Malware Analysis Report

2024-11-30 05:04

Sample ID 240229-f4a2kafc38
Target 4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe
SHA256 4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809
Tags
smokeloader pub1 backdoor bootkit persistence trojan upx glupteba lumma dropper loader stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809

Threat Level: Known bad

The file 4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader pub1 backdoor bootkit persistence trojan upx glupteba lumma dropper loader stealer

SmokeLoader

Glupteba

Lumma Stealer

Glupteba payload

UPX dump on OEP (original entry point)

Detects executables referencing many varying, potentially fake Windows User-Agents

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects Windows executables referencing non-Windows User-Agents

Detects executables containing URLs to raw contents of a Github gist

Detects executables containing artifacts associated with disabling Widnows Defender

Detect binaries embedding considerable number of MFA browser extension IDs.

Detects executables Discord URL observed in first stage droppers

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

UPX packed file

Loads dropped DLL

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 05:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 05:25

Reported

2024-02-29 05:29

Platform

win7-20240221-en

Max time kernel

137s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7CBE.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\D665.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2668 set thread context of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7CBE.exe C:\Users\Admin\AppData\Local\Temp\7CBE.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\B5BA.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4AAC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4AAC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4AAC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\7CBE.exe
PID 1200 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\7CBE.exe
PID 1200 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\7CBE.exe
PID 1200 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\7CBE.exe
PID 2668 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7CBE.exe C:\Users\Admin\AppData\Local\Temp\7CBE.exe
PID 2668 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7CBE.exe C:\Users\Admin\AppData\Local\Temp\7CBE.exe
PID 2668 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7CBE.exe C:\Users\Admin\AppData\Local\Temp\7CBE.exe
PID 2668 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7CBE.exe C:\Users\Admin\AppData\Local\Temp\7CBE.exe
PID 2668 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7CBE.exe C:\Users\Admin\AppData\Local\Temp\7CBE.exe
PID 2668 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7CBE.exe C:\Users\Admin\AppData\Local\Temp\7CBE.exe
PID 2668 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7CBE.exe C:\Users\Admin\AppData\Local\Temp\7CBE.exe
PID 2668 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7CBE.exe C:\Users\Admin\AppData\Local\Temp\7CBE.exe
PID 2668 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7CBE.exe C:\Users\Admin\AppData\Local\Temp\7CBE.exe
PID 1200 wrote to memory of 2620 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1200 wrote to memory of 2620 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1200 wrote to memory of 2620 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1200 wrote to memory of 2620 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1200 wrote to memory of 2620 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2620 wrote to memory of 2612 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2620 wrote to memory of 2612 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2620 wrote to memory of 2612 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2620 wrote to memory of 2612 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2620 wrote to memory of 2612 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2620 wrote to memory of 2612 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2620 wrote to memory of 2612 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1200 wrote to memory of 2484 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5BA.exe
PID 1200 wrote to memory of 2484 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5BA.exe
PID 1200 wrote to memory of 2484 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5BA.exe
PID 1200 wrote to memory of 2484 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5BA.exe
PID 1200 wrote to memory of 2848 N/A N/A C:\Users\Admin\AppData\Local\Temp\D665.exe
PID 1200 wrote to memory of 2848 N/A N/A C:\Users\Admin\AppData\Local\Temp\D665.exe
PID 1200 wrote to memory of 2848 N/A N/A C:\Users\Admin\AppData\Local\Temp\D665.exe
PID 1200 wrote to memory of 2848 N/A N/A C:\Users\Admin\AppData\Local\Temp\D665.exe
PID 2484 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\B5BA.exe C:\Windows\SysWOW64\WerFault.exe
PID 2484 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\B5BA.exe C:\Windows\SysWOW64\WerFault.exe
PID 2484 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\B5BA.exe C:\Windows\SysWOW64\WerFault.exe
PID 2484 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\B5BA.exe C:\Windows\SysWOW64\WerFault.exe
PID 1200 wrote to memory of 2676 N/A N/A C:\Users\Admin\AppData\Local\Temp\19AC.exe
PID 1200 wrote to memory of 2676 N/A N/A C:\Users\Admin\AppData\Local\Temp\19AC.exe
PID 1200 wrote to memory of 2676 N/A N/A C:\Users\Admin\AppData\Local\Temp\19AC.exe
PID 1200 wrote to memory of 2676 N/A N/A C:\Users\Admin\AppData\Local\Temp\19AC.exe
PID 1200 wrote to memory of 2340 N/A N/A C:\Users\Admin\AppData\Local\Temp\4AAC.exe
PID 1200 wrote to memory of 2340 N/A N/A C:\Users\Admin\AppData\Local\Temp\4AAC.exe
PID 1200 wrote to memory of 2340 N/A N/A C:\Users\Admin\AppData\Local\Temp\4AAC.exe
PID 1200 wrote to memory of 2340 N/A N/A C:\Users\Admin\AppData\Local\Temp\4AAC.exe
PID 2676 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\19AC.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
PID 2676 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\19AC.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
PID 2676 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\19AC.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
PID 2676 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\19AC.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
PID 2676 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\19AC.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
PID 2676 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\19AC.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
PID 2676 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\19AC.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
PID 2676 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\19AC.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 2676 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\19AC.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 2676 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\19AC.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 2676 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\19AC.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe

"C:\Users\Admin\AppData\Local\Temp\4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe"

C:\Users\Admin\AppData\Local\Temp\7CBE.exe

C:\Users\Admin\AppData\Local\Temp\7CBE.exe

C:\Users\Admin\AppData\Local\Temp\7CBE.exe

C:\Users\Admin\AppData\Local\Temp\7CBE.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\897C.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\897C.dll

C:\Users\Admin\AppData\Local\Temp\B5BA.exe

C:\Users\Admin\AppData\Local\Temp\B5BA.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 124

