007FEF531D000-memory.dmp
memory/2620-382-0x0000000001110000-0x0000000001190000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 7c277165dcead3616b33d9432afcb485 |
| SHA1 | b725f0009bb07f8c3f434adc10ccc8d78967ea62 |
| SHA256 | a3548e60aee3eacd24068a097a0fd848bf9d61a19e54a88068b5be7539384c30 |
| SHA512 | 2f5d098b0ca693dc399479f293ce38b0254149481dcc397715cff47a55b870c2a3ae7824cc1587838ce0f511633fecc961384e836bbccde66734207d1f5e8105 |
\Windows\rss\csrss.exe
| MD5 | 8968359e460df9992c18c113c1c17674 |
| SHA1 | 1370811cb82506f311c9ea7564df9a0029bd2265 |
| SHA256 | da196e9c74d5f55018e8b34e506f8d15dafaff07ad297215139e28bc2f11f07c |
| SHA512 | cc9ce4a2cf680d5bf9945ee00600877e4a28a940888e6e9db90b431469f2a926fb386a4cb98243d60da4ad52353088d156a6815b1335e6b9077ed04a13e9f7d3 |
memory/2520-394-0x00000000002D0000-0x0000000000D7D000-memory.dmp
memory/2848-396-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2620-398-0x0000000001110000-0x0000000001190000-memory.dmp
memory/2620-399-0x000007FEF4980000-0x000007FEF531D000-memory.dmp
memory/2788-407-0x0000000002780000-0x0000000002B78000-memory.dmp
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | 029a5147d2f0d080800b095d06298a55 |
| SHA1 | 6d53b0c00f128318d23de9db082989e30369baad |
| SHA256 | cd1818fa6f2a4cbdd75985ba9e36c6141d206f5728b994875c3af7c874938566 |
| SHA512 | b035c22bd7b41375cff69882f696d37f8167c12a770da3f6d919d1350789bd1f1d4cfc623fe325c696b3f30e96632bbd1233cdff878df05e8c5b7a153f3c9e1c |
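The listing above repeats several paths (E024.exe, 590.tmp, 7DBF.exe, 288c47bbc1871b439df19ff4df68f076.exe) with different digests each time, spells the same file three ways (C:\..., \..., \??\c:\...), and carries one empty-file entry. The script below is an added example, not part of the sandbox's own tooling: it parses that listing format, folds the path spellings together, reports which paths were rewritten with different content (a single-hash IOC for such a path misses the other stages), flags empty entries, and sizes the captured memory regions per PID. The sample input is a subset of the entries shown above, copied as the report spells them; the regular expressions and path normalisation are this example's own assumptions about the format.

```python
"""Consolidate a sandbox report's dropped-file / memory-dump listing into IOCs.

Added example for this page; it is not the sandbox's own code. It parses the
listing format used above (a path line followed by `| MD5 | ... |` style hash
rows, interleaved with memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp lines).
"""
import re
from collections import defaultdict

# SHA256 of a zero-byte file; an entry carrying it was empty when the sandbox hashed it.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Assumed line shapes, derived from the report format above.
PATH_LINE = re.compile(r"^(\\\?\?\\)?([A-Za-z]:)?\\\S")          # C:\..., \..., \??\c:\...
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def normalize_path(path: str) -> str:
    """Fold the spellings the report uses for one file into a single key."""
    p = path.strip()
    if p.startswith("\\??\\"):          # NT object-manager prefix
        p = p[4:]
    if len(p) >= 2 and p[1] == ":":     # drive letter
        p = p[2:]
    return p.lower()


def parse_listing(text: str):
    """Return (files, regions).

    files:   normalized path -> list of {"path": ..., "MD5": ..., "SHA256": ...}
    regions: pid -> list of (start, end) virtual address ranges
    """
    files, regions, current = defaultdict(list), defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        m = MEM_LINE.match(line)
        if m:
            regions[int(m.group(1))].append((int(m.group(2), 16), int(m.group(3), 16)))
            current = None              # a memory line ends the current file entry
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).lower()
            continue
        if PATH_LINE.match(line):       # a path line starts a new file entry
            current = {"path": line}
            files[normalize_path(line)].append(current)
    return files, regions


def multi_content_paths(files):
    """Paths dropped more than once with different SHA256s (staged / overwritten payloads)."""
    out = {}
    for path, entries in files.items():
        hashes = sorted({e["SHA256"] for e in entries if "SHA256" in e})
        if len(hashes) > 1:
            out[path] = hashes
    return out


def empty_entries(files):
    """Normalized paths whose recorded content is the empty file."""
    return sorted(p for p, es in files.items()
                  if any(e.get("SHA256") == EMPTY_SHA256 for e in es))


def region_summary(regions):
    """Per PID: each distinct region with its size and how often it was captured."""
    summary = {}
    for pid, ranges in regions.items():
        counts = defaultdict(int)
        for r in ranges:
            counts[r] += 1
        summary[pid] = {f"0x{s:X}-0x{e:X}": {"size": e - s, "captures": n}
                        for (s, e), n in counts.items()}
    return summary


# Constructed sample: a subset of the entries listed above, spelled as the report spells them.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\E024.exe
| MD5 | 398ab69b1cdc624298fbc00526ea8aca |
| SHA256 | ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be |
memory/980-58-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E024.exe
| MD5 | 1df9c98963f3d20b3f3f5db8152e3052 |
| SHA256 | cb96f8c2286c4b66024b37b6b09038ba358cbf9572042077b6e1d3c6a0e8336f |
memory/980-61-0x0000000000400000-0x0000000000848000-memory.dmp
\Users\Admin\AppData\Local\Temp\D911.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp
| SHA256 | fa7c173d6b452a5f897508c293ee962960c70e5789697f13b9dd630d5398c0a7 |
C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp
| SHA256 | 95480cadb85d9df813521fd2360328eafc500001fa487324d3ec571397382b3f |
\??\c:\users\admin\appdata\local\temp\is-flfhf.tmp\590.tmp
| SHA256 | bb02f28cc67276b8d6609f80553c4976b2acbd34459af17167f8c1b001a84dfe |
memory/620-59-0x0000000004580000-0x00000000045EB000-memory.dmp
"""

if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    for path, hashes in multi_content_paths(files).items():
        print(f"{path}: {len(hashes)} distinct contents")
    print("empty:", empty_entries(files))
    print("regions:", region_summary(regions))
```

Run on the full listing, `multi_content_paths` is the set of hashes to block for each stager path, `empty_entries` is the set to discard, and `region_summary` shows which image ranges (for example PID 980's 0x400000-0x848000) the sandbox dumped repeatedly as the process rewrote itself.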
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-27 01:44
Reported
2024-02-27 01:46
Platform
win10v2004-20240226-en
Max time kernel
94s
Max time network
157s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\F84C.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
SmokeLoader
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\375C.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F84C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\F84C.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\FACE.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\FourthX.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 924 set thread context of 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\F84C.exe | C:\Users\Admin\AppData\Local\Temp\F84C.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4901.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4901.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4901.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
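The registry rows in this section mix one real persistence indicator (the WOW6432Node Run value named CSRSS that points at C:\ProgramData\Drivers\csrss.exe, listed under DcRat and again under Adds Run key) with rows that are ordinary side effects: the MuiCache entries for @tzres.dll strings in the HKEY_USERS table that follows are written when a process resolves time-zone display names, and the SystemCertificates keys under .DEFAULT are created by CryptoAPI when a process running as a system account first touches a certificate store. The script below is an added example, not the sandbox's own code, that parses rows in the `| op | key = "value" | process | target |` shape used by these tables, decodes the escaped value, and labels each row as persistence, noise or review. The classification rules, the list of impersonated binary names and the treatment of WOW6432Node are this example's own heuristics; the sample rows are copied from this report's behavioral2 tables. The same name check applies to the C:\Windows\rss\csrss.exe dropped in behavioral1: the genuine csrss.exe lives in System32.

```python
"""Triage the registry rows of a sandbox report into persistence vs. noise.

Added example for this page, not the sandbox's own code. The rules below are
the example's own heuristics, not a verdict the report itself states.
"""
from collections import defaultdict

# Names of Windows binaries that malware likes to borrow; the real ones live in System32.
IMPERSONATED_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                      "winlogon.exe", "services.exe", "wininit.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def decode_value(cell: str) -> str:
    """Strip the report's outer quotes and unescape the embedded \\" and \\\\ sequences."""
    s = cell.strip()
    if s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    s = s.replace('\\"', '"').replace('\\\\', '\\')   # \" -> "  then  \\ -> \
    return s.strip('"')


def parse_row(line: str):
    """One table row -> dict, or None for headers / non-table lines."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Description":
        return None
    op, indicator, process, _target = cells
    key, value = indicator, None
    if " = " in indicator:                       # "Set value" rows carry key = "value"
        key, raw = indicator.split(" = ", 1)
        value = decode_value(raw)
    return {"op": op, "key": key, "value": value, "process": process}


def triage(row):
    """Label a parsed row; verdict prefix is one of persistence / noise / review."""
    key, notes = row["key"].lower(), []
    if "\\currentversion\\run" in key:
        verdict = "persistence: Run key autostart"
        if "\\wow6432node\\" in key:
            notes.append("32-bit registry view: hunt under WOW6432Node (or KEY_WOW64_32KEY); "
                         "a 64-bit query of ...\\CurrentVersion\\Run will not see it")
        exe = row["value"] or ""
        name = exe.rsplit("\\", 1)[-1].lower()
        if name in IMPERSONATED_NAMES and not any(d in exe.lower() for d in SYSTEM_DIRS):
            notes.append(f"masquerade: {name} outside System32/SysWOW64 ({exe})")
    elif "\\muicache\\" in key and "@tzres.dll" in key:
        verdict = "noise: time-zone display-name cache (process resolved tzres.dll strings)"
    elif "\\systemcertificates\\" in key:
        verdict = "noise: certificate-store housekeeping by CryptoAPI"
    else:
        verdict = "review: no rule matched"
    if key.startswith("\\registry\\user\\.default\\"):
        notes.append("written under HKU\\.DEFAULT: the process ran as a system account")
    return {"verdict": verdict, "notes": notes, "process": row["process"],
            "key": row["key"], "value": row["value"]}


def summarize(table: str):
    """Triage every row of a signature table; returns (rows, count per verdict class)."""
    rows = [triage(r) for r in map(parse_row, table.splitlines()) if r]
    counts = defaultdict(int)
    for r in rows:
        counts[r["verdict"].split(":")[0]] += 1
    return rows, dict(counts)


# Constructed sample: four rows copied from this report's behavioral2 tables.
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\F84C.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
"""

if __name__ == "__main__":
    rows, counts = summarize(SAMPLE_ROWS)
    for r in rows:
        print(r["verdict"], "|", r["process"], "|", r["value"], "|", "; ".join(r["notes"]))
    print(counts)
```

On a host, the persistence row translates directly into the check to run: read the 32-bit view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (the WOW6432Node path) for a value named CSRSS, and treat any csrss.exe that is not C:\Windows\System32\csrss.exe as the dropped stager.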
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4901.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | "C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe" |
| C:\Users\Admin\AppData\Local\Temp\EC25.exe | C:\Users\Admin\AppData\Local\Temp\EC25.exe |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F231.dll |
| C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\Admin\AppData\Local\Temp\F231.dll |
| C:\Users\Admin\AppData\Local\Temp\F84C.exe | C:\Users\Admin\AppData\Local\Temp\F84C.exe |
| C:\Users\Admin\AppData\Local\Temp\F84C.exe | C:\Users\Admin\AppData\Local\Temp\F84C.exe |
| C:\Users\Admin\AppData\Local\Temp\FACE.exe | C:\Users\Admin\AppData\Local\Temp\FACE.exe |
| C:\Users\Admin\AppData\Local\Temp\723.exe | C:\Users\Admin\AppData\Local\Temp\723.exe |
| C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp | "C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp" /SL5="$D002C,2424585,54272,C:\Users\Admin\AppData\Local\Temp\723.exe" |
| C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe | "C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -i |
| C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe | "C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -s |
| C:\Users\Admin\AppData\Local\Temp\375C.exe | C:\Users\Admin\AppData\Local\Temp\375C.exe |
| C:\Users\Admin\AppData\Local\Temp\4901.exe | C:\Users\Admin\AppData\Local\Temp\4901.exe |
| C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe" |
| C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe" |
| C:\Users\Admin\AppData\Local\Temp\FourthX.exe | "C:\Users\Admin\AppData\Local\Temp\FourthX.exe" |
| C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe |
| C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp | C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" " |
| C:\Windows\SysWOW64\chcp.com | chcp 1251 |
| C:\Users\Admin\AppData\Local\Temp\70AE.exe | C:\Users\Admin\AppData\Local\Temp\70AE.exe |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2084 -ip 2084 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1956 |
| C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "UTIXDCVF" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto" |
| C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "UTIXDCVF" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog |
| C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe |
| C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\system32\conhost.exe | C:\Windows\system32\conhost.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
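The command lines above record the whole persistence and defence-evasion chain: a Defender exclusion covering the entire user profile and ProgramData, removal of the Malicious Software Removal Tool (KB890830), a service whose binary lives under ProgramData, the event log service stopped, a firewall allow rule plus an on-logon scheduled task for a csrss.exe outside System32, and a DLL named NtQuerySystemInformationHook.dll pushed into taskmgr.exe. The Python script below is an added example, not part of the report or of the sandbox's own signature engine: it runs a small rule set over command lines transcribed from the table above and maps each hit to a MITRE ATT&CK technique. The rule names, regular expressions and technique mapping are this example's own choices.

```python
"""Triage of sandbox process command lines (added example, not part of the report)."""
import re
from collections import Counter

# Constructed sample: command lines transcribed from the Processes section above.
SAMPLE_CMDLINES = [
    r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F''',
    r"powershell -nologo -noprofile",
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r'C:\Windows\system32\sc.exe delete "UTIXDCVF"',
    r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart",
    r'C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"',
    r'C:\Windows\system32\sc.exe start "UTIXDCVF"',
    r"C:\Windows\system32\sc.exe stop eventlog",
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r"schtasks /delete /tn ScheduledUpdate /f",
    r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll",
    r"explorer.exe",
]

# (rule name, regex over one command line, ATT&CK technique). The mapping is this
# example's own; the report only lists the raw command lines.
RULES = [
    ("defender_exclusion",
     r"Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process)", "T1562.001"),
    ("msrt_removal",  # KB890830 is the Windows Malicious Software Removal Tool
     r"wusa\s+/uninstall\s+/kb:890830", "T1562.001"),
    ("eventlog_stop",
     r"\bsc(?:\.exe)?\s+stop\s+eventlog\b", "T1562.002"),
    ("service_in_programdata",
     r'\bsc(?:\.exe)?\s+create\b.*binpath=\s*"?[A-Za-z]:\\ProgramData\\', "T1543.003"),
    ("schtask_onlogon_highest",
     r"schtasks\s+/create\b.*(?:/RL\s+HIGHEST|/SC\s+ONLOGON)", "T1053.005"),
    ("schtask_runs_from_temp",
     r"schtasks\s+/create\b.*/tr\s+.*\\Temp\\", "T1053.005"),
    ("firewall_allow_rule",
     r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*action=allow", "T1562.004"),
    ("csrss_outside_system32",  # the real csrss.exe lives in System32, not \Windows\rss
     r"\\Windows\\rss\\csrss\.exe", "T1036.005"),
    ("injector_with_hook_dll",
     r"injector\.exe\s+\S+\s+\S+Hook\.dll", "T1055.001"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), tech) for name, pat, tech in RULES]


def triage(cmdlines):
    """Return one (rule, technique, cmdline) tuple per rule hit; a line may hit several rules."""
    findings = []
    for line in cmdlines:
        for name, rx, tech in COMPILED:
            if rx.search(line):
                findings.append((name, tech, line))
    return findings


def summarize(findings):
    """Hits per rule, plus the sorted set of distinct techniques observed."""
    by_rule = Counter(name for name, _, _ in findings)
    techniques = sorted({tech for _, tech, _ in findings})
    return by_rule, techniques


if __name__ == "__main__":
    hits = triage(SAMPLE_CMDLINES)
    counts, techs = summarize(hits)
    for name, tech, line in hits:
        print(f"[{tech}] {name}: {line}")
    print("techniques:", ", ".join(techs))
```

Run against the sample, eight of the thirteen lines are flagged (the bare `powershell -nologo -noprofile`, `sc delete`, `sc start`, `schtasks /delete` and `explorer.exe` lines are not) and seven distinct techniques are reported; the two `csrss` hits come from the firewall rule and the scheduled task pointing at the same out-of-place binary.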
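The Network table in the section that follows mixes resolver queries to 8.8.8.8, reverse lookups, loopback traffic, repeated contacts with the same host, and a handful of rows whose Domain column is empty because no name was ever resolved for that address. The script below is an added example, not part of the report: it parses rows transcribed from that table (including two of the mis-aligned rows), drops the resolver and loopback noise, collapses repeats into per-destination flows, and flags direct-to-IP connections, non-standard ports, the xmr-eu2.nanopool.org mining pool and pastebin.com. The classification lists are this example's own assumptions; the report itself only records the connections.

```python
"""De-duplicate a sandbox Network table into flagged IOC flows (added example, not part of the report)."""
import re

# Constructed sample: rows transcribed from the Network table on this page. Two rows
# reproduce the page's mis-aligned form (protocol in the Domain column, empty Proto column).
SAMPLE_TABLE = """
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| PL | 51.68.137.186:14433 | xmr-eu2.nanopool.org | tcp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 213.158.31.231:22711 | tcp | |
| CA | 149.56.98.216:9001 | tcp | |
| N/A | 127.0.0.1:58864 | tcp | |
| MX | 187.204.68.217:80 | kamsmad.com | tcp |
| MX | 187.204.68.217:80 | kamsmad.com | tcp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 120.85.215.91.in-addr.arpa | udp |
"""

ROW_RX = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")
PROTOS = {"tcp", "udp"}
# Classification lists are this example's assumptions; the report does not label destinations.
MINING_POOL_SUFFIXES = (".nanopool.org",)
PASTE_SITES = {"pastebin.com"}
COMMON_PORTS = {80, 443}


def parse_rows(text):
    """Parse '| country | ip:port | domain | proto |' rows, tolerating a missing Domain cell."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RX.match(line.strip())
        if not m:
            continue
        country, dest, domain, proto = m.groups()
        if proto == "" and domain.lower() in PROTOS:   # shifted row: no domain was logged
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain if domain and domain != "N/A" else None,
                     "proto": proto.lower()})
    return rows


def ioc_flows(rows):
    """Collapse rows into unique (ip, port, proto) flows with hit counts and triage flags.
    Queries to the resolver (UDP/53, which also covers the in-addr.arpa reverse lookups)
    and loopback traffic are dropped because they are not contacts with a destination."""
    flows = {}
    for r in rows:
        if (r["proto"] == "udp" and r["port"] == 53) or r["ip"].startswith("127."):
            continue
        key = (r["ip"], r["port"], r["proto"])
        f = flows.setdefault(key, {"ip": r["ip"], "port": r["port"], "proto": r["proto"],
                                   "country": r["country"], "domain": r["domain"],
                                   "hits": 0, "flags": set()})
        f["hits"] += 1
        dom = (r["domain"] or "").lower()
        if not dom or dom == r["ip"]:
            f["flags"].add("direct_ip_no_dns")     # hard-coded address, no name resolution seen
        if dom.endswith(MINING_POOL_SUFFIXES):
            f["flags"].add("mining_pool")
        if dom in PASTE_SITES:
            f["flags"].add("paste_site")           # legitimate service used for hosting/C2
        if r["port"] not in COMMON_PORTS:
            f["flags"].add("nonstandard_port")
    return list(flows.values())


def flagged(flows):
    """Only the flows worth an analyst's attention, most-flagged first."""
    return sorted((f for f in flows if f["flags"]), key=lambda f: -len(f["flags"]))


if __name__ == "__main__":
    for f in flagged(ioc_flows(parse_rows(SAMPLE_TABLE))):
        print(f'{f["ip"]}:{f["port"]}/{f["proto"]} {f["country"]} '
              f'domain={f["domain"] or "-"} hits={f["hits"]} flags={sorted(f["flags"])}')
```

On the sample the eleven rows reduce to seven flows, five of them flagged; the two unflagged ones (selebration17io.io and kamsmad.com on port 80) are exactly the kind of plain-HTTP contacts that need the process context from the table above rather than the connection alone to judge.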
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | 120.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 104.21.94.2:443 | resergvearyinitiani.shop | tcp |
| US | 8.8.8.8:53 | 2.94.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 104.21.80.118:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | 118.80.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 104.21.60.92:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | 92.60.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 8.8.8.8:53 | joly.bestsup.su | udp |
| US | 172.67.171.112:80 | joly.bestsup.su | tcp |
| US | 104.21.76.253:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 172.67.147.18:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 112.171.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.76.21.104.in-addr.arpa | udp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 18.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| RU | 213.158.31.231:22711 | N/A | tcp |
| DE | 185.220.101.22:30022 | N/A | tcp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| MX | 189.232.56.10:80 | trmpc.com | tcp |
| CA | 149.56.98.216:9001 | N/A | tcp |
| US | 8.8.8.8:53 | 10.56.232.189.in-addr.arpa | udp |
| LV | 195.123.209.91:5092 | N/A | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| US | 8.8.8.8:53 | 127.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 104.21.94.2:443 | resergvearyinitiani.shop | tcp |
| US | 104.21.80.118:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 104.21.60.92:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 104.21.76.253:443 | turkeyunlikelyofw.shop | tcp |
| US | 172.67.147.18:443 | associationokeo.shop | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | 145.128.172.185.in-addr.arpa | udp |
| DE | 185.220.101.145:10145 | N/A | tcp |
| US | 154.35.175.225:443 | N/A | tcp |
| N/A | 127.0.0.1:58864 | N/A | tcp |
| US | 8.8.8.8:53 | 145.101.220.185.in-addr.arpa | udp |
| BR | 143.107.229.210:42256 | N/A | tcp |
| DE | 131.188.40.189:443 | N/A | tcp |
| US | 8.8.8.8:53 | 189.40.188.131.in-addr.arpa | udp |
| DE | 37.221.196.71:443 | N/A | tcp |
| DE | 141.147.45.13:443 | N/A | tcp |
| US | 8.8.8.8:53 | 13.45.147.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.196.221.37.in-addr.arpa | udp |
| AT | 5.42.64.33:80 | 5.42.64.33 | tcp |
| US | 8.8.8.8:53 | 33.64.42.5.in-addr.arpa | udp |
| DE | 37.221.196.71:443 | N/A | tcp |
| DE | 141.147.45.13:443 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| PL | 51.68.137.186:14433 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | 186.137.68.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kamsmad.com | udp |
| MX | 187.204.68.217:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | 217.68.204.187.in-addr.arpa | udp |
| MX | 187.204.68.217:80 | kamsmad.com | tcp |
| MX | 187.204.68.217:80 | kamsmad.com | tcp |
| MX | 187.204.68.217:80 | kamsmad.com | tcp |
| N/A | 127.0.0.1:20428 | N/A | tcp |
| MX | 187.204.68.217:80 | kamsmad.com | tcp |
| MX | 187.204.68.217:80 | kamsmad.com | tcp |
| MX | 187.204.68.217:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | 9b6112bf-4703-435e-a986-e508b6e797a0.uuid.statsexplorer.org | udp |
| MX | 187.204.68.217:80 | kamsmad.com | tcp |
| MX | 187.204.68.217:80 | kamsmad.com | tcp |
| MX | 187.204.68.217:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | bocapaverseal.com | udp |
| US | 8.8.8.8:53 | britches-peru.com | udp |
| US | 162.0.209.83:443 | bocapaverseal.com | tcp |
| US | 8.8.8.8:53 | onepercentmindsetof.com | udp |
| US | 8.8.8.8:53 | onesentencepolitics.com | udp |
| US | 198.54.126.63:80 | britches-peru.com | tcp |
| US | 8.8.8.8:53 | projectsaudeebeleza.com | udp |
| US | 8.8.8.8:53 | thepeoplesproject-my.com | udp |
| US | 162.241.216.41:443 | onesentencepolitics.com | tcp |
| US | 192.185.222.207:443 | onepercentmindsetof.com | tcp |
| US | 8.8.8.8:53 | karensonlinemarketing.com | udp |
| US | 8.8.8.8:53 | cyberworldinformation.com | udp |
| US | 192.185.213.241:443 | projectsaudeebeleza.com | tcp |
| US | 162.241.224.209:443 | thepeoplesproject-my.com | tcp |
| US | 8.8.8.8:53 | dashdeliverylogistics.com | udp |
| US | 162.241.218.61:443 | karensonlinemarketing.com | tcp |
| US | 8.8.8.8:53 | deckbuildersinstcloud.com | udp |
| US | 8.8.8.8:53 | 83.209.0.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.126.54.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.222.185.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.216.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | detectivesprivadosipc.com | udp |
| US | 8.8.8.8:53 | www.deutsches-ki-institut.de | udp |
| US | 89.117.139.252:443 | dashdeliverylogistics.com | tcp |
| US | 185.150.190.167:80 | cyberworldinformation.com | tcp |
| US | 8.8.8.8:53 | www.discoverytranslations.com | udp |
| US | 199.59.243.225:443 | deckbuildersinstcloud.com | tcp |
| US | 8.8.8.8:53 | doingcleaningservices.com | udp |
| US | 162.241.61.248:443 | detectivesprivadosipc.com | tcp |
| US | 8.8.8.8:53 | dreduardoacevedoreuma.com | udp |
| DE | 85.13.162.216:443 | www.deutsches-ki-institut.de | tcp |
| IT | 89.46.108.58:443 | www.discoverytranslations.com | tcp |
| US | 8.8.8.8:53 | www.ds-renovation-habitat.com | udp |
| US | 8.8.8.8:53 | enchantedvisionevents.com | udp |
| US | 8.8.8.8:53 | energyproviderexperts.com | udp |
| US | 165.22.142.86:443 | doingcleaningservices.com | tcp |
| US | 8.8.8.8:53 | essencefurniturestore.com | udp |
| US | 8.8.8.8:53 | faizonetransportation.com | udp |
| US | 8.8.8.8:53 | 209.224.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.218.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.213.185.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.150.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.139.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.61.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | everythingcooperstown.com | udp |
| US | 162.241.61.144:443 | dreduardoacevedoreuma.com | tcp |
| US | 8.8.8.8:53 | flybynightweddingblog.com | udp |
| US | 8.8.8.8:53 | weltraum.de | udp |
| US | 8.8.8.8:53 | forumcgeciacademy2023.com | udp |
| US | 89.117.139.222:443 | enchantedvisionevents.com | tcp |
| US | 68.65.122.36:443 | essencefurniturestore.com | tcp |
| FR | 109.234.162.86:443 | www.ds-renovation-habitat.com | tcp |
| US | 8.8.8.8:53 | www.fullpolymathpotential.com | udp |
| US | 198.54.126.155:80 | energyproviderexperts.com | tcp |
| US | 162.241.253.18:443 | flybynightweddingblog.com | tcp |
| US | 8.8.8.8:53 | fumigacionesartropoda.com | udp |
| US | 162.241.123.168:443 | faizonetransportation.com | tcp |
| DE | 85.13.163.149:443 | weltraum.de | tcp |
| US | 192.154.227.151:443 | everythingcooperstown.com | tcp |
| US | 8.8.8.8:53 | gagafreightforwarders.com | udp |
| FR | 195.154.94.212:443 | forumcgeciacademy2023.com | tcp |
| US | 8.8.8.8:53 | gaiathehomeofportwine.com | udp |
| US | 8.8.8.8:53 | 216.162.13.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.108.46.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.142.22.165.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.61.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.162.234.109.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.139.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.122.65.68.in-addr.arpa | udp |
| US | 208.82.114.180:443 | gagafreightforwarders.com | tcp |
| US | 8.8.8.8:53 | global-account-summit.com | udp |
| US | 67.205.11.201:443 | www.fullpolymathpotential.com | tcp |
| CA | 144.217.96.200:443 | fumigacionesartropoda.com | tcp |
| US | 8.8.8.8:53 | www.guyleroy-photographie.com | udp |
| US | 8.8.8.8:53 | helps4homeimprovement.com | udp |
| PT | 176.221.38.101:443 | gaiathehomeofportwine.com | tcp |
| NL | 160.153.129.24:443 | global-account-summit.com | tcp |
| US | 8.8.8.8:53 | hojalateriavillalobos.co.cr | udp |
| GB | 185.77.97.80:443 | helps4homeimprovement.com | tcp |
| FR | 155.133.142.10:443 | www.guyleroy-photographie.com | tcp |
| US | 8.8.8.8:53 | improvementssolutions.com | udp |
| US | 8.8.8.8:53 | indianastrologyinutah.com | udp |
| US | 8.8.8.8:53 | infinityautopartdeals.com | udp |
| US | 8.8.8.8:53 | thuexesanbaycamranh79.com | udp |
| US | 8.8.8.8:53 | tierodreplacementcost.com | udp |
| US | 8.8.8.8:53 | threadsvideodownloads.com | udp |
| US | 8.8.8.8:53 | inmopremiumproperties.com | udp |
| US | 8.8.8.8:53 | toogoodforyoueveryday.com | udp |
| US | 8.8.8.8:53 | 149.163.13.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.253.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.227.154.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.123.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.94.154.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.11.205.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.114.82.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.96.217.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.38.221.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | top-one-training-room.com | udp |
| US | 8.8.8.8:53 | torontopsychoanalysis.com | udp |
| US | 104.21.74.60:443 | hotelmaconmississippi.com | tcp |
| US | 75.102.22.59:443 | hojalateriavillalobos.co.cr | tcp |
| US | 172.67.136.11:443 | improvementssolutions.com | tcp |
| US | 8.8.8.8:53 | ugradnjaklime-beograd.com | udp |
| US | 8.8.8.8:53 | vacationreviewremover.com | udp |
| GB | 154.49.138.105:443 | indianastrologyinutah.com | tcp |
| US | 8.8.8.8:53 | vidasaudaveleradiante.com | udp |
| US | 172.67.165.220:443 | threadsvideodownloads.com | tcp |
| US | 74.208.236.242:443 | torontopsychoanalysis.com | tcp |
| TR | 83.150.213.229:443 | tierodreplacementcost.com | tcp |
| ES | 185.136.88.42:443 | inmopremiumproperties.com | tcp |
| US | 50.116.87.239:443 | toogoodforyoueveryday.com | tcp |
| US | 8.8.8.8:53 | vikingstrongfreelance.com | udp |
| US | 8.8.8.8:53 | www.vitalitywealthadvisors.com | udp |
| US | 8.8.8.8:53 | vidasaludablecondiana.com | udp |
| US | 195.35.33.234:443 | infinityautopartdeals.com | tcp |
| SG | 184.168.98.97:80 | top-one-training-room.com | tcp |
| VN | 103.74.116.222:443 | thuexesanbaycamranh79.com | tcp |
| US | 8.8.8.8:53 | 80.97.77.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.142.133.155.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.126.54.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.74.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | waterlifetechnologies.com | udp |
| US | 198.54.126.155:443 | energyproviderexperts.com | tcp |
| US | 74.208.236.227:443 | vacationreviewremover.com | tcp |
| GB | 54.36.166.224:443 | ugradnjaklime-beograd.com | tcp |
| US | 8.8.8.8:53 | weaverglobalmarketing.com | udp |
| US | 8.8.8.8:53 | whitehousecocainecoin.com | udp |
| US | 108.179.192.33:443 | vidasaudaveleradiante.com | tcp |
| US | 208.113.253.208:443 | www.vitalitywealthadvisors.com | tcp |
| US | 162.241.226.58:443 | vikingstrongfreelance.com | tcp |
| GB | 154.49.138.119:443 | vidasaludablecondiana.com | tcp |
| US | 8.8.8.8:53 | www.wiggancreativestudios.com | udp |
| US | 8.8.8.8:53 | woodendeskaccessories.com | udp |
| US | 8.8.8.8:53 | yoshimura-houmubucyou.com | udp |
| US | 8.8.8.8:53 | www.threadsvideodownloads.com | udp |
| US | 8.8.8.8:53 | yourdigitaltechnician.com | udp |
| US | 8.8.8.8:53 | zideagroupofcompanies.com | udp |
| US | 8.8.8.8:53 | 11.136.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.22.102.75.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.138.49.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.165.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.88.136.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.213.150.83.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.87.116.50.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.236.208.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.33.35.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.116.74.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.166.36.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | threads-video-download.com | udp |
| US | 192.254.236.78:443 | waterlifetechnologies.com | tcp |
| US | 104.21.25.40:443 | weaverglobalmarketing.com | tcp |
| US | 67.212.174.154:443 | www.wiggancreativestudios.com | tcp |
| CH | 194.191.24.20:443 | whitehousecocainecoin.com | tcp |
| PL | 195.78.67.65:443 | woodendeskaccessories.com | tcp |
| US | 172.67.165.220:443 | www.threadsvideodownloads.com | tcp |
| US | 8.8.8.8:53 | torneodeteniscampestre.com | udp |
| US | 8.8.8.8:53 | www.transmitdispatchingllc.com | udp |
| US | 8.8.8.8:53 | universodabelezaesaude.com | udp |
| JP | 219.94.155.183:80 | yoshimura-houmubucyou.com | tcp |
| US | 162.254.39.141:443 | threads-video-download.com | tcp |
| US | 8.8.8.8:53 | waynereedyconstruction.com | udp |
| US | 172.67.199.198:443 | zideagroupofcompanies.com | tcp |
| US | 8.8.8.8:53 | zeuscosmeticindustries.com | udp |
| US | 8.8.8.8:53 | www.zonguldakkorogluturizm.com | udp |
| US | 162.254.39.115:443 | yourdigitaltechnician.com | tcp |
| US | 8.8.8.8:53 | izmirhealingevdesaglik.com | udp |
| US | 8.8.8.8:53 | 119.138.49.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jcmlandscapingservices.com | udp |
| US | 8.8.8.8:53 | 208.253.113.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.226.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.236.254.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.192.179.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.25.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.24.191.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.67.78.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.174.212.67.in-addr.arpa | udp |
| US | 208.113.253.208:443 | www.vitalitywealthadvisors.com | tcp |
| US | 208.113.253.208:443 | www.vitalitywealthadvisors.com | tcp |
| US | 8.8.8.8:53 | justusleagueconsulting.com | udp |
| US | 8.8.8.8:53 | knightshorttermrentals.com | udp |
| US | 208.113.253.208:443 | www.vitalitywealthadvisors.com | tcp |
| US | 162.241.203.40:443 | universodabelezaesaude.com | tcp |
| GB | 99.84.9.52:443 | www.transmitdispatchingllc.com | tcp |
| US | 50.31.176.166:443 | torneodeteniscampestre.com | tcp |
| US | 172.67.218.68:443 | waynereedyconstruction.com | tcp |
| US | 8.8.8.8:53 | laacademiadeconduccion.com | udp |
| US | 8.8.8.8:53 | leahyspharmacyloughrea.com | udp |
| US | 8.8.8.8:53 | leaninspirationnetwork.com | udp |
| US | 8.8.8.8:53 | legendary-construction.com | udp |
| US | 8.8.8.8:53 | luciadamatophotography.com | udp |
| US | 8.8.8.8:53 | loscaballerosdedurango.com | udp |
| US | 8.8.8.8:53 | lucianamilessiofficial.com | udp |
| US | 8.8.8.8:53 | madame-beaute-actuelle.com | udp |
| US | 195.179.236.25:443 | jcmlandscapingservices.com | tcp |
| US | 89.117.139.246:443 | zeuscosmeticindustries.com | tcp |
| TR | 77.245.159.14:443 | www.zonguldakkorogluturizm.com | tcp |
| US | 8.8.8.8:53 | 141.39.254.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.199.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.155.94.219.in-addr.arpa | udp |
| US | 8.8.8.8:53 | marketingsoftwaremagic.com | udp |
| FR | 51.91.236.193:80 | madame-beaute-actuelle.com | tcp |
| US | 172.67.192.215:443 | legendary-construction.com | tcp |
| US | 8.8.8.8:53 | memindmeresponsibility.com | udp |
| US | 8.8.8.8:53 | miamiprestigetransport.com | udp |
| US | 8.8.8.8:53 | morelifelessloneliness.com | udp |
| US | 8.8.8.8:53 | movelyfurnitureremoval.com | udp |
| NL | 213.249.67.35:443 | leaninspirationnetwork.com | tcp |
| US | 75.75.243.253:443 | knightshorttermrentals.com | tcp |
| US | 162.240.14.39:443 | justusleagueconsulting.com | tcp |
| FR | 89.116.147.51:443 | luciadamatophotography.com | tcp |
| GB | 141.136.33.13:443 | leahyspharmacyloughrea.com | tcp |
| US | 8.8.8.8:53 | movies-recommendations.com | udp |
| US | 8.8.8.8:53 | niceinteractionsjp2023.com | udp |
| US | 8.8.8.8:53 | myplasticsurgeryescape.com | udp |
| BR | 154.49.247.20:443 | laacademiadeconduccion.com | tcp |
| US | 104.21.88.25:443 | lucianamilessiofficial.com | tcp |
| US | 8.8.8.8:53 | orangecountycawellness.com | udp |
| US | 8.8.8.8:53 | orderpainkillersonline.com | udp |
| US | 8.8.8.8:53 | 115.39.254.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.218.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.9.84.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.203.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.159.245.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.236.179.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.139.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | owcpdoctorgreenvillesc.com | udp |
| US | 8.8.8.8:53 | pacificregentb.wpengine.com | udp |
| US | 8.8.8.8:53 | patrickjohnsonsoftware.com | udp |
| US | 8.8.8.8:53 | northernstar-jewellery.com | udp |
| US | 8.8.8.8:53 | paulspencerphotography.com | udp |
| US | 8.8.8.8:53 | plumbingservicescanada.com | udp |
| US | 162.241.61.133:443 | loscaballerosdedurango.com | tcp |
| US | 162.241.253.216:80 | memindmeresponsibility.com | tcp |
| US | 8.8.8.8:53 | possessivelyparanormal.com | udp |
| US | 8.8.8.8:53 | procareinjurysolutions.com | udp |
| DE | 168.119.136.101:80 | marketingsoftwaremagic.com | tcp |
| US | 65.181.111.144:443 | movelyfurnitureremoval.com | tcp |
| FR | 89.117.169.53:443 | morelifelessloneliness.com | tcp |
| US | 8.8.8.8:53 | pusatwikaservicecenter.com | udp |
| US | 54.205.144.65:443 | niceinteractionsjp2023.com | tcp |
| US | 8.8.8.8:53 | queencommerciallaundry.com | udp |
| US | 8.8.8.8:53 | quintetglobalsolutions.com | udp |
| IE | 54.77.140.175:443 | movies-recommendations.com | tcp |
| BR | 154.56.48.47:443 | miamiprestigetransport.com | tcp |
| US | 8.8.8.8:53 | radiocristalstereojima.com | udp |
| US | 8.8.8.8:53 | jjsploit.live | udp |
| US | 8.8.8.8:53 | vezionline.live | udp |
| US | 8.8.8.8:53 | 215.192.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.236.91.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.67.249.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.147.116.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.33.136.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.243.75.75.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.14.240.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.88.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.247.49.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.176.31.50.in-addr.arpa | udp |
| US | 107.154.154.140:443 | myplasticsurgeryescape.com | tcp |
| US | 54.215.1.130:443 | orangecountycawellness.com | tcp |
| US | 172.67.215.157:80 | paulspencerphotography.com | tcp |
| US | 35.238.127.232:443 | pacificregentb.wpengine.com | tcp |
| US | 92.204.135.33:443 | owcpdoctorgreenvillesc.com | tcp |
| US | 162.241.253.135:443 | patrickjohnsonsoftware.com | tcp |
| FR | 92.204.222.124:443 | northernstar-jewellery.com | tcp |
| US | 184.94.213.161:443 | plumbingservicescanada.com | tcp |
| US | 160.153.0.134:443 | possessivelyparanormal.com | tcp |
| US | 8.8.8.8:53 | god77.club | udp |
| US | 8.8.8.8:53 | urban730.club | udp |
| DE | 162.55.100.32:443 | quintetglobalsolutions.com | tcp |
| US | 160.153.0.156:443 | procareinjurysolutions.com | tcp |
| ID | 103.7.226.176:443 | pusatwikaservicecenter.com | tcp |
| US | 23.145.120.19:443 | radiocristalstereojima.com | tcp |
| US | 173.201.186.53:443 | queencommerciallaundry.com | tcp |
| US | 8.8.8.8:53 | pepeversion3.club | udp |
| US | 8.8.8.8:53 | resurgents.club | udp |
| US | 8.8.8.8:53 | theinvisibleyou.club | udp |
| US | 8.8.8.8:53 | adaf100.click | udp |
| US | 8.8.8.8:53 | aiproductivityaccelerator.club | udp |
| US | 8.8.8.8:53 | good78dayday.click | udp |
| US | 8.8.8.8:53 | iqhub.tech | udp |
| US | 8.8.8.8:53 | molda.tech | udp |
| US | 162.0.232.113:443 | vezionline.live | tcp |
| US | 8.8.8.8:53 | 53.169.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.136.119.168.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.61.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.111.181.65.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.253.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.48.56.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.154.154.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.0.153.160.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.215.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | samsal.tech | udp |
| US | 8.8.8.8:53 | mrkhan.tech | udp |
| US | 8.8.8.8:53 | linqit.tech | udp |
| US | 66.29.146.56:443 | jjsploit.live | tcp |
| US | 162.241.24.179:443 | god77.club | tcp |
| US | 8.8.8.8:53 | www.jinyao.tech | udp |
| US | 8.8.8.8:53 | divein2.tech | udp |
| US | 8.8.8.8:53 | vivity.tech | udp |
| US | 8.8.8.8:53 | 175.140.77.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brglabs.tech | udp |
| US | 108.167.143.112:443 | urban730.club | tcp |
| US | 8.8.8.8:53 | invarex.tech | udp |
| US | 8.8.8.8:53 | humtube.tech | udp |
| US | 162.241.225.108:443 | theinvisibleyou.club | tcp |
| US | 172.67.215.157:443 | paulspencerphotography.com | tcp |
| DE | 198.251.84.169:443 | linqit.tech | tcp |
| US | 162.241.226.112:443 | mrkhan.tech | tcp |
| US | 68.65.122.36:443 | resurgents.club | tcp |
| LT | 84.32.84.32:443 | samsal.tech | tcp |
| JP | 163.44.176.16:443 | good78dayday.click | tcp |
| US | 8.8.8.8:53 | 232.127.238.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.135.204.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.253.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.213.94.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.0.153.160.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.100.55.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.226.7.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.120.145.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.232.0.162.in-addr.arpa | udp |
| JP | 163.44.176.16:443 | good78dayday.click | tcp |
| US | 8.8.8.8:53 | nanovibe.tech | udp |
| US | 8.8.8.8:53 | innovibe.tech | udp |
| US | 8.8.8.8:53 | grapheen.tech | udp |
| DE | 81.169.145.156:80 | vivity.tech | tcp |
| CN | 121.40.253.244:443 | www.jinyao.tech | tcp |
| IN | 89.117.27.190:443 | brglabs.tech | tcp |
| LT | 84.32.84.32:443 | samsal.tech | tcp |
| US | 8.8.8.8:53 | devwebwp.tech | udp |
| US | 8.8.8.8:53 | shoeshub.tech | udp |
| US | 8.8.8.8:53 | cardcube.tech | udp |
| US | 8.8.8.8:53 | blacklove.tech | udp |
| US | 8.8.8.8:53 | futuroit.tech | udp |
| US | 8.8.8.8:53 | biomedico.tech | udp |
| US | 195.35.33.219:443 | humtube.tech | tcp |
| US | 8.8.8.8:53 | codeproz.tech | udp |
| US | 8.8.8.8:53 | avialearn.tech | udp |
| US | 8.8.8.8:53 | natewhite.tech | udp |
| US | 8.8.8.8:53 | newsdekho.tech | udp |
| US | 8.8.8.8:53 | skillspro.tech | udp |
| US | 8.8.8.8:53 | 179.24.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.146.29.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.143.167.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.225.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iazstudio.tech | udp |
| US | 8.8.8.8:53 | gamestop20.tech | udp |
| US | 8.8.8.8:53 | cabsandbox.tech | udp |
| CZ | 46.28.105.4:80 | invarex.tech | tcp |
| US | 8.8.8.8:53 | altarturih.tech | udp |
| US | 8.8.8.8:53 | adonovanwp.tech | udp |
| US | 8.8.8.8:53 | farmcentral.tech | udp |
| US | 8.8.8.8:53 | digitaljiya.tech | udp |
| US | 8.8.8.8:53 | goldenfxroi.tech | udp |
| US | 149.100.151.55:443 | grapheen.tech | tcp |
| GB | 185.77.97.90:443 | innovibe.tech | tcp |
| IN | 89.117.27.195:443 | nanovibe.tech | tcp |
| US | 195.35.38.194:443 | devwebwp.tech | tcp |
| US | 8.8.8.8:53 | shwetadixit.tech | udp |
| US | 8.8.8.8:53 | technovarise.tech | udp |
| US | 8.8.8.8:53 | chetansawle.tech | udp |
| US | 8.8.8.8:53 | signfireinfo.tech | udp |
| US | 8.8.8.8:53 | 4esci-europe.com | udp |
| US | 8.8.8.8:53 | gamesonline9.tech | udp |
| US | 8.8.8.8:53 | gamesonline7.tech | udp |
| US | 8.8.8.8:53 | gamesonline8.tech | udp |
| US | 8.8.8.8:53 | 32.84.32.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.84.251.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.226.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.176.44.163.in-addr.arpa | udp |
| CA | 23.227.38.65:443 | blacklove.tech | tcp |
| SG | 217.21.74.44:443 | avialearn.tech | tcp |
| US | 185.212.71.30:443 | skillspro.tech | tcp |
| US | 149.100.151.72:443 | natewhite.tech | tcp |
| IN | 89.117.157.49:443 | codeproz.tech | tcp |
| US | 162.241.244.59:443 | gamestop20.tech | tcp |
| US | 86.38.202.143:443 | futuroit.tech | tcp |
| US | 50.87.146.148:443 | cabsandbox.tech | tcp |
| US | 86.38.202.150:443 | cardcube.tech | tcp |
| US | 8.8.8.8:53 | 156.145.169.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.27.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | deskpit.de | udp |
| US | 8.8.8.8:53 | gamesonline6.tech | udp |
| US | 8.8.8.8:53 | gamesonline5.tech | udp |
| US | 8.8.8.8:53 | gotatibetana.tech | udp |
| US | 216.92.109.79:443 | biomedico.tech | tcp |
| US | 162.241.24.179:443 | goldenfxroi.tech | tcp |
| US | 8.8.8.8:53 | pivotalworks.tech | udp |
| US | 195.179.236.72:443 | adonovanwp.tech | tcp |
| IN | 68.178.149.104:443 | shwetadixit.tech | tcp |
| IN | 89.117.157.156:443 | digitaljiya.tech | tcp |
| US | 195.179.237.69:443 | technovarise.tech | tcp |
| IN | 217.21.84.204:443 | chetansawle.tech | tcp |
| US | 66.29.132.84:443 | altarturih.tech | tcp |
| DE | 217.160.0.97:443 | 4esci-europe.com | tcp |
| US | 8.8.8.8:53 | 219.33.35.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.97.77.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.27.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.151.100.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.38.35.195.in-addr.arpa | udp |
| ID | 153.92.9.66:443 | gamesonline5.tech | tcp |
| ID | 153.92.9.66:443 | gamesonline5.tech | tcp |
| ID | 153.92.9.66:443 | gamesonline5.tech | tcp |
| US | 8.8.8.8:53 | gamesonline4.tech | udp |
| US | 8.8.8.8:53 | gamesonline3.tech | udp |
| US | 8.8.8.8:53 | gamesonline2.tech | udp |
| US | 8.8.8.8:53 | igniteproduct.tech | udp |
| US | 50.16.92.190:80 | farmcentral.tech | tcp |
| US | 63.250.43.135:443 | signfireinfo.tech | tcp |
| US | 8.8.8.8:53 | gamesonline10.tech | udp |
| ID | 153.92.9.66:443 | gamesonline10.tech | tcp |
| ID | 153.92.9.66:443 | gamesonline10.tech | tcp |
| DE | 81.169.145.90:80 | deskpit.de | tcp |
| US | 162.241.24.158:80 | pivotalworks.tech | tcp |
| US | 8.8.8.8:53 | guestsolutions.tech | udp |
| US | 8.8.8.8:53 | circuitmasters.tech | udp |
| ID | 153.92.9.66:443 | gamesonline10.tech | tcp |
| ID | 153.92.9.66:443 | gamesonline10.tech | tcp |
| US | 8.8.8.8:53 | rankyourwebsite.tech | udp |
| US | 50.87.233.13:443 | igniteproduct.tech | tcp |
| US | 154.49.142.60:443 | guestsolutions.tech | tcp |
| US | 8.8.8.8:53 | 65.38.227.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.157.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.151.100.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.244.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.146.87.50.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.71.212.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.202.38.86.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.74.21.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.202.38.86.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.109.92.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.236.179.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.237.179.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.157.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.84.21.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.0.160.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.132.29.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.145.169.81.in-addr.arpa | udp |
| FR | 89.117.169.99:443 | circuitmasters.tech | tcp |
| US | 8.8.8.8:53 | 190.92.16.50.in-addr.arpa | udp |
| US | 8.8.8.8:53 | numerikamarketing.tech | udp |
| ID | 153.92.9.66:443 | gamesonline10.tech | tcp |
| ID | 153.92.9.66:443 | gamesonline10.tech | tcp |
| US | 8.8.8.8:53 | cortexinnovations.tech | udp |
| US | 8.8.8.8:53 | comprasbrasilonline.tech | udp |
| DE | 81.169.145.90:443 | deskpit.de | tcp |
| US | 8.8.8.8:53 | nativetechsolutions.tech | udp |
| LT | 84.32.84.32:443 | rankyourwebsite.tech | tcp |
| US | 8.8.8.8:53 | advanced-connectivity.tech | udp |
| US | 63.250.43.3:443 | cortexinnovations.tech | tcp |
| NL | 185.166.188.44:443 | numerikamarketing.tech | tcp |
| US | 8.8.8.8:53 | zginformationtechnology.tech | udp |
| US | 8.8.8.8:53 | pornvideos.buzz | udp |
| US | 104.21.34.194:443 | nativetechsolutions.tech | tcp |
| US | 8.8.8.8:53 | phimsexhay.buzz | udp |
| US | 8.8.8.8:53 | smaak.space | udp |
| US | 8.8.8.8:53 | hachi.space | udp |
| US | 8.8.8.8:53 | 135.43.250.63.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.24.241.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.9.92.153.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.169.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.233.87.50.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.142.49.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.188.166.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.43.250.63.in-addr.arpa | udp |
| DE | 217.160.0.198:443 | advanced-connectivity.tech | tcp |
| US | 8.8.8.8:53 | aistock.space | udp |
| US | 8.8.8.8:53 | wildfree.space | udp |
| US | 191.101.13.28:443 | zginformationtechnology.tech | tcp |
| US | 172.67.132.43:443 | phimsexhay.buzz | tcp |
| US | 191.101.13.198:443 | aistock.space | tcp |
| SG | 156.67.222.242:443 | hachi.space | tcp |
| NL | 185.182.56.12:80 | smaak.space | tcp |
| US | 8.8.8.8:53 | juabeblog.space | udp |
| US | 194.163.45.177:443 | pornvideos.buzz | tcp |
| US | 8.8.8.8:53 | kaypablog.space | udp |
| US | 104.21.80.73:443 | juabeblog.space | tcp |
| US | 104.21.90.60:443 | kaypablog.space | tcp |
| US | 8.8.8.8:53 | hosterfast.space | udp |
| US | 8.8.8.8:53 | antirungkad.space | udp |
| US | 104.21.48.197:80 | hosterfast.space | tcp |
| US | 3.33.130.190:443 | antirungkad.space | tcp |
| US | 8.8.8.8:53 | 194.34.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.0.160.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.132.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.13.101.191.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.56.182.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.13.101.191.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.45.163.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.80.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.90.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.222.67.156.in-addr.arpa | udp |
| US | 8.8.8.8:53 | homemsaudavell.space | udp |
| US | 8.8.8.8:53 | jeanyvesbonnet.space | udp |
| US | 8.8.8.8:53 | www.intrattenimento.space | udp |
| US | 8.8.8.8:53 | dssl.pro | udp |
| US | 8.8.8.8:53 | ivps.pro | udp |
| US | 8.8.8.8:53 | canvo.pro | udp |
| US | 8.8.8.8:53 | ezseo.pro | udp |
| US | 8.8.8.8:53 | apklili.pro | udp |
| US | 8.8.8.8:53 | burton.pro | udp |
| US | 8.8.8.8:53 | siamseo.pro | udp |
| US | 8.8.8.8:53 | spayafa.pro | udp |
| US | 8.8.8.8:53 | vz99bet.pro | udp |
| US | 8.8.8.8:53 | memeable.pro | udp |
| US | 8.8.8.8:53 | sailaway.pro | udp |
| US | 8.8.8.8:53 | ku11-77vn.pro | udp |
| US | 8.8.8.8:53 | rapidmesh.pro | udp |
| US | 8.8.8.8:53 | weathersh.pro | udp |
| US | 104.21.55.131:443 | ivps.pro | tcp |
| US | 44.230.85.241:443 | canvo.pro | tcp |
| FR | 51.91.236.193:80 | jeanyvesbonnet.space | tcp |
| BR | 89.116.58.127:443 | homemsaudavell.space | tcp |
| US | 8.8.8.8:53 | 197.48.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.130.33.3.in-addr.arpa | udp |
| UA | 91.222.136.254:443 | www.intrattenimento.space | tcp |
| US | 160.153.0.123:443 | dssl.pro | tcp |
| GB | 5.134.14.225:443 | burton.pro | tcp |
| US | 8.8.8.8:53 | cloud2tech.pro | udp |
| US | 172.67.143.159:443 | vz99bet.pro | tcp |
| US | 172.67.214.78:443 | ku11-77vn.pro | tcp |
| US | 172.67.223.166:443 | sailaway.pro | tcp |
| US | 172.67.152.47:80 | weathersh.pro | tcp |
| US | 86.38.202.88:443 | rapidmesh.pro | tcp |
| IN | 89.117.188.243:443 | apklili.pro | tcp |
| US | 89.117.139.185:443 | siamseo.pro | tcp |
| US | 8.8.8.8:53 | imperfecta.pro | udp |
| US | 68.178.246.77:80 | ezseo.pro | tcp |
| US | 8.8.8.8:53 | moonchocolatecbar.com | udp |
| GB | 84.32.41.15:443 | cloud2tech.pro | tcp |
| US | 8.8.8.8:53 | mousetrapcreative.com | udp |
| US | 8.8.8.8:53 | neurobrainoficial.com | udp |
| US | 8.8.8.8:53 | nerdyhansofficial.com | udp |
| US | 8.8.8.8:53 | 131.55.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.0.153.160.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.136.222.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.85.230.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.58.116.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.14.134.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.143.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.214.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.223.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.152.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | newportharvestcog.com | udp |
| US | 191.96.56.194:443 | moonchocolatecbar.com | tcp |
| US | 104.21.45.22:443 | imperfecta.pro | tcp |
| US | 172.67.174.16:443 | mousetrapcreative.com | tcp |
| US | 104.21.83.116:443 | nerdyhansofficial.com | tcp |
| BR | 154.49.247.18:443 | neurobrainoficial.com | tcp |
| US | 54.173.137.223:80 | newportharvestcog.com | tcp |
| US | 8.8.8.8:53 | nhathuocthephuong.com | udp |
| US | 8.8.8.8:53 | www.btcmine.cc | udp |
| GB | 142.250.200.19:443 | www.btcmine.cc | tcp |
| US | 8.8.8.8:53 | www.nimestatemedicine.com | udp |
| VN | 103.74.118.169:443 | nhathuocthephuong.com | tcp |
| US | 8.8.8.8:53 | nirmalpolyplastic.com | udp |
| US | 8.8.8.8:53 | 88.202.38.86.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.139.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.188.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.41.32.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.45.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.174.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.56.96.191.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 116.83.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 223.137.173.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.247.49.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.200.250.142.in-addr.arpa | udp |
| US | 173.236.240.231:443 | www.nimestatemedicine.com | tcp |
| US | 8.8.8.8:53 | nocityfordreaming.com | udp |
| US | 8.8.8.8:53 | www.blogger.com | udp |
| US | 8.8.8.8:53 | ofallongaragedoor.com | udp |
| US | 8.8.8.8:53 | omegaacumuladores.com | udp |
| US | 8.8.8.8:53 | officiallwebsiite.com | udp |
| IN | 103.180.121.28:443 | nirmalpolyplastic.com | tcp |
| US | 66.33.199.103:443 | nocityfordreaming.com | tcp |
| GB | 216.58.201.105:443 | www.blogger.com | tcp |
| FR | 193.70.117.88:443 | omegaacumuladores.com | tcp |
| US | 8.8.8.8:53 | opironruck.wpengine.com | udp |
| US | 149.100.151.36:443 | officiallwebsiite.com | tcp |
| US | 8.8.8.8:53 | papasconmojogames.com | udp |
| US | 8.8.8.8:53 | oreghegyvendeghaz.com | udp |
| US | 8.8.8.8:53 | hitclubgame24.online | udp |
| US | 8.8.8.8:53 | hitclubgame25.online | udp |
| US | 8.8.8.8:53 | 169.118.74.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 231.240.236.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.121.180.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.117.70.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.199.33.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hitclubgame26.online | udp |
| US | 8.8.8.8:53 | insuresmartly.online | udp |
| US | 104.196.225.196:443 | opironruck.wpengine.com | tcp |
| US | 8.8.8.8:53 | www.linux-for-all.online | udp |
| N/A | 192.168.100.6:443 | papasconmojogames.com | tcp |
| US | 8.8.8.8:53 | madison-decor.online | udp |
| US | 8.8.8.8:53 | mnemo-english.online | udp |
| US | 8.8.8.8:53 | mysmartliving.online | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 172.67.162.232:443 | hitclubgame25.online | tcp |
| US | 8.8.8.8:53 | technosreview.online | udp |
| US | 104.21.58.203:443 | hitclubgame26.online | tcp |
| US | 104.21.85.215:443 | hitclubgame24.online | tcp |
| PL | 77.55.153.146:443 | www.linux-for-all.online | tcp |
| HU | 217.13.97.42:443 | oreghegyvendeghaz.com | tcp |
| BE | 64.233.167.84:443 | accounts.google.com | tcp |
| IN | 62.72.28.38:443 | technosreview.online | tcp |
| US | 8.8.8.8:53 | 36.151.100.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.225.196.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.162.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.58.21.104.in-addr.arpa | udp |
| NL | 185.219.81.139:80 | mnemo-english.online | tcp |
| US | 8.8.8.8:53 | telenovelashd.online | udp |
| US | 8.8.8.8:53 | testing-world.online | udp |
| US | 8.8.8.8:53 | travelingcity.online | udp |
| US | 8.8.8.8:53 | testinflooens.online | udp |
| US | 8.8.8.8:53 | uptownmonster.online | udp |
| PL | 185.208.164.24:80 | mysmartliving.online | tcp |
| US | 8.8.8.8:53 | vitamindiskon.online | udp |
| US | 8.8.8.8:53 | vidarbhadaily.online | udp |
| US | 8.8.8.8:53 | aba-conference.online | udp |
| US | 50.16.92.190:443 | farmcentral.tech | tcp |
| US | 172.67.143.8:443 | telenovelashd.online | tcp |
| US | 8.8.8.8:53 | ayamgorengfood.online | udp |
| US | 8.8.8.8:53 | clubmultiverso.online | udp |
| US | 8.8.8.8:53 | operationironruck.com | udp |
| IN | 82.180.142.160:443 | testinflooens.online | tcp |
| US | 34.120.137.41:443 | travelingcity.online | tcp |
| US | 8.8.8.8:53 | 146.153.55.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.97.13.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.167.233.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.81.219.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.28.72.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.164.208.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | combaterefluxo.online | udp |
| US | 8.8.8.8:53 | goodtimingnews.online | udp |
| KZ | 92.118.115.65:443 | aba-conference.online | tcp |
| FR | 89.117.169.195:443 | testing-world.online | tcp |
| NL | 141.138.169.243:443 | uptownmonster.online | tcp |
| SG | 45.13.133.16:443 | vitamindiskon.online | tcp |
| US | 8.8.8.8:53 | www.hostingelshafei.net | udp |
| US | 8.8.8.8:53 | josetteleblanc.online | udp |
| US | 8.8.8.8:53 | mnemo-english.ru | udp |
| US | 8.8.8.8:53 | odettedimitriu.online | udp |
| US | 141.193.213.10:443 | operationironruck.com | tcp |
| BR | 154.49.247.181:443 | combaterefluxo.online | tcp |
| LT | 84.32.84.32:443 | goodtimingnews.online | tcp |
| US | 8.8.8.8:53 | pingatistiadat.online | udp |
| US | 8.8.8.8:53 | revolutintools.online | udp |
| US | 8.8.8.8:53 | tbmotorsdirect.online | udp |
| US | 8.8.8.8:53 | jainhealthcare.online | udp |
| US | 8.8.8.8:53 | www.nocityfordreaming.com | udp |
| SG | 45.80.183.92:443 | clubmultiverso.online | tcp |
| US | 8.8.8.8:53 | 8.143.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.137.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.169.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.142.180.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.115.118.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.169.138.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trykeravitapro.online | udp |
| US | 8.8.8.8:53 | vivercomsaude1.online | udp |
| US | 8.8.8.8:53 | desingdamascena.online | udp |
| US | 8.8.8.8:53 | bwgrinvestments.online | udp |
| PL | 185.208.164.24:80 | josetteleblanc.online | tcp |
| US | 172.67.187.206:443 | www.hostingelshafei.net | tcp |
| NL | 185.219.81.139:80 | mnemo-english.ru | tcp |
| IN | 86.38.243.25:443 | jainhealthcare.online | tcp |
| US | 104.21.19.77:443 | tbmotorsdirect.online | tcp |
| SG | 85.187.128.42:443 | pingatistiadat.online | tcp |
| US | 8.8.8.8:53 | digitalisuccess.online | udp |
| US | 8.8.8.8:53 | drakesdetailing.online | udp |
| US | 8.8.8.8:53 | forexpowertrade.online | udp |
| US | 66.33.199.103:443 | www.nocityfordreaming.com | tcp |
| US | 8.8.8.8:53 | goldencolors263.online | udp |
| US | 8.8.8.8:53 | howtofixwebsite.online | udp |
| BR | 45.132.157.236:443 | trykeravitapro.online | tcp |
| US | 8.8.8.8:53 | lashaccessories.online | udp |
| US | 8.8.8.8:53 | gustavooliveira.online | udp |
| US | 8.8.8.8:53 | growthtraderpro.online | udp |
| US | 8.8.8.8:53 | 10.213.193.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.247.49.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.133.13.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.183.80.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.187.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | poderfeminino25.online | udp |
| BR | 149.100.155.19:443 | vivercomsaude1.online | tcp |
| US | 8.8.8.8:53 | ratneshkushwaha.online | udp |
| BR | 191.6.222.25:443 | desingdamascena.online | tcp |
| IN | 89.117.188.67:443 | digitalisuccess.online | tcp |
| US | 198.143.137.44:443 | bwgrinvestments.online | tcp |
| US | 151.101.194.159:443 | drakesdetailing.online | tcp |
| GB | 153.92.6.22:443 | goldencolors263.online | tcp |
| US | 8.8.8.8:53 | revolutiontools.online | udp |
| US | 8.8.8.8:53 | salemcollection.online | udp |
| US | 8.8.8.8:53 | storyrueangsiao.online | udp |
| US | 8.8.8.8:53 | sunshinetraders.online | udp |
| US | 8.8.8.8:53 | taxihatinhgiare.online | udp |
| SG | 217.21.74.225:443 | poderfeminino25.online | tcp |
| US | 8.8.8.8:53 | deltatajhomestay.online | udp |
| US | 8.8.8.8:53 | 77.19.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.243.38.86.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.128.187.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 236.157.132.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.188.117.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.194.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.155.100.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.222.6.191.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.6.92.153.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.137.143.198.in-addr.arpa | udp |
| US | 89.117.9.231:443 | howtofixwebsite.online | tcp |
| IN | 89.117.157.229:443 | ratneshkushwaha.online | tcp |
| IN | 89.117.188.110:443 | growthtraderpro.online | tcp |
| US | 8.8.8.8:53 | educationmasters.online | udp |
| US | 8.8.8.8:53 | gameapplications.online | udp |
| SG | 156.67.222.79:443 | storyrueangsiao.online | tcp |
| US | 92.204.132.36:80 | salemcollection.online | tcp |
| US | 8.8.8.8:53 | healthcalculator.online | udp |
| PL | 185.208.164.24:80 | sunshinetraders.online | tcp |
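The table above mixes three kinds of rows that an analyst wants separated before lifting indicators: forward DNS queries to 8.8.8.8:53, reverse (`*.in-addr.arpa`) lookups that the sample issues for peers it has just contacted, and the TCP connections themselves, some of them repeated and one of them (`192.168.100.6:443`, country `N/A`) landing in private address space and therefore not an external peer. The script below is an added example, not code from the report or from the sandbox vendor. It assumes that 8.8.8.8 is the sandbox's upstream resolver, which the report does not state; the six rows in `SAMPLE` are copied from the table, everything else is constructed.

```python
"""Extract IOCs from the pipe-delimited network table above.

Added example, not code from the report. Assumptions the report does not
state: 8.8.8.8:53 rows are the sandbox's upstream resolver (queries, not
C2), and '*.in-addr.arpa' names are reverse lookups the sample issued.
"""
import ipaddress
import re

ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[^|]+?)\s*\|\s*(?P<ip>[^|:]+):(?P<port>\d+)\s*\|"
    r"\s*(?P<host>[^|]+?)\s*\|\s*(?P<proto>[^|]+?)\s*\|$"
)
SANDBOX_RESOLVER = "8.8.8.8"  # assumption: the sandbox's DNS forwarder


def parse_row(line):
    """One table row -> dict, or None for a line that is not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["port"] = int(row["port"])
    return row


def ptr_to_ip(name):
    """'208.253.113.208.in-addr.arpa' -> '208.113.253.208'; None otherwise."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return None
    return ".".join(reversed(octets))


def summarize(text):
    """Split rows into forward queries, reverse-lookup targets, external
    peers and private-address peers. Sets collapse repeated connections."""
    out = {"dns_queries": set(), "ptr_targets": set(),
           "connections": set(), "private_peers": set()}
    for line in text.splitlines():
        r = parse_row(line)
        if r is None:
            continue
        if r["proto"] == "udp" and r["port"] == 53 and r["ip"] == SANDBOX_RESOLVER:
            ip = ptr_to_ip(r["host"])
            if ip:
                out["ptr_targets"].add(ip)
            else:
                out["dns_queries"].add(r["host"])
        elif ipaddress.ip_address(r["ip"]).is_private:
            # the name resolved into RFC 1918 space inside the sandbox, so
            # this row is not an external peer and must not become an IOC
            out["private_peers"].add((r["host"], r["ip"], r["port"]))
        else:
            out["connections"].add((r["host"], r["ip"], r["port"], r["proto"]))
    return out


def reverse_resolved_peers(summary):
    """Peers the sample both connected to and later reverse-resolved."""
    contacted = {ip for _, ip, _, _ in summary["connections"]}
    return sorted(summary["ptr_targets"] & contacted)


# Six rows copied from the table above (a constructed subset).
SAMPLE = """\
| US | 208.113.253.208:443 | www.vitalitywealthadvisors.com | tcp |
| US | 8.8.8.8:53 | woodendeskaccessories.com | udp |
| US | 8.8.8.8:53 | 208.253.113.208.in-addr.arpa | udp |
| PL | 195.78.67.65:443 | woodendeskaccessories.com | tcp |
| N/A | 192.168.100.6:443 | papasconmojogames.com | tcp |
| US | 208.113.253.208:443 | www.vitalitywealthadvisors.com | tcp |
"""

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for peer in sorted(s["connections"]):
        print("peer", *peer)
    print("reverse-resolved peers:", reverse_resolved_peers(s))
    print("private-address rows:", sorted(s["private_peers"]))
```

Run it over the whole table rather than the sample and the `ptr_targets` set reconstructs the IPs behind every `in-addr.arpa` row; intersecting it with `connections` shows which contacted peers the sample went on to reverse-resolve, which is the check that tells the reverse lookups apart from ordinary resolver noise.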
Files
memory/2556-1-0x00000000023E0000-0x00000000024E0000-memory.dmp
memory/2556-2-0x0000000004020000-0x000000000402B000-memory.dmp
memory/2556-3-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/3512-4-0x0000000003170000-0x0000000003186000-memory.dmp
memory/2556-5-0x0000000000400000-0x00000000022D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EC25.exe
| MD5 | 0904e849f8483792ef67991619ece915 |
| SHA1 | 58d04535efa58effb3c5ed53a2462aa96d676b79 |
| SHA256 | fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef |
| SHA512 | 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5 |
memory/2248-15-0x00000000018D0000-0x00000000018D1000-memory.dmp
memory/2248-17-0x0000000000AD0000-0x000000000137F000-memory.dmp
memory/2248-16-0x0000000000AD0000-0x000000000137F000-memory.dmp
memory/2248-21-0x00000000018E0000-0x00000000018E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F231.dll
| MD5 | 7aecbe510817ee9636a5bcbff0ee5fdd |
| SHA1 | 6a3f27f7789ccf1b19c948774d84c865a9ac6825 |
| SHA256 | b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac |
| SHA512 | a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae |
memory/2248-20-0x00000000018E0000-0x00000000018E1000-memory.dmp
memory/2248-23-0x00000000018E0000-0x00000000018E1000-memory.dmp
memory/4856-26-0x0000000010000000-0x000000001020A000-memory.dmp
memory/2248-25-0x00000000018E0000-0x00000000018E1000-memory.dmp
memory/4856-27-0x00000000009A0000-0x00000000009A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F84C.exe
| MD5 | aa4d2da41beb1cff9d5e8976a6614c9b |
| SHA1 | 55220085d0eadc5801f11d13a42407abb18164ec |
| SHA256 | 070358003d65fc59726a1c10c5f12ace47a20891037abc050e63a746b61a86f7 |
| SHA512 | 28d1884ae99281e8dd87d19b3a321741a8473c069531a5afdce52dc0dbd010e0af8cdb1b29d8af601b2eabb00be7a622aa35a385d5d711951a3ed35dea4d445f |
C:\Users\Admin\AppData\Local\Temp\F84C.exe
| MD5 | 1c93c2b85b451a03a59ca245c05132ec |
| SHA1 | 29e57d8e86d197c7c64ce59fb49720b1d80aaf07 |
| SHA256 | 490dbdbe3216e59c76a1753bf19c8f6d530dfe6d20aa83015ba0e79392ec34c5 |
| SHA512 | c003a51ebc4fc95085be8a504ba9a10e5c7e67b4bffd6f1092e1ea74b5d31b0dd4e127121746679112c5edcb2a424e904d5a8fe8546f80143a5363d51f674477 |
memory/924-34-0x0000000003880000-0x0000000003A3C000-memory.dmp
memory/924-35-0x0000000003A40000-0x0000000003BF7000-memory.dmp
memory/3232-36-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FACE.exe
| MD5 | e6dd149f484e5dd78f545b026f4a1691 |
| SHA1 | 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6 |
| SHA256 | 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7 |
| SHA512 | 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b |
memory/3232-39-0x0000000000400000-0x0000000000848000-memory.dmp
memory/3232-44-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F84C.exe
| MD5 | 6e92468a589a118a0e52a69838812d5a |
| SHA1 | f7600765aaf24de6261aceabb2823992d5b7d11a |
| SHA256 | 89de3a6e7282355c370058f7b4fe364ec79205602c38013dc5f23196cf7a1f2a |
| SHA512 | f212a536db73fb5a9798cbd472913ca8dfcad06c724b19930098ec3868ca41f2bb825d9824f6f0aaace763f57c589768206f6565461f79d97ae93591f96fd570 |
memory/2248-46-0x0000000000AD0000-0x000000000137F000-memory.dmp
memory/3232-47-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4028-49-0x00000000048A0000-0x000000000490B000-memory.dmp
memory/3232-50-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4028-48-0x0000000000400000-0x0000000002D8C000-memory.dmp
memory/3232-51-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F231.dll
| MD5 | e736096289f39c401f8bad036cddc001 |
| SHA1 | 638ca4b629841616f5236ad883adcb0090762199 |
| SHA256 | 32e27f69b28765479817e017f44c36370942cf33ea4c15658c61d7032a5cbdf0 |
| SHA512 | 8a46d566078d35dbd3e162369ae1a412cddcca23aa128d493eb9ad67fa80edbdb9fc1b4c2826e3b040bf571e29e59426cb740eb1a6b90a8f51c2f93fa59ce1c8 |
memory/4028-55-0x0000000002DF0000-0x0000000002EF0000-memory.dmp
memory/3232-56-0x0000000000D60000-0x0000000000D66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\723.exe
| MD5 | 301cf70eae176450f29acd86816c0dc5 |
| SHA1 | 4dc0ce8c900485ac74978186a330b0e2db46c045 |
| SHA256 | 6447eb57931dd8620bb82793b26a70a7e1c6873378a17ec4cf050782f5896308 |
| SHA512 | 7686814c133c0bf1a953b98e04073932031f8ca8fc5e57a8e661db01aea803ead1abd5554b39bd5643f0aa28e6561622c50c10141179de16f4310c0fb48fd593 |
C:\Users\Admin\AppData\Local\Temp\723.exe
| MD5 | a7626d4194736b5c284a09feca2711c1 |
| SHA1 | 121f234a4e436a98036b99ebb5d9dbf0dc659b54 |
| SHA256 | 4550b7b36c6f67222e23fc7bae32689660712e4fc0d2c11515582c89d7429c55 |
| SHA512 | a74eb41cf0a3a4f36cd86f680e6d03ee2c0c6bbce4841f3acab200e4a13990fce43a7dd17d67eb4119706f1e7b499ddadd079558069c945e713edaf13371e78d |
memory/2868-61-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2248-64-0x0000000000AD0000-0x000000000137F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp
| MD5 | 951ac648539bfaa0f113db5e0406de5b |
| SHA1 | 1b42de9ef8aaf1740de90871c5fc16963a842f43 |
| SHA256 | bb02f28cc67276b8d6609f80553c4976b2acbd34459af17167f8c1b001a84dfe |
| SHA512 | 795e654e82d38905841c3af120fb8288e3f81580a559d97266c739d101b335807b99c2592388b3b4af411f626e8d2f3966316152ca62b87a4361a8da78919b2d |
memory/3588-77-0x0000000000540000-0x0000000000541000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-EHLNL.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
| MD5 | e713ed39b5c4f067e930465a158dcfd3 |
| SHA1 | 510398056d90d6b733dd0e056aa7115cc111dce6 |
| SHA256 | 40dced9e1673384b696dce58e7fd6d6590fc62001613002c72c4b6023f91dc48 |
| SHA512 | 2052796f2601ee5e0316e43b5175e853032857746d9acc25b035a2b9110155b520a96632238122377074de1cdc2c8030e3cf10b824ef716a3077448e3b30b6f8 |
memory/400-108-0x0000000000400000-0x0000000000720000-memory.dmp
memory/400-111-0x0000000000400000-0x0000000000720000-memory.dmp
C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
| MD5 | dcc3d7bf1945b58e383069eba844c716 |
| SHA1 | 9cdcf351b845556ca7774bd337e5c6a4fc7a8545 |
| SHA256 | 1dbfd3ef0ee9e44fe875ca6d60a144d5cf03dbf5d8c16083859714e9873fa923 |
| SHA512 | 91e8cc2bda8d12cc8e24ad664129cbc65d54276b63e2cb3a36e876d6d23fc5f430366858ab8cb4bff4263ecab898a9be8a1d24defff5b88bc2e4b93b1fb3db0c |
memory/400-107-0x0000000000400000-0x0000000000720000-memory.dmp
memory/2068-114-0x0000000000400000-0x0000000000720000-memory.dmp
C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
| MD5 | cf8e6bca18a3374728f4464239d6ca47 |
| SHA1 | 071cb85b0144aae1e90351e99e8f39705dbb70de |
| SHA256 | 6f0ed636782772442e54a381d39d9d24bef456ed84c353a53b42c49be6280075 |
| SHA512 | 9ee8e5bc13ee97acf7e1c0fbe00c96740dda34bd67043bac432788d3a5a9238d18e6c4a64372b6f13cb787be29c0ea74006a8ead2cd31f9df77f7b0ed19f69c1 |
memory/2068-116-0x0000000000400000-0x0000000000720000-memory.dmp
memory/4856-117-0x0000000002370000-0x0000000002499000-memory.dmp
memory/4856-118-0x00000000024A0000-0x00000000025AE000-memory.dmp
memory/4856-119-0x00000000024A0000-0x00000000025AE000-memory.dmp
memory/4856-121-0x00000000024A0000-0x00000000025AE000-memory.dmp
memory/4856-122-0x00000000024A0000-0x00000000025AE000-memory.dmp
memory/3232-123-0x0000000002DB0000-0x0000000002ED9000-memory.dmp
memory/3232-125-0x0000000002EE0000-0x0000000002FEE000-memory.dmp
memory/3232-127-0x0000000002EE0000-0x0000000002FEE000-memory.dmp
memory/3232-128-0x0000000002EE0000-0x0000000002FEE000-memory.dmp
memory/3232-131-0x0000000000400000-0x0000000000848000-memory.dmp
memory/3232-132-0x00000000758F0000-0x0000000075903000-memory.dmp
memory/4028-134-0x0000000000400000-0x0000000002D8C000-memory.dmp
memory/2868-138-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3588-139-0x0000000000400000-0x00000000004BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\375C.exe
| MD5 | 9a8ced484319575a23b23e72ef064368 |
| SHA1 | 630123e785da8b196387dd67444bb2153f71c054 |
| SHA256 | 2fdc3d510975484e43a2e755f922423b99eb6bcaf387490364fa3cecdb4da8cf |
| SHA512 | 0500b0cdb012d01e23fbefe2ed2b2c80644d496565ef608fe518b82f65aeb4461f9ad8f4d558b8f3913c739d8fa068e64b35a0dab0871855eb33b50696184336 |
C:\Users\Admin\AppData\Local\Temp\375C.exe
| MD5 | b5c2ec343dc281502edf2acb8cd6c48f |
| SHA1 | 6f9eaad5ce27c14f89a6cbf0ba7e7df200e1c5a1 |
| SHA256 | 1fe33d26d59f5f45c4b818ad7fe23edb58959e5798c7a4403b7acb9aca1849b1 |
| SHA512 | 9a1f6a2609b0def69d8cf3138731e0a92313fee71c931af0597875b2d75a00c959ece348aa8e674e4ac2e0b3e9909deee5c8b10f70d08e19eb8a87bc4e680ec2 |
memory/2068-143-0x0000000000400000-0x0000000000720000-memory.dmp
memory/3232-144-0x0000000000400000-0x0000000000848000-memory.dmp
memory/5104-145-0x0000000000C00000-0x00000000014B6000-memory.dmp
memory/3232-147-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | f6bf5c21a8247203eb4280e83fba6664 |
| SHA1 | e7558d48e41f127dd779c35a7eb1613c74761249 |
| SHA256 | 0774c2e1349c193926417a5f1783ed1961111ab1d30d2383fca93e6525262a6f |
| SHA512 | 60da2899d4fbc8910a69eb3daad48f96bdd769178ccba6c55e640989514943897a2f9f6a355ed97cb16bacdcceb57eaa7eedacd6901242887c045ae4593f0817 |
memory/5104-148-0x00000000733E0000-0x0000000073B90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4901.exe
| MD5 | 0ca68f13f3db569984dbcc9c0be6144a |
| SHA1 | 8c53b9026e3c34bcf20f35af15fc6545cb337936 |
| SHA256 | 9cd86fa59ea2d10f9b9f3293c132f158fcb7dd993fdb706944f9fe9fa409504a |
| SHA512 | 4c3a3be5fda0f9060a08b95383b5260e4079dbcff73849d2fac88520ae625c33a73c5858b25b717fcccebf03c3ad9b19807de8bcfa7ea22be6648cc965072b7d |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 59782185bcf5b215e0db15afa0002e06 |
| SHA1 | 8a4e122681e234f1b39647eb6c0cde54d177fe9e |
| SHA256 | ff6eec4eee9143ac8234e33d2753a15f00a209cd08ac609e36ad58aa5e60304c |
| SHA512 | 36bd597ab3c08fb5ce6803ace74951bf5b208125fc15087fd0ffbb0c439b4ffa334b1f527c277eaf8169e6d4b11b4d9ec8cc0c8776ecc3c1938044dc6fe05ec9 |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 76b128828f81877a5adfad5eb220a4fd |
| SHA1 | ea048c8f4c2e8c585ddf0e8f45597186b6bbaaa4 |
| SHA256 | 1ac611ae91a2b51544cd72ede52d8357b95ab618efc8a000acebf5803c2ed2b5 |
| SHA512 | 6a3b7f032aa40d119415adb87aa14ca9f6fc816fc84cb8f9f8e981420d33510129d9b5651d8af9cdc00c55cf94afdfdddd2246c3b505ac9c8276e1f725aa2746 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 43706993cce342c8b85b1b175f941c96 |
| SHA1 | d10587600a64da3210a83da771bd7b64d5b81e1f |
| SHA256 | bd7e266eea9db4686f795a0c2ae61684537ee997cdda24b9935e7c7af12d785c |
| SHA512 | 2180ff0458f547c3abb14e0089e7ab2f71d23ec4fe88d6a3596a76839d11dc180022520c0e61dff8b24c3e98dcf082df59279904b02ba3459b1e0298a10ea91d |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 7c09db9c2dacb9e2f18b225f9f204f7a |
| SHA1 | 8b2e2227f02371994fb1a5d3839568a713fa7600 |
| SHA256 | 2f0d802802e13e5208a8adf47fb03f66e2ba0625396220a2f6af920bd0fc6674 |
| SHA512 | ee6eb0cc2ccc30ebcb3a7b70e2bdbbbbaf17d8745576cc1eb5d80744118ac484e42eb202ff4b8c8a59aa380e95b2d5b09d1754d26c3d72bfb0c6f8ef4f85830b |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | b17be9c9cd31a7c69c5dccc4222f3241 |
| SHA1 | 0c4f24a70c3f555d8ebee3397a850a08f68051d1 |
| SHA256 | 45c0c53b6d1c5d7694e381ae14a6cd19e44d54dddb7c4aac00fe5fba9483b9ea |
| SHA512 | ff0884a00096e018008b5b50876ef6345959eaea8f5a0945a748070df87824ffb47566c50fc1474bf7f988801ffbc8a5c04e273483ee93615de027890efc3787 |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 9e3c0fbd879284ddc1a24e3ae2310922 |
| SHA1 | ec7dc55591baa85b28453ddfbebc7e5b5bffe02c |
| SHA256 | 4c3812e784e2b73faa15262bd1126be8479fb3246f5f18bd519c71e70b59594d |
| SHA512 | 1d82ec2ea8538aad5d74b31053860634825f3b62c0e8dce40d3576791cdef71967eb42792af18e8d088e85ca705365fefa8e635e2e0f6d4b1b0b2a2bab6fa21f |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\nsj4F64.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 70b05ac593ba4afd847436f2dbd542a3 |
| SHA1 | d8adc1ea4f762639a79f2f2ce2f3dece4a067e27 |
| SHA256 | dd24bebe073f6d912f3661a5944814beb824e7a655fecccb2245d768eda51a5a |
| SHA512 | 829eb47e34d72785857b964357edfcfd2e7121ed6292fed5f490a11bc8c3990902b960c7f8a4597c26b1a909befaf5cf3133f274540842d6e8b0d0c9e8fe03b7 |
memory/5104-191-0x00000000733E0000-0x0000000073B90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 2fe9860d62aeebd600e504a6b6c7a9d2 |
| SHA1 | edaa583ccc78d914c79389e69d24ce7264a813ef |
| SHA256 | 1a75104e58525eed39afac6c3de839e436f7e5212390c4b50c8d308c4d0090c7 |
| SHA512 | 5429b0f28ed8745eae7d6f2c517ec6c7fc53a48c04c420fb7fb46363d1a98cb239125cf356a8167f23c55a66bd4f3b2872e6e7d10274531179d91544e7cbef57 |
memory/3232-194-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4432-195-0x0000000000BC0000-0x0000000000BC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp
| MD5 | 9089c5ddf54262d275ab0ea6ceaebcba |
| SHA1 | 4796313ad8d780936e549ea509c1932deb41e02a |
| SHA256 | 96766ea71dc59a5b1734aba76c1ab1cbc8459a9ee023e9875359667dbf51ea4a |
| SHA512 | ec71801feccd0c900132425d6bc601bcae6e78702b708df80783a752d08c8bdc49f0b0c8e7c37b15a02b381369b8a3c1114d7385796316b834738045f7dc053c |
C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp
| MD5 | 0ab522cd9cc4a004d8b7b21445b58132 |
| SHA1 | 62da3b22a7ef628712fc771cd10fac96bafb558f |
| SHA256 | 4e6080d8571cd53972a0dfa4f383d61ee95efef520988cf50a17bd569beb6486 |
| SHA512 | 7cc4575c6746eaa92ab837c38203deed2c4beaff6aae6bd60e68edd0a197091695be68f968289db6892f3a96425c334771673daa08c3d8a51be8deb56e75dfc9 |
memory/4028-208-0x0000000002DF0000-0x0000000002EF0000-memory.dmp
memory/3336-209-0x00000000028A0000-0x0000000002CA7000-memory.dmp
memory/3336-210-0x0000000002DB0000-0x000000000369B000-memory.dmp
memory/3336-211-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/2068-214-0x0000000000400000-0x0000000000720000-memory.dmp
memory/3232-216-0x0000000000400000-0x0000000000848000-memory.dmp
memory/3588-215-0x0000000000540000-0x0000000000541000-memory.dmp
memory/2020-217-0x0000000002510000-0x0000000002610000-memory.dmp
memory/2020-218-0x00000000023F0000-0x00000000023FB000-memory.dmp
memory/2020-220-0x0000000000400000-0x00000000022D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\70AE.exe
| MD5 | b10895f77c325310116cfc47095d9252 |
| SHA1 | 4c1ae27fef692ec05ff826aa7eaab519ae5a8e06 |
| SHA256 | 851657de20aed9fdce10b608dce83523d137771c2e1e9582f8d9eecff5a14453 |
| SHA512 | d21cca7801fcf891e88b39378a7f06179577b218f5660f4cc049b16f03f7bf8f910370734af7b005cf17bc5769fb6aef868e6659a1a648cf374c70d4aa9a7910 |
C:\Users\Admin\AppData\Local\Temp\70AE.exe
| MD5 | 3b8ff5ba60fc77e4bce540bd0f9c09fd |
| SHA1 | d9b48cf74f8261a3c98d712a485a09547e01d4de |
| SHA256 | e08ba45aa1191f8c5e85a1d0d8ae916326d435f6b9859bc6d23c0672daee0c96 |
| SHA512 | c491be1946726fe31017080388095e28f141b86f56cf6276882105de491376612f7a928fc59de8661741413e4276ffd827e4142cf7945466ed40da10a6cbf68a |
memory/3336-226-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4816-227-0x0000000001790000-0x0000000001791000-memory.dmp
memory/4432-228-0x0000000000400000-0x00000000008E2000-memory.dmp
memory/4816-229-0x00000000017A0000-0x00000000017A1000-memory.dmp
memory/4816-230-0x00000000017B0000-0x00000000017B1000-memory.dmp
memory/4816-233-0x0000000001800000-0x0000000001801000-memory.dmp
memory/4816-232-0x00000000017F0000-0x00000000017F1000-memory.dmp
memory/4816-234-0x0000000001810000-0x0000000001811000-memory.dmp
memory/4816-231-0x0000000000860000-0x000000000130D000-memory.dmp
memory/4816-236-0x0000000001820000-0x0000000001821000-memory.dmp
memory/2068-239-0x0000000000400000-0x0000000000720000-memory.dmp
memory/4816-240-0x00000000033A0000-0x00000000033D2000-memory.dmp
memory/4816-242-0x00000000033A0000-0x00000000033D2000-memory.dmp
memory/4816-243-0x00000000033A0000-0x00000000033D2000-memory.dmp
memory/4816-241-0x00000000033A0000-0x00000000033D2000-memory.dmp
memory/2084-246-0x00000000024C0000-0x00000000025C0000-memory.dmp
memory/2084-247-0x0000000002440000-0x0000000002467000-memory.dmp
memory/2084-248-0x0000000000400000-0x00000000022D9000-memory.dmp
memory/3512-250-0x00000000030A0000-0x00000000030B6000-memory.dmp
memory/4816-254-0x0000000000860000-0x000000000130D000-memory.dmp
memory/2020-255-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/4972-265-0x0000000002920000-0x0000000002956000-memory.dmp
memory/4972-269-0x00000000052B0000-0x00000000058D8000-memory.dmp
memory/4972-271-0x0000000072E50000-0x0000000073600000-memory.dmp
memory/4972-282-0x0000000004C70000-0x0000000004C80000-memory.dmp
memory/4972-286-0x0000000004C70000-0x0000000004C80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iywfhfbd.z3b.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4432-294-0x0000000000BC0000-0x0000000000BC1000-memory.dmp
memory/4972-287-0x0000000005160000-0x0000000005182000-memory.dmp
memory/4972-296-0x0000000005950000-0x00000000059B6000-memory.dmp
memory/4972-300-0x0000000005AA0000-0x0000000005B06000-memory.dmp
memory/4972-303-0x0000000005B10000-0x0000000005E64000-memory.dmp
memory/4972-325-0x0000000004CA0000-0x0000000004CBE000-memory.dmp
memory/4972-326-0x0000000005F60000-0x0000000005FAC000-memory.dmp
memory/4972-333-0x0000000006440000-0x0000000006484000-memory.dmp
memory/3336-341-0x00000000028A0000-0x0000000002CA7000-memory.dmp
memory/4972-342-0x0000000004C70000-0x0000000004C80000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
| MD5 | adb29a2b3d4aae105be1eca35da10afc |
| SHA1 | 8496caa674d5bd59c37340e949871e6a33a6a6a9 |
| SHA256 | 9bc8d90c27922ab30615548b2e41d62f15ab2749290713bb3714b53ae21ab4b7 |
| SHA512 | 7dba52ac5bdbaa9dafd8a98503e60636ab8db09ae99faa725b768c739147ca5dd42a6b78c3879b70af9ce7093ac8f1e23d706df7f53e2d64f66de5d13e958df9 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | c7fe878e6fc3be20c84b5e85b97efe17 |
| SHA1 | 51ebfabdef927465e68c5843ae4f2a930b82a24b |
| SHA256 | a4a662c0c92c27d74fc00f6f5e24b1b4116da7d582607161f0570cdfcc0a6040 |
| SHA512 | 24f2fd40425ce1a1585157255b0dbb856635fa2fb08f00419693ebf8e0c774d47890aad7b69adee08b315607b0bc68375421737f4785b577110894028a013289 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
| MD5 | c872c92977f6a8428d1f1bc05244f4a3 |
| SHA1 | aa1a48a997997717b66b4cc4621ff14d65d14afe |
| SHA256 | fae2fe308dee13de2c7a2be3dfac523a3ea62701a68eeea7fa34db79f02da1ea |
| SHA512 | 0d860841f0fd145c628e7d9f36c59b555f6bfdd4f8768769b74d3c6f67a0d87dcc08c442a3d3891c9831c2f08d40e98413e54c3362a9d842c0776b67e0009963 |
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | b03886cb64c04b828b6ec1b2487df4a4 |
| SHA1 | a7b9a99950429611931664950932f0e5525294a4 |
| SHA256 | 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc |
| SHA512 | 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | c0c8ca691935cdf1a3e382fbdb197cc2 |
| SHA1 | cf359727fa7d7e043d4d5edd2a7701ac16e270e1 |
| SHA256 | 0d6cedfae688b28f3ec53550d549465be5cf6b9e32d56e7004917d55a0f7615d |
| SHA512 | 60814fe27a14fab13468b923bfd087c3fc7a89169f33a37f005aed977cf12540c7c51f0751e87be3f63af478d3581e3c9cb9a7c2d108e5be9b2b02a88d980530 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7363ded56cc8c4fdc26e986428b3ff57 |
| SHA1 | 2bc1cc5db0bc6bfbe19442c4c91acc2ef911e1df |
| SHA256 | ca8b78e8498dc6ae407a438e68c64d62b4f88d9b1765a20100b6738fe47a93d6 |
| SHA512 | e8b98a74b07846091e9e3a6bf58673733b6c4c0567f37b10df5590ac919fd216fc16af757d2d61cda33b27314f712a7beee19437c577e494d24c812c00e882e8 |
C:\Windows\rss\csrss.exe
| MD5 | d122f827c4fc73f9a06d7f6f2d08cd95 |
| SHA1 | cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5 |
| SHA256 | b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc |
| SHA512 | 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | a1a6e00ad86306a7e3cf5dfbdc85d668 |
| SHA1 | 648262ea8c7f0e0776f4148f52c2e08e5be62702 |
| SHA256 | 906e75e19d56b8ad5e81772fb789ffb2d39dee2cea68870bb2fc60e061d2ac0c |
| SHA512 | c6b77c9499fdefdd132e8b25e4fdefed55a3b5509fa6f7b819a01eafb568b2da26cc5f1b654946be0b5507436dacae3e4e1fc0ed65c8721458a398d60a1b3622 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 9a1fb9e61d5edea2f4624ac4dbc7fdb1 |
| SHA1 | 881abd49ef4742faf67bc0ebda2114afe8754975 |
| SHA256 | b402713d34ead6b4cf6fc538478138de5432c79cabbda2fd60fb1d476755e046 |
| SHA512 | 721ed59f6b2210bb2e1e9d4dc2b3019761442e36d70ef1be4a5eefabe568274c29180f9db8d03255b2b6a67122989b84058ac92f7b6e71077dd6308f643bb8b0 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 64fed1db05d52eac09cd954ce44867b9 |
| SHA1 | 65f2e6e551d50e512160945d13df310f0e692952 |
| SHA256 | 8ffb678a94cad10d604ed312fc31a02fae298e900c0a629f7e58b1ee4d56d33d |
| SHA512 | 1a0c0bab11e93f7dbf0a66c9ead6b55b2304caba0407d7d8f9fcee227405c0f3e87efcda155033a117967cbab475ab7bdfebfa7565db1db3be88ad44ce9bd9c5 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | a0ab2251d3ceb1349776ff3642e807bb |
| SHA1 | 3a3c78a26b87b9cfc0b9605e94e03eccb288426d |
| SHA256 | 5b1fffd5f6d7e45458ced266a096de2d1b9af84f71c0bc97b0d2b64a317ae391 |
| SHA512 | bb11a89847dc5e9c874453df71dfc8089bbe46c2f7b5079543eb0a686fd4c3dcf468a0aba4f156d6fe193d15552a55b9d1cba58fa82cb59e863c4cda82159ea2 |
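The listing above is raw sandbox output: a dropped-file path followed by its hash rows, interleaved with the names of memory-region dumps. Two things in it need checking before any hash is pushed to a blocklist. First, the second `FourthX.exe` record carries MD5 `d41d8cd98f00b204e9800998ecf8427e`, SHA1 `da39a3ee5e6b4b0d3255bfef95601890afd80709` and SHA256 `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`, which are the digests of zero-byte input: the file was captured before it was written, and those values would match every empty file on every host. Second, many paths appear with two or more different hashes (`F84C.exe`, `723.exe`, `375C.exe`, `70AE.exe`, `InstallSetup4.exe`, `mmediabuilder.exe`, `288c47bbc1871b439df19ff4df68f076.exe`, `F231.dll` and others), so the path is not a stable indicator and every distinct hash has to be kept. The code below is an added example and not part of the sandbox report: it parses this listing format, drops the empty capture, collects the distinct SHA256 values, groups paths that were written with several payloads, and turns the dump names into region sizes per PID. The sample text is excerpted verbatim from rows on this page; reading a dump name as `<pid>-<sequence>-<start>-<end>` is an assumption inferred from those names, not a documented convention of the sandbox.

```python
r"""Parse a sandbox dropped-file listing (the format above) and run the checks
an analyst wants before the hashes go into a blocklist. Line shapes handled:
  C:\path\to\dropped.exe  starts a record;  | MD5 | <hex> |  hash rows attach
  to it;  memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp  is a dumped region."""
import re
from collections import defaultdict

# Digests of zero-byte input. A record carrying these was captured empty
# (created but not yet written at snapshot time) and must never be used as
# an indicator: it would match every empty file on every host.
EMPTY_FILE_HASHES = {
    "MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# Assumption: dump names are <pid>-<sequence>-<start>-<end>; that is how the
# names on this page read, not a documented convention of the sandbox.
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
FILE_PATH = re.compile(r"^[A-Za-z]:\\")

def parse_listing(text):
    """Return (files, regions). files: list of {"path", "hashes"} dicts, hash
    rows attaching to the most recent path line; regions: (pid, seq, start, end)."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MEM_DUMP.match(line):
            pid, seq, start, end = m.groups()
            regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
        elif (m := HASH_ROW.match(line)) and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
        elif FILE_PATH.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
    return files, regions

def is_empty_file(rec):
    """True when every hash the record has equals the digest of empty input."""
    shared = set(rec["hashes"]) & set(EMPTY_FILE_HASHES)
    return bool(shared) and all(rec["hashes"][a] == EMPTY_FILE_HASHES[a] for a in shared)

def usable_sha256s(files):
    """Distinct SHA256 values fit for a blocklist; empty captures are skipped."""
    return sorted({f["hashes"]["SHA256"] for f in files
                   if "SHA256" in f["hashes"] and not is_empty_file(f)})

def paths_with_multiple_hashes(files):
    """Paths written more than once with different content during the run
    (staged download, overwrite, or partial capture then the complete file).
    Every hash of such a path is needed in a blocklist, not just the last one."""
    by_path = defaultdict(set)
    for f in files:
        if "SHA256" in f["hashes"] and not is_empty_file(f):
            by_path[f["path"]].add(f["hashes"]["SHA256"])
    return {p: sorted(s) for p, s in by_path.items() if len(s) > 1}

def regions_by_pid(regions):
    """Per PID: (number of dumped regions, largest region size in bytes)."""
    stats = {}
    for pid, _seq, start, end in regions:
        count, largest = stats.get(pid, (0, 0))
        stats[pid] = (count + 1, max(largest, end - start))
    return stats

# Excerpt of the listing above (real rows from this report; MD5/SHA256 only,
# SHA1 kept where it shows the empty-file case).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\F84C.exe
| MD5 | aa4d2da41beb1cff9d5e8976a6614c9b |
| SHA256 | 070358003d65fc59726a1c10c5f12ace47a20891037abc050e63a746b61a86f7 |
memory/2248-21-0x00000000018E0000-0x00000000018E1000-memory.dmp
memory/3232-36-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F84C.exe
| MD5 | 6e92468a589a118a0e52a69838812d5a |
| SHA256 | 89de3a6e7282355c370058f7b4fe364ec79205602c38013dc5f23196cf7a1f2a |
memory/3232-39-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4028-48-0x0000000000400000-0x0000000002D8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 9e3c0fbd879284ddc1a24e3ae2310922 |
| SHA256 | 4c3812e784e2b73faa15262bd1126be8479fb3246f5f18bd519c71e70b59594d |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 2fe9860d62aeebd600e504a6b6c7a9d2 |
| SHA256 | 1a75104e58525eed39afac6c3de839e436f7e5212390c4b50c8d308c4d0090c7 |
"""

if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    print(len(usable_sha256s(files)), "usable SHA256s; dropped empty captures:",
          [f["path"] for f in files if is_empty_file(f)])
    print("paths with several payloads:", list(paths_with_multiple_hashes(files)))
    print("regions per pid:", regions_by_pid(regions))
```

Run against the full page text instead of `SAMPLE` to get the complete set of usable SHA256 values; the region statistics are a quick way to see which PIDs the sandbox dumped most often and which carried a large image-sized region at `0x400000`, which is where to start when picking dumps to unpack.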