C:\Users\Admin\AppData\Local\Temp\D665.exe

C:\Users\Admin\AppData\Local\Temp\D665.exe

C:\Users\Admin\AppData\Local\Temp\19AC.exe

C:\Users\Admin\AppData\Local\Temp\19AC.exe

C:\Users\Admin\AppData\Local\Temp\4AAC.exe

C:\Users\Admin\AppData\Local\Temp\4AAC.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
FR 46.105.227.109:443 tcp
CA 149.56.98.216:9001 tcp
N/A 127.0.0.1:49224 tcp
US 75.176.45.87:9001 tcp
US 38.145.200.61:443 tcp
NL 45.66.33.45:443 tcp
FR 91.121.86.59:993 tcp
FR 85.25.213.211:80 tcp
DE 193.23.244.244:443 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
CA 199.58.81.140:443 tcp
FR 62.210.123.24:443 tcp
DE 176.9.63.240:8450 tcp
LU 107.189.7.219:9001 tcp
MX 189.232.56.10:80 tcp
DE 176.9.63.240:8450 tcp
LU 107.189.7.219:9001 tcp
US 8.8.8.8:53 joly.bestsup.su udp
US 104.21.29.103:80 joly.bestsup.su tcp
US 8.8.8.8:53 jrsworldwide.shop udp
US 8.8.8.8:53 fulloflifellc.shop udp
US 8.8.8.8:53 beautiposition.shop udp
US 8.8.8.8:53 sauna365.site udp
US 8.8.8.8:53 nongki69.site udp
US 162.254.39.101:443 fulloflifellc.shop tcp
CA 23.227.38.65:443 beautiposition.shop tcp
US 162.254.39.102:443 jrsworldwide.shop tcp
US 8.8.8.8:53 metodode.site udp
US 8.8.8.8:53 tania-blu.site udp
US 104.21.48.124:443 nongki69.site tcp
JP 183.90.182.103:443 sauna365.site tcp
US 8.8.8.8:53 kreatifin.site udp
US 8.8.8.8:53 morganfin.site udp
DE 144.24.177.196:443 tania-blu.site tcp
ID 103.163.138.29:443 kreatifin.site tcp
BR 149.100.155.211:443 morganfin.site tcp
US 8.8.8.8:53 tabberger.site udp
US 162.241.226.34:443 tabberger.site tcp
US 8.8.8.8:53 vinaphone.site udp
US 8.8.8.8:53 standexpo.site udp
US 8.8.8.8:53 arabixxg4u.site udp
US 8.8.8.8:53 chrisbench.site udp
US 8.8.8.8:53 cyberfjord.site udp
US 8.8.8.8:53 arabxsx4xs.site udp
US 8.8.8.8:53 cryptovlog.site udp
US 8.8.8.8:53 easynights.site udp
US 8.8.8.8:53 ezhandbook.site udp
US 162.144.13.149:443 standexpo.site tcp
SG 191.101.230.134:443 vinaphone.site tcp
US 104.21.3.35:443 chrisbench.site tcp
US 45.15.27.36:443 easynights.site tcp
GB 109.70.148.67:443 cryptovlog.site tcp
US 8.8.8.8:53 elderycare.site udp
US 8.8.8.8:53 hairvoluum.site udp
US 8.8.8.8:53 flymenshop.site udp
US 8.8.8.8:53 t8chnofest.site udp
US 8.8.8.8:53 sempreliso.site udp
US 8.8.8.8:53 taxidalatd.site udp
US 8.8.8.8:53 techimport.site udp
US 104.21.4.48:443 ezhandbook.site tcp
US 8.8.8.8:53 taxidalate.site udp
US 8.8.8.8:53 bisnis-basu.site udp
US 8.8.8.8:53 alarictower.site udp
US 195.35.10.197:443 sempreliso.site tcp
US 131.153.147.162:443 hairvoluum.site tcp
US 8.8.8.8:53 deltacrypto.site udp
US 8.8.8.8:53 duck-behind.site udp
KR 183.111.183.77:80 elderycare.site tcp
VN 103.74.118.155:443 taxidalate.site tcp
BR 89.117.7.202:443 techimport.site tcp
US 8.8.8.8:53 arabxffxx23.site udp
US 8.8.8.8:53 foradoradar.site udp
JP 160.251.151.77:443 duck-behind.site tcp
US 8.8.8.8:53 viebitcoin.site udp
SG 172.96.191.204:443 alarictower.site tcp
GB 109.70.148.67:443 viebitcoin.site tcp
SG 194.163.42.245:443 bisnis-basu.site tcp
US 8.8.8.8:53 prodentimst.site udp
VN 103.74.118.155:443 taxidalate.site tcp
US 162.241.224.158:443 prodentimst.site tcp
BR 185.213.81.235:443 foradoradar.site tcp
US 8.8.8.8:53 mega228x500.site udp
US 8.8.8.8:53 indukmujaer.site udp
US 8.8.8.8:53 jaishreeram.site udp
US 8.8.8.8:53 lojadocurso.site udp
US 104.21.49.210:443 arabxffxx23.site tcp
GB 109.70.148.67:443 viebitcoin.site tcp
US 8.8.8.8:53 onlybeboteo.site udp
US 8.8.8.8:53 xx2ufreexx6.site udp
US 8.8.8.8:53 pizzayumyum.site udp
US 8.8.8.8:53 lagesdasorte.site udp
US 8.8.8.8:53 radhakrishna.site udp
US 8.8.8.8:53 incognito.black udp
US 8.8.8.8:53 amandaandrade.site udp
US 8.8.8.8:53 argentramites.site udp
US 8.8.8.8:53 leonbets-jur14.site udp
US 172.67.208.156:443 incognito.black tcp
BR 89.117.7.203:443 amandaandrade.site tcp
US 8.8.8.8:53 www.teschconsulting.site udp
US 8.8.8.8:53 adityadiksha2023.site udp
US 217.21.76.145:443 argentramites.site tcp
US 8.8.8.8:53 kamsmad.com udp
SG 149.28.154.118:80 mega228x500.site tcp
US 82.180.174.24:443 jaishreeram.site tcp
BG 95.158.162.200:80 kamsmad.com tcp
US 8.8.8.8:53 premiosorteado.site udp
US 8.8.8.8:53 lehagosutesis.site udp
US 8.8.8.8:53 udp
N/A 127.0.0.1:20959 tcp
N/A 127.0.0.1:20959 tcp
N/A 127.0.0.1:20959 tcp
N/A 127.0.0.1:20959 tcp
N/A 127.0.0.1:49361 tcp
N/A 127.0.0.1:49370 tcp
N/A 127.0.0.1:49374 tcp
N/A 127.0.0.1:49378 tcp
N/A 127.0.0.1:49383 tcp
N/A 127.0.0.1:49388 tcp
N/A 127.0.0.1:49407 tcp
N/A 127.0.0.1:49412 tcp
N/A 127.0.0.1:49422 tcp
N/A 127.0.0.1:49424 tcp
N/A 127.0.0.1:49429 tcp
N/A 127.0.0.1:49431 tcp
N/A 127.0.0.1:49442 tcp
N/A 127.0.0.1:49444 tcp
N/A 127.0.0.1:49460 tcp
N/A 127.0.0.1:49463 tcp
N/A 127.0.0.1:49465 tcp
N/A 127.0.0.1:49473 tcp
N/A 127.0.0.1:49479 tcp
N/A 127.0.0.1:49481 tcp
N/A 127.0.0.1:49483 tcp
N/A 127.0.0.1:49487 tcp
N/A 127.0.0.1:49489 tcp
N/A 127.0.0.1:49494 tcp
N/A 127.0.0.1:49506 tcp
N/A 127.0.0.1:49510 tcp
N/A 127.0.0.1:49514 tcp
N/A 127.0.0.1:49516 tcp
N/A 127.0.0.1:49523 tcp
N/A 127.0.0.1:49525 tcp
N/A 127.0.0.1:49527 tcp
N/A 127.0.0.1:49539 tcp
N/A 127.0.0.1:49543 tcp
N/A 127.0.0.1:49547 tcp
N/A 127.0.0.1:49558 tcp
N/A 127.0.0.1:49560 tcp
N/A 127.0.0.1:49562 tcp
N/A 127.0.0.1:49564 tcp
N/A 127.0.0.1:49566 tcp
N/A 127.0.0.1:49568 tcp
N/A 127.0.0.1:49571 tcp
N/A 127.0.0.1:49587 tcp
N/A 127.0.0.1:49601 tcp
N/A 127.0.0.1:49603 tcp
N/A 127.0.0.1:49605 tcp
N/A 127.0.0.1:49618 tcp
N/A 127.0.0.1:49621 tcp
N/A 127.0.0.1:49627 tcp
N/A 127.0.0.1:49629 tcp
N/A 127.0.0.1:49631 tcp
N/A 127.0.0.1:49633 tcp
N/A 127.0.0.1:49635 tcp
N/A 127.0.0.1:49637 tcp
N/A 127.0.0.1:49641 tcp
N/A 127.0.0.1:49645 tcp
N/A 127.0.0.1:49658 tcp
N/A 127.0.0.1:49660 tcp
N/A 127.0.0.1:49662 tcp
N/A 127.0.0.1:49667 tcp
N/A 127.0.0.1:49669 tcp
N/A 127.0.0.1:49679 tcp
N/A 127.0.0.1:49681 tcp
N/A 127.0.0.1:49689 tcp
N/A 127.0.0.1:49691 tcp
N/A 127.0.0.1:49694 tcp
N/A 127.0.0.1:49708 tcp
IN 217.21.87.246:443 adityadiksha2023.site tcp
US 174.136.26.135:443 www.teschconsulting.site tcp
US 8.8.8.8:53 digitalbookman.site udp
US 8.8.8.8:53 kobolanc.store udp
BG 95.158.162.200:80 kamsmad.com tcp
BG 95.158.162.200:80 kamsmad.com tcp
BR 45.132.157.152:443 onlybeboteo.site tcp
US 192.185.211.108:443 lojadocurso.site tcp
N/A 127.0.0.1:49711 tcp
N/A 127.0.0.1:49717 tcp
N/A 127.0.0.1:49721 tcp
N/A 127.0.0.1:49724 tcp
N/A 127.0.0.1:49728 tcp
N/A 127.0.0.1:49736 tcp
BR 185.9.54.21:443 premiosorteado.site tcp
SG 45.13.133.16:80 indukmujaer.site tcp
N/A 127.0.0.1:49738 tcp
N/A 127.0.0.1:49744 tcp
N/A 127.0.0.1:49746 tcp
N/A 127.0.0.1:49748 tcp
N/A 127.0.0.1:49750 tcp
N/A 127.0.0.1:49752 tcp
US 8.8.8.8:53 vibamapin.store udp
FR 193.203.239.78:443 pizzayumyum.site tcp
N/A 127.0.0.1:49757 tcp
N/A 127.0.0.1:49760 tcp
BG 95.158.162.200:80 kamsmad.com tcp
US 8.8.8.8:53 leonbets-mlv17.site udp
US 8.8.8.8:53 leon-zerkalo17.site udp
US 8.8.8.8:53 leonbets-vua3.site udp
US 8.8.8.8:53 komongto.store udp
US 8.8.8.8:53 pixilated.store udp
US 8.8.8.8:53 shredplus.store udp
US 8.8.8.8:53 dudeworld.store udp
US 8.8.8.8:53 leonbets-qkt16.site udp
US 8.8.8.8:53 crazycapy.store udp
US 8.8.8.8:53 kobopladc.store udp
US 63.250.43.138:443 shredplus.store tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 172.67.210.12:80 crazycapy.store tcp
US 8.8.8.8:53 ascredones.store udp
NL 85.17.31.41:443 dudeworld.store tcp
N/A 127.0.0.1:49768 tcp
US 8.8.8.8:53 findthesky.store udp
N/A 127.0.0.1:49775 tcp
N/A 127.0.0.1:49777 tcp
N/A 127.0.0.1:49779 tcp
NL 185.104.29.148:80 ascredones.store tcp

Files

memory/2088-1-0x0000000001BD0000-0x0000000001CD0000-memory.dmp

memory/2088-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2088-3-0x0000000000400000-0x0000000001A2C000-memory.dmp

memory/2088-5-0x0000000000400000-0x0000000001A2C000-memory.dmp

memory/1200-4-0x0000000002500000-0x0000000002516000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7CBE.exe

MD5 398ab69b1cdc624298fbc00526ea8aca
SHA1 b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256 ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA512 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739

memory/2668-17-0x0000000003470000-0x0000000003628000-memory.dmp

memory/2668-18-0x0000000003470000-0x0000000003628000-memory.dmp

memory/2604-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2668-21-0x0000000003630000-0x00000000037E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7CBE.exe

MD5 987421f9217166a36da6186bb4f6af33
SHA1 28c4673b54e9df462b2e884c841ac83287d577d5
SHA256 de4f8f970a60c8087aabe2b2ef3092221965d22ba5ae424c9502143bdb66979f
SHA512 15abd8ab39176db089e054205e36297421fb0a4f999cbcca2c6b16993a0b2b9adbc10b11e9210b9611c2991e672c77ed1cf3eac1330bd8ceda094f407121e665

\Users\Admin\AppData\Local\Temp\7CBE.exe

MD5 34c292f7112a9db3194e6c78ab2fe7b1
SHA1 150dd5ac6efd93b95d167897a2c870c5125df0ab
SHA256 c029d47b22cb4a9cc49bbc1bde9983bf675f6a981fce1e5fb7f62a9bc54c8f01
SHA512 f44ed24daaf28441776952fe821d2de7b1a0f6b2800a3d75eabbf15a37e85c35b8d788fd86ae674468a2f16c6c49b33610b2ad988a2cea62b9a3d2d6790ea6be

memory/2604-24-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7CBE.exe

MD5 1df9c98963f3d20b3f3f5db8152e3052
SHA1 c8203e4dee088a27c97cb3e334c1dd9aafdd0786
SHA256 cb96f8c2286c4b66024b37b6b09038ba358cbf9572042077b6e1d3c6a0e8336f
SHA512 bfc3c8923b0cb1baf62be9545c16c0678f28bb8d0875cf9cbea217521804cd39c35adba3f31d6adc4e9460f5a56c771596a80a7528a4c17810fb208cfce3bb60

memory/2604-27-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2604-28-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2604-30-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2604-29-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2604-31-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\897C.dll

MD5 617d2f770e1869cf34b743534ef8323f
SHA1 5ee85d27f47c60d6277a32598614822da590ba42
SHA256 b433c20d4cc2b7df0d0d4588166504aae8a3c5549349791c6c0ff7269f7fb779
SHA512 9852fe65281f9f6bd3930ad2ed2c84c99c35b64f09a98c68947b9da68d6148e30c4f17cc76283c589ec16101e0c29ef51ee49d1520e9ce2ed3724f24f23860a2

\Users\Admin\AppData\Local\Temp\897C.dll

MD5 cf05928cd240febca7779c195602f469
SHA1 6e1dc94b3a4a5a44961cdb27d24c572246445e94
SHA256 46ea2db3555bfc56e8a2e6cf04904043e2487d2b9d5ce478da7692775d68148e
SHA512 3373f0fd74f2fc34ad1dbf83029639e9d13a84efc104b068333c4fa5df784657f9223db4d543b56991457eaa89a357aeb13b1fadfa530bf82a91f0ab994bfedd

memory/2612-39-0x0000000010000000-0x0000000010202000-memory.dmp

memory/2612-40-0x00000000000C0000-0x00000000000C6000-memory.dmp

memory/2604-42-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2612-43-0x0000000002680000-0x00000000027A8000-memory.dmp

memory/2612-44-0x00000000027B0000-0x00000000028BD000-memory.dmp

memory/2612-47-0x00000000027B0000-0x00000000028BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B5BA.exe

MD5 f118c788778d37b3f0167f1e1b0bb342
SHA1 83bc0512e1fb21ba2575884de94d8b7c9a21870f
SHA256 0dfeeb4f07cd58faf076ead08184bcb6d7df61a3b922f8cf89294776a2931159
SHA512 c97b928aedf01bf2c13a9b8085f1a3974fefaea880b8f73a872fe983c07a2371f15bd8722beae3e94edc1c0b225af55233113efd78855e078e9ab8c4caf7532f

C:\Users\Admin\AppData\Local\Temp\B5BA.exe

MD5 23af6eda50d9ed9cd7af23d5c5d2edce
SHA1 15a2df4a4d013da65dfc9c36cd0df41f37b6ae08
SHA256 4b1271cb49598c8e50d1b9074a2e4a83076c4f6920e935c755d03e2893a733b1
SHA512 d27148874fc906ec7959cd5c6ab01288fd7d9bb570b7b97b7ea0b8db47d375e319a1d506b2f3ffea9337d662efaa6c0e0be208130fc4ac6fe426c9c466154650

memory/2612-55-0x0000000010000000-0x0000000010202000-memory.dmp

memory/2484-53-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2484-57-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2484-56-0x00000000008B0000-0x00000000011A1000-memory.dmp

memory/2484-61-0x0000000077270000-0x0000000077271000-memory.dmp

memory/2484-59-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2484-63-0x00000000000D0000-0x00000000000D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D665.exe

MD5 2a81374a8b278b85f5aaacdf32eb86c9
SHA1 b56866009d1de7ed2505025c2659971117267124
SHA256 ab3004109054ee88c18c79af7e560a6b3f572536cb4e541fbf25672bbee985ed
SHA512 171782f726f618020f5f3dcd668ec4446aee664745b5e7f9e047fbca12a7a5c504e26be3b8a40a4842c915fa3c63bab99f79b659d6c6cda66165ca5a35114791

memory/2604-71-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D665.exe

MD5 938a4855471e0480aa40d77f313a3edc
SHA1 18918b6771d11b102553b585f0423b961c331949
SHA256 4876077475e867e7264eaa2da1e9a581cd705c892a044f60ebb8e14e59ae26c7
SHA512 738408b6f2d957d69506af10a912c0e9033447f52c818e07b30df7c60ec6b711a815f2ec35dffd5a1de485da5fa7832f69dedca216d3458ede716cab0ccefff2

memory/2848-73-0x0000000001BB0000-0x0000000001CB0000-memory.dmp

memory/2848-74-0x0000000000220000-0x000000000028B000-memory.dmp

memory/2848-76-0x0000000000400000-0x0000000001A77000-memory.dmp

\Users\Admin\AppData\Local\Temp\B5BA.exe

MD5 0b68e3e9e0132d3696a61f166c86905e
SHA1 21383a6c48af2770aeb85b5913d83a7e593b261e
SHA256 892c097b2e93284e767cc206d279ffafb25e8f40d14121edb08618a72cf0adfc
SHA512 60f06adf467a28089c28528c8fce5422a35441642ddbf03988884d751484ea5e9515032be1783d66131ce583c612fe3817fed85b0924d97a33d2b7878b9812fd

\Users\Admin\AppData\Local\Temp\B5BA.exe

MD5 e3d7c4a86bcce9e0cd449ecd0937591b
SHA1 20b283dd2448ab6d2b38cf50938fe542d205dc3e
SHA256 5de4584043b152a8e2554175c36d9b4419dddd4d5a20d5c7291e7d9ef1d9df1a
SHA512 13bfb10d3569b0690f178ba271e6f448153e1383b2ecbd3daccca0171bf897786b4a23e1ca8ef6a437ea448802d2544cd90c01be6bcfee1fafc01f0d27d55b51

C:\Users\Admin\AppData\Local\Temp\19AC.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2604-85-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2676-84-0x00000000008B0000-0x0000000000D3C000-memory.dmp

memory/2848-87-0x0000000000400000-0x0000000001A77000-memory.dmp

memory/2604-88-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2604-89-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 4df729f40643359da4bee10a7b6953fb
SHA1 efaa8d0b2b92b4293919d9a9d2c8a67778d312e6
SHA256 8454518704e7da116b93bbf9d00d5653fce2cb0dca665e88e9e4e75b567f3905
SHA512 38a8fb34b8f9ae31290bdb90868651f1b57da0c3f75f676c2315209dc07c1a33ffcb81d5f37551025e043748feb3ee464ebe1b3003b2360d7ea798b74a2442b0

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 577cf94479fd6ed8003dbdc5d77dfd88
SHA1 d511096c4ca3d3df4cfe511ecc356400f5f00915
SHA256 cef1e699040be5a8f1fdc76ed76a2281f755180ec558889365712e790c41da1c
SHA512 7e1f307d768721ebfefd7c03ba67300dc006ebfdab7551e4c3faebc44aaaf490d67be4fb8f24fce5df247d85f48bbd977b2a70d4e8725285d1b21ea454d64176

C:\Users\Admin\AppData\Local\Temp\4AAC.exe

MD5 0c3f7f76be32866fafcf1b1d26b831c3
SHA1 d7bb7e9437e922de417ce9e9102d2ee6cba7e9e7
SHA256 454e17045a7dd1a6a36dc0a8dcf5dfeebcd0ea36436c94d793de80bd9f150fe2
SHA512 a09084ab2dd088b85b2dbce2e4973c91a372898eda91419c1a79058a53742cced45d87b1c67b2e8c5528c333a2bf0e16d005edcdf33da40626c3c7b07933ad1d

C:\Users\Admin\AppData\Local\Temp\4AAC.exe

MD5 f5e7a68d787bec3ebc78d57260f657aa
SHA1 9368677802b53f15bcb17a4075fb186b4e425de2
SHA256 64cd0f08180ca0d679bbfdc6ced6e936351e9353ef9cc10373b9ce370e35a7fd
SHA512 10768f4ef872791282fb54fedbecae86c086bbe0cad33f64ce2233ab4da4d4d0ad2847cfe2d0bc6db8be2dc1ecc6bea86327e803bc7f579f4d4559c687d0ecc7

memory/1200-123-0x0000000002860000-0x0000000002876000-memory.dmp

memory/2612-125-0x00000000028C0000-0x00000000048E0000-memory.dmp

memory/2612-124-0x00000000027B0000-0x00000000028BD000-memory.dmp

memory/2340-126-0x0000000000400000-0x00000000022D4000-memory.dmp

memory/2340-137-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2612-133-0x00000000049E0000-0x0000000004AD9000-memory.dmp

memory/2340-129-0x0000000002403000-0x0000000002410000-memory.dmp

memory/2612-128-0x00000000048E0000-0x00000000049D9000-memory.dmp

\Users\Admin\AppData\Local\Temp\B5BA.exe

MD5 185eb7f5321f1aa6887f528c759b8e68
SHA1 af12c9c92dc8159234c90456de96ae803fce4847
SHA256 51c467472b4d097f4caa111af67b04dd4d12777935bba47cdfc0cec2372efe67
SHA512 40038fec1f081e8177636240cb8c0f5e6c380abf250300c2ca0445ea5cd83b5d6323d6e736b3b7583c0c5f15164772ce42b90cadd8d3c6e507eff4cb38485aaa

memory/2676-141-0x0000000073020000-0x000000007370E000-memory.dmp

memory/2604-142-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2604-146-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2604-153-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2604-150-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2604-157-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

MD5 14f5fb2b38f16063069e44de5613cedf
SHA1 b9769216530865b993f056a37b06e0223add80c1
SHA256 514ea1203463ccb38da3508b57d400377dede04db9542f0dbd75f46eeaa154c7
SHA512 fdbd936ee118d2315abcd4f3157e3ab631528415b3e942e456b80ccb68065ea46b620a103d78f879634ff76bb9e7943c7ce25d62462b0e72cc928c63901d158e

memory/2604-159-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2604-158-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2604-163-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2604-162-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2040-167-0x0000000001B60000-0x0000000001C60000-memory.dmp

memory/2604-166-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2604-168-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2040-175-0x0000000000240000-0x00000000002A7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 7d853f08e3cf6ebc373f66c9a6393397
SHA1 3a3a41c3e8b3c84b8100e283496bf8fe3efd0083
SHA256 f5ec15f602e74d3af31128187a5986326ee9405d95f6f58df61f7fdfbce9fab3
SHA512 61fe9be46c3498c739933675f9dc581d2e7f05bcec2d281a00def7052784aa3d0ae2d0d1d9384bc96679ee712aa8757121fe934518974da21f8dd39bf4b1f8f7

memory/2040-193-0x0000000000400000-0x0000000001A4B000-memory.dmp

memory/2676-189-0x0000000073020000-0x000000007370E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 fa5183a50620533fa7db14d53993f457
SHA1 9a9ae0a778200b31c1dc814b47607debc653356a
SHA256 6607a24b48c9898d364d643cb9813d287615a9bab40b61f628107c515117451f
SHA512 d3655c253517e0215eca99d3984cf7fd6b2b691f2d56371bd69ba6ca5da7dc38a1ea6b5a3aa5f03ea051bb73ed0d282f057267e9005761525078aba0fc36d6d4

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 09c4db1c81ef28610d1241de08caabe6
SHA1 a017f73950a7a37cca002969cf77645aef5fe44c
SHA256 f8e3ab17808353a6cfa02d64ecd5b7fb958c6e54cde2de0c4f9494a106e6cbe8
SHA512 65116b020d01f25f056108fe213ef7cdf1338d442e157693dc8573908ba0ec4415491280d9e84bc98d5852ae943ba5b64b36d2bff8f863a5a6c6c3b64aa28dd2

memory/692-212-0x0000000000400000-0x0000000001E0F000-memory.dmp

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 66ee906285b8c5c79b7834ab5d61e91f
SHA1 ad17b1cbf9d67eabb9566604c8e38c3809cdaf56
SHA256 0d21a7640ec4ecd85f8eadd96e5167760af397f2e49f1be687ee14b2349c7fa5
SHA512 9202311917b68d72ae9b5c69631ed0dd1f8af045337221df4f88bf0b74a73b3d1157d5e892c0381245d7d25be1259ae2ed59556d21d35697381af4970f367b38

memory/2604-165-0x0000000000400000-0x0000000000848000-memory.dmp

memory/692-225-0x00000000035A0000-0x0000000003998000-memory.dmp

memory/2604-160-0x0000000000400000-0x0000000000848000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

MD5 0564a9bf638169a89ccb3820a6b9a58e
SHA1 57373f3b58f7cc2b9ea1808bdabb600d580a9ceb
SHA256 9e4b0556f698c9bc9a07c07bf13d60908d31995e0bd73510d9dd690b20b11058
SHA512 36b81c374529a9ba5fcbc6fcfebf145c27a7c30916814d63612c04372556d47994a8091cdc5f78dab460bb5296466ce0b284659c8b01883f7960ab08a1631ea6

memory/2604-149-0x0000000000400000-0x0000000000848000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 05:25

Reported

2024-02-29 05:28

Platform

win10v2004-20240226-en

Max time kernel

32s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Detect binaries embedding considerable number of MFA browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Widnows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\98A6.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\AE92.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2948 set thread context of 632 N/A C:\Users\Admin\AppData\Local\Temp\98A6.exe C:\Users\Admin\AppData\Local\Temp\98A6.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3384 wrote to memory of 2948 N/A N/A C:\Users\Admin\AppData\Local\Temp\98A6.exe
PID 3384 wrote to memory of 2948 N/A N/A C:\Users\Admin\AppData\Local\Temp\98A6.exe
PID 3384 wrote to memory of 2948 N/A N/A C:\Users\Admin\AppData\Local\Temp\98A6.exe
PID 2948 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\98A6.exe C:\Users\Admin\AppData\Local\Temp\98A6.exe
PID 2948 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\98A6.exe C:\Users\Admin\AppData\Local\Temp\98A6.exe
PID 2948 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\98A6.exe C:\Users\Admin\AppData\Local\Temp\98A6.exe
PID 2948 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\98A6.exe C:\Users\Admin\AppData\Local\Temp\98A6.exe
PID 2948 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\98A6.exe C:\Users\Admin\AppData\Local\Temp\98A6.exe
PID 2948 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\98A6.exe C:\Users\Admin\AppData\Local\Temp\98A6.exe
PID 2948 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\98A6.exe C:\Users\Admin\AppData\Local\Temp\98A6.exe
PID 2948 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\98A6.exe C:\Users\Admin\AppData\Local\Temp\98A6.exe
PID 3384 wrote to memory of 1256 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3384 wrote to memory of 1256 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1256 wrote to memory of 4844 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1256 wrote to memory of 4844 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1256 wrote to memory of 4844 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3384 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\Temp\ABE2.exe
PID 3384 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\Temp\ABE2.exe
PID 3384 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\Temp\ABE2.exe
PID 3384 wrote to memory of 5016 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE92.exe
PID 3384 wrote to memory of 5016 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE92.exe
PID 3384 wrote to memory of 5016 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE92.exe
PID 3384 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\Temp\B932.exe
PID 3384 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\Temp\B932.exe
PID 3384 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\Temp\B932.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe

"C:\Users\Admin\AppData\Local\Temp\4db6f4628dcd3a4ef8417290ad40c858047ceaed4daaff87a4a5f0d873745809.exe"

C:\Users\Admin\AppData\Local\Temp\98A6.exe

C:\Users\Admin\AppData\Local\Temp\98A6.exe

C:\Users\Admin\AppData\Local\Temp\98A6.exe

C:\Users\Admin\AppData\Local\Temp\98A6.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9ED1.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\9ED1.dll

C:\Users\Admin\AppData\Local\Temp\ABE2.exe

C:\Users\Admin\AppData\Local\Temp\ABE2.exe

C:\Users\Admin\AppData\Local\Temp\AE92.exe

C:\Users\Admin\AppData\Local\Temp\AE92.exe

C:\Users\Admin\AppData\Local\Temp\B932.exe

C:\Users\Admin\AppData\Local\Temp\B932.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\C808.exe

C:\Users\Admin\AppData\Local\Temp\C808.exe

C:\Users\Admin\AppData\Local\Temp\u3s8.0.exe

"C:\Users\Admin\AppData\Local\Temp\u3s8.0.exe"

C:\Users\Admin\AppData\Local\Temp\u3s8.1.exe

"C:\Users\Admin\AppData\Local\Temp\u3s8.1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4904 -ip 4904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1568

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 120.85.215.91.in-addr.arpa udp
DE 62.141.38.69:443 tcp
PL 145.239.84.172:80 tcp
US 8.8.8.8:53 172.84.239.145.in-addr.arpa udp
N/A 127.0.0.1:60404 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 104.21.94.2:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 2.94.21.104.in-addr.arpa udp
US 204.13.164.118:443 tcp
US 8.8.8.8:53 trmpc.com udp
US 8.8.8.8:53 118.164.13.204.in-addr.arpa udp
AR 186.13.17.220:80 trmpc.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 220.17.13.186.in-addr.arpa udp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.127:80 185.172.128.127 tcp
DE 23.88.75.73:9001 tcp
US 192.34.87.86:9001 tcp
US 8.8.8.8:53 127.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 151.69.67.172.in-addr.arpa udp
DE 185.172.128.127:80 tcp
DE 185.172.128.109:80 185.172.128.109 tcp
US 8.8.8.8:53 112.171.67.172.in-addr.arpa udp
US 8.8.8.8:53 109.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 145.128.172.185.in-addr.arpa udp
DE 23.88.75.73:9001 tcp
US 192.34.87.86:9001 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 ezytm.in udp
US 8.8.8.8:53 ezytm.in udp
US 8.8.8.8:53 ns448.easy.gr udp
US 8.8.8.8:53 ns448.easy.gr udp
US 8.8.8.8:53 iqarabian.net udp
DE 213.239.212.61:22 ezytm.in tcp
US 8.8.8.8:53 iqarabian.net udp
US 8.8.8.8:53 de.myfigurecollection.net udp
DE 213.239.212.61:21 ezytm.in tcp
US 8.8.8.8:53 auth.demre.cl udp
DE 213.239.212.61:443 ezytm.in tcp
NL 185.107.56.59:22 iqarabian.net tcp
US 8.8.8.8:53 de.myfigurecollection.net udp
US 8.8.8.8:53 auth.demre.cl udp
US 8.8.8.8:53 the.hiveos.farm udp
NL 185.107.56.59:21 iqarabian.net tcp
US 8.8.8.8:53 120profit.com udp
NL 185.107.56.59:443 iqarabian.net tcp
CL 200.89.78.253:22 auth.demre.cl tcp
US 104.26.12.153:22 de.myfigurecollection.net tcp
US 104.26.12.153:21 de.myfigurecollection.net tcp
US 8.8.8.8:53 120profit.com udp
US 8.8.8.8:53 the.hiveos.farm udp
FR 87.98.186.54:22 ns448.easy.gr tcp
FR 87.98.186.54:21 ns448.easy.gr tcp
FR 87.98.186.54:443 ns448.easy.gr tcp
US 8.8.8.8:53 61.212.239.213.in-addr.arpa udp
US 104.26.12.153:443 de.myfigurecollection.net tcp
CL 200.89.78.253:21 auth.demre.cl tcp
US 8.8.8.8:53 my.economydesigner3.com udp
US 8.8.8.8:53 my.economydesigner3.com udp
US 8.8.8.8:53 my.hirezstudios.com udp
FR 87.98.186.54:143 ns448.easy.gr tcp
NL 185.107.56.59:143 iqarabian.net tcp
CL 200.89.78.253:443 auth.demre.cl tcp
DE 213.239.212.61:80 ezytm.in tcp
US 8.8.8.8:53 my.hirezstudios.com udp
US 8.8.8.8:53 59.56.107.185.in-addr.arpa udp
FR 87.98.186.54:465 ns448.easy.gr tcp
NL 185.107.56.59:465 iqarabian.net tcp
NL 185.107.56.59:80 iqarabian.net tcp
NL 185.107.56.59:80 iqarabian.net tcp
US 172.67.28.84:22 the.hiveos.farm tcp
US 104.26.12.153:143 de.myfigurecollection.net tcp
NL 185.107.56.59:80 iqarabian.net tcp
US 8.8.8.8:53 mailstore1.secureserver.net udp
US 8.8.8.8:53 nationsglory.fr udp
US 172.67.203.243:22 my.economydesigner3.com tcp
US 172.67.28.84:443 the.hiveos.farm tcp
US 8.8.8.8:53 nationsglory.fr udp
US 8.8.8.8:53 54.186.98.87.in-addr.arpa udp
NL 185.107.56.59:995 iqarabian.net tcp
FR 87.98.186.54:80 ns448.easy.gr tcp
US 172.67.28.84:21 the.hiveos.farm tcp
US 8.8.8.8:53 153.12.26.104.in-addr.arpa udp
US 104.26.12.153:465 de.myfigurecollection.net tcp
US 104.16.109.154:22 my.hirezstudios.com tcp
US 8.8.8.8:53 solidariaweb.com.co udp
US 8.8.8.8:53 mynextgen.io udp
CL 200.89.78.253:143 auth.demre.cl tcp
FR 87.98.186.54:995 ns448.easy.gr tcp
US 8.8.8.8:53 253.78.89.200.in-addr.arpa udp
US 104.26.12.153:995 de.myfigurecollection.net tcp
US 104.16.109.154:21 my.hirezstudios.com tcp
US 8.8.8.8:53 solidariaweb.com.co udp
US 104.26.12.153:80 de.myfigurecollection.net tcp
FR 87.98.186.54:443 ns448.easy.gr tcp
US 172.67.75.59:22 de.myfigurecollection.net tcp
FR 87.98.186.54:21 ns448.easy.gr tcp
FR 92.204.80.3:143 mailstore1.secureserver.net tcp
US 8.8.8.8:53 mynextgen.io udp
US 8.8.8.8:53 ferrolikombiservismerkezi.com udp
US 104.26.4.75:22 nationsglory.fr tcp
US 104.26.12.153:80 de.myfigurecollection.net tcp
US 172.67.75.59:21 de.myfigurecollection.net tcp
US 172.67.28.84:143 the.hiveos.farm tcp
CL 200.89.78.253:465 auth.demre.cl tcp
CL 200.89.78.253:80 auth.demre.cl tcp
US 8.8.8.8:53 84.28.67.172.in-addr.arpa udp
US 8.8.8.8:53 id.hiveon.com udp
FR 92.204.80.3:995 mailstore1.secureserver.net tcp
FR 92.204.80.3:465 mailstore1.secureserver.net tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 172.67.180.132:443 technologyenterdo.shop tcp
US 172.67.203.243:21 my.economydesigner3.com tcp
DE 213.239.212.61:80 ezytm.in tcp
DE 213.239.212.61:443 ezytm.in tcp
US 104.22.10.47:22 the.hiveos.farm tcp
US 172.67.28.84:465 the.hiveos.farm tcp
US 8.8.8.8:53 ferrolikombiservismerkezi.com udp
CL 200.89.78.253:995 auth.demre.cl tcp
US 172.67.28.84:80 the.hiveos.farm tcp
US 172.67.203.243:443 my.economydesigner3.com tcp
US 104.16.109.154:443 my.hirezstudios.com tcp
NL 185.107.56.59:80 iqarabian.net tcp
US 104.26.4.75:21 nationsglory.fr tcp
US 104.22.10.47:21 the.hiveos.farm tcp
US 172.67.203.243:143 my.economydesigner3.com tcp
US 104.26.13.153:22 de.myfigurecollection.net tcp
NL 185.107.56.59:80 iqarabian.net tcp
NL 185.107.56.59:80 iqarabian.net tcp
US 172.67.28.84:995 the.hiveos.farm tcp
US 172.67.69.151:22 mynextgen.io tcp
US 8.8.8.8:53 mx0.mail.ovh.net udp
FR 87.98.186.54:443 ns448.easy.gr tcp
US 104.26.13.153:21 de.myfigurecollection.net tcp
US 172.67.75.59:143 de.myfigurecollection.net tcp
US 104.21.37.46:22 my.economydesigner3.com tcp
US 45.60.22.52:22 solidariaweb.com.co tcp
US 104.22.12.108:443 id.hiveon.com tcp
US 45.60.22.52:21 solidariaweb.com.co tcp
US 104.26.4.75:443 nationsglory.fr tcp
US 104.16.109.154:143 my.hirezstudios.com tcp
FR 87.98.186.54:143 ns448.easy.gr tcp
US 172.67.203.243:465 my.economydesigner3.com tcp
US 8.8.8.8:53 iq.opensooq.com udp
US 8.8.8.8:53 e-gaminghost.info udp
US 104.22.11.47:22 the.hiveos.farm tcp
US 104.16.110.154:22 my.hirezstudios.com tcp
US 172.67.203.243:80 my.economydesigner3.com tcp
US 172.67.69.151:21 mynextgen.io tcp
US 172.67.75.59:465 de.myfigurecollection.net tcp
US 8.8.8.8:53 120profit.com udp
US 172.67.68.40:22 nationsglory.fr tcp
US 104.22.10.47:143 the.hiveos.farm tcp
US 104.22.11.47:21 the.hiveos.farm tcp
CL 200.89.78.253:80 auth.demre.cl tcp
US 104.16.109.154:465 my.hirezstudios.com tcp
US 104.21.37.46:21 my.economydesigner3.com tcp
US 104.16.109.154:80 my.hirezstudios.com tcp
US 172.67.203.243:995 my.economydesigner3.com tcp
US 104.26.12.153:443 de.myfigurecollection.net tcp
US 172.67.69.151:443 mynextgen.io tcp
US 104.16.110.154:21 my.hirezstudios.com tcp
US 8.8.8.8:53 132.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 243.203.67.172.in-addr.arpa udp
US 8.8.8.8:53 154.109.16.104.in-addr.arpa udp
US 8.8.8.8:53 e-gaminghost.info udp
US 172.67.75.59:995 de.myfigurecollection.net tcp
US 104.21.57.237:22 ferrolikombiservismerkezi.com tcp
US 104.21.57.237:21 ferrolikombiservismerkezi.com tcp
US 8.8.8.8:53 oauth.smartschool.be udp
US 104.26.13.153:143 de.myfigurecollection.net tcp
FR 178.33.252.245:143 mx0.mail.ovh.net tcp
US 8.8.8.8:53 mx.zoho.eu udp
US 8.8.8.8:53 mx.yandex.net udp
US 172.67.68.40:21 nationsglory.fr tcp
US 104.21.37.46:143 my.economydesigner3.com tcp
US 45.60.22.52:443 solidariaweb.com.co tcp
FR 87.98.186.54:21 ns448.easy.gr tcp
US 104.16.109.154:995 my.hirezstudios.com tcp
US 104.21.57.237:443 ferrolikombiservismerkezi.com tcp
US 8.8.8.8:53 75.4.26.104.in-addr.arpa udp
US 8.8.8.8:53 52.22.60.45.in-addr.arpa udp
US 104.16.112.154:22 my.hirezstudios.com tcp
US 104.26.13.153:465 de.myfigurecollection.net tcp
US 104.22.10.47:465 the.hiveos.farm tcp
US 8.8.8.8:53 108.12.22.104.in-addr.arpa udp
US 104.26.5.75:22 nationsglory.fr tcp
US 104.22.10.47:995 the.hiveos.farm tcp
US 104.26.15.238:22 mynextgen.io tcp
US 104.22.11.47:143 the.hiveos.farm tcp
FR 178.33.252.245:465 mx0.mail.ovh.net tcp
US 104.26.12.153:443 de.myfigurecollection.net tcp
US 172.67.28.84:443 the.hiveos.farm tcp
US 45.60.25.52:22 solidariaweb.com.co tcp
US 104.16.112.154:21 my.hirezstudios.com tcp
US 104.16.110.154:143 my.hirezstudios.com tcp
US 104.26.13.153:995 de.myfigurecollection.net tcp
US 104.21.37.46:465 my.economydesigner3.com tcp
NL 185.107.56.59:80 iqarabian.net tcp
US 8.8.8.8:53 oauth.smartschool.be udp
US 8.8.8.8:53 account.xiaomi.com udp
US 172.67.203.243:80 my.economydesigner3.com tcp
DE 213.239.212.61:443 ezytm.in tcp
US 8.8.8.8:53 account.xiaomi.com udp
US 104.26.15.238:21 mynextgen.io tcp
IE 54.228.71.148:22 iq.opensooq.com tcp
IE 54.228.71.148:21 iq.opensooq.com tcp
DE 213.239.212.61:80 ezytm.in tcp
US 104.26.5.75:21 nationsglory.fr tcp
US 104.16.109.154:80 my.hirezstudios.com tcp
US 45.60.22.52:465 solidariaweb.com.co tcp
US 104.16.110.154:465 my.hirezstudios.com tcp
US 45.60.22.52:80 solidariaweb.com.co tcp
NL 185.230.212.166:143 mx.zoho.eu tcp
NL 185.107.56.59:80 iqarabian.net tcp
FR 178.33.252.245:995 mx0.mail.ovh.net tcp
US 104.21.37.46:995 my.economydesigner3.com tcp
US 104.26.4.75:80 nationsglory.fr tcp
FR 87.98.186.54:443 ns448.easy.gr tcp
US 8.8.8.8:53 mx.zoho.eu udp
US 8.8.8.8:53 245.252.33.178.in-addr.arpa udp
US 8.8.8.8:53 237.57.21.104.in-addr.arpa udp
US 104.26.12.153:21 de.myfigurecollection.net tcp
US 172.67.193.129:22 ferrolikombiservismerkezi.com tcp
US 172.67.193.129:21 ferrolikombiservismerkezi.com tcp
US 104.22.11.47:995 the.hiveos.farm tcp
US 8.8.8.8:53 nvsp.in udp
US 8.8.8.8:53 br.z8games.com udp
US 104.16.112.154:143 my.hirezstudios.com tcp
FR 87.98.186.54:22 ns448.easy.gr tcp
FR 87.98.186.54:80 ns448.easy.gr tcp
CL 200.89.78.253:443 auth.demre.cl tcp
US 172.67.28.84:80 the.hiveos.farm tcp
US 104.26.4.75:80 nationsglory.fr tcp
US 104.16.110.154:995 my.hirezstudios.com tcp
US 8.8.8.8:53 e-gaminghost.info udp
DE 213.239.212.61:22 ezytm.in tcp
IE 54.228.71.148:443 iq.opensooq.com tcp
US 45.60.22.52:995 solidariaweb.com.co tcp
US 172.67.69.151:80 mynextgen.io tcp
NL 185.230.212.166:465 mx.zoho.eu tcp
BE 193.56.132.11:22 oauth.smartschool.be tcp
DE 213.239.212.61:21 ezytm.in tcp
US 172.67.203.243:443 my.economydesigner3.com tcp
NL 185.107.56.59:22 iqarabian.net tcp
US 104.26.12.153:22 de.myfigurecollection.net tcp
US 8.8.8.8:53 120profit.com udp
BE 193.56.132.11:21 oauth.smartschool.be tcp
US 172.67.69.151:80 mynextgen.io tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 br.z8games.com udp
US 8.8.8.8:53 nvsp.in udp
IE 63.34.220.114:22 iq.opensooq.com tcp
US 45.60.22.52:143 solidariaweb.com.co tcp
NL 20.47.97.75:22 account.xiaomi.com tcp
CL 200.89.78.253:22 auth.demre.cl tcp
US 172.67.203.243:22 my.economydesigner3.com tcp
US 172.67.28.84:22 the.hiveos.farm tcp
US 104.26.12.153:80 de.myfigurecollection.net tcp
NL 185.230.212.166:995 mx.zoho.eu tcp
IE 63.34.220.114:21 iq.opensooq.com tcp
CL 200.89.78.253:21 auth.demre.cl tcp
NL 185.107.56.59:21 iqarabian.net tcp
US 8.8.8.8:53 mailstore1.secureserver.net udp
NL 20.47.97.75:21 account.xiaomi.com tcp
US 104.16.109.154:443 my.hirezstudios.com tcp
NL 185.107.56.59:143 iqarabian.net tcp
US 172.67.75.59:22 de.myfigurecollection.net tcp
US 104.21.57.237:80 ferrolikombiservismerkezi.com tcp
BE 193.56.132.11:443 oauth.smartschool.be tcp
US 8.8.8.8:53 siae.uam.mx udp
US 8.8.8.8:53 us04web.zoom.us udp
US 8.8.8.8:53 148.71.228.54.in-addr.arpa udp
US 172.67.75.59:21 de.myfigurecollection.net tcp
FR 87.98.186.54:21 ns448.easy.gr tcp
IE 54.228.71.148:143 iq.opensooq.com tcp
NL 185.107.56.59:995 iqarabian.net tcp
RU 77.88.21.249:465 mx.yandex.net tcp
US 104.21.57.237:80 ferrolikombiservismerkezi.com tcp
NL 185.107.56.59:465 iqarabian.net tcp
US 172.67.203.243:21 my.economydesigner3.com tcp
US 104.26.12.153:143 de.myfigurecollection.net tcp
CL 200.89.78.253:80 auth.demre.cl tcp
US 104.26.12.153:80 de.myfigurecollection.net tcp
US 8.8.8.8:53 mx2.account.xiaomi.com udp
NL 185.107.56.59:80 iqarabian.net tcp
US 172.67.28.84:21 the.hiveos.farm tcp
NL 20.47.97.75:443 account.xiaomi.com tcp
US 45.60.22.52:80 solidariaweb.com.co tcp
CL 200.89.78.253:143 auth.demre.cl tcp
GB 104.77.160.213:22 br.z8games.com tcp
IN 61.0.172.246:21 nvsp.in tcp
US 8.8.8.8:53 siae.uam.mx udp
US 104.16.109.154:22 my.hirezstudios.com tcp
US 8.8.8.8:53 us04web.zoom.us udp
US 8.8.8.8:53 undertale-porn.com udp
US 8.8.8.8:53 e-gaminghost.info udp
FR 87.98.186.54:995 ns448.easy.gr tcp
DE 213.239.212.61:80 ezytm.in tcp
IE 63.34.220.114:143 iq.opensooq.com tcp
US 172.67.75.59:143 de.myfigurecollection.net tcp
US 104.21.37.46:21 my.economydesigner3.com tcp
IE 54.228.71.148:80 iq.opensooq.com tcp
FR 87.98.186.54:465 ns448.easy.gr tcp
RU 77.88.21.249:995 mx.yandex.net tcp
BE 193.56.132.11:143 oauth.smartschool.be tcp
US 104.26.4.75:22 nationsglory.fr tcp
US 104.16.109.154:21 my.hirezstudios.com tcp
US 104.26.4.75:443 nationsglory.fr tcp
US 104.26.12.153:995 de.myfigurecollection.net tcp
NL 185.107.56.59:80 iqarabian.net tcp
US 104.22.12.108:443 id.hiveon.com tcp
US 172.67.28.84:143 the.hiveos.farm tcp
FR 87.98.186.54:443 ns448.easy.gr tcp
US 172.67.69.151:22 mynextgen.io tcp
GB 104.77.160.213:443 br.z8games.com tcp
GB 104.77.160.200:22 br.z8games.com tcp
CL 200.89.78.253:465 auth.demre.cl tcp
US 45.60.22.52:22 solidariaweb.com.co tcp
GB 104.77.160.213:21 br.z8games.com tcp
US 172.67.203.243:465 my.economydesigner3.com tcp
US 104.16.110.154:22 my.hirezstudios.com tcp
US 8.8.8.8:53 undertale-porn.com udp
US 8.8.8.8:53 analytics.moz.com udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
IE 54.228.71.148:465 iq.opensooq.com tcp
IE 54.228.71.148:995 iq.opensooq.com tcp
FR 87.98.186.54:143 ns448.easy.gr tcp
BE 193.56.132.11:465 oauth.smartschool.be tcp
FR 87.98.186.54:443 ns448.easy.gr tcp
US 172.67.203.243:143 my.economydesigner3.com tcp
CL 200.89.78.253:995 auth.demre.cl tcp
BE 193.56.132.11:80 oauth.smartschool.be tcp
US 104.26.4.75:21 nationsglory.fr tcp
US 172.67.69.151:21 mynextgen.io tcp
US 172.67.69.151:443 mynextgen.io tcp
US 8.8.8.8:53 11.132.56.193.in-addr.arpa udp
US 8.8.8.8:53 75.97.47.20.in-addr.arpa udp
US 172.67.68.40:22 nationsglory.fr tcp
US 104.16.110.154:21 my.hirezstudios.com tcp
US 172.67.28.84:465 the.hiveos.farm tcp
US 172.67.75.59:995 de.myfigurecollection.net tcp
US 104.22.10.47:143 the.hiveos.farm tcp
FR 92.204.80.3:143 mailstore1.secureserver.net tcp
US 8.8.8.8:53 120profit.com udp
FR 92.204.80.3:995 mailstore1.secureserver.net tcp
FR 92.204.80.3:465 mailstore1.secureserver.net tcp
IE 54.228.71.148:80 iq.opensooq.com tcp
US 45.60.22.52:21 solidariaweb.com.co tcp
US 8.8.8.8:53 analytics.moz.com udp
US 8.8.8.8:53 remotedesktop.google.com udp
US 104.16.109.154:465 my.hirezstudios.com tcp
US 172.67.28.84:995 the.hiveos.farm tcp
MX 148.206.159.226:22 siae.uam.mx tcp
US 104.26.15.238:22 mynextgen.io tcp
US 104.21.57.237:21 ferrolikombiservismerkezi.com tcp
BE 193.56.132.11:995 oauth.smartschool.be tcp
FR 178.33.252.245:143 mx0.mail.ovh.net tcp
US 104.26.12.153:443 de.myfigurecollection.net tcp
US 172.67.68.40:21 nationsglory.fr tcp
NL 20.47.97.75:80 account.xiaomi.com tcp
US 104.26.15.238:21 mynextgen.io tcp
CN 42.62.48.103:143 mx2.account.xiaomi.com tcp
US 45.60.25.52:22 solidariaweb.com.co tcp
US 172.67.203.243:995 my.economydesigner3.com tcp
US 104.21.57.237:22 ferrolikombiservismerkezi.com tcp
US 104.16.109.154:143 my.hirezstudios.com tcp
GB 104.77.160.200:21 br.z8games.com tcp
US 104.21.37.46:465 my.economydesigner3.com tcp
US 8.8.8.8:53 ftp.120profit.com udp
US 104.16.109.154:995 my.hirezstudios.com tcp
US 172.67.203.243:80 my.economydesigner3.com tcp
US 8.8.8.8:53 213.160.77.104.in-addr.arpa udp
MX 148.206.159.226:21 siae.uam.mx tcp
US 104.21.57.237:80 ferrolikombiservismerkezi.com tcp
US 8.8.8.8:53 remotedesktop.google.com udp
US 45.60.22.52:143 solidariaweb.com.co tcp
IE 54.228.71.148:22 iq.opensooq.com tcp
IN 61.0.172.246:143 nvsp.in tcp
FR 178.33.252.245:465 mx0.mail.ovh.net tcp
US 104.16.109.154:80 my.hirezstudios.com tcp
FR 87.98.186.54:21 ns448.easy.gr tcp
CN 42.62.48.103:995 mx2.account.xiaomi.com tcp
NL 185.107.56.59:990 iqarabian.net tcp
IE 54.228.71.148:21 iq.opensooq.com tcp
US 172.67.203.243:80 my.economydesigner3.com tcp
NL 20.47.97.75:80 account.xiaomi.com tcp
CL 200.89.78.253:80 auth.demre.cl tcp
US 8.8.8.8:53 e-gaminghost.info udp
US 8.8.8.8:53 120profit.com udp
FR 87.98.186.54:222 ns448.easy.gr tcp
US 64.91.248.15:21 undertale-porn.com tcp
GB 104.77.160.213:143 br.z8games.com tcp
US 45.60.22.52:465 solidariaweb.com.co tcp
US 170.114.52.4:443 us04web.zoom.us tcp
NL 185.230.212.166:143 mx.zoho.eu tcp
US 104.17.7.82:22 analytics.moz.com tcp
FR 178.33.252.245:995 mx0.mail.ovh.net tcp
NL 185.230.212.166:465 mx.zoho.eu tcp
BE 193.56.132.11:22 oauth.smartschool.be tcp
US 8.8.8.8:53 na.wargaming.net udp
US 8.8.8.8:53 mx156.hostedmxserver.com udp
US 8.8.8.8:53 4.52.114.170.in-addr.arpa udp
US 8.8.8.8:53 226.159.206.148.in-addr.arpa udp
US 8.8.8.8:53 detectordiscusser.shop udp
DE 213.239.212.61:222 ezytm.in tcp
IN 61.0.172.246:465 nvsp.in tcp
IN 61.0.172.246:80 nvsp.in tcp
US 104.26.12.153:222 de.myfigurecollection.net tcp
US 172.67.28.84:222 the.hiveos.farm tcp
US 172.67.203.243:222 my.economydesigner3.com tcp
DE 213.239.212.61:990 ezytm.in tcp
NL 185.107.56.59:222 iqarabian.net tcp
US 104.21.57.237:80 ferrolikombiservismerkezi.com tcp
BE 193.56.132.11:21 oauth.smartschool.be tcp
DE 213.239.212.61:443 ezytm.in tcp
US 104.26.12.153:990 de.myfigurecollection.net tcp
IE 54.228.71.148:443 iq.opensooq.com tcp
DE 213.239.212.61:80 ezytm.in tcp
US 172.67.28.84:990 the.hiveos.farm tcp
CL 200.89.78.253:222 auth.demre.cl tcp
NL 20.47.97.75:22 account.xiaomi.com tcp
NL 185.107.56.59:80 iqarabian.net tcp
US 104.21.60.92:443 detectordiscusser.shop tcp
US 45.60.22.52:80 solidariaweb.com.co tcp
US 64.91.248.15:443 undertale-porn.com tcp
GB 104.77.160.213:80 br.z8games.com tcp
US 172.67.28.84:80 the.hiveos.farm tcp
US 104.26.4.75:80 nationsglory.fr tcp
CL 200.89.78.253:990 auth.demre.cl tcp
US 8.8.8.8:53 launchpad.classlink.com udp
US 8.8.8.8:53 launchpad.classlink.com udp
US 8.8.8.8:53 turbo.omnilink.com.br udp
US 8.8.8.8:53 na.wargaming.net udp
BE 193.56.132.11:443 oauth.smartschool.be tcp
FR 87.98.186.54:80 ns448.easy.gr tcp
US 172.67.69.151:80 mynextgen.io tcp
FR 92.204.80.3:587 mailstore1.secureserver.net tcp
GB 104.77.160.213:80 br.z8games.com tcp
US 8.8.8.8:53 turbo.omnilink.com.br udp
US 8.8.8.8:53 sisualuno.mec.gov.br udp
US 8.8.8.8:53 120profit.com udp
US 8.8.8.8:53 ftp.120profit.com udp
MX 148.206.159.226:80 siae.uam.mx tcp
US 8.8.8.8:53 e-gaminghost.info udp
US 8.8.8.8:53 246.172.0.61.in-addr.arpa udp
US 8.8.8.8:53 92.60.21.104.in-addr.arpa udp
US 8.8.8.8:53 15.248.91.64.in-addr.arpa udp
NL 20.47.97.75:443 account.xiaomi.com tcp
US 104.26.12.153:80 de.myfigurecollection.net tcp
NL 20.47.97.75:80 account.xiaomi.com tcp
US 8.8.8.8:53 sisualuno.mec.gov.br udp
US 172.67.203.243:443 my.economydesigner3.com tcp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 br.z8games.com udp
US 170.114.52.4:80 us04web.zoom.us tcp
US 64.91.248.15:80 undertale-porn.com tcp
DE 213.239.212.61:80 ezytm.in tcp
US 8.8.8.8:53 mail.120profit.com udp
US 8.8.8.8:53 sammobile.com udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 e-gaminghost.info udp
US 104.16.109.154:443 my.hirezstudios.com tcp
US 104.21.57.237:80 ferrolikombiservismerkezi.com tcp
IE 54.228.71.148:80 iq.opensooq.com tcp
US 8.8.8.8:53 sammobile.com udp
US 104.17.7.82:80 analytics.moz.com tcp
US 104.26.4.75:443 nationsglory.fr tcp
US 104.26.12.153:587 de.myfigurecollection.net tcp
US 172.67.28.84:443 the.hiveos.farm tcp
NL 185.107.56.59:80 iqarabian.net tcp
FR 87.98.186.54:443 ns448.easy.gr tcp
CL 200.89.78.253:443 auth.demre.cl tcp
US 172.67.69.151:443 mynextgen.io tcp
BE 193.56.132.11:80 oauth.smartschool.be tcp
US 8.8.8.8:53 discordea.net udp
US 8.8.8.8:53 discordea.net udp
IE 74.125.193.100:80 remotedesktop.google.com tcp
IN 61.0.172.246:443 nvsp.in tcp
US 8.8.8.8:53 120profit.com udp
US 8.8.8.8:53 ww12.undertale-porn.com udp
US 8.8.8.8:53 e-gaminghost.info udp
US 8.8.8.8:53 ftp.iqarabian.net udp
US 8.8.8.8:53 ftp.120profit.com udp
US 104.26.12.153:443 de.myfigurecollection.net tcp
NL 20.47.97.75:80 account.xiaomi.com tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 fotofastdelivery.net udp
US 8.8.8.8:53 myasp.net udp
US 8.8.8.8:53 us-smtp-inbound-2.mimecast.com udp
US 8.8.8.8:53 82.7.17.104.in-addr.arpa udp
US 172.67.203.243:80 my.economydesigner3.com tcp
MX 148.206.159.226:80 siae.uam.mx tcp
DE 213.239.212.61:443 ezytm.in tcp
CL 200.89.78.253:80 auth.demre.cl tcp
US 8.8.8.8:53 ftp.ezytm.in udp
US 8.8.8.8:53 ftp.de.myfigurecollection.net udp
US 8.8.8.8:53 ssh.120profit.com udp
US 8.8.8.8:53 ftp.the.hiveos.farm udp
US 8.8.8.8:53 ftp.my.economydesigner3.com udp
US 8.8.8.8:53 mail.120profit.com udp
US 8.8.8.8:53 mail.iqarabian.net udp
US 8.8.8.8:53 myasp.net udp
US 8.8.8.8:53 a3forum.fr udp
US 8.8.8.8:53 ftp.auth.demre.cl udp
US 8.8.8.8:53 e-gaminghost.info udp
US 8.8.8.8:53 ftp.e-gaminghost.info udp
US 8.8.8.8:53 100.193.125.74.in-addr.arpa udp
US 8.8.8.8:53 ftp.solidariaweb.com.co udp
BE 13.225.239.11:80 launchpad.classlink.com tcp
US 92.223.56.72:80 na.wargaming.net tcp
US 170.114.52.4:443 us04web.zoom.us tcp
BR 200.185.141.77:80 turbo.omnilink.com.br tcp
US 75.2.81.221:80 ww12.undertale-porn.com tcp
US 104.21.57.237:80 ferrolikombiservismerkezi.com tcp
US 8.8.8.8:53 mail.auth.demre.cl udp
US 8.8.8.8:53 mail.de.myfigurecollection.net udp
US 8.8.8.8:53 ftp.my.hirezstudios.com udp
US 8.8.8.8:53 mail.the.hiveos.farm udp
US 8.8.8.8:53 aspmx.l.google.com udp
IE 54.228.71.148:443 iq.opensooq.com tcp
BE 13.225.239.9:80 sisualuno.mec.gov.br tcp
US 8.8.8.8:53 correspondenciasdigitais.itau.com.br udp
US 104.17.7.82:443 analytics.moz.com tcp
US 104.26.4.75:80 nationsglory.fr tcp
US 64.91.248.15:80 undertale-porn.com tcp
US 8.8.8.8:53 br.z8games.com udp
US 8.8.8.8:53 mail.my.economydesigner3.com udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 ftp.nationsglory.fr udp
US 8.8.8.8:53 mx0.mail.ovh.net udp
US 8.8.8.8:53 ftp.ferrolikombiservismerkezi.com udp
US 8.8.8.8:53 ftp.mynextgen.io udp
US 8.8.8.8:53 ftp.ns448.easy.gr udp
US 8.8.8.8:53 smtp.secureserver.net udp
US 8.8.8.8:53 steamcommunity.com udp
US 45.60.22.52:80 solidariaweb.com.co tcp
US 104.16.109.154:80 my.hirezstudios.com tcp
US 104.22.12.108:443 id.hiveon.com tcp
US 8.8.8.8:53 a3forum.fr udp
US 8.8.8.8:53 correspondenciasdigitais.itau.com.br udp
FR 87.98.186.54:80 ns448.easy.gr tcp
BE 193.56.132.11:443 oauth.smartschool.be tcp
US 172.67.69.151:80 mynextgen.io tcp
GB 23.214.154.77:80 steamcommunity.com tcp
US 8.8.8.8:53 s202.wildguns.pl udp
US 8.8.8.8:53 fotofastdelivery.net udp
US 8.8.8.8:53 mx3.mail.ovh.net udp
US 8.8.8.8:53 11.239.225.13.in-addr.arpa udp
US 8.8.8.8:53 72.56.223.92.in-addr.arpa udp
US 8.8.8.8:53 221.81.2.75.in-addr.arpa udp
GB 104.77.160.213:80 br.z8games.com tcp
US 8.8.8.8:53 mx0.mail.ovh.net udp
US 8.8.8.8:53 120profit.com udp
US 8.8.8.8:53 e-gaminghost.info udp
US 8.8.8.8:53 mail.120profit.com udp
US 8.8.8.8:53 ftp.120profit.com udp
US 8.8.8.8:53 s202.wildguns.pl udp
US 8.8.8.8:53 auth.riotgames.com udp
US 172.67.203.243:443 my.economydesigner3.com tcp
IE 74.125.193.100:80 remotedesktop.google.com tcp
US 8.8.8.8:53 mail5002.site4now.net udp
US 8.8.8.8:53 9.239.225.13.in-addr.arpa udp
US 8.8.8.8:53 77.154.214.23.in-addr.arpa udp
US 8.8.8.8:53 mail.solidariaweb.com.co udp
US 8.8.8.8:53 mail.my.hirezstudios.com udp
DE 213.239.212.61:80 ezytm.in tcp
US 104.20.203.54:80 sammobile.com tcp
US 104.26.12.153:80 mail.de.myfigurecollection.net tcp
US 8.8.8.8:53 ftp.iq.opensooq.com udp
US 8.8.8.8:53 fotofastdelivery.net udp
CL 200.89.78.253:80 auth.demre.cl tcp
US 8.8.8.8:53 ftp.oauth.smartschool.be udp
US 8.8.8.8:53 ftp.ezytm.in udp
US 8.8.8.8:53 ftp.account.xiaomi.com udp
US 8.8.8.8:53 ssh.120profit.com udp
US 8.8.8.8:53 iq.opensooq.com udp
US 8.8.8.8:53 ftp.the.hiveos.farm udp
US 8.8.8.8:53 mail.ns448.easy.gr udp
US 8.8.8.8:53 auth.riotgames.com udp
US 8.8.8.8:53 my.konami.net udp
US 8.8.8.8:53 ftp.my.economydesigner3.com udp
US 8.8.8.8:53 mail.120profit.com udp
US 8.8.8.8:53 mail.a3forum.fr udp
US 8.8.8.8:53 oauth.smartschool.be udp
US 8.8.8.8:53 ftp.solidariaweb.com.co udp
US 8.8.8.8:53 ftp.auth.demre.cl udp
US 8.8.8.8:53 ftp.nvsp.in udp
US 8.8.8.8:53 ftp.e-gaminghost.info udp
US 8.8.8.8:53 ftp.my.hirezstudios.com udp
BE 13.225.239.11:443 launchpad.classlink.com tcp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 104.21.57.237:80 ftp.ferrolikombiservismerkezi.com tcp
US 172.67.202.191:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 my.konami.net udp
US 8.8.8.8:53 s202.wildguns.pl udp
NL 20.47.97.75:443 account.xiaomi.com tcp
NL 20.47.97.75:80 account.xiaomi.com tcp
IN 61.0.172.246:80 nvsp.in tcp
US 104.21.34.37:80 discordea.net tcp
US 8.8.8.8:53 dcuniverseonline.com udp
US 8.8.8.8:53 mail.the.hiveos.farm udp
US 8.8.8.8:53 mail.iq.opensooq.com udp
US 8.8.8.8:53 e-gaminghost.info udp
US 8.8.8.8:53 ftp.br.z8games.com udp
BE 13.225.239.9:443 sisualuno.mec.gov.br tcp
US 8.8.8.8:53 mail.my.economydesigner3.com udp
IE 54.228.71.148:80 mail.iq.opensooq.com tcp
US 92.223.56.72:80 na.wargaming.net tcp
US 104.26.4.75:443 nationsglory.fr tcp
US 170.114.52.4:80 us04web.zoom.us tcp
US 104.17.7.82:80 analytics.moz.com tcp
US 8.8.8.8:53 54.203.20.104.in-addr.arpa udp
US 8.8.8.8:53 mail.auth.demre.cl udp
US 8.8.8.8:53 ftp.nationsglory.fr udp
US 8.8.8.8:53 mail.oauth.smartschool.be udp
US 104.17.7.82:80 analytics.moz.com tcp
US 8.8.8.8:53 ftp.mynextgen.io udp
US 172.67.171.112:80 tcp
US 208.118.63.10:80 myasp.net tcp
FR 87.98.186.54:443 ns448.easy.gr tcp
US 172.67.69.151:80 mynextgen.io tcp
BE 193.56.132.11:80 oauth.smartschool.be tcp
GB 23.214.154.77:443 steamcommunity.com tcp
US 45.60.22.52:80 solidariaweb.com.co tcp
US 8.8.8.8:53 dcuniverseonline.com udp
US 8.8.8.8:53 bolandperfume.com udp
US 8.8.8.8:53 us04web.zoom.us udp
US 8.8.8.8:53 s202.wildguns.pl udp
US 8.8.8.8:53 fotofastdelivery.net udp
US 8.8.8.8:53 ftp.siae.uam.mx udp
US 64.91.248.15:80 undertale-porn.com tcp
US 8.8.8.8:53 191.202.67.172.in-addr.arpa udp
US 8.8.8.8:53 37.34.21.104.in-addr.arpa udp
US 104.16.109.154:443 my.hirezstudios.com tcp
US 172.67.28.84:80 the.hiveos.farm tcp
BR 200.185.141.77:80 turbo.omnilink.com.br tcp
FR 37.187.148.167:80 mail.a3forum.fr tcp
US 172.67.203.243:80 my.economydesigner3.com tcp
US 8.8.8.8:53 mx1.account.xiaomi.com udp
US 8.8.8.8:53 mail.120profit.com udp
US 8.8.8.8:53 bolandperfume.com udp
US 8.8.8.8:53 correspondenciasdigitais.itau.com.br udp
US 8.8.8.8:53 mail.e-gaminghost.info udp
US 8.8.8.8:53 120profit.com udp
US 8.8.8.8:53 ssh.e-gaminghost.info udp
US 8.8.8.8:53 fotofastdelivery.net udp
US 8.8.8.8:53 s202.wildguns.pl udp
US 8.8.8.8:53 ftp.us04web.zoom.us udp
US 8.8.8.8:53 ssh.ns448.easy.gr udp
US 8.8.8.8:53 mx2.zoho.eu udp
US 8.8.8.8:53 br.z8games.com udp
US 8.8.8.8:53 ftp.undertale-porn.com udp
DE 213.239.212.61:443 ezytm.in tcp
US 8.8.8.8:53 mail.solidariaweb.com.co udp
US 104.20.203.54:443 sammobile.com tcp
US 8.8.8.8:53 ssh.ezytm.in udp
US 104.26.12.153:443 mail.de.myfigurecollection.net tcp
US 8.8.8.8:53 ssh.de.myfigurecollection.net udp
US 8.8.8.8:53 ssh.the.hiveos.farm udp
US 8.8.8.8:53 mail.nvsp.in udp
US 8.8.8.8:53 ssh.my.economydesigner3.com udp
US 8.8.8.8:53 ssh.iqarabian.net udp
US 8.8.8.8:53 ftp.ezytm.in udp
US 8.8.8.8:53 ftp.oauth.smartschool.be udp
US 8.8.8.8:53 mail.ns448.easy.gr udp
GB 104.84.79.45:80 correspondenciasdigitais.itau.com.br tcp
MX 148.206.159.226:80 siae.uam.mx tcp
US 8.8.8.8:53 ssh.120profit.com udp
US 8.8.8.8:53 ftp.account.xiaomi.com udp
US 8.8.8.8:53 ssh.auth.demre.cl udp
US 8.8.8.8:53 play.esea.net udp
US 8.8.8.8:53 kyte.site udp
IE 74.125.193.100:80 remotedesktop.google.com tcp
US 8.8.8.8:53 mail.br.z8games.com udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 ftp.solidariaweb.com.co udp
US 8.8.8.8:53 mail.my.hirezstudios.com udp
US 8.8.8.8:53 ssh.my.hirezstudios.com udp
US 8.8.8.8:53 ssh.nationsglory.fr udp
US 8.8.8.8:53 mail.auth.demre.cl udp
US 8.8.8.8:53 mail.my.economydesigner3.com udp
US 8.8.8.8:53 mail.the.hiveos.farm udp
US 8.8.8.8:53 ftp.nvsp.in udp
US 8.8.8.8:53 10.63.118.208.in-addr.arpa udp
US 8.8.8.8:53 ftp.e-gaminghost.info udp
GB 104.84.79.45:80 correspondenciasdigitais.itau.com.br tcp
US 8.8.8.8:53 ftp.the.hiveos.farm udp
US 8.8.8.8:53 167.148.187.37.in-addr.arpa udp
US 104.21.57.237:80 ftp.ferrolikombiservismerkezi.com tcp
US 8.8.8.8:53 s202.wildguns.pl udp
US 8.8.8.8:53 play.esea.net udp
US 8.8.8.8:53 kyte.site udp
US 8.8.8.8:53 www.myasp.net udp
US 8.8.8.8:53 ftp.analytics.moz.com udp
US 8.8.8.8:53 www.a3forum.fr udp
US 8.8.8.8:53 ftp.remotedesktop.google.com udp
US 8.8.8.8:53 lae-mx1.daybreakgames.com udp
US 8.8.8.8:53 launchpad.classlink.com udp

Files

memory/3648-2-0x0000000001B90000-0x0000000001B9B000-memory.dmp

memory/3648-1-0x0000000001BB0000-0x0000000001CB0000-memory.dmp

memory/3648-3-0x0000000000400000-0x0000000001A2C000-memory.dmp

memory/3384-4-0x00000000031A0000-0x00000000031B6000-memory.dmp

memory/3648-5-0x0000000000400000-0x0000000001A2C000-memory.dmp

memory/3648-8-0x0000000001B90000-0x0000000001B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\98A6.exe

MD5 398ab69b1cdc624298fbc00526ea8aca
SHA1 b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256 ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA512 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739

memory/2948-17-0x0000000003850000-0x0000000003A13000-memory.dmp

memory/2948-18-0x0000000003A20000-0x0000000003BD7000-memory.dmp

memory/632-19-0x0000000000400000-0x0000000000848000-memory.dmp

memory/632-22-0x0000000000400000-0x0000000000848000-memory.dmp

memory/632-23-0x0000000000400000-0x0000000000848000-memory.dmp

memory/632-24-0x0000000000400000-0x0000000000848000-memory.dmp

memory/632-25-0x0000000000400000-0x0000000000848000-memory.dmp

memory/632-26-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9ED1.dll

MD5 9b1697d40dfd386fdd7e9327844f301a
SHA1 e75defb119e2c7b7d3f75ab70a100ec504af5ebf
SHA256 69e7b08c127dde5fd1f85e1e8107d06aa686e94aef3fd48ff0bb092b38a0cb1d
SHA512 3e945bf24ed81fdc49e974d086a70f9758a17b8656bb0e460dca0be2a84fa0ba065b62b6dd5d55ca1dbe0b4f19ec4f164df84c115244f1cbfddd79611d013d69

memory/4844-34-0x0000000000CD0000-0x0000000000CD6000-memory.dmp

memory/4844-35-0x0000000010000000-0x0000000010202000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ABE2.exe

MD5 f5f798ecba790f756b78dd89ac64e502
SHA1 92bcc0200867e0721ad5b02dba346f21b8035664
SHA256 200b4a840b7e8632d1f0154f4ea79ed70c1ad9f6ed28ce80d0d26923242a99cd
SHA512 7f30d3326cfba0a4fb61a522d80376dbb1d30375b4d6f97f000c90d15358814a85d48e05802421fff20c2033163ed4f36b717279ef18c5911bc2622351d97bc3

C:\Users\Admin\AppData\Local\Temp\ABE2.exe

MD5 ea446e36071029f84b871f4ade6eb3bf
SHA1 1eb4be5b2321d2cc78e8e5b6fa0c55625fc6a612
SHA256 225a8f771eea223e9fc913d6dcbb32c93625192a82dc5671e58b16861d300568
SHA512 e356e8e4d08914658d027f2fe346143a9eaba327c02ac3093e1a4aaef7472795d098889df422d693a8914da0248f4cc7a00d335dbbd4356b886a8bd561a9268e

memory/1976-42-0x00000000001A0000-0x0000000000A91000-memory.dmp

memory/1976-41-0x0000000001080000-0x0000000001081000-memory.dmp

memory/1976-46-0x0000000002A50000-0x0000000002A51000-memory.dmp

memory/1976-48-0x0000000002A50000-0x0000000002A51000-memory.dmp

memory/1976-49-0x0000000002A50000-0x0000000002A82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AE92.exe

MD5 a1b5ee1b9649ab629a7ac257e2392f8d
SHA1 dc1b14b6d57589440fb3021c9e06a3e3191968dc
SHA256 2bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65
SHA512 50ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b

memory/1976-51-0x0000000002A50000-0x0000000002A82000-memory.dmp

memory/1976-52-0x0000000002A50000-0x0000000002A82000-memory.dmp

memory/5016-55-0x0000000001C50000-0x0000000001D50000-memory.dmp

memory/5016-56-0x00000000036F0000-0x000000000375B000-memory.dmp

memory/632-58-0x0000000000400000-0x0000000000848000-memory.dmp

memory/5016-57-0x0000000000400000-0x0000000001A77000-memory.dmp

memory/4844-59-0x0000000002940000-0x0000000002A68000-memory.dmp

memory/4844-60-0x0000000002A70000-0x0000000002B7D000-memory.dmp

memory/4844-63-0x0000000002A70000-0x0000000002B7D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B932.exe

MD5 ef97a2cf8f3015c110351bf96c790836
SHA1 2d6a3cafde1c16e1ece10ae20ab182b50d54e6d5
SHA256 225b608e1e208b1d5beadb157750091b67cfca2d47b444e59c2567a423834739
SHA512 5e3eb887c3c2bf3a602090984cbca2d0a3c50fb4248282c866c4df88a914739ca201783285b88450f642be15bce57c69f61d60f84ed96f9b892211982ce2fe6a

C:\Users\Admin\AppData\Local\Temp\B932.exe

MD5 f0ad6d68d2595f49f9f1c24513a2915a
SHA1 01d7505030a8c23e044aa373624b3d0ba4aca8ca
SHA256 ce5a77e91440ad1251cdfa4be58450ca942a3a92ade0fc48abe64cb733a6fdc6
SHA512 755f2c69a9d4ee5b570058499a34f2093bdbc4e575184b511e23f12c18d9f27ecf5fa1ca2437e7f0d99d2f3c9abc5f0f1e7d9a8ff57fa1ded734644d1cc21dd5

memory/2860-68-0x0000000000240000-0x00000000006CC000-memory.dmp

memory/2860-69-0x0000000073C90000-0x0000000074440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

MD5 0564a9bf638169a89ccb3820a6b9a58e
SHA1 57373f3b58f7cc2b9ea1808bdabb600d580a9ceb
SHA256 9e4b0556f698c9bc9a07c07bf13d60908d31995e0bd73510d9dd690b20b11058
SHA512 36b81c374529a9ba5fcbc6fcfebf145c27a7c30916814d63612c04372556d47994a8091cdc5f78dab460bb5296466ce0b284659c8b01883f7960ab08a1631ea6

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 14a51bd9bcd50a7de4e4c7f3be243294
SHA1 058b9962697644087087dd2c81f158a676ed044a
SHA256 66c2f28ee6d0c3bf54525c0ebb55c4c10f7065e5abf2555a3193c89405ad8e91
SHA512 2c0556c494c4574aa52104a12f7ed5d73ff754f5b4d9b6613f95ca2a94592f6552103f7aad790f814076fbe619abc207501c507e900fd823454f406ad1b76f44

memory/632-84-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4904-87-0x0000000001CF0000-0x0000000001DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 d8b44191aed4506044ef57a952c299b9
SHA1 7cc2b70e06728f3ab50325991ff5f8472bf5ed0f
SHA256 07fc5910c33228e5658d31829142e85dc40d40491ec314ac97689528b687aaa8
SHA512 0ac226cdadfc5f20d049e053f71957a14a3c5fd10409f62ac75cd363fa7abc9f83ee269bd9a05e12eeb1e7b78c04e9a49cdbf79a5bd5ce24c9246d2f67434b6d

memory/632-93-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4904-90-0x00000000036A0000-0x0000000003707000-memory.dmp

memory/4904-94-0x0000000000400000-0x0000000001A4B000-memory.dmp

memory/2860-88-0x0000000073C90000-0x0000000074440000-memory.dmp

memory/1916-97-0x00000000039D0000-0x0000000003DCF000-memory.dmp

memory/1916-98-0x0000000003ED0000-0x00000000047BB000-memory.dmp

memory/1916-106-0x0000000000400000-0x0000000001E0F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 6450edca72c459cbce71afa12ceeaa00
SHA1 45a3c790fcbf50da668538d64f2a7819e35c358b
SHA256 46e628baec83704e4a11b37d44f289dcd086f4c4bb8a0204a3e0241469107112
SHA512 e3890c4cc854e4d07b72658fe5e4c3f6b29843831fd29c6b1d27391656423e9e03b64089f9f536451105063e2420d5969e9561b37a2f8a8b6b568242020b9433

C:\Users\Admin\AppData\Local\Temp\u3s8.0.exe

MD5 d0de3ce247b4ebb9b0778563f7bb3a47
SHA1 20259867152e73d0027da63f8c351c4e911690ca
SHA256 de333c544b3def02e10b7a8d1c3677efbcbb010ecce2b601573dae1584b9cc1f
SHA512 3811fe4864c154ee020a6c158557e1d42e8ef954c836192acb19241343ad01a2c21e69960f4780b5e2404bf963de0e51cf01fe0ed2b012c8cbec95b36c21661d

C:\Users\Admin\AppData\Local\Temp\C808.exe

MD5 0c3f7f76be32866fafcf1b1d26b831c3
SHA1 d7bb7e9437e922de417ce9e9102d2ee6cba7e9e7
SHA256 454e17045a7dd1a6a36dc0a8dcf5dfeebcd0ea36436c94d793de80bd9f150fe2
SHA512 a09084ab2dd088b85b2dbce2e4973c91a372898eda91419c1a79058a53742cced45d87b1c67b2e8c5528c333a2bf0e16d005edcdf33da40626c3c7b07933ad1d

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 c24f1ebbd32f61b861d09cca6f09bc19
SHA1 ea553e1b66fceef60f5bf62f1492db7661eb66ff
SHA256 63ee12640fa0e2b061d1afd5fd89f7c1d832601f81312cb4eac7e8e107eb98ed
SHA512 28c897569b6e3db50ed31288b395e980aa21bd4170992ec773481d01773c6e6f1e3f2e35d4b5078e263fa45ab294a90203e3e15d21fa5e395ae6b47e8b96f191

C:\Users\Admin\AppData\Local\Temp\u3s8.1.exe

MD5 5b87828ea000c7111084d8beed17175e
SHA1 e8aa3848e39c449051702a333e608fafd2e5330f
SHA256 1a557fae2d39d06392f4bea760fb72c87f0959a7c3ac66865e36f316866f57d3
SHA512 56b0d0e5422b89a4659969f59570962dbb267fde913ed051fbedf3d66653c9c23d15c945a6ae8ce5570af010b3671eb0be085e8afb44c3088def9f423290f385

C:\Users\Admin\AppData\Local\Temp\u3s8.1.exe

MD5 d402d420fce991517d2ea40202852224
SHA1 9b31490f2d98d12d3820c2de9e59865ff69d90c8
SHA256 87e4d59ba2ab9708b0c95e151193765c9804c902c372aee439732ff59dd52f9c
SHA512 4d86cbe168c6aa312d3ec6c08c89ca50ccb5dac44bbfbbc508a950e63ab4e99a773e6bf50313f92699a98812dd66a36ee574bd1042b19f14323db7b99465c2b7

C:\Users\Admin\AppData\Local\Temp\u3s8.1.exe

MD5 73d0427d9595724dd3d1408e14b3cf4f
SHA1 ee9f967fa342ad6529c2ac6d35f7bab97912266d
SHA256 8edc1054c407ce58e264800a20c83efa5e528ec7f3917a2887721f3aa0759815
SHA512 f878c369c15290f48e08dfc10f3818e622cee32cfb1a7ffcef3dc3473ac27d62985d5b1e9a0813fe025ac573abb8e2a45c7f0015f642fb6f9b972d87cf9d5dc9

memory/4844-134-0x0000000010000000-0x0000000010202000-memory.dmp

memory/5016-135-0x0000000000400000-0x0000000001A77000-memory.dmp

memory/1064-136-0x0000000000400000-0x0000000000930000-memory.dmp

memory/1976-137-0x00000000001A0000-0x0000000000A91000-memory.dmp

memory/1064-138-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

memory/4904-141-0x0000000000400000-0x0000000001A4B000-memory.dmp

memory/1960-146-0x0000000003F00000-0x0000000003F0B000-memory.dmp

memory/1960-145-0x0000000002660000-0x0000000002760000-memory.dmp

memory/1976-142-0x0000000002A50000-0x0000000002A51000-memory.dmp

memory/1960-147-0x0000000000400000-0x00000000022D4000-memory.dmp

memory/1916-149-0x0000000000400000-0x0000000001E0F000-memory.dmp

memory/632-150-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1976-152-0x0000000002A50000-0x0000000002A82000-memory.dmp

memory/1976-154-0x0000000002A50000-0x0000000002A82000-memory.dmp

memory/1976-153-0x0000000002A50000-0x0000000002A82000-memory.dmp

memory/4340-155-0x0000000002530000-0x0000000002630000-memory.dmp

memory/4340-157-0x0000000002460000-0x0000000002487000-memory.dmp

memory/4340-161-0x0000000000400000-0x00000000022DC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/3384-169-0x0000000003550000-0x0000000003566000-memory.dmp

memory/4340-173-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1960-171-0x0000000000400000-0x00000000022D4000-memory.dmp

memory/4340-223-0x0000000000400000-0x00000000022DC000-memory.dmp

memory/1976-225-0x0000000002A50000-0x0000000002A82000-memory.dmp

memory/1064-224-0x0000000000400000-0x0000000000930000-memory.dmp

memory/5016-226-0x0000000001C50000-0x0000000001D50000-memory.dmp

memory/632-230-0x0000000000400000-0x0000000000848000-memory.dmp

memory/632-231-0x0000000000400000-0x0000000000848000-memory.dmp

memory/632-235-0x0000000000400000-0x0000000000848000-memory.dmp

memory/632-236-0x0000000000400000-0x0000000000848000-memory.dmp

memory/632-238-0x0000000000400000-0x0000000000848000-memory.dmp

memory/632-237-0x0000000000400000-0x0000000000848000-memory.dmp

memory/632-241-0x0000000000400000-0x0000000000848000-memory.dmp

memory/632-240-0x0000000000400000-0x0000000000848000-memory.dmp

memory/632-242-0x0000000000400000-0x0000000000848000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 b0d1706961e95955b6de992b41284061
SHA1 37160c22863d4c030e618bff76a507dfb0c52721
SHA256 5d3202c1e0d8eb4702e3ce68af119df0e3f63c6d176f5341b1eb35bba5fc16cc
SHA512 26dde3eb4a8e3a34aa7e409558722db18b26856ac7895303221c93459ea3001750a18cf9f2b2987a70ee2c5d30adb2743e7da059b7d7559b69d8ffe3b8616f3e

C:\ProgramData\nss3.dll

MD5 8522d68e2f3685042af5ccdc5c3d72c7
SHA1 78baa0a9e336d7d9103347cf94f46a60e15703b9
SHA256 4996f5f97f1526d8052e6ccb5581db8f37b86ff138951bba12141d0f6462741f
SHA512 c623b6ef03dde5b3dbd11b6872b257af3a3aa8999d7e72d9eff578a01760162ca950e4c2cf5ede5035a50f68e93cd856ec609368196c66854e68a84db29d6748

C:\ProgramData\mozglue.dll

MD5 4d1f2f1286f51561af51cd459568ad96
SHA1 318d68667307082be6129326678af41aa3bb1048
SHA256 e11f28d0a54156d633548b50ce8cb2b89ef3f280e18dec95d5ed3cbb402e931b
SHA512 7a6ff11bbf186f360ce2ff48bcb333d9478f645f76dbc622d2664a88a17dfd6957dabf3b544f70864b10663bdd1d36947a71e67ea9282a5697bce5a201d92bff

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b