Analysis Overview
SHA256
d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544
Threat Level: Known bad
The file d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544 was found to be: Known bad.
Malicious Activity Summary
Stealc
RedLine
Lumma Stealer
Detect ZGRat V1
Amadey
SmokeLoader
DcRat
ZGRat
RedLine payload
Pitou
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Blocklisted process makes network request
UPX packed file
Executes dropped EXE
Reads data files stored by FTP clients
Loads dropped DLL
Deletes itself
Reads WinSCP keys stored on the system
Identifies Wine through registry keys
Unexpected DNS network traffic destination
Checks BIOS information in registry
Reads user/profile data of web browsers
Reads local data of messenger clients
Adds Run key to start application
Looks up external IP address via web service
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Writes to the Master Boot Record (MBR)
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Analysis: static1
Detonation Overview
Reported
2024-03-14 05:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-14 05:12
Reported
2024-03-14 05:17
Platform
win7-20240220-en
Max time kernel
44s
Max time network
300s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Pitou
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Stealc
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8E89.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8E89.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8E89.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8E89.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B76F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B76F.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\8E89.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B76F.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 91.211.247.248 | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8E89.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1200 set thread context of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\B76F.exe | C:\Users\Admin\AppData\Local\Temp\B76F.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\8E89.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\197E.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\EF51.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe | N/A |
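The registry reads recorded above are the usual anti-analysis fingerprint: the ACPI DSDT vendor table (VBOX__), the System/Video BIOS version strings, the per-user Software\Wine key, and enumeration of the SCSI device tree (where virtual disks expose vendor names). As an added example, not part of this report or of the sandbox's own signature engine, the Python below groups such registry events by process and flags a process only when it touches two or more distinct check categories, since a lone SCSI enumeration is routine for installers. The event tuples are transcribed from the tables above plus one constructed benign event for contrast; the category patterns, the grouping and the threshold are this example's own assumptions.

```python
"""Score sandbox registry events for anti-analysis checks.

Added example; the categories, regexes and threshold are assumptions made
for illustration and are not the sandbox vendor's signature logic.
"""
import re
from collections import defaultdict

# (operation, key path, process) as shown in the report's signature tables,
# plus one constructed benign event (explorer reading the Run key).
EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
     r"C:\Users\Admin\AppData\Local\Temp\8E89.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
     r"C:\Users\Admin\AppData\Local\Temp\8E89.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
     r"C:\Users\Admin\AppData\Local\Temp\8E89.exe"),
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine",
     r"C:\Users\Admin\AppData\Local\Temp\8E89.exe"),
    ("Key enumerated", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI",
     r"C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe"),
    # Constructed benign event: a Run-key read is not an anti-analysis check.
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     r"C:\Windows\explorer.exe"),
]

# One regex per check category. The category names are this example's own;
# the hypervisor vendor strings beyond VBOX__ are assumptions for generality.
CATEGORIES = {
    "hypervisor_acpi": re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\(VBOX__|VMWARE|QEMU|XEN)", re.I),
    "bios_strings":    re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    "wine":            re.compile(r"\\Software\\Wine$", re.I),
    "disk_enum":       re.compile(r"\\SYSTEM\\ControlSet\d+\\Enum\\(SCSI|IDE)$", re.I),
}


def classify(key):
    """Return the anti-analysis category a key path falls into, or None."""
    for name, pat in CATEGORIES.items():
        if pat.search(key):
            return name
    return None


def score_processes(events):
    """Map process path -> set of distinct anti-analysis categories it touched."""
    hits = defaultdict(set)
    for _op, key, proc in events:
        cat = classify(key)
        if cat:
            hits[proc].add(cat)
    return dict(hits)


def verdicts(events, threshold=2):
    """Flag processes touching >= threshold distinct categories.

    One category alone (a single SCSI enumeration, say) is common in setup
    programs, so the default threshold is an assumption chosen to avoid
    flagging ordinary installers.
    """
    return {p: sorted(c) for p, c in score_processes(events).items() if len(c) >= threshold}


if __name__ == "__main__":
    for proc, cats in verdicts(EVENTS).items():
        print(f"{proc}: {', '.join(cats)}")
```

Run against the transcribed events, only 8E89.exe is flagged (three categories); the main sample's SCSI enumeration alone stays below the threshold, which matches how the report itself separates "Checks SCSI registry key(s)" from the explicit anti-VM signatures.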
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8E89.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe
"C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe"
C:\Users\Admin\AppData\Local\Temp\8E89.exe
C:\Users\Admin\AppData\Local\Temp\8E89.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AFEF.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\AFEF.dll
C:\Users\Admin\AppData\Local\Temp\B76F.exe
C:\Users\Admin\AppData\Local\Temp\B76F.exe
C:\Users\Admin\AppData\Local\Temp\B76F.exe
C:\Users\Admin\AppData\Local\Temp\B76F.exe
C:\Users\Admin\AppData\Local\Temp\EF51.exe
C:\Users\Admin\AppData\Local\Temp\EF51.exe
C:\Users\Admin\AppData\Local\Temp\197E.exe
C:\Users\Admin\AppData\Local\Temp\197E.exe
C:\Users\Admin\AppData\Local\Temp\217A.exe
C:\Users\Admin\AppData\Local\Temp\217A.exe
C:\Users\Admin\AppData\Local\Temp\38F1.exe
C:\Users\Admin\AppData\Local\Temp\38F1.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 124
C:\Users\Admin\AppData\Local\Temp\466A.exe
C:\Users\Admin\AppData\Local\Temp\466A.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"
C:\Users\Admin\AppData\Local\Temp\april.exe
"C:\Users\Admin\AppData\Local\Temp\april.exe"
C:\Users\Admin\AppData\Local\Temp\is-NBFM7.tmp\466A.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NBFM7.tmp\466A.tmp" /SL5="$8011C,1678053,54272,C:\Users\Admin\AppData\Local\Temp\466A.exe"
C:\Users\Admin\AppData\Local\Temp\is-7F4QC.tmp\april.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7F4QC.tmp\april.tmp" /SL5="$80120,1697899,56832,C:\Users\Admin\AppData\Local\Temp\april.exe"
C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe
"C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe" -i
C:\Users\Admin\AppData\Local\Temp\6550.exe
C:\Users\Admin\AppData\Local\Temp\6550.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
C:\Users\Admin\AppData\Local\Temp\u1ik.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1ik.0.exe"
C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe
"C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe" -s
C:\Users\Admin\AppData\Local\Temp\u1ik.1.exe
"C:\Users\Admin\AppData\Local\Temp\u1ik.1.exe"
C:\Users\Admin\AppData\Local\Temp\8B67.exe
C:\Users\Admin\AppData\Local\Temp\8B67.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 576
C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe
"C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprime1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000837001\goldprime1234.exe"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Users\Admin\AppData\Local\Temp\1000838001\judith1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000838001\judith1234.exe"
C:\Users\Admin\AppData\Local\Temp\1000865001\dais.exe
"C:\Users\Admin\AppData\Local\Temp\1000865001\dais.exe"
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\721934792624_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\AppData\Local\Temp\1000858001\alex12341.exe
"C:\Users\Admin\AppData\Local\Temp\1000858001\alex12341.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BAEBGHCFCA.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FCBAEHCAEG.exe"
C:\Users\Admin\AppData\Local\Temp\BAEBGHCFCA.exe
"C:\Users\Admin\AppData\Local\Temp\BAEBGHCFCA.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000874021\random.cmd" "
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\TWO.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\TWO.exe"
C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe
"C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe"
C:\Users\Admin\AppData\Local\Temp\1000903001\lummahelp.exe
"C:\Users\Admin\AppData\Local\Temp\1000903001\lummahelp.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 256
C:\Users\Admin\AppData\Local\Temp\onefile_1448_133548669116962000\stub.exe
"C:\Users\Admin\AppData\Local\Temp\1000838001\judith1234.exe"
C:\Users\Admin\AppData\Local\Temp\1000935001\InstallSetup3.exe
"C:\Users\Admin\AppData\Local\Temp\1000935001\InstallSetup3.exe"
C:\Users\Admin\AppData\Local\Temp\1000936001\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\1000936001\toolspub1.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\BAEBGHCFCA.exe
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
C:\Users\Admin\AppData\Local\Temp\1000010001\frukt.exe
"C:\Users\Admin\AppData\Local\Temp\1000010001\frukt.exe"
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
"C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN InstallSetup8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe" /F
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\system32\taskeng.exe
taskeng.exe {F9BA1921-EEBE-4548-95F1-4EB0350C7231} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\721934792624_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F66.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\7818.exe
C:\Users\Admin\AppData\Local\Temp\7818.exe
C:\Users\Admin\AppData\Local\Temp\7818.exe
C:\Users\Admin\AppData\Local\Temp\7818.exe
C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
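Several lines in the process list above are one-line techniques that are easy to pattern-match in process-creation telemetry: the ping-then-del self-deletion stub, minute-interval schtasks persistence pointing into Temp, rundll32 loading cred64.dll and clip64.dll from AppData\Roaming, netsh wlan show profiles (Wi-Fi credential dump), PowerShell Compress-Archive staging a Desktop zip, cmd /c start launching a dropped executable, and a reg add marker key under HKCU. As an added example that is not the sandbox's own ruleset, the Python below applies a small rule set to command lines transcribed from this section. The rule names and regexes are this example's own assumptions; the two benign command lines in the test are constructed.

```python
"""Rule-based triage of process command lines from a sandbox run.

Added example, not the sandbox vendor's signatures. Command lines in
REPORT_CMDLINES are transcribed from the report's Processes section.
"""
import re

REPORT_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\BAEBGHCFCA.exe',
    r"""schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F""",
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN InstallSetup8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe" /F',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main',
    r"netsh wlan show profiles",
    r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\721934792624_Desktop.zip' -CompressionLevel Optimal",
    r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BAEBGHCFCA.exe"',
    r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1',
]

# Rule names and patterns are this example's own. Each comment states the
# behaviour the pattern is meant to catch, not a claim about the family.
RULES = {
    # ping used as a sleep, followed by del on the same line: self-deletion stub
    "self_delete_via_ping": re.compile(r"\bping\b[^&]*&\s*del\b", re.I),
    # scheduled task created at minute granularity (both casings seen above)
    "schtasks_minute_persistence": re.compile(r"schtasks(\.exe)?\"?\s+/create\b.*?/sc\s+minute\b", re.I),
    # rundll32 loading a DLL that lives under a user's AppData tree
    "rundll32_appdata_dll": re.compile(r"rundll32(\.exe)?\"?\s+\"?C:\\Users\\[^\\]+\\AppData\\.*?\.dll", re.I),
    # Wi-Fi profile enumeration, the first step of saved-password extraction
    "wifi_profile_dump": re.compile(r"\bnetsh\s+wlan\s+show\s+profiles?\b", re.I),
    # PowerShell archive creation: collection staged for upload
    "archive_staging": re.compile(r"\bCompress-Archive\b", re.I),
    # cmd /c start "" "<Temp>\x.exe": detached launch of a dropped binary
    "cmd_start_from_temp": re.compile(r"\bstart\s+\"\"\s+\"C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I),
    # reg add under HKCU from a script: infection marker or config value
    "reg_add_hkcu": re.compile(r"\breg(\.exe)?\"?\s+add\s+\"?HK(EY_)?CU", re.I),
}


def triage(cmdline):
    """Return the names of every rule a single command line matches."""
    return [name for name, pat in RULES.items() if pat.search(cmdline)]


def summarize(cmdlines):
    """Count matches per rule across a process list; rules with no hits are omitted."""
    counts = {}
    for line in cmdlines:
        for name in triage(line):
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for line in REPORT_CMDLINES:
        print(triage(line), line[:80])
    print(summarize(REPORT_CMDLINES))
```

The ping rule deliberately requires the `&`/`del` pair on the same line; the bare `ping 2.2.2.2 -n 1 -w 3000` child process that the report also lists matches nothing on its own, which keeps the rule from firing on ordinary connectivity checks.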
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| RU | 185.215.113.45:80 | 185.215.113.45 | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | midnight.bestsup.su | udp |
| US | 172.67.171.112:80 | midnight.bestsup.su | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.187:80 | 185.172.128.187 | tcp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| DE | 185.172.128.187:80 | 185.172.128.187 | tcp |
| KR | 211.171.233.129:80 | trmpc.com | tcp |
| DE | 185.172.128.126:80 | 185.172.128.126 | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| US | 8.8.8.8:53 | nidoe.org | udp |
| MO | 122.100.154.145:80 | nidoe.org | tcp |
| MO | 122.100.154.145:80 | nidoe.org | tcp |
| MO | 122.100.154.145:80 | nidoe.org | tcp |
| MO | 122.100.154.145:80 | nidoe.org | tcp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| DE | 185.172.128.187:80 | 185.172.128.187 | tcp |
| MO | 122.100.154.145:80 | nidoe.org | tcp |
| RU | 193.233.132.62:57893 | 193.233.132.62 | tcp |
| MO | 122.100.154.145:80 | nidoe.org | tcp |
| MO | 122.100.154.145:80 | nidoe.org | tcp |
| DE | 185.172.128.109:80 | 185.172.128.109 | tcp |
| MO | 122.100.154.145:80 | nidoe.org | tcp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| RU | 81.94.150.149:80 | galandskiyher5.com | tcp |
| MO | 122.100.154.145:80 | nidoe.org | tcp |
| RU | 193.233.132.56:80 | 193.233.132.56 | tcp |
| MO | 122.100.154.145:80 | nidoe.org | tcp |
| RU | 193.233.132.139:30468 | 193.233.132.139 | tcp |
| DE | 185.172.128.33:8970 | | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.187:80 | 185.172.128.187 | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 193.233.132.56:80 | 193.233.132.56 | tcp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.150.149:80 | trad-einmyus.com | tcp |
| RU | 193.233.132.56:80 | 193.233.132.56 | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| KR | 119.204.11.2:80 | sdfjhuz.com | tcp |
| TR | 217.195.207.156:47721 | | tcp |
| LT | 91.211.247.248:53 | bwdynuu.com | udp |
| RU | 5.42.65.31:48396 | | tcp |
| TR | 195.16.74.230:80 | bwdynuu.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | sportessentia.home.pl | udp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
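The network table mixes four things a responder wants separated: DNS queries (and which resolver answered them, since one query went to 91.211.247.248 rather than the sandbox's 8.8.8.8, the "Unexpected DNS network traffic destination" hit), plain-HTTP connections straight to an IP with no hostname, connections on non-standard ports, and the external-IP echo services named in the signatures. As an added example, not tooling from the report or the sandbox, the Python below parses a representative subset of the rows above and sorts them into those buckets. The expected resolver set and the echo-service list are this example's assumptions; rows with an empty Domain column are transcribed with that column left blank.

```python
"""Sort sandbox network-table rows into IOC buckets.

Added example; the row parser and the bucket definitions are this
example's own, not part of the report or its sandbox.
"""
import ipaddress

# Representative rows transcribed from the report's Network table.
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| RU | 185.215.113.45:80 | 185.215.113.45 | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| RU | 193.233.132.139:30468 | 193.233.132.139 | tcp |
| DE | 185.172.128.33:8970 | | tcp |
| LT | 91.211.247.248:53 | bwdynuu.com | udp |
| TR | 195.16.74.230:80 | bwdynuu.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
"""

EXPECTED_RESOLVERS = {"8.8.8.8"}                      # assumption: the sandbox's DNS server
IP_ECHO_SERVICES = {"api.ipify.org", "api.2ip.ua"}    # the services the report's signatures name


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_row(line):
    """Parse one '| Country | ip:port | Domain | Proto |' row into a dict."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        raise ValueError(f"expected 4 columns: {line!r}")
    country, dest, domain, proto = cells
    host, _, port = dest.rpartition(":")
    return {"country": country, "ip": host, "port": int(port),
            "domain": domain, "proto": proto.lower()}


def parse_table(text):
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def analyze(rows):
    """Bucket rows into resolver anomalies, direct-IP HTTP, odd ports, echo lookups, domains."""
    findings = {
        "unexpected_dns_resolver": set(),   # DNS sent somewhere other than the expected resolver
        "direct_ip_http": set(),            # port-80 TCP with no hostname (domain blank or == ip)
        "nonstandard_port": set(),          # TCP to anything other than 80/443
        "ip_echo_lookup": set(),            # external-IP discovery services
        "domains": set(),                   # every other hostname contacted or resolved
    }
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["ip"] not in EXPECTED_RESOLVERS:
            findings["unexpected_dns_resolver"].add(r["ip"])
        if r["proto"] == "tcp":
            if r["port"] not in (80, 443):
                findings["nonstandard_port"].add(f"{r['ip']}:{r['port']}")
            if r["port"] == 80 and r["domain"] in ("", r["ip"]):
                findings["direct_ip_http"].add(r["ip"])
        if r["domain"] and not _is_ip(r["domain"]):
            bucket = "ip_echo_lookup" if r["domain"] in IP_ECHO_SERVICES else "domains"
            findings[bucket].add(r["domain"])
    return findings


if __name__ == "__main__":
    for bucket, values in analyze(parse_table(NETWORK_TABLE)).items():
        print(f"{bucket}: {sorted(values)}")
```

The direct-IP bucket is the one to block first: a loader beaconing to a bare IP on port 80 has no hostname to sinkhole, whereas the domains bucket can go to DNS blocking and the resolver anomaly is a detection on its own (a host that sends DNS to an address that is not the configured resolver).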
Files
memory/2904-1-0x00000000007B0000-0x00000000008B0000-memory.dmp
memory/2904-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2904-3-0x0000000000400000-0x000000000071E000-memory.dmp
memory/2904-5-0x0000000000400000-0x000000000071E000-memory.dmp
memory/1204-4-0x0000000002E20000-0x0000000002E36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8E89.exe
| MD5 | b6297922e4d7e05d1b009613d201883e |
| SHA1 | b6c739fd153f0078e115386bd0f87d784c1b5588 |
| SHA256 | 91a101f00488af2027b7fee5bfe9a14f290bcc401d183d352c9de40625af3700 |
| SHA512 | ab503a34d096ba5b6695505054e12ddf16ddd1407c1737d0fb5655b21947bab4de49e546b0ee1bbc9cdd581b8f32522ec720d27fa0fe9b79796ea0e3a6e3be79 |
memory/2632-17-0x00000000008C0000-0x0000000000D6E000-memory.dmp
memory/2632-18-0x0000000077350000-0x0000000077352000-memory.dmp
memory/2632-30-0x0000000002450000-0x0000000002451000-memory.dmp
memory/2632-29-0x0000000000EF0000-0x0000000000EF1000-memory.dmp
memory/2632-28-0x0000000002510000-0x0000000002511000-memory.dmp
memory/2632-27-0x0000000002470000-0x0000000002471000-memory.dmp
memory/2632-26-0x0000000002440000-0x0000000002441000-memory.dmp
memory/2632-25-0x0000000002520000-0x0000000002521000-memory.dmp
memory/2632-24-0x0000000000D80000-0x0000000000D81000-memory.dmp
memory/2632-23-0x00000000026C0000-0x00000000026C1000-memory.dmp
memory/2632-22-0x0000000002480000-0x0000000002481000-memory.dmp
memory/2632-21-0x0000000002590000-0x0000000002591000-memory.dmp
memory/2632-20-0x0000000002530000-0x0000000002531000-memory.dmp
memory/2632-19-0x00000000008C0000-0x0000000000D6E000-memory.dmp
memory/2632-33-0x0000000002860000-0x0000000002861000-memory.dmp
memory/2632-32-0x0000000002460000-0x0000000002461000-memory.dmp
memory/2632-35-0x0000000000E90000-0x0000000000E91000-memory.dmp
memory/2632-34-0x0000000002810000-0x0000000002811000-memory.dmp
memory/2632-36-0x0000000002B70000-0x0000000002B71000-memory.dmp
memory/2632-41-0x00000000008C0000-0x0000000000D6E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AFEF.dll
| MD5 | 54cb28e69125f2bc899399942744ab45 |
| SHA1 | d44785924d075f97e45618e82f53ef61ed4a2b51 |
| SHA256 | f601f958e30cf92f2af4a14209153eab34bbe5cb347f5ce8f340c3a945bdfd7d |
| SHA512 | b9193bb4ab19460cd588ab8a8f8ea7a02003d55168fa1df0d2042b5e7fb60ee7e0c656f288d800ec80785214259133c26283f653098e79d0fdccfe1a83c3e920 |
\Users\Admin\AppData\Local\Temp\AFEF.dll
| MD5 | 2fec3edd89c1341cdb4d83933b9019c6 |
| SHA1 | 28b0c38d3f8b4fc9fc365173ff85cb2d963c9e11 |
| SHA256 | 1a52d0d48a027a8be37104220ede8268f83c815ed0eeb1110b9a8704cf8f4bfc |
| SHA512 | f58fed736c7bcf29e145ce00c4bf0ea57ea9fb178383f64bc0cdcf550e4d01bbe6ed2c96178ba5143e226d49e9c3621b43a915305e6abb855b8abedb243111b1 |
memory/1708-45-0x0000000010000000-0x00000000102CE000-memory.dmp
memory/1708-47-0x00000000001C0000-0x00000000001C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B76F.exe
| MD5 | 996c2b1fb60f980ea6618aeefbe4cebf |
| SHA1 | a8553f7f723132a1d35f7a57cae1a2e267cbc2ac |
| SHA256 | f91c0a4753cdb98cce0ade020917fdefe7a8daf88d23b4c07595de741402ca50 |
| SHA512 | 4af8fb921a332c5ac3d43b85bc23c859e431702e00852537bf1831c7af8b990d880808d044a1317873c77fbdecb1af7c97bed9edd9e2185bcbfa390c463f9056 |
C:\Users\Admin\AppData\Local\Temp\B76F.exe
| MD5 | a3753e9ed59f01cb1571ac0c5430a8a8 |
| SHA1 | f85e924060cfe5da576e2773b6a0acb62eaeea98 |
| SHA256 | 7074367a6e92a34cff78eece62750916395a07b73675c6e52d3373490bf9f64d |
| SHA512 | 209a366f793e75e00f4a9b85d543a8b09b1da22feeaa8dc68faea861b7dbfe2ac53897bcd2d5c211fe6332b31d662c4ed0f1e89f1689036ac6a10dc814d616a6 |
memory/1708-54-0x0000000002670000-0x000000000279B000-memory.dmp
memory/1708-55-0x00000000027A0000-0x00000000028AF000-memory.dmp
memory/1708-58-0x00000000027A0000-0x00000000028AF000-memory.dmp
memory/1200-59-0x0000000001F50000-0x0000000002108000-memory.dmp
memory/1200-60-0x0000000001F50000-0x0000000002108000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B76F.exe
| MD5 | d0e1400d23279e9d4772b0ae3c0d9e54 |
| SHA1 | 5b5ac3776b98ec30c1fd98666f53fd98906b3f9f |
| SHA256 | d1608cdf18108b0c1f7485191127d46380771c1e3e9eb5af6dbebc63171bdafe |
| SHA512 | df8601246b48e3aef28d6443aa4a1b8d573ca6b52fb4ab048521372adaf8eabf2e735a28c7f32604dbc3045063fee0d9fffa61f17c4e64d8ac318d01891abec3 |
memory/1756-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1200-63-0x0000000002110000-0x00000000022C7000-memory.dmp
memory/1756-66-0x0000000000400000-0x0000000000848000-memory.dmp
memory/1756-68-0x0000000000400000-0x0000000000848000-memory.dmp
memory/1756-69-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B76F.exe
| MD5 | 412622de109100dbe7c1407b8e15a2fe |
| SHA1 | aa21b277bea98a2c606eb1f8bc9e84cb8761ecc1 |
| SHA256 | de937417a1f8731bf9d53d24d7584fdadde27f0388bb47b4ff46da8ffb228017 |
| SHA512 | 1352d2968b0d7d65bf9b9581ec0b6df18c38030a66c2392712465ee74ee029d82be2d65d868ad1f2710036e260490780f8062d5adbfc83289d6c5ba50a502d7f |
memory/1756-70-0x0000000000400000-0x0000000000848000-memory.dmp
memory/1756-71-0x0000000000400000-0x0000000000848000-memory.dmp
\Users\Admin\AppData\Local\Temp\B76F.exe
| MD5 | 6d392f1421340e79a359d5e608734ecf |
| SHA1 | cb36d6ce45aa9d31bb5c2b8b2d366fe426400a1d |
| SHA256 | 8f60d4b36646e9bdd1174e92267cd28dacb6749e7bede209f5335c966ab3b707 |
| SHA512 | cecdb41d9646397e5e576b21c564a7a1ff36a0719878180b9fda466ec634d8b5f858411cc84c8b748780e931936ae0c81033bfc26229a1e83ddd642e8b6d449f |
memory/1756-72-0x0000000000400000-0x0000000000848000-memory.dmp
memory/1756-75-0x0000000000270000-0x0000000000276000-memory.dmp
\Users\Admin\AppData\Local\Temp\AFEF.dll
| MD5 | e38a5abdc5910bd18427552de8930b14 |
| SHA1 | c4828008057429bc4c35fab01045b5ef18d2fda8 |
| SHA256 | 567b3e0ffd4e8403f5a52a7469f76fafc40e73ae95bc8ef5903b748a5949b4cc |
| SHA512 | 7a2ac8309ef3661d89117ee0e248db7fad06bff6867ca44c9ef913e3f6270112abe65bf312c9fc2d70831704072b4b655a112034a5754b1fceee662172ca8db8 |
memory/1756-77-0x0000000002C80000-0x0000000002DAB000-memory.dmp
memory/1756-81-0x0000000002DB0000-0x0000000002EBF000-memory.dmp
memory/1756-84-0x0000000002DB0000-0x0000000002EBF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EF51.exe
| MD5 | 68a9bf2ea7d3e606644b594a3420d9cc |
| SHA1 | 4366fbef31500ca265fad6f0a080802fc69c5465 |
| SHA256 | 3b386b16dc4c9683d3c7a30270a133ed87c06675d8c76c2a9fb0cb77bb50448f |
| SHA512 | dec7d0e2e6259b50f3971919e9492950a3392e7228827d3e879ed69d19d93e058c68f234728a2aa88f4ef1ad61788c027ac84a0126ca8a340707ff04587241e4 |
memory/1708-87-0x0000000010000000-0x00000000102CE000-memory.dmp
memory/1604-90-0x00000000012E0000-0x000000000187E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\197E.exe
| MD5 | 81ed68e85b095ceb1ec4b3f9b6699e21 |
| SHA1 | 1bd3882f103afe8120c24c7f63833d5f285375f4 |
| SHA256 | aeb43d3f19701a34981b0882e5305fe416a39a2f16c8728c307ef7d0fcfb654a |
| SHA512 | e332eb6dbbcc4737306bd85fdef34ecd9d14062edc13e009a96e77ec47bb141e2717da67b3a1c14e1cf74ff007b3a0293d4813bb66f9a5490c03e7d53af47d58 |
memory/1604-95-0x0000000005060000-0x000000000529A000-memory.dmp
memory/2296-97-0x00000000012F0000-0x0000000001FD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\217A.exe
| MD5 | a1b5ee1b9649ab629a7ac257e2392f8d |
| SHA1 | dc1b14b6d57589440fb3021c9e06a3e3191968dc |
| SHA256 | 2bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65 |
| SHA512 | 50ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b |
memory/1916-108-0x0000000000400000-0x0000000001A77000-memory.dmp
memory/2296-109-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2296-111-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2296-113-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2296-114-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2296-116-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2296-118-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2296-121-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2296-123-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2296-126-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2296-128-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2296-131-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2296-133-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2296-136-0x0000000000140000-0x0000000000141000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\38F1.exe
| MD5 | 08c7993cba41d1e99087c7563d86acbb |
| SHA1 | 23c7393fe790acbeed959c6198c8c5657da1e7ef |
| SHA256 | 791146f020de235494a4d80045743b22dd12430a8fe20d90ddd89e95ec2deb5b |
| SHA512 | 623250d5e18f0324338d8fe5b86244982d10fa9a6302cb30102783646745373199012aa35df245dec1853044fc67165af2cf94666abcaad6ef8b321fe74db1a2 |
memory/840-145-0x0000000000250000-0x00000000004A2000-memory.dmp
memory/1604-146-0x0000000073D60000-0x000000007444E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\38F1.exe
| MD5 | de126d2ab8fe0b4ba1fbb1fabb98a92e |
| SHA1 | 33a16c5267e02d394b2c9e53e8d32bfe635c067e |
| SHA256 | 4f9d4170b57f57e094fd8744143f0992320e6eee9df2a75d03dd58ba6f494a95 |
| SHA512 | cb11c04f729a162c0a4d40752e849d2b065695a386743238ecabaa264ddb730a700660d89bb4094529ebf448875fa039818859950cc4ce82211bff596071e87c |
memory/1916-150-0x0000000001BC0000-0x0000000001CC0000-memory.dmp
memory/1916-154-0x0000000000220000-0x000000000028B000-memory.dmp
memory/1916-156-0x0000000000400000-0x0000000001A77000-memory.dmp
memory/2296-158-0x0000000000150000-0x0000000000151000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\466A.exe
| MD5 | 2720b13efe7efd301e55e2842fa79144 |
| SHA1 | fa88aeb2f671070b4263acad18335b99de78cc28 |
| SHA256 | 44d12fb26d47338e99659e731679755acaefe86a513e0c6c49cb87a211280c4f |
| SHA512 | 035e975d11aa25e80c799abd630db925c156a5173951c6881aa779282cca8929235f0638973ca06b43772bd15067b390ecdee5e6006e470e79aa6b21758277a1 |
memory/2380-167-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
| MD5 | c75cbb954f63d490e03fceea09bc8e32 |
| SHA1 | bd87491341ddba3ca9ff4b96cbf50c8dfa1a7a2b |
| SHA256 | b73fed3630a6c199a455ab1342eb3d6afff32d60a4122b50ac2b3c547ae4d2f8 |
| SHA512 | 1a3292adfdda199aac202bac82374f3a927ccd2da516334b27ef4d7d3348370deb00341be01d720da4a6e00f7fe6d6e98aab2a35ecad83145c1c07c0ff053d48 |
C:\Users\Admin\AppData\Local\Temp\april.exe
| MD5 | c73bc3df042e28aec3b3624e60c32a7c |
| SHA1 | 59d8364cf706419d4d1cad16add50e7bda268b09 |
| SHA256 | 6c67ccedff9062fba93f27e1e780ee482c066cbfa3e46617ccdb354f0e216771 |
| SHA512 | 97a1b705a31dfb094d4acae84094c4a1e79bedffa94bd26b6683e41bf4232c732bd18f2a6349fcf557a034ebc4976c308437cc8efcf56c781cf72a601fa3d75f |
\Users\Admin\AppData\Local\Temp\197E.exe
| MD5 | e5e2eece8c0b563097fd4dbc979a5db4 |
| SHA1 | ab6b685633b23b059ed3653094f2dea0d45cb08f |
| SHA256 | d6d51d8018797ae24cba1a108fa0198ae48db2d8e1e560ec8b22eb721ba2ef4c |
| SHA512 | 609f8a3c339f0ec16cb038bd6a37386876870e32d017568f532f85a32a705f7d2dcc7e5eb3bdb7ed148cd9e6f953b6f0b103b6cc5a0c1132a5571d2462f4a094 |
C:\Users\Admin\AppData\Local\Temp\april.exe
| MD5 | 7e4cab8d4afb695d8c036c20aa5cc2a4 |
| SHA1 | 2bef85d07704564607e7983852ecb081010ba605 |
| SHA256 | b08c46dee564834f052938ed423a9247a00a3d6d0c6cd3767694bf7d008e21dc |
| SHA512 | f6e217ede07e912a193a965661c2f6fd04f39d58bc213dbabf45028bf09472ccc186f586a964f8bbe211bd0ac58264a2fb04924397e0d0834001898c0757f8e5 |
memory/840-185-0x0000000073D60000-0x000000007444E000-memory.dmp
memory/1288-184-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-7F4QC.tmp\april.tmp
| MD5 | 4df57aaf92a50f25127408e03415e9ae |
| SHA1 | 8f7670cfae2f405be830c8ec5f06856358d301a1 |
| SHA256 | d247810adf596b210b373af971bfeeeebea4f574cf2175d87d4899dcfa6e405c |
| SHA512 | a2bbb20f3d41b86f01455640c188b2c80d2bf8559ffd335e4cbeac7d70b8d88da3f75432e19a3597ffb79c183c32e1f071f0d259b277caf9173cf60479d312b5 |
C:\Users\Admin\AppData\Local\Temp\is-NBFM7.tmp\466A.tmp
| MD5 | c525e77d2e33c307848205b1921c23b9 |
| SHA1 | 195ed1d4581bba1ee5d5d2bdc54835a20f60b146 |
| SHA256 | 559471df6c535e3bdf7072c3a7de93cf7260a070c12f39480bb992036a593cdf |
| SHA512 | 9ab82dcb85ca1b1233182b21c36d2c1d1e5bf6e5debb6a8c3f481d7e9f54b97aa0223f428abe7efcf915b2a411dc1f85fa2c8c900c85edf252ad9b6a19a5242e |
\Users\Admin\AppData\Local\Temp\is-L3E5V.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Email Box Organizer\is-30O1N.tmp
| MD5 | 6231b452e676ade27ca0ceb3a3cf874a |
| SHA1 | f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1 |
| SHA256 | 9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf |
| SHA512 | f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c |
\Users\Admin\AppData\Local\Temp\is-L3E5V.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-NBFM7.tmp\466A.tmp
| MD5 | 33da9dc521f467c0405d3ef5377ce04b |
| SHA1 | 5249d7ce5dfabe5ee6d2fc7d3f3eba1e866b7d1f |
| SHA256 | dbab8a7b2b45fc7001d5e34d3d45ccbe93a7591f12910281acf2c32f8c4e631c |
| SHA512 | a3093637e1d731eab58080e10706db1afbf6e79fbac6593733b61033f97875ecbe230311e9741d349625ec3a66a6435318846d35290db8cd00af76d692699a55 |
C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe
| MD5 | 37d284e87eceacea55df22ce74605ebe |
| SHA1 | 86408c00ddb91986e996f61865c78ac19f2f28ef |
| SHA256 | 507bbf6666d88a286c030eaa1c065048bcec1f39b7c36296ee54245f30c94025 |
| SHA512 | 10297220cd597cc0f61d68a1934ea6cf1e43d8a18e85a150fd61e70efe9a556925452123a55259326e2c0bc43757369835e93a3351324be792fde97078c3d54a |
C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe
| MD5 | 925124964e0da47419dee645fbedf1fd |
| SHA1 | ade75c567e5ec025e80f14d82bb044cf1b3220b9 |
| SHA256 | a387c71e0e84c0e8c47347fbfbb83c30ae21dc3a18f0ad6cb5df79843e649b84 |
| SHA512 | 87cd638ea07b0ee08b0aa7b798f60b34486e3f3001d4968be4f61d45496db27e279f517e2a9f7f8079677b4f98503414a9cad98ece53c7f699eb403979b6ca8f |
\Users\Admin\AppData\Local\Temp\april.exe
| MD5 | f39dd4217ca407ca45ec79e43e1939a2 |
| SHA1 | c52b1e1f33008c38755f8aeebd91302bafb5ae20 |
| SHA256 | 055a30c4c817c6d85dc96971bf974f47eec8a420a02084e02a40d05bfc1ff58a |
| SHA512 | a2444bc348f4eb3ecf9cb1850559d2c3e4ec48e2ea3caefb7608ee88c92da40e7cf2ee2c187c929eaa90cc22ad4a8fa72eeda944fd9ecfcf658779d7aa9be307 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
| MD5 | c7118610fefdaad90083c662bd4ef37f |
| SHA1 | 9c051ff43747b8b52032b3cbe4d5b9a1edf8b9a5 |
| SHA256 | 333836d1c49ef069087f74844295e31ac2273b5337c2c2d70eb3c8f74901af14 |
| SHA512 | 7afa9b4b623927dee5a46ce471eb73dfa295dd989f789accf274526c618e2996ed5bd0d0a1930d84395a01412ccd966eca51359187e5612d18a988206e09d256 |
memory/840-160-0x0000000073D60000-0x000000007444E000-memory.dmp
memory/1604-165-0x0000000000980000-0x00000000009C0000-memory.dmp
memory/2296-157-0x00000000012F0000-0x0000000001FD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6550.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
These four values are the MD5, SHA1, SHA256 and SHA512 digests of a zero-byte input: 6550.exe was empty when captured, so the digests match every empty file and must not be used as indicators.
\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
| MD5 | 053eeb9e1945aca4425205986c36620c |
| SHA1 | 7b29cdee2ed7b5a9fa3fc04f2c3b43b011aa930c |
| SHA256 | d1fffd9e53d2f931d27ad39fd56cb70f7630235537e889017c7edeca2b521425 |
| SHA512 | 6b5f8b9c61cedc12d77b969bbe3edc2afa0f3aeed0dc87ffb59e20db49b14f3fbc60a18fa2356d3a1cf20c36f0b3dc0632ed6331306028d42b059bed6c608e28 |
memory/2996-264-0x00000000003E0000-0x000000000088E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
| MD5 | eb7f73f290f1875876c51977441aeba8 |
| SHA1 | 22b7a335fb75a0576e2ac49faf9c4cd2b755ce17 |
| SHA256 | df870d52c6d554711068feac3ec42973f0218c082c8d17356f6c5f1262b7c004 |
| SHA512 | 233ec8d3fa4e107f59749f485a76e6f14e5f9da648687d556199f0acd6c7146b7c1f4fefeec9aa05b71d57205dbe9480d5fa542ef64e04de33fa33a78d0b4b5a |
\Users\Admin\AppData\Local\Temp\u1ik.0.exe
| MD5 | eae8f1cff410a54725527cd0e759ce41 |
| SHA1 | 9537e90abd8c6da642f8c26b56fe35997add10f3 |
| SHA256 | 415a23efec7414a0d75d07b7f57f4af8a3c92deafd35e61226b1efa12cf22f94 |
| SHA512 | 2d735aac10c0638fc903aa073f12fa5346e1283c8463aa91371967c63047fac15deec8b4bf0f425eb63a9e1e75f6e7116e490c4677797551395b91e95167e5cc |
C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe
| MD5 | 7a8f28fd05ccc91e836fd56251a4425d |
| SHA1 | 1d78fada34f0a1064bdb692c562be6c817fbaa7f |
| SHA256 | a50c12cc04019fdcd0d9ca0c9cfc4e69bb988245444930ac3ba5fc7ae8d1df2f |
| SHA512 | 9a4253468e9bf3b88df9a0f2291df306125f1bdb79b53a4233ac7e5a07c440e9a0e6f2d5e9482bba1e269ed8548cd55eb6dc24970196e8c1d3c25029d40a7d83 |
memory/3060-285-0x0000000000400000-0x00000000005D9000-memory.dmp
\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
| MD5 | 8e3d884097d2dad555573d99e916af96 |
| SHA1 | 649d9267b6255240ce09c9f982e214b524b78648 |
| SHA256 | 6b3d6c581a7a255fb198b15792cd67de204da441a7c757d2f8bf473837c36457 |
| SHA512 | 7a9f99e2e9a56fb1858222ff7ba373ceea2016e6f718ddc0e4500a08baeeaae850c5d8fdf5c88eba33e8ba419d68767df24a88563e703001db826f025c54cb1b |
\Users\Admin\AppData\Local\Temp\u1ik.1.exe
| MD5 | 2692835e4a6eab15be64ef77ea797ec4 |
| SHA1 | 7473986d972424b55a15e7ca6bd6845e372765d9 |
| SHA256 | 4cbc9b7f5a181e9e9e4e01c3a8f1aff1dd42f68235fa88ba1bd9e1fd69cdcbba |
| SHA512 | 37e4115a16f7b88953198706d0c0f053740027eae8e729e0c6a8e703c8036b92184518ede0d84b97c14b24397bead49c6c8412a2e4d1b10376a0aa5084076eae |
C:\Users\Admin\AppData\Local\Temp\u1ik.1.exe
| MD5 | 14f16a065ed9312017ea917244e91e5c |
| SHA1 | 1ab9f23276f95b684556673b4c5c9235490a2158 |
| SHA256 | 4ebf18592c3a8df3f36828431e5f53209b73fd9c33d549b8e7fd5f7ab7d9ae11 |
| SHA512 | 62f9e3262e9268408469cab84cdc26f417645bffbbeb56725ee68a6de4cf5e6691ae7f4afd8d2ea119865c7dc1de1e2e99134cfbf533a740fb67eb6068dfff35 |
memory/1964-302-0x000000000093F000-0x0000000000975000-memory.dmp
memory/1964-303-0x0000000000250000-0x00000000002B7000-memory.dmp
memory/1964-304-0x0000000000400000-0x000000000049B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8B67.exe
| MD5 | 5edc27f4fb945833e627a554407746a1 |
| SHA1 | ce0f744e2a827d7ba428562f7fd4932e6f144cbc |
| SHA256 | 608f8c358e578d87c5668673eff699f5bceb5a9fff9a9b51a0da6b1be51b1466 |
| SHA512 | 4deea18efe3c586f7a7ceb240819b88fc17ea3ad1bef238eec9c7d4d2ab50e3b4040cf4cf544fd82e0607da41b83fde156205904faf5a3b329df461fcbbc3c50 |
\Users\Admin\AppData\Local\Temp\u1ik.1.exe
| MD5 | 878c830c1299b4949edcff11bbf20d04 |
| SHA1 | b1262134e25928e4708a125a6736d756c9d0f4bf |
| SHA256 | 0edfafbe74c65b4d37f1f5a5ce8cde9012bb99682af03c92071819d24e6959aa |
| SHA512 | 650491fdbace695af97871036dbf86bd5e9b2ea8494110b166a339b1f761dbd2a3b2fee020bbb817f3a3cfd06491103791fc81c62f61a30b0a7066e8ee961f3b |
\Users\Admin\AppData\Local\Temp\u1ik.1.exe
| MD5 | 01a90e9b395761e38299d1bf60706e31 |
| SHA1 | 1d760ee68f064ef2efb345b929a59b662fe5070f |
| SHA256 | 1f0fab66b4e866692bb196aa02e61ff685f6bdc23bb69269549191e6879f36cd |
| SHA512 | 3d6c46e9cad52d8544f31cfcdac28c9932f487b9d7330f3c4be1184e99eaa1e666031c5912384665d39b32c9b9223260e5051ed2a7d9eb4e19f3f2320a10c7b0 |
C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe
| MD5 | 0cd7cc1ececd29f44a846dc3516c0464 |
| SHA1 | 1a7c9e06d63555df7541c76e009d0e8e6ee0c768 |
| SHA256 | be8614ab582d6b194ccac803679c2209868b585480a77f9eff56155ce89168cf |
| SHA512 | 099df213b13685478cfd758392299d17ddf22614cc387244ab9befdf62062f92b607927d799d03ac7584d7529a88a6be62a06cd0b8149995f96a72a01fe6c66b |
C:\Windows\Tasks\explorgu.job
| MD5 | f89ced814efbeca417345c599500c7aa |
| SHA1 | 983dcfbc44237f3d10f9916603ee22f61a8e49e6 |
| SHA256 | 1cbeda558707ffb80a85917570e5174ef197862e9ed4ded946f2d48c421ebd43 |
| SHA512 | 3b9cd8c81f49931e849de1897d645509db92e5bc580a943c3c257d775a92f790101c8b3c421cea2c7ad23a468b65c6019e92cf6168fb3f231ea9a9da5ace9b15 |
\Users\Admin\AppData\Local\Temp\EF51.exe
| MD5 | a312ddba00ea2c394a4675991ac079ae |
| SHA1 | 903adb62a739556ce565e508b5f9890bb27ffc62 |
| SHA256 | 05eeaebff84be64c401ab40dcaf095107ab0fba5d2f6868e9addde3bd8e7fffe |
| SHA512 | 07f10e99bdd5ca98dfafca72a26f54eda4cf052b20e8baf39f3569f4cf0b269b0a95a2f92844405614d9f4c63dfb3601a45dd2fba1343fc28c5685464da6c1fe |
memory/1392-320-0x0000000000BD6000-0x0000000000BEB000-memory.dmp
memory/1392-322-0x0000000000220000-0x000000000022B000-memory.dmp
memory/1392-323-0x0000000000400000-0x0000000000724000-memory.dmp
\Users\Admin\AppData\Local\Temp\EF51.exe
| MD5 | 68e81892b80fa6716025fcb1a2af36ff |
| SHA1 | 0b3d95ca92fcd52882481053435bd5d854d82b1d |
| SHA256 | 7e4ad35d21b4ac44c746c71fa43151528093ce2c87ead245dd3a7b3ea90fb1c2 |
| SHA512 | 4833b872a2cd74e25268c49879f35709f6deeafcca95d94344b431605f6ab5c1e341725a39ba3c36499eea44f365866f0f033203d3b70345c1c817828b2d92e4 |
C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe
| MD5 | a3f8b60a08da0f600cfce3bb600d5cb3 |
| SHA1 | b00d7721767b717b3337b5c6dade4ebf2d56345e |
| SHA256 | 0c608a9b1e70bf8b51a681a8390c8e4743501c45b84cf4d59727aba2fc33cadb |
| SHA512 | 14f63e415133ca438d3c217d5fb3ecf0ad76e19969c54d356f46282230230f1b254fbfc8ae5f78809dc189a9648be2dc1398927b3f089c525cd1105a3843f60d |
\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe
| MD5 | b873ccdd97b4ded1a9cc656fbcacbbd3 |
| SHA1 | 288af299ca89eaff08e43ef30cea363ed634242c |
| SHA256 | 58a9ce8c6b76493f1b2cd1d3af80abd73c64654639accab104fa244e5d48280c |
| SHA512 | b36bdd51920bf7c61109861763cb7e28b67831acc2e3ee4e0f0c265f7e437f18dcb0d057df8fc59a64b22c723281c838eeb69e91ee36fd768f8281cb3d855f4e |
memory/1120-338-0x00000000009A0000-0x0000000000A2C000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 92fbdfccf6a63acef2743631d16652a7 |
| SHA1 | 971968b1378dd89d59d7f84bf92f16fc68664506 |
| SHA256 | b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72 |
| SHA512 | b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117 |
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprime1234.exe
| MD5 | 0c4fee8706a8ea370b7a272b7c5bbc85 |
| SHA1 | bda2a1ebc921db843d06aa5074884207ccbe9242 |
| SHA256 | 9ec8397acd7c4106763ba84f4ebe1fd1cf39b4b0de442be8f89cd57de6151aac |
| SHA512 | dd2c1d00325533db2cc5fe14ab52747182a494a2524e4f891e3dcd3ce2ab9685322a9fe1f5f2bd2b9808d6f1efab2a9cdfcc762016935464a7ddd237e620f9a4 |
memory/2012-403-0x00000000000D0000-0x0000000000162000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 2afdbe3b99a4736083066a13e4b5d11a |
| SHA1 | 4d4856cf02b3123ac16e63d4a448cdbcb1633546 |
| SHA256 | 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee |
| SHA512 | d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f |
C:\Users\Admin\AppData\Local\Temp\1000858001\alex12341.exe
| MD5 | 5bc4c899b1a92d101d4377016c856fbb |
| SHA1 | 40a1085239dd4b3698ecf76417285ccfa8b3b1d4 |
| SHA256 | efbb4590bdb6beb761525fbb3005c8328de0e2aabeb358ac259fff88de8efdbb |
| SHA512 | 21ec4ab6d5837f69abbaf45a15156a9efe43d1a490adac5489785b1f2bd872bd57848336ba2f530bd881f6c7b6433d422c158591d1049e52b5b0d832980c0903 |
C:\Users\Admin\AppData\Local\Temp\1000838001\judith1234.exe
| MD5 | 12b6f76b557ac91491e84f979cb8af08 |
| SHA1 | 1ee68fe2041399e7a0727b3e3f60bd03ed8555a2 |
| SHA256 | acf2c667463495b2b04e915080cbf100d6addab4d1b5bd4d69cc69894f9ea734 |
| SHA512 | 52dd6d7baa04e5d329d1bcf5b52257b3ac59b09817d6f6db0dbe1fe25faa86c5c12cbb1fdb40b853fe80d8643fa1786c99ac5b829a49511d56ee39a996904ca3 |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Local\Temp\1000865001\dais.exe
| MD5 | 1f22a7e6656435da34317aa3e7a95f51 |
| SHA1 | 8bec84fa7a4a5e4113ea3548eb0c0d95d050f218 |
| SHA256 | 55fbfaaeee07219fa0c1854b2d594a4b334d94fad72e84f9f4b24f367628ca6c |
| SHA512 | a263145b00ff21ecaf04214996f1b277db13bdc5013591c3c9cf25e9082fc99bc5e357f56aba4cea4dbcc68f85262fe7bbd7f1cec93cde81c0b30dae77f1b95e |
memory/2384-531-0x0000000000946000-0x000000000095B000-memory.dmp
memory/1164-535-0x000000001B540000-0x000000001B822000-memory.dmp
memory/1164-536-0x0000000002810000-0x0000000002818000-memory.dmp
memory/1616-529-0x00000000008A0000-0x0000000000A5A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
| MD5 | 538210b986be477618df46f781b648e8 |
| SHA1 | b504ec3dbc01ffa194990d454f82b6170d281a4a |
| SHA256 | 0aaf7021364e865bbfc649dea016af730fc382a7ef41c24d570a5b2302104551 |
| SHA512 | ddbbe251015fb78b17025c92914ba429446a8464f6cf99f8f14ed14590f5c1edaa7122519b5699f73eed5b2ba31441f9cbf565fdc3050b0163c5cd2403281bb8 |
memory/1776-538-0x0000000000EA0000-0x0000000000EBE000-memory.dmp
memory/2384-534-0x0000000000400000-0x0000000000724000-memory.dmp
memory/2384-533-0x0000000000220000-0x0000000000247000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000874021\random.cmd
| MD5 | 7ca00195b480ee284ddaebfea321f27e |
| SHA1 | a9ef34c03c1285c450b0414a20fce7f9533f7fa6 |
| SHA256 | c133cb730f4483b60434981714e8544a30bdb422376495c74aabeb16b13fd5d6 |
| SHA512 | c78ba3153ac0999f71c1ab0e5c4738e2e46d03f6567045e8c5ec3bd7157adabe4ce61b56554c546ce6070f09c84f26a64354ffaef0bf32175a4b40c27d4a3035 |
memory/1164-590-0x000000000285B000-0x00000000028C2000-memory.dmp
memory/1616-593-0x0000000073D60000-0x000000007444E000-memory.dmp
memory/1164-586-0x0000000002854000-0x0000000002857000-memory.dmp
memory/2792-601-0x0000000000400000-0x0000000000592000-memory.dmp
memory/1164-584-0x000007FEF30D0000-0x000007FEF3A6D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe
| MD5 | 818dc0dd7334787c46fdf54843c02417 |
| SHA1 | 7635d080a51c429a0945c1370435c59f45c2ecdc |
| SHA256 | 8c234dd732bcbd1bc5db85e94289adcf22a501b643f1fc4da9f06ad664ca5543 |
| SHA512 | 5ec240a099e320521f5a5bfaaa16b8c90f1f0413dad785aa1ca4002a836e6f96415a456f49f5f3c80c922643acd3dce38664a4d62f09681bf4312bce65f6c934 |
C:\Users\Admin\AppData\Local\Temp\1000903001\lummahelp.exe
| MD5 | 2360df510c08c4e5c28d1f1781926caa |
| SHA1 | 28431c0f11a095ca7accc2e2bb3e478071c1f6f6 |
| SHA256 | 78efb7926cb47df2ad223406af9b0d6b5a099fa111564f82b3c9c38dbb9ecb59 |
| SHA512 | e8b95e94c845c76b14b71d1fd5ac0380c34c142e0f24bdaf1df4524a7371a323ba2180bb46d3d817a6338e8013af5f5a4bf3066d62ad867bfd3fc7ad09e66540 |
memory/2688-514-0x0000000001100000-0x0000000001154000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000935001\InstallSetup3.exe
| MD5 | de0a3c0f33147c7f1f7046d7013bb4be |
| SHA1 | 0d2ab457db0beb7b1c87975d565278fe9fda516e |
| SHA256 | 2c5734dbe0498b97b7c06fee2f249b8c87100167e0eda86a59b1249c91156b48 |
| SHA512 | fc4f04eb0442bbc90decdabc97a6ed27c3e4d9767eed5e250b15d1ba48a8696935971f60aea6ed1824ab203101cfa73506ca5d691c9f6e9c456150da43c23fca |
C:\Users\Admin\AppData\Local\Temp\1000010001\frukt.exe
| MD5 | 0348f416c569b4276adbd2101d283669 |
| SHA1 | e90e94a49d3e97f5f64b11810ce07e07b0b6dc2d |
| SHA256 | c85575e45adf9aa4fe23b0c23e5834bd51140f507fc0d3f71213824f1b9ab6ba |
| SHA512 | 0b8b0e96bb9467eb7e17d4cf918e81fb84284629f70bb1be4e96dcfc524ca8ef4aa93848e1770b737faa94391f479f2f548a692986a7f47e27974e5b50956295 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 15a42d3e4579da615a384c717ab2109b |
| SHA1 | 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301 |
| SHA256 | 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103 |
| SHA512 | 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444 |
C:\Users\Admin\AppData\Local\Temp\nsp7CB2.tmp\INetC.dll
| MD5 | 2b342079303895c50af8040a91f30f71 |
| SHA1 | b11335e1cb8356d9c337cb89fe81d669a69de17e |
| SHA256 | 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f |
| SHA512 | 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | 726cd06231883a159ec1ce28dd538699 |
| SHA1 | 404897e6a133d255ad5a9c26ac6414d7134285a2 |
| SHA256 | 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46 |
| SHA512 | 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e |
C:\Users\Admin\AppData\Local\Temp\F66.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\7818.exe
| MD5 | 4cfc8ad2dcdb75023522d8ce5399b848 |
| SHA1 | e9df741de3aa107dbef0b0b57e15b6f2ddb55d21 |
| SHA256 | 0245b98c5523f0fe169741a6eae0bf56e194aa1b77f8b20ca30f2f3a78ce7da5 |
| SHA512 | c3afa71e76a47a21e3fc23880ac76bc7813f2ad7d6d7f09f61c3d69acabe3cc2c8ba5c7d5f54a2fb2713613b85323327deb4a5b525e6cb449b31f697e55bf444 |
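The dropped-file list above is what usually gets bulk-copied into a blocklist, and it has two traps: 6550.exe carries the digests of a zero-byte file, and several paths (textultraedit.exe, explorgu.exe, april.exe, u1ik.1.exe, EF51.exe, InstallSetup_four.exe, osminog.exe, 466A.tmp) are listed more than once with different digests, i.e. the same path was written repeatedly with different content. The following Python is an added example, not part of the report or of the sandbox that produced it. It parses a constructed excerpt in the page's own layout, computes the empty-file digests with hashlib instead of hard-coding them, normalizes paths listed with and without a drive letter, and reports both conditions. The function and field names are this example's own.

```python
"""Sanity-check a sandbox report's dropped-file hash list before turning it
into indicators. Added example; not part of the original report.

Two checks an analyst wants before importing such a list:
  1. entries whose digests are those of a zero-byte file (the path was
     captured before anything was written to it): they are useless as
     indicators and match every empty file on every host;
  2. one path recorded with several different digests: the file was written
     more than once with different content (staged or updated payload), so
     each digest has to be tracked as a separate sample.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample in the report's own layout: a path line followed by
# hash rows; memory/... dump references carry no hashes. Entries are copied
# from the report's file list and shortened to keep the example small.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\6550.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Temp\april.exe
| MD5 | c73bc3df042e28aec3b3624e60c32a7c |
| SHA256 | 6c67ccedff9062fba93f27e1e780ee482c066cbfa3e46617ccdb354f0e216771 |
\Users\Admin\AppData\Local\Temp\april.exe
| MD5 | f39dd4217ca407ca45ec79e43e1939a2 |
| SHA256 | 055a30c4c817c6d85dc96971bf974f47eec8a420a02084e02a40d05bfc1ff58a |
memory/1288-184-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Windows\Tasks\explorgu.job
| MD5 | f89ced814efbeca417345c599500c7aa |
| SHA256 | 1cbeda558707ffb80a85917570e5174ef197862e9ed4ded946f2d48c421ebd43 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

# Digests of b"" for every algorithm the report uses, computed rather than
# copied so the comparison cannot be wrong by a typo.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}


def normalize_path(path):
    """Drop a leading drive letter and lower-case, so that the report's
    'C:\\Users\\...' and '\\Users\\...' spellings of one file compare equal."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def parse_dropped_files(text):
    """Return [{'path': str, 'hashes': {algo: hex}}] for every path line that
    is followed by at least one hash row. memory/... lines end the current
    record so stray hash rows cannot attach to the wrong file."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is not None:
                current["hashes"][m.group(1)] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None
        elif not line.startswith("|"):
            current = {"path": line, "hashes": {}}
            records.append(current)
    return [r for r in records if r["hashes"]]


def is_empty_file(record):
    """True when every recorded digest is the digest of a zero-byte input."""
    hashes = record["hashes"]
    return bool(hashes) and all(EMPTY_DIGESTS[a] == v for a, v in hashes.items())


def rewritten_paths(records):
    """Normalized path -> sorted distinct SHA256 values, for paths seen with
    more than one digest (same file name, different content)."""
    seen = defaultdict(set)
    for r in records:
        if "SHA256" in r["hashes"]:
            seen[normalize_path(r["path"])].add(r["hashes"]["SHA256"])
    return {p: sorted(s) for p, s in seen.items() if len(s) > 1}


def usable_iocs(records):
    """Deduplicated SHA256 values worth importing: empty files excluded."""
    return sorted({r["hashes"]["SHA256"] for r in records
                   if "SHA256" in r["hashes"] and not is_empty_file(r)})


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE_REPORT)
    for r in recs:
        if is_empty_file(r):
            print("EMPTY    ", r["path"])
    for path, digests in rewritten_paths(recs).items():
        print("REWRITTEN", path, "->", len(digests), "distinct SHA256 values")
    print("importable SHA256 values:", len(usable_iocs(recs)))
```

Run against the full list on this page, the same code flags 6550.exe as empty and reports each of the repeatedly written paths with its distinct digests, so the blocklist ends up with one entry per sample rather than one per file name.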
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-14 05:12
Reported
2024-03-14 05:18
Platform
win10-20240221-en
Max time kernel
170s
Max time network
303s
Command Line
Signatures
Amadey
DcRat
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Pitou
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\EA31.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\D092.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\EA31.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\EA31.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\D092.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\D092.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\EA31.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\D092.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FE76.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-PJ0FH.tmp\A981.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SU88B.tmp\april.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\376A.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3k0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3k0.0.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\FE76.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CAAKFIIDGI.exe" | C:\Users\Admin\AppData\Local\Temp\CAAKFIIDGI.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\9887.exe | N/A |
The recorded event is a write-capable handle on the raw disk (\??\PHYSICALDRIVE0), which is what this signature keys on; the table does not show which sectors were written.
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA31.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D092.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2772 set thread context of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\FE76.exe | C:\Users\Admin\AppData\Local\Temp\FE76.exe |
| PID 764 set thread context of 5116 | N/A | C:\Users\Admin\AppData\Local\Temp\376A.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\EA31.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\E8FD.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\E8FD.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\E8FD.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u3k0.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u3k0.0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe | N/A |
The signature fired 62 further times with no description, indicator, process or target recorded.
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E8FD.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CAAKFIIDGI.exe | N/A |
The SeShutdownPrivilege/SeCreatePagefilePrivilege pair is recorded 22 times, always without an attributed process (13 times before the powershell.exe hit, 6 between it and the CAAKFIIDGI.exe hit, 3 after); only the two SeDebugPrivilege hits name a process.
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SU88B.tmp\april.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3k0.1.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe | "C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe" |
| C:\Users\Admin\AppData\Local\Temp\EA31.exe | C:\Users\Admin\AppData\Local\Temp\EA31.exe |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F52E.dll |
| C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\Admin\AppData\Local\Temp\F52E.dll |
| C:\Users\Admin\AppData\Local\Temp\FE76.exe | C:\Users\Admin\AppData\Local\Temp\FE76.exe |
| C:\Users\Admin\AppData\Local\Temp\FE76.exe | C:\Users\Admin\AppData\Local\Temp\FE76.exe |
| C:\Users\Admin\AppData\Local\Temp\376A.exe | C:\Users\Admin\AppData\Local\Temp\376A.exe |
| C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe |
| C:\Users\Admin\AppData\Local\Temp\8F00.exe | C:\Users\Admin\AppData\Local\Temp\8F00.exe |
| C:\Users\Admin\AppData\Local\Temp\9887.exe | C:\Users\Admin\AppData\Local\Temp\9887.exe |
| C:\Users\Admin\AppData\Local\Temp\A0E5.exe | C:\Users\Admin\AppData\Local\Temp\A0E5.exe |
| C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe | "C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe" |
| C:\Users\Admin\AppData\Local\Temp\april.exe | "C:\Users\Admin\AppData\Local\Temp\april.exe" |
| C:\Users\Admin\AppData\Local\Temp\A981.exe | C:\Users\Admin\AppData\Local\Temp\A981.exe |
| C:\Users\Admin\AppData\Local\Temp\is-SU88B.tmp\april.tmp | "C:\Users\Admin\AppData\Local\Temp\is-SU88B.tmp\april.tmp" /SL5="$60230,1697899,56832,C:\Users\Admin\AppData\Local\Temp\april.exe" |
| C:\Users\Admin\AppData\Local\Temp\is-PJ0FH.tmp\A981.tmp | "C:\Users\Admin\AppData\Local\Temp\is-PJ0FH.tmp\A981.tmp" /SL5="$3027E,1678053,54272,C:\Users\Admin\AppData\Local\Temp\A981.exe" |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main |
| C:\Windows\system32\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main |
| C:\Windows\system32\netsh.exe | netsh wlan show profiles |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 988 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 968 |
| C:\Users\Admin\AppData\Local\Temp\u3k0.0.exe | "C:\Users\Admin\AppData\Local\Temp\u3k0.0.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 924 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 504 |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\824464007487_Desktop.zip' -CompressionLevel Optimal |
C:\Users\Admin\AppData\Local\Temp\D092.exe
C:\Users\Admin\AppData\Local\Temp\D092.exe
C:\Users\Admin\AppData\Local\Temp\u3k0.1.exe
"C:\Users\Admin\AppData\Local\Temp\u3k0.1.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Users\Admin\AppData\Local\Temp\E8FD.exe
C:\Users\Admin\AppData\Local\Temp\E8FD.exe
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAAKFIIDGI.exe"
C:\Users\Admin\AppData\Local\Temp\CAAKFIIDGI.exe
"C:\Users\Admin\AppData\Local\Temp\CAAKFIIDGI.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\CAAKFIIDGI.exe
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| RU | 185.215.113.45:80 | 185.215.113.45 | tcp |
| US | 8.8.8.8:53 | 45.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.85.215.91.in-addr.arpa | udp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| US | 8.8.8.8:53 | 32.113.215.185.in-addr.arpa | udp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | midnight.bestsup.su | udp |
| US | 104.21.29.103:80 | midnight.bestsup.su | tcp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 104.21.94.2:443 | resergvearyinitiani.shop | tcp |
| US | 8.8.8.8:53 | 2.94.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.29.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wisemassiveharmonious.shop | udp |
| US | 172.67.181.250:443 | wisemassiveharmonious.shop | tcp |
| US | 8.8.8.8:53 | 250.181.67.172.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | herdbescuitinjurywu.shop | udp |
| US | 172.67.206.194:443 | herdbescuitinjurywu.shop | tcp |
| DE | 185.172.128.187:80 | 185.172.128.187 | tcp |
| US | 8.8.8.8:53 | 194.206.67.172.in-addr.arpa | udp |
| US | 172.67.181.250:443 | wisemassiveharmonious.shop | tcp |
| US | 8.8.8.8:53 | 187.128.172.185.in-addr.arpa | udp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| DE | 185.172.128.187:80 | 185.172.128.187 | tcp |
| DE | 185.172.128.126:80 | 185.172.128.126 | tcp |
| US | 8.8.8.8:53 | 126.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| PA | 190.218.35.32:80 | trmpc.com | tcp |
| US | 8.8.8.8:53 | 145.128.172.185.in-addr.arpa | udp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| US | 8.8.8.8:53 | 32.35.218.190.in-addr.arpa | udp |
| DE | 185.172.128.187:80 | 185.172.128.187 | tcp |
| FR | 80.67.172.162:443 | tcp | |
| US | 184.105.220.24:9001 | tcp | |
| US | 8.8.8.8:53 | 162.172.67.80.in-addr.arpa | udp |
| AU | 124.168.18.172:9001 | tcp | |
| FR | 51.15.246.170:443 | tcp | |
| US | 162.251.116.10:443 | tcp | |
| NO | 95.141.83.146:443 | tcp | |
| US | 8.8.8.8:53 | 170.246.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.83.141.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.116.251.162.in-addr.arpa | udp |
| N/A | 127.0.0.1:50271 | tcp | |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.192.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nidoe.org | udp |
| AR | 190.195.60.212:80 | nidoe.org | tcp |
| US | 162.251.116.10:443 | tcp | |
| US | 8.8.8.8:53 | 212.60.195.190.in-addr.arpa | udp |
| NO | 95.141.83.146:443 | tcp | |
| AR | 190.195.60.212:80 | nidoe.org | tcp |
| N/A | 127.0.0.1:20129 | tcp | |
| AR | 190.195.60.212:80 | nidoe.org | tcp |
| AR | 190.195.60.212:80 | nidoe.org | tcp |
| AR | 190.195.60.212:80 | nidoe.org | tcp |
| AR | 190.195.60.212:80 | nidoe.org | tcp |
| AR | 190.195.60.212:80 | nidoe.org | tcp |
| AR | 190.195.60.212:80 | nidoe.org | tcp |
| N/A | 127.0.0.1:20129 | tcp | |
| AR | 190.195.60.212:80 | nidoe.org | tcp |
| N/A | 127.0.0.1:20129 | tcp | |
| AR | 190.195.60.212:80 | nidoe.org | tcp |
| N/A | 127.0.0.1:20129 | tcp | |
| US | 8.8.8.8:53 | account.kemnaker.go.id | udp |
| N/A | 127.0.0.1:20129 | tcp | |
| N/A | 127.0.0.1:50402 | tcp | |
| N/A | 127.0.0.1:50408 | tcp | |
| US | 8.8.8.8:53 | bluesea.com.bd | udp |
| US | 8.8.8.8:53 | account.kemnaker.go.id | udp |
| US | 8.8.8.8:53 | bluesea.com.bd | udp |
| US | 8.8.8.8:53 | pendaftaran.unpad.ac.id | udp |
| US | 8.8.8.8:53 | regayzanko.com | udp |
| US | 8.8.8.8:53 | pendaftaran.unpad.ac.id | udp |
| ID | 149.129.233.232:22 | account.kemnaker.go.id | tcp |
| ID | 149.129.233.232:443 | account.kemnaker.go.id | tcp |
| US | 8.8.8.8:53 | regayzanko.com | udp |
| US | 8.8.8.8:53 | masryonsat.net | udp |
| ID | 149.129.233.232:21 | account.kemnaker.go.id | tcp |
| US | 8.8.8.8:53 | masryonsat.net | udp |
| ID | 111.223.252.90:443 | pendaftaran.unpad.ac.id | tcp |
| US | 8.8.8.8:53 | stud.infostud.uniroma1.it | udp |
| ID | 149.129.233.232:143 | account.kemnaker.go.id | tcp |
| US | 8.8.8.8:53 | stud.infostud.uniroma1.it | udp |
| ID | 111.223.252.90:21 | pendaftaran.unpad.ac.id | tcp |
| ID | 111.223.252.90:22 | pendaftaran.unpad.ac.id | tcp |
| US | 172.67.180.4:22 | regayzanko.com | tcp |
| US | 172.67.180.4:21 | regayzanko.com | tcp |
| ID | 149.129.233.232:465 | account.kemnaker.go.id | tcp |
| US | 8.8.8.8:53 | 232.233.129.149.in-addr.arpa | udp |
| ID | 149.129.233.232:80 | account.kemnaker.go.id | tcp |
| US | 8.8.8.8:53 | farmasiint.com | udp |
| US | 172.67.180.4:443 | regayzanko.com | tcp |
| US | 8.8.8.8:53 | sloty.com | udp |
| SG | 172.96.191.76:21 | masryonsat.net | tcp |
| SG | 172.96.191.76:22 | masryonsat.net | tcp |
| ID | 149.129.233.232:995 | account.kemnaker.go.id | tcp |
| US | 8.8.8.8:53 | farmasiint.com | udp |
| US | 8.8.8.8:53 | 90.252.223.111.in-addr.arpa | udp |
| US | 8.8.8.8:53 | adobeid.services.adobe.com | udp |
| US | 8.8.8.8:53 | sloty.com | udp |
| ID | 111.223.252.90:143 | pendaftaran.unpad.ac.id | tcp |
| SG | 172.96.191.76:443 | masryonsat.net | tcp |
| IT | 151.100.101.215:22 | stud.infostud.uniroma1.it | tcp |
| IT | 151.100.101.215:21 | stud.infostud.uniroma1.it | tcp |
| ID | 111.223.252.90:465 | pendaftaran.unpad.ac.id | tcp |
| US | 8.8.8.8:53 | bluesea.com.bd | udp |
| US | 8.8.8.8:53 | adobeid.services.adobe.com | udp |
| US | 8.8.8.8:53 | sso.emea.teleperformance.com | udp |
| US | 172.67.180.4:143 | regayzanko.com | tcp |
| US | 8.8.8.8:53 | 4.180.67.172.in-addr.arpa | udp |
| US | 172.67.180.4:465 | regayzanko.com | tcp |
| IT | 151.100.101.215:443 | stud.infostud.uniroma1.it | tcp |
| TR | 195.46.154.244:22 | farmasiint.com | tcp |
| US | 8.8.8.8:53 | sso.emea.teleperformance.com | udp |
| GB | 107.154.212.223:22 | sloty.com | tcp |
| US | 8.8.8.8:53 | claimfreecoins.io | udp |
| ID | 111.223.252.90:995 | pendaftaran.unpad.ac.id | tcp |
| ID | 147.139.164.60:22 | account.kemnaker.go.id | tcp |
| US | 8.8.8.8:53 | 76.191.96.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | claimfreecoins.io | udp |
| US | 172.67.180.4:80 | regayzanko.com | tcp |
| ID | 147.139.164.60:21 | account.kemnaker.go.id | tcp |
| SG | 172.96.191.76:143 | masryonsat.net | tcp |
| ID | 149.129.233.232:80 | account.kemnaker.go.id | tcp |
| TR | 195.46.154.244:21 | farmasiint.com | tcp |
| GB | 107.154.212.223:21 | sloty.com | tcp |
| ID | 111.223.252.90:80 | pendaftaran.unpad.ac.id | tcp |
| US | 172.67.180.4:995 | regayzanko.com | tcp |
| US | 8.8.8.8:53 | sloty-com.mail.protection.outlook.com | udp |
| ID | 147.139.164.60:143 | account.kemnaker.go.id | tcp |
| US | 8.8.8.8:53 | farmasiint-com.mail.protection.outlook.com | udp |
| US | 172.67.180.4:80 | regayzanko.com | tcp |
| TR | 195.46.154.244:443 | farmasiint.com | tcp |
| US | 104.21.31.220:21 | regayzanko.com | tcp |
| US | 104.21.31.220:22 | regayzanko.com | tcp |
| ID | 147.139.164.60:465 | account.kemnaker.go.id | tcp |
| US | 8.8.8.8:53 | rl-itdept01-ukftxamwrq.app02-21.logmein.com | udp |
| US | 8.8.8.8:53 | rl-itdept01-ukftxamwrq.app02-21.logmein.com | udp |
| US | 172.64.155.61:21 | adobeid.services.adobe.com | tcp |
| US | 172.64.155.61:22 | adobeid.services.adobe.com | tcp |
| GB | 107.154.212.223:443 | sloty.com | tcp |
| US | 8.8.8.8:53 | bithourly.net | udp |
| US | 8.8.8.8:53 | 215.101.100.151.in-addr.arpa | udp |
| IT | 151.100.101.215:143 | stud.infostud.uniroma1.it | tcp |
| SG | 172.96.191.76:80 | masryonsat.net | tcp |
| N/A | 127.0.0.1:50412 | tcp | |
| SG | 172.96.191.76:465 | masryonsat.net | tcp |
| US | 172.64.155.61:443 | adobeid.services.adobe.com | tcp |
| ID | 111.223.252.90:80 | pendaftaran.unpad.ac.id | tcp |
| ID | 149.129.233.232:443 | account.kemnaker.go.id | tcp |
| ID | 147.139.164.60:995 | account.kemnaker.go.id | tcp |
| SG | 172.96.191.76:995 | masryonsat.net | tcp |
| NL | 52.101.73.1:143 | farmasiint-com.mail.protection.outlook.com | tcp |
| US | 172.67.144.98:22 | claimfreecoins.io | tcp |
| US | 172.67.144.98:21 | claimfreecoins.io | tcp |
| US | 104.21.31.220:143 | regayzanko.com | tcp |
| IT | 151.100.101.215:80 | stud.infostud.uniroma1.it | tcp |
| IT | 151.100.101.215:465 | stud.infostud.uniroma1.it | tcp |
| NL | 52.101.73.11:143 | sloty-com.mail.protection.outlook.com | tcp |
| IT | 151.100.101.215:80 | stud.infostud.uniroma1.it | tcp |
| US | 104.21.31.220:465 | regayzanko.com | tcp |
| US | 107.154.248.223:22 | sloty.com | tcp |
| NL | 52.101.73.11:465 | sloty-com.mail.protection.outlook.com | tcp |
| SG | 172.96.191.76:80 | masryonsat.net | tcp |
| N/A | 127.0.0.1:50416 | tcp | |
| N/A | 127.0.0.1:50422 | tcp | |
| N/A | 127.0.0.1:50430 | tcp | |
| N/A | 127.0.0.1:50432 | tcp | |
| N/A | 127.0.0.1:50434 | tcp | |
| N/A | 127.0.0.1:50437 | tcp | |
| GB | 107.154.212.223:80 | sloty.com | tcp |
| NL | 52.101.73.1:465 | farmasiint-com.mail.protection.outlook.com | tcp |
| GB | 107.154.212.223:80 | sloty.com | tcp |
| US | 8.8.8.8:53 | bithourly.net | udp |
| US | 104.21.31.220:995 | regayzanko.com | tcp |
| US | 104.18.32.195:22 | adobeid.services.adobe.com | tcp |
| N/A | 127.0.0.1:50440 | tcp | |
| TR | 195.46.154.244:80 | farmasiint.com | tcp |
| US | 104.18.32.195:21 | adobeid.services.adobe.com | tcp |
| US | 8.8.8.8:53 | us05web.zoom.us | udp |
| US | 8.8.8.8:53 | bluesea.com.bd | udp |
| US | 172.67.180.4:443 | regayzanko.com | tcp |
| US | 172.67.144.98:443 | claimfreecoins.io | tcp |
| N/A | 127.0.0.1:50452 | tcp | |
| N/A | 127.0.0.1:50455 | tcp | |
| US | 104.21.71.102:22 | claimfreecoins.io | tcp |
| US | 8.8.8.8:53 | sso.emea.teleperformance.com | udp |
| IE | 52.101.68.39:143 | farmasiint-com.mail.protection.outlook.com | tcp |
| US | 104.21.71.102:21 | claimfreecoins.io | tcp |
| IE | 52.101.68.8:143 | sloty-com.mail.protection.outlook.com | tcp |
| IE | 52.101.68.8:465 | sloty-com.mail.protection.outlook.com | tcp |
| IT | 151.100.101.215:995 | stud.infostud.uniroma1.it | tcp |
| TR | 195.46.154.244:22 | farmasiint.com | tcp |
| IE | 52.101.68.39:465 | farmasiint-com.mail.protection.outlook.com | tcp |
| ID | 111.223.252.90:465 | pendaftaran.unpad.ac.id | tcp |
| IE | 52.101.68.39:143 | farmasiint-com.mail.protection.outlook.com | tcp |
| N/A | 127.0.0.1:50459 | tcp | |
| NL | 52.101.73.1:995 | farmasiint-com.mail.protection.outlook.com | tcp |
| IE | 52.101.68.36:143 | farmasiint-com.mail.protection.outlook.com | tcp |
| N/A | 127.0.0.1:50462 | tcp | |
| N/A | 127.0.0.1:50463 | tcp | |
| N/A | 127.0.0.1:50469 | tcp | |
| N/A | 127.0.0.1:50477 | tcp | |
| N/A | 127.0.0.1:50481 | tcp | |
| US | 8.8.8.8:53 | rl-itdept01-ukftxamwrq.app02-21.logmein.com | udp |
| IE | 52.101.68.12:143 | sloty-com.mail.protection.outlook.com | tcp |
| IE | 52.101.68.39:465 | farmasiint-com.mail.protection.outlook.com | tcp |
| NL | 52.101.73.6:143 | farmasiint-com.mail.protection.outlook.com | tcp |
| IE | 52.101.68.36:465 | farmasiint-com.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | myaccount.centerpointenergy.com | udp |
| US | 8.8.8.8:53 | adobeid.services.adobe.com | udp |
| IE | 52.101.68.12:465 | sloty-com.mail.protection.outlook.com | tcp |
| IE | 52.101.68.39:995 | farmasiint-com.mail.protection.outlook.com | tcp |
| NL | 52.101.73.6:465 | farmasiint-com.mail.protection.outlook.com | tcp |
| SG | 172.96.191.76:80 | masryonsat.net | tcp |
| US | 172.64.155.61:143 | adobeid.services.adobe.com | tcp |
| US | 172.64.155.61:80 | adobeid.services.adobe.com | tcp |
| US | 8.8.8.8:53 | 223.212.154.107.in-addr.arpa | udp |
| IE | 52.101.68.36:995 | farmasiint-com.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | 244.154.46.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.155.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sso.emea.teleperformance.com | udp |
| US | 8.8.8.8:53 | bluesea.com.bd | udp |
| US | 8.8.8.8:53 | _dc-mx.7f0121abe11c.claimfreecoins.io | udp |
| US | 8.8.8.8:53 | sloty-com.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | us05web.zoom.us | udp |
| US | 8.8.8.8:53 | bithourly.net | udp |
| US | 8.8.8.8:53 | myaccount.centerpointenergy.com | udp |
| US | 8.8.8.8:53 | project-infinity.cloud | udp |
| US | 8.8.8.8:53 | adobeid.services.adobe.com | udp |
| N/A | 127.0.0.1:50484 | tcp | |
| N/A | 127.0.0.1:50489 | tcp | |
| N/A | 127.0.0.1:50491 | tcp | |
| N/A | 127.0.0.1:50496 | tcp | |
| N/A | 127.0.0.1:50502 | tcp | |
| N/A | 127.0.0.1:50505 | tcp | |
| N/A | 127.0.0.1:50507 | tcp | |
| N/A | 127.0.0.1:50515 | tcp | |
| N/A | 127.0.0.1:50518 | tcp | |
| N/A | 127.0.0.1:50521 | tcp | |
| N/A | 127.0.0.1:50531 | tcp | |
| US | 172.67.144.98:80 | claimfreecoins.io | tcp |
| N/A | 127.0.0.1:50538 | tcp | |
| N/A | 127.0.0.1:50541 | tcp | |
| N/A | 127.0.0.1:50544 | tcp | |
| US | 8.8.8.8:53 | rl-itdept01-ukftxamwrq.app02-21.logmein.com | udp |
| US | 8.8.8.8:53 | project-infinity.cloud | udp |
| ID | 111.223.252.90:443 | pendaftaran.unpad.ac.id | tcp |
| N/A | 127.0.0.1:50553 | tcp | |
| N/A | 127.0.0.1:50555 | tcp | |
| N/A | 127.0.0.1:50559 | tcp | |
| N/A | 127.0.0.1:50571 | tcp | |
| N/A | 127.0.0.1:50575 | tcp | |
| N/A | 127.0.0.1:50582 | tcp | |
| N/A | 127.0.0.1:50584 | tcp | |
| N/A | 127.0.0.1:50586 | tcp | |
| N/A | 127.0.0.1:50590 | tcp | |
| N/A | 127.0.0.1:50594 | tcp | |
| N/A | 127.0.0.1:50597 | tcp | |
| N/A | 127.0.0.1:50602 | tcp | |
| N/A | 127.0.0.1:50616 | tcp | |
| N/A | 127.0.0.1:50623 | tcp | |
| N/A | 127.0.0.1:50627 | tcp | |
| US | 8.8.8.8:53 | pb-dekthai.com | udp |
| IT | 151.100.101.215:443 | stud.infostud.uniroma1.it | tcp |
| N/A | 127.0.0.1:50632 | tcp | |
| N/A | 127.0.0.1:50635 | tcp | |
| N/A | 127.0.0.1:50638 | tcp | |
| N/A | 127.0.0.1:50645 | tcp | |
| N/A | 127.0.0.1:50648 | tcp | |
| N/A | 127.0.0.1:50650 | tcp | |
| N/A | 127.0.0.1:50653 | tcp | |
| N/A | 127.0.0.1:50655 | tcp | |
| US | 8.8.8.8:53 | pb-dekthai.com | udp |
| ID | 111.223.252.90:80 | pendaftaran.unpad.ac.id | tcp |
| US | 8.8.8.8:53 | idp.nycenet.edu | udp |
| US | 8.8.8.8:53 | bithourly.net | udp |
| US | 8.8.8.8:53 | rl-itdept01-ukftxamwrq.app02-21.logmein.com | udp |
| N/A | 127.0.0.1:50663 | tcp | |
| N/A | 127.0.0.1:50665 | tcp | |
| N/A | 127.0.0.1:50668 | tcp | |
| N/A | 127.0.0.1:50675 | tcp | |
| N/A | 127.0.0.1:50678 | tcp | |
| N/A | 127.0.0.1:50682 | tcp | |
| N/A | 127.0.0.1:50684 | tcp | |
| N/A | 127.0.0.1:50688 | tcp | |
| N/A | 127.0.0.1:50696 | tcp | |
| N/A | 127.0.0.1:50704 | tcp | |
| N/A | 127.0.0.1:50711 | tcp | |
| N/A | 127.0.0.1:50718 | tcp | |
| N/A | 127.0.0.1:50723 | tcp | |
| N/A | 127.0.0.1:50728 | tcp | |
| N/A | 127.0.0.1:50731 | tcp | |
| N/A | 127.0.0.1:50735 | tcp | |
| N/A | 127.0.0.1:50747 | tcp | |
| N/A | 127.0.0.1:50752 | tcp | |
| N/A | 127.0.0.1:50755 | tcp | |
| N/A | 127.0.0.1:50757 | tcp | |
| N/A | 127.0.0.1:50763 | tcp | |
| N/A | 127.0.0.1:50766 | tcp | |
| N/A | 127.0.0.1:50775 | tcp | |
| N/A | 127.0.0.1:50777 | tcp | |
| N/A | 127.0.0.1:50781 | tcp | |
| US | 8.8.8.8:53 | lebenslauf2go.de | udp |
| GB | 107.154.212.223:80 | sloty.com | tcp |
| US | 8.8.8.8:53 | idp.nycenet.edu | udp |
| US | 8.8.8.8:53 | lebenslauf2go.de | udp |
| N/A | 127.0.0.1:50787 | tcp | |
| N/A | 127.0.0.1:50792 | tcp | |
| N/A | 127.0.0.1:50800 | tcp | |
| N/A | 127.0.0.1:50803 | tcp | |
| N/A | 127.0.0.1:50808 | tcp | |
| N/A | 127.0.0.1:50810 | tcp | |
| N/A | 127.0.0.1:50816 | tcp | |
| N/A | 127.0.0.1:50824 | tcp | |
| N/A | 127.0.0.1:50828 | tcp | |
| US | 8.8.8.8:53 | seminolewildcard.com | udp |
| SG | 172.96.191.76:80 | masryonsat.net | tcp |
| US | 8.8.8.8:53 | seminolewildcard.com | udp |
| ID | 149.129.233.232:80 | account.kemnaker.go.id | tcp |
| GB | 107.154.212.223:80 | sloty.com | tcp |
| N/A | 127.0.0.1:50840 | tcp | |
| N/A | 127.0.0.1:50844 | tcp | |
| N/A | 127.0.0.1:50846 | tcp | |
| N/A | 127.0.0.1:50849 | tcp | |
| N/A | 127.0.0.1:50853 | tcp | |
| N/A | 127.0.0.1:50859 | tcp | |
| N/A | 127.0.0.1:50862 | tcp | |
| N/A | 127.0.0.1:50867 | tcp | |
| N/A | 127.0.0.1:50872 | tcp | |
| N/A | 127.0.0.1:50876 | tcp | |
| N/A | 127.0.0.1:50878 | tcp | |
| N/A | 127.0.0.1:50880 | tcp | |
| US | 8.8.8.8:53 | madafaka.ru | udp |
| US | 8.8.8.8:53 | www.farmasi.com.tr | udp |
| US | 8.8.8.8:53 | madafaka.ru | udp |
| US | 13.58.172.217:443 | www.farmasi.com.tr | tcp |
| US | 8.8.8.8:53 | bithourly.net | udp |
| N/A | 127.0.0.1:50883 | tcp | |
| N/A | 127.0.0.1:50887 | tcp | |
| N/A | 127.0.0.1:50890 | tcp | |
| N/A | 127.0.0.1:50893 | tcp | |
| N/A | 127.0.0.1:50900 | tcp | |
| N/A | 127.0.0.1:50902 | tcp | |
| N/A | 127.0.0.1:50907 | tcp | |
| N/A | 127.0.0.1:50909 | tcp | |
| N/A | 127.0.0.1:50912 | tcp | |
| N/A | 127.0.0.1:50921 | tcp | |
| N/A | 127.0.0.1:50925 | tcp | |
| N/A | 127.0.0.1:50928 | tcp | |
| N/A | 127.0.0.1:50931 | tcp | |
| N/A | 127.0.0.1:50933 | tcp | |
| N/A | 127.0.0.1:50935 | tcp | |
| N/A | 127.0.0.1:50937 | tcp | |
| SG | 172.96.191.76:80 | masryonsat.net | tcp |
| N/A | 127.0.0.1:50943 | tcp | |
| N/A | 127.0.0.1:50945 | tcp | |
| N/A | 127.0.0.1:50950 | tcp | |
| N/A | 127.0.0.1:50953 | tcp | |
| N/A | 127.0.0.1:50960 | tcp | |
| N/A | 127.0.0.1:50964 | tcp | |
| N/A | 127.0.0.1:50967 | tcp | |
| N/A | 127.0.0.1:50975 | tcp | |
| N/A | 127.0.0.1:50977 | tcp | |
| N/A | 127.0.0.1:50979 | tcp | |
| N/A | 127.0.0.1:50981 | tcp | |
| N/A | 127.0.0.1:50985 | tcp | |
| N/A | 127.0.0.1:50991 | tcp | |
| N/A | 127.0.0.1:50997 | tcp | |
| N/A | 127.0.0.1:51000 | tcp | |
| US | 8.8.8.8:53 | login.gaijin.net | udp |
| N/A | 127.0.0.1:51006 | tcp | |
| US | 8.8.8.8:53 | api.julofinance.com | udp |
| ID | 111.223.252.90:443 | pendaftaran.unpad.ac.id | tcp |
| N/A | 127.0.0.1:51009 | tcp | |
| US | 172.67.180.4:80 | regayzanko.com | tcp |
| N/A | 127.0.0.1:51012 | tcp | |
| N/A | 127.0.0.1:51023 | tcp | |
| N/A | 127.0.0.1:51033 | tcp | |
| US | 8.8.8.8:53 | 98.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | madafaka.ru | udp |
| US | 8.8.8.8:53 | bluesea.com.bd | udp |
| N/A | 127.0.0.1:51044 | tcp | |
| N/A | 127.0.0.1:51047 | tcp | |
| US | 170.114.52.5:80 | us05web.zoom.us | tcp |
| N/A | 127.0.0.1:51049 | tcp | |
| US | 8.8.8.8:53 | api.julofinance.com | udp |
| US | 8.8.8.8:53 | login.gaijin.net | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| N/A | 127.0.0.1:51054 | tcp | |
| N/A | 127.0.0.1:51058 | tcp | |
| N/A | 127.0.0.1:51060 | tcp | |
| N/A | 127.0.0.1:51063 | tcp | |
| N/A | 127.0.0.1:51068 | tcp | |
| TR | 195.46.154.244:80 | farmasiint.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | apps.trac.jobs | udp |
| US | 8.8.8.8:53 | sso.emea.teleperformance.com | udp |
| N/A | 127.0.0.1:51079 | tcp | |
| N/A | 127.0.0.1:51082 | tcp | |
| N/A | 127.0.0.1:51086 | tcp | |
| N/A | 127.0.0.1:51091 | tcp | |
| N/A | 127.0.0.1:51093 | tcp | |
| N/A | 127.0.0.1:51097 | tcp | |
| N/A | 127.0.0.1:51105 | tcp | |
| N/A | 127.0.0.1:51111 | tcp | |
| N/A | 127.0.0.1:51114 | tcp | |
| N/A | 127.0.0.1:51117 | tcp | |
| N/A | 127.0.0.1:51120 | tcp | |
| US | 8.8.8.8:53 | apps.trac.jobs | udp |
| US | 8.8.8.8:53 | asia.wargaming.net | udp |
| N/A | 127.0.0.1:51130 | tcp | |
| N/A | 127.0.0.1:51135 | tcp | |
| N/A | 127.0.0.1:51138 | tcp | |
| N/A | 127.0.0.1:51140 | tcp | |
| N/A | 127.0.0.1:51142 | tcp | |
| N/A | 127.0.0.1:51148 | tcp | |
| N/A | 127.0.0.1:51150 | tcp | |
| N/A | 127.0.0.1:51152 | tcp | |
| N/A | 127.0.0.1:51155 | tcp | |
| N/A | 127.0.0.1:51158 | tcp | |
| N/A | 127.0.0.1:51163 | tcp | |
| N/A | 127.0.0.1:51166 | tcp | |
| N/A | 127.0.0.1:51169 | tcp | |
| N/A | 127.0.0.1:51175 | tcp | |
| N/A | 127.0.0.1:51178 | tcp | |
| N/A | 127.0.0.1:51181 | tcp | |
| N/A | 127.0.0.1:51183 | tcp | |
| N/A | 127.0.0.1:51185 | tcp | |
| N/A | 127.0.0.1:51191 | tcp | |
| N/A | 127.0.0.1:51197 | tcp | |
| N/A | 127.0.0.1:51199 | tcp | |
| N/A | 127.0.0.1:51202 | tcp | |
| N/A | 127.0.0.1:51214 | tcp | |
| N/A | 127.0.0.1:51216 | tcp | |
| N/A | 127.0.0.1:51221 | tcp | |
| N/A | 127.0.0.1:51225 | tcp | |
| N/A | 127.0.0.1:51227 | tcp | |
| US | 8.8.8.8:53 | asia.wargaming.net | udp |
| US | 8.8.8.8:53 | molotov.tv | udp |
| US | 8.8.8.8:53 | ftp.bluesea.com.bd | udp |
| US | 8.8.8.8:53 | molotov.tv | udp |
| US | 8.8.8.8:53 | kogama.com.br | udp |
| US | 8.8.8.8:53 | account.protonvpn.com | udp |
| US | 8.8.8.8:53 | kogama.com.br | udp |
| US | 8.8.8.8:53 | account.protonvpn.com | udp |
| US | 8.8.8.8:53 | ecampus.uesiglo21.edu.ar | udp |
| US | 8.8.8.8:53 | sloty-com.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | ecampus.uesiglo21.edu.ar | udp |
| US | 8.8.8.8:53 | farmasiint-com.mail.protection.outlook.com | udp |
| N/A | 127.0.0.1:51237 | tcp | |
| N/A | 127.0.0.1:51240 | tcp | |
| N/A | 127.0.0.1:51243 | tcp | |
| N/A | 127.0.0.1:51245 | tcp | |
| N/A | 127.0.0.1:51248 | tcp | |
| US | 8.8.8.8:53 | cscgraminnaukri.in | udp |
| US | 8.8.8.8:53 | rl-itdept01-ukftxamwrq.app02-21.logmein.com | udp |
| US | 8.8.8.8:53 | cscgraminnaukri.in | udp |
| US | 8.8.8.8:53 | play.na.leagueoflegends.com | udp |
| US | 8.8.8.8:53 | bithourly.net | udp |
| US | 8.8.8.8:53 | play.na.leagueoflegends.com | udp |
| US | 8.8.8.8:53 | ipstresser.com | udp |
| US | 8.8.8.8:53 | ipstresser.com | udp |
| US | 8.8.8.8:53 | titkosviszony.com | udp |
| US | 8.8.8.8:53 | titkosviszony.com | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 8.8.8.8:53 | bluesea.com.bd | udp |
| US | 8.8.8.8:53 | forum.generationzero.com | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 8.8.8.8:53 | forum.generationzero.com | udp |
| US | 8.8.8.8:53 | serviciosdigitales.imss.gob.mx | udp |
| US | 8.8.8.8:53 | prepaidonline.com | udp |
| US | 8.8.8.8:53 | serviciosdigitales.imss.gob.mx | udp |
| US | 8.8.8.8:53 | prepaidonline.com | udp |
| US | 8.8.8.8:53 | btech-loyalty360.dsquares.com | udp |
| US | 8.8.8.8:53 | mail.project-infinity.cloud | udp |
| US | 8.8.8.8:53 | sso.emea.teleperformance.com | udp |
| US | 8.8.8.8:53 | btech-loyalty360.dsquares.com | udp |
| US | 8.8.8.8:53 | emb.mbbank.com.vn | udp |
| US | 8.8.8.8:53 | emb.mbbank.com.vn | udp |
| US | 8.8.8.8:53 | habblet.city | udp |
| US | 8.8.8.8:53 | habblet.city | udp |
| US | 8.8.8.8:53 | eur.pokerstarscasino.eu | udp |
| US | 8.8.8.8:53 | eur.pokerstarscasino.eu | udp |
| US | 8.8.8.8:53 | flyheight.com | udp |
| US | 8.8.8.8:53 | flyheight.com | udp |
| US | 8.8.8.8:53 | windscribe.com | udp |
| US | 8.8.8.8:53 | windscribe.com | udp |
| US | 8.8.8.8:53 | dominion.games | udp |
| US | 8.8.8.8:53 | help.steampowered.com | udp |
| US | 8.8.8.8:53 | dominion.games | udp |
| US | 8.8.8.8:53 | help.steampowered.com | udp |
| US | 8.8.8.8:53 | pb-dekthai.com | udp |
| US | 8.8.8.8:53 | portal.elm.sa | udp |
| US | 8.8.8.8:53 | webtop.co.il | udp |
| US | 8.8.8.8:53 | webtop.co.il | udp |
| US | 8.8.8.8:53 | login.gog.com | udp |
| US | 8.8.8.8:53 | login.gog.com | udp |
| US | 8.8.8.8:53 | studio.rockcontent.com | udp |
| US | 8.8.8.8:53 | studio.rockcontent.com | udp |
| US | 8.8.8.8:53 | career10.successfactors.com | udp |
| US | 8.8.8.8:53 | common.99taxis.mobi | udp |
| US | 8.8.8.8:53 | career10.successfactors.com | udp |
| US | 8.8.8.8:53 | common.99taxis.mobi | udp |
| US | 8.8.8.8:53 | retail.onlinesbi.com | udp |
| US | 8.8.8.8:53 | socialtools.ru | udp |
| US | 8.8.8.8:53 | retail.onlinesbi.com | udp |
| US | 8.8.8.8:53 | socialtools.ru | udp |
| US | 8.8.8.8:53 | ptronline.co.uk | udp |
| US | 8.8.8.8:53 | account.samsung.com | udp |
| US | 8.8.8.8:53 | ptronline.co.uk | udp |
| US | 8.8.8.8:53 | account.samsung.com | udp |
| US | 8.8.8.8:53 | connect.ubisoft.com | udp |
| US | 8.8.8.8:53 | connect.ubisoft.com | udp |
| US | 8.8.8.8:53 | app.resumecoach.com | udp |
| US | 8.8.8.8:53 | app.resumecoach.com | udp |
| US | 8.8.8.8:53 | portal.trueinternet.co.th | udp |
| US | 8.8.8.8:53 | portal.trueinternet.co.th | udp |
| US | 8.8.8.8:53 | apps.timeclockwizard.com | udp |
| US | 8.8.8.8:53 | mx0.jobware.net | udp |
| US | 8.8.8.8:53 | apps.timeclockwizard.com | udp |
| US | 8.8.8.8:53 | pmprb.menpan.go.id | udp |
| US | 8.8.8.8:53 | cabinet.salyk.kz | udp |
| US | 8.8.8.8:53 | pmprb.menpan.go.id | udp |
| US | 8.8.8.8:53 | cabinet.salyk.kz | udp |
| US | 8.8.8.8:53 | eblagh.adliran.ir | udp |
| US | 8.8.8.8:53 | eblagh.adliran.ir | udp |
| US | 8.8.8.8:53 | online.nationalgridus.com | udp |
| US | 8.8.8.8:53 | online.nationalgridus.com | udp |
| US | 8.8.8.8:53 | login.blockchain.com | udp |
| US | 8.8.8.8:53 | superbahis199.com | udp |
| US | 8.8.8.8:53 | superbahis199.com | udp |
| US | 8.8.8.8:53 | albarcollege.com | udp |
| US | 8.8.8.8:53 | albarcollege.com | udp |
| US | 8.8.8.8:53 | ahmdsat.com | udp |
| US | 8.8.8.8:53 | ahmdsat.com | udp |
| US | 8.8.8.8:53 | signup.br.leagueoflegends.com | udp |
| US | 8.8.8.8:53 | signup.br.leagueoflegends.com | udp |
| US | 8.8.8.8:53 | olion.cash | udp |
| US | 8.8.8.8:53 | olion.cash | udp |
| US | 8.8.8.8:53 | bepay.zendesk.com | udp |
| US | 8.8.8.8:53 | 217.172.58.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ec.infoanuncios.com | udp |
| US | 8.8.8.8:53 | ec.infoanuncios.com | udp |
| US | 8.8.8.8:53 | plusdede.com | udp |
| US | 8.8.8.8:53 | madafaka.ru | udp |
| US | 8.8.8.8:53 | plusdede.com | udp |
| US | 8.8.8.8:53 | hphconnect.harvardpilgrim.org | udp |
| US | 8.8.8.8:53 | hphconnect.harvardpilgrim.org | udp |
| US | 8.8.8.8:53 | mxa-005e3801.gslb.pphosted.com | udp |
| US | 8.8.8.8:53 | exam.etoos.com | udp |
| US | 8.8.8.8:53 | siagapendis.com | udp |
| US | 8.8.8.8:53 | exam.etoos.com | udp |
| US | 8.8.8.8:53 | shopee.co.id | udp |
| US | 8.8.8.8:53 | siagapendis.com | udp |
| US | 8.8.8.8:53 | shopee.co.id | udp |
| US | 8.8.8.8:53 | sso.garena.com | udp |
| US | 8.8.8.8:53 | sso.garena.com | udp |
| US | 8.8.8.8:53 | avoncosmetics.ro | udp |
| US | 8.8.8.8:53 | avoncosmetics.ro | udp |
| US | 8.8.8.8:53 | makedollars.in | udp |
| US | 8.8.8.8:53 | makedollars.in | udp |
| US | 8.8.8.8:53 | xflow.cc | udp |
| US | 8.8.8.8:53 | xflow.cc | udp |
| US | 8.8.8.8:53 | buddy4study.com | udp |
| US | 8.8.8.8:53 | buddy4study.com | udp |
| US | 8.8.8.8:53 | signup.na.leagueoflegends.com | udp |
| US | 8.8.8.8:53 | signup.na.leagueoflegends.com | udp |
| US | 8.8.8.8:53 | auth.dadeschools.net | udp |
| US | 8.8.8.8:53 | auth.dadeschools.net | udp |
| US | 8.8.8.8:53 | kissasian.com | udp |
| US | 8.8.8.8:53 | kissasian.com | udp |
| US | 8.8.8.8:53 | auth.tankionline.com | udp |
| US | 8.8.8.8:53 | auth.tankionline.com | udp |
| US | 8.8.8.8:53 | trakt.tv | udp |
| US | 8.8.8.8:53 | trakt.tv | udp |
| US | 8.8.8.8:53 | slotxo.com | udp |
| US | 8.8.8.8:53 | 5.52.114.170.in-addr.arpa | udp |
| US | 8.8.8.8:53 | slotxo.com | udp |
| US | 8.8.8.8:53 | salonv.utecvirtual.edu.sv | udp |
| US | 8.8.8.8:53 | salonv.utecvirtual.edu.sv | udp |
| US | 8.8.8.8:53 | pt-br.facebook.com | udp |
| US | 8.8.8.8:53 | pt-br.facebook.com | udp |
| US | 8.8.8.8:53 | ladypopular.ro | udp |
| US | 8.8.8.8:53 | ladypopular.ro | udp |
| US | 8.8.8.8:53 | yggtorrent.si | udp |
| US | 8.8.8.8:53 | yggtorrent.si | udp |
| US | 8.8.8.8:53 | alt1.gmr-smtp-in.l.google.com | udp |
| US | 8.8.8.8:53 | passport.twitch.tv | udp |
| US | 8.8.8.8:53 | stakes.com | udp |
| US | 8.8.8.8:53 | passport.twitch.tv | udp |
| US | 8.8.8.8:53 | stakes.com | udp |
| US | 8.8.8.8:53 | my.te.eg | udp |
| US | 8.8.8.8:53 | my.te.eg | udp |
| US | 8.8.8.8:53 | fuelly.com | udp |
| US | 8.8.8.8:53 | fuelly.com | udp |
| US | 8.8.8.8:53 | identi.li | udp |
| US | 8.8.8.8:53 | identi.li | udp |
| US | 8.8.8.8:53 | gdfplay7.com | udp |
| US | 8.8.8.8:53 | grupoboticario.csod.com | udp |
| US | 8.8.8.8:53 | gdfplay7.com | udp |
| US | 8.8.8.8:53 | grupoboticario.csod.com | udp |
| US | 8.8.8.8:53 | bajajallianzlifeonline.co.in | udp |
| US | 8.8.8.8:53 | bajajallianzlifeonline.co.in | udp |
| US | 8.8.8.8:53 | predeled.com | udp |
| US | 8.8.8.8:53 | predeled.com | udp |
| US | 8.8.8.8:53 | app-vlc.hotmart.com | udp |
| US | 8.8.8.8:53 | app-vlc.hotmart.com | udp |
| N/A | 127.0.0.1:51250 | | tcp |
| N/A | 127.0.0.1:51254 | | tcp |
| N/A | 127.0.0.1:51256 | | tcp |
| N/A | 127.0.0.1:51259 | | tcp |
| N/A | 127.0.0.1:51270 | | tcp |
| N/A | 127.0.0.1:51278 | | tcp |
| N/A | 127.0.0.1:51280 | | tcp |
| N/A | 127.0.0.1:51285 | | tcp |
| N/A | 127.0.0.1:51291 | | tcp |
| N/A | 127.0.0.1:51295 | | tcp |
| N/A | 127.0.0.1:51298 | | tcp |
| N/A | 127.0.0.1:51303 | | tcp |
| N/A | 127.0.0.1:51306 | | tcp |
| N/A | 127.0.0.1:51309 | | tcp |
| N/A | 127.0.0.1:51312 | | tcp |
| N/A | 127.0.0.1:51319 | | tcp |
| N/A | 127.0.0.1:51328 | | tcp |
| N/A | 127.0.0.1:51331 | | tcp |
| N/A | 127.0.0.1:51333 | | tcp |
| N/A | 127.0.0.1:51341 | | tcp |
| N/A | 127.0.0.1:51346 | | tcp |
| N/A | 127.0.0.1:51349 | | tcp |
| N/A | 127.0.0.1:51352 | | tcp |
| N/A | 127.0.0.1:51356 | | tcp |
| N/A | 127.0.0.1:51361 | | tcp |
| N/A | 127.0.0.1:51365 | | tcp |
| N/A | 127.0.0.1:51369 | | tcp |
| N/A | 127.0.0.1:51374 | | tcp |
| N/A | 127.0.0.1:51378 | | tcp |
| N/A | 127.0.0.1:51380 | | tcp |
| N/A | 127.0.0.1:51387 | | tcp |
| N/A | 127.0.0.1:51389 | | tcp |
| N/A | 127.0.0.1:51393 | | tcp |
| N/A | 127.0.0.1:51405 | | tcp |
| N/A | 127.0.0.1:51409 | | tcp |
| N/A | 127.0.0.1:51411 | | tcp |
| N/A | 127.0.0.1:51415 | | tcp |
| N/A | 127.0.0.1:51421 | | tcp |
| N/A | 127.0.0.1:51424 | | tcp |
| N/A | 127.0.0.1:51426 | | tcp |
| N/A | 127.0.0.1:51429 | | tcp |
| N/A | 127.0.0.1:51432 | | tcp |
| N/A | 127.0.0.1:51437 | | tcp |
| N/A | 127.0.0.1:51439 | | tcp |
| N/A | 127.0.0.1:51442 | | tcp |
| N/A | 127.0.0.1:51445 | | tcp |
| N/A | 127.0.0.1:51448 | | tcp |
| N/A | 127.0.0.1:20129 | | tcp |
| N/A | 127.0.0.1:51463 | | tcp |
| N/A | 127.0.0.1:51466 | | tcp |
| N/A | 127.0.0.1:51470 | | tcp |
| N/A | 127.0.0.1:51476 | | tcp |
| N/A | 127.0.0.1:51482 | | tcp |
| N/A | 127.0.0.1:51484 | | tcp |
| N/A | 127.0.0.1:51490 | | tcp |
| N/A | 127.0.0.1:51494 | | tcp |
| N/A | 127.0.0.1:51497 | | tcp |
| US | 8.8.8.8:53 | loja.levelupgames.com.br | udp |
| US | 158.81.16.60:80 | myaccount.centerpointenergy.com | tcp |
| US | 104.26.8.16:80 | project-infinity.cloud | tcp |
| IT | 151.100.101.215:80 | stud.infostud.uniroma1.it | tcp |
| US | 165.155.116.81:80 | idp.nycenet.edu | tcp |
| DE | 89.146.206.134:80 | lebenslauf2go.de | tcp |
| GB | 107.154.212.223:80 | sloty.com | tcp |
| SG | 172.96.191.76:80 | masryonsat.net | tcp |
| ID | 111.223.252.90:80 | pendaftaran.unpad.ac.id | tcp |
| ID | 149.129.224.24:80 | api.julofinance.com | tcp |
| US | 104.20.221.62:80 | login.gaijin.net | tcp |
| BE | 64.233.166.84:80 | accounts.google.com | tcp |
| SG | 92.223.17.165:80 | asia.wargaming.net | tcp |
| US | 104.26.8.16:80 | project-infinity.cloud | tcp |
| ID | 149.129.233.232:80 | account.kemnaker.go.id | tcp |
| US | 8.8.8.8:53 | classe-numerique.fr | udp |
| US | 104.18.40.175:80 | apps.trac.jobs | tcp |
| US | 8.8.8.8:53 | habilitacaonet.com.br | udp |
| US | 8.8.8.8:53 | epic.ecfmgepic.org | udp |
| US | 104.18.34.95:80 | seminolewildcard.com | tcp |
| US | 8.8.8.8:53 | 62.221.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cbilling.in | udp |
| N/A | 127.0.0.1:51507 | | tcp |
| N/A | 127.0.0.1:51510 | | tcp |
| US | 8.8.8.8:53 | 134.206.146.89.in-addr.arpa | udp |
| IT | 151.100.101.215:80 | stud.infostud.uniroma1.it | tcp |
| US | 104.26.8.16:80 | project-infinity.cloud | tcp |
| US | 165.155.116.81:80 | idp.nycenet.edu | tcp |
| US | 8.8.8.8:53 | 84.166.233.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.116.155.165.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.224.129.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.17.223.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.16.81.158.in-addr.arpa | udp |
| US | 8.8.8.8:53 | loja.levelupgames.com.br | udp |
| US | 8.8.8.8:53 | alt1.aspmx.l.google.com | udp |
| US | 104.18.40.175:80 | apps.trac.jobs | tcp |
| N/A | 127.0.0.1:51514 | | tcp |
| US | 8.8.8.8:53 | 95.34.18.104.in-addr.arpa | udp |
| US | 104.26.8.16:80 | project-infinity.cloud | tcp |
| US | 8.8.8.8:53 | classe-numerique.fr | udp |
| US | 8.8.8.8:53 | 175.40.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.8.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | myptc.pulaskitech.edu | udp |
| US | 8.8.8.8:53 | olion.cash | udp |
| US | 8.8.8.8:53 | signup.na.leagueoflegends.com | udp |
| US | 8.8.8.8:53 | www.unitybyhardrock.com | udp |
| US | 8.8.8.8:53 | mail.albarcollege.com | udp |
| US | 8.8.8.8:53 | mx3.mail.ovh.net | udp |
| US | 8.8.8.8:53 | signup.br.leagueoflegends.com | udp |
| US | 8.8.8.8:53 | help.steampowered.com | udp |
| US | 8.8.8.8:53 | mxa-004fae02.gslb.pphosted.com | udp |
| US | 8.8.8.8:53 | ssh.bluesea.com.bd | udp |
| US | 8.8.8.8:53 | bluesea.com.bd | udp |
| US | 8.8.8.8:53 | myptc.pulaskitech.edu | udp |
| US | 8.8.8.8:53 | mail.bluesea.com.bd | udp |
| US | 8.8.8.8:53 | park-mx.above.com | udp |
| US | 8.8.8.8:53 | portal.trueinternet.co.th | udp |
| US | 8.8.8.8:53 | mailmx.bezeqint.net | udp |
| US | 8.8.8.8:53 | habilitacaonet.com.br | udp |
| US | 8.8.8.8:53 | mail.kissasian.com | udp |
| US | 8.8.8.8:53 | mail.zendesk.com | udp |
| US | 8.8.8.8:53 | www.lebenslauf2go.de | udp |
| US | 8.8.8.8:53 | login.gaijin.net | udp |
| US | 8.8.8.8:53 | mail.rediffmailpro.com | udp |
| US | 8.8.8.8:53 | epic.ecfmgepic.org | udp |
| US | 8.8.8.8:53 | cbilling.in | udp |
| US | 8.8.8.8:53 | cabinet.salyk.kz | udp |
| US | 8.8.8.8:53 | aspmx.l.google.com | udp |
| US | 8.8.8.8:53 | madafaka.ru | udp |
| US | 8.8.8.8:53 | smtp.secureserver.net | udp |
| US | 8.8.8.8:53 | grupoboticario.csod.com | udp |
| US | 8.8.8.8:53 | sso.emea.teleperformance.com | udp |
| US | 8.8.8.8:53 | adobeid.services.adobe.com | udp |
| US | 8.8.8.8:53 | bithourly.net | udp |
| US | 8.8.8.8:53 | pb-dekthai.com | udp |
| US | 8.8.8.8:53 | connect.ubisoft.com | udp |
| US | 8.8.8.8:53 | rl-itdept01-ukftxamwrq.app02-21.logmein.com | udp |
| US | 8.8.8.8:53 | eu-smtp-inbound-1.mimecast.com | udp |
| US | 8.8.8.8:53 | career10.successfactors.com | udp |
| US | 8.8.8.8:53 | login.gog.com | udp |
| TR | 195.46.154.244:80 | farmasiint.com | tcp |
| US | 8.8.8.8:53 | mx.transip.email | udp |
| US | 8.8.8.8:53 | ftp.bluesea.com.bd | udp |
| US | 8.8.8.8:53 | account.kemnaker.go.id | udp |
| US | 8.8.8.8:53 | emb.mbbank.com.vn | udp |
| US | 8.8.8.8:53 | mx2.zohomail.com | udp |
| US | 8.8.8.8:53 | adobeid.services.adobe.com | udp |
| US | 8.8.8.8:53 | serviciosdigitales.imss.gob.mx | udp |
| US | 8.8.8.8:53 | rl-itdept01-ukftxamwrq.app02-21.logmein.com | udp |
| US | 8.8.8.8:53 | sso.emea.teleperformance.com | udp |
| US | 8.8.8.8:53 | prepaidonline.com | udp |
| US | 8.8.8.8:53 | bithourly.net | udp |
| US | 8.8.8.8:53 | farmasiint-com.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | spamassassin02.titkosviszony.com | udp |
| US | 8.8.8.8:53 | gdfplay7.com | udp |
| US | 8.8.8.8:53 | cabinet.salyk.kz | udp |
| US | 8.8.8.8:53 | grupoboticario.csod.com | udp |
| US | 8.8.8.8:53 | play.na.leagueoflegends.com | udp |
| US | 8.8.8.8:53 | sloty-com.mail.protection.outlook.com | udp |
| SG | 92.223.17.165:80 | asia.wargaming.net | tcp |
| US | 8.8.8.8:53 | pb-dekthai.com | udp |
| US | 8.8.8.8:53 | route2.mx.cloudflare.net | udp |
| US | 8.8.8.8:53 | olion.cash | udp |
| US | 8.8.8.8:53 | app-vlc.hotmart.com | udp |
| US | 8.8.8.8:53 | myptc.pulaskitech.edu | udp |
| US | 8.8.8.8:53 | pt-br.facebook.com | udp |
| US | 8.8.8.8:53 | bluesea.com.bd | udp |
| US | 172.67.216.115:80 | ipstresser.com | tcp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| US | 8.8.8.8:53 | rl-itdept01-ukftxamwrq.app02-21.logmein.com | udp |
| US | 52.1.1.237:80 | app-vlc.hotmart.com | tcp |
| US | 172.67.70.60:80 | fuelly.com | tcp |
| US | 8.8.8.8:53 | signup.na.leagueoflegends.com | udp |
| US | 162.159.138.6:80 | bepay.zendesk.com | tcp |
| GB | 23.214.154.77:80 | help.steampowered.com | tcp |
| US | 8.8.8.8:53 | pop.salonv.utecvirtual.edu.sv | udp |
| US | 8.8.8.8:53 | mail.account.samsung.com | udp |
| US | 8.8.8.8:53 | mail.ipstresser.com | udp |
| US | 8.8.8.8:53 | cscgraminnaukri.in | udp |
| US | 8.8.8.8:53 | shopee.co.id | udp |
| US | 8.8.8.8:53 | emb.mbbank.com.vn | udp |
| US | 8.8.8.8:53 | ftp.retail.onlinesbi.com | udp |
| US | 8.8.8.8:53 | ftp.play.na.leagueoflegends.com | udp |
| US | 8.8.8.8:53 | passport.twitch.tv | udp |
| US | 8.8.8.8:53 | imap.rl-itdept01-ukftxamwrq.app02-21.logmein.com | udp |
| US | 8.8.8.8:53 | account.samsung.com | udp |
| US | 8.8.8.8:53 | ftp.adobeid.services.adobe.com | udp |
| US | 8.8.8.8:53 | signup.br.leagueoflegends.com | udp |
| US | 8.8.8.8:53 | madafaka.ru | udp |
| US | 8.8.8.8:53 | help.steampowered.com | udp |
| US | 8.8.8.8:53 | tools.worldposta.com | udp |
| US | 8.8.8.8:53 | myptc.pulaskitech.edu | udp |
| GB | 163.70.147.22:80 | pt-br.facebook.com | tcp |
| US | 199.59.243.225:80 | ahmdsat.com | tcp |
| US | 172.67.156.97:80 | slotxo.com | tcp |
| IN | 3.7.158.175:80 | buddy4study.com | tcp |
| SG | 54.255.23.190:80 | siagapendis.com | tcp |
| US | 45.60.156.127:80 | portal.trueinternet.co.th | tcp |
| IN | 192.12.109.69:80 | retail.onlinesbi.com | tcp |
| US | 99.83.203.169:80 | eur.pokerstarscasino.eu | tcp |
| BG | 193.203.198.157:80 | ladypopular.ro | tcp |
| US | 162.159.137.232:80 | discord.com | tcp |
| SG | 202.181.90.248:80 | shopee.co.id | tcp |
| US | 15.197.192.55:80 | xflow.cc | tcp |
| US | 158.81.16.60:80 | myaccount.centerpointenergy.com | tcp |
| US | 104.20.53.127:80 | ecampus.uesiglo21.edu.ar | tcp |
| US | 172.67.165.28:80 | ec.infoanuncios.com | tcp |
| FR | 13.249.9.51:80 | passport.twitch.tv | tcp |
| GB | 3.9.51.5:80 | signup.br.leagueoflegends.com | tcp |
| US | 172.67.3.215:80 | trakt.tv | tcp |
| US | 172.67.70.60:80 | fuelly.com | tcp |
| US | 8.8.8.8:53 | mx3.mail.ovh.net | udp |
| US | 8.8.8.8:53 | asia.wargaming.net | udp |
| US | 8.8.8.8:53 | www.farmasi.com.tr | udp |
| US | 8.8.8.8:53 | 115.216.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | serviciosdigitales.imss.gob.mx | udp |
| US | 8.8.8.8:53 | ssh.bluesea.com.bd | udp |
| US | 8.8.8.8:53 | pb-dekthai.com | udp |
| US | 8.8.8.8:53 | ftp.pendaftaran.unpad.ac.id | udp |
| US | 8.8.8.8:53 | vestibulinhoetec.com.br | udp |
| US | 8.8.8.8:53 | m.hoyolab.com | udp |
| US | 172.67.182.74:80 | yggtorrent.si | tcp |
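The network table above is a raw, heavily duplicated dump. The following Python parser is an added example (it is not part of the sandbox report) that turns rows of this shape into deduplicated indicator sets: forward DNS names, PTR (in-addr.arpa) lookups, TCP endpoints with the hostnames seen on them, and the loopback ports. It also tolerates the loopback rows whose empty domain cell was shifted left during extraction, and flags HTTP connections whose "domain" cell is just the IP address; that last flag is a triage heuristic for prioritising review, not a verdict. The sample rows are copied from the listing above.

```python
"""Parse sandbox network-table rows into deduplicated indicator sets."""
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied from the listing above, including two loopback
# rows whose empty domain cell was shifted left during extraction.
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | 5.52.114.170.in-addr.arpa | udp |
| US | 8.8.8.8:53 | slotxo.com | udp |
| US | 8.8.8.8:53 | slotxo.com | udp |
| N/A | 127.0.0.1:51250 | tcp | |
| N/A | 127.0.0.1:51254 | tcp | |
| US | 172.67.156.97:80 | slotxo.com | tcp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| US | 104.26.8.16:80 | project-infinity.cloud | tcp |
| US | 104.26.8.16:80 | project-infinity.cloud | tcp |
"""

# Cells: country | ip:port | domain | proto. The last two may be shifted/empty.
ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[^|]*?)\s*\|\s*(?P<ip>[^|:\s]+):(?P<port>\d+)\s*\|"
    r"\s*(?P<c3>[^|]*?)\s*\|\s*(?P<c4>[^|]*?)\s*\|$"
)


def parse_row(line):
    """Return a dict for one table row, or None for lines that are not rows."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    cc, ip, port, c3, c4 = m.group("cc", "ip", "port", "c3", "c4")
    if c3 in ("tcp", "udp") and not c4:   # shifted loopback row: proto sits in cell 3
        domain, proto = "", c3
    else:
        domain, proto = c3, c4
    return {"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def summarize(text):
    """Group rows into forward DNS names, PTR lookups, TCP endpoints and loopback ports."""
    dns, ptr = Counter(), Counter()
    tcp = defaultdict(set)
    loopback, direct_ip = set(), set()
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        if row["ip"] == "127.0.0.1":
            loopback.add(row["port"])
        elif row["proto"] == "udp" and row["port"] == 53:
            bucket = ptr if row["domain"].endswith(".in-addr.arpa") else dns
            bucket[row["domain"]] += 1
        elif row["proto"] == "tcp":
            tcp[(row["ip"], row["port"])].add(row["domain"])
            if row["domain"] == row["ip"]:   # heuristic: HTTP to a bare IP, no hostname
                direct_ip.add((row["ip"], row["port"]))
    return {"dns": dns, "ptr": ptr, "tcp": dict(tcp),
            "loopback": loopback, "direct_ip": direct_ip}


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    print(f"{len(s['dns'])} DNS names, {len(s['ptr'])} PTR lookups, "
          f"{len(s['tcp'])} TCP endpoints, {len(s['loopback'])} loopback ports")
    print("direct-to-IP HTTP:", sorted(s["direct_ip"]))
```

Feeding the whole table to `summarize()` gives a far shorter list to review than the raw rows, and the counters preserve how often each name was queried, which is useful when separating a credential-validation burst against many legitimate sites from the handful of endpoints the sample actually talks to.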
Files
memory/2156-2-0x0000000000850000-0x000000000085B000-memory.dmp
memory/2156-3-0x0000000000400000-0x000000000071E000-memory.dmp
memory/2156-1-0x0000000000A10000-0x0000000000B10000-memory.dmp
memory/3300-4-0x00000000009F0000-0x0000000000A06000-memory.dmp
memory/2156-5-0x0000000000400000-0x000000000071E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EA31.exe
| MD5 | b6297922e4d7e05d1b009613d201883e |
| SHA1 | b6c739fd153f0078e115386bd0f87d784c1b5588 |
| SHA256 | 91a101f00488af2027b7fee5bfe9a14f290bcc401d183d352c9de40625af3700 |
| SHA512 | ab503a34d096ba5b6695505054e12ddf16ddd1407c1737d0fb5655b21947bab4de49e546b0ee1bbc9cdd581b8f32522ec720d27fa0fe9b79796ea0e3a6e3be79 |
memory/3884-15-0x0000000000CA0000-0x000000000114E000-memory.dmp
memory/3884-16-0x00000000777E4000-0x00000000777E5000-memory.dmp
memory/3884-17-0x0000000000CA0000-0x000000000114E000-memory.dmp
memory/3884-19-0x0000000004D70000-0x0000000004D71000-memory.dmp
memory/3884-18-0x0000000004D60000-0x0000000004D61000-memory.dmp
memory/3884-20-0x0000000004D50000-0x0000000004D51000-memory.dmp
memory/3884-21-0x0000000004D90000-0x0000000004D91000-memory.dmp
memory/3884-22-0x0000000004D30000-0x0000000004D31000-memory.dmp
memory/3884-23-0x0000000004D40000-0x0000000004D41000-memory.dmp
memory/3884-24-0x0000000004D80000-0x0000000004D81000-memory.dmp
memory/3884-27-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
memory/3884-26-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
memory/3884-32-0x0000000000CA0000-0x000000000114E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F52E.dll
| MD5 | b0fb18cfcac1983582e7fd67b2843ce8 |
| SHA1 | ca29cf7cee80be38c5d667d5e8c00e6ea11b3294 |
| SHA256 | 4132c2587cfe85b944d95835d8d0bf92a08a0f831ea26a45c826146048347f45 |
| SHA512 | 4d9e1b14ef1a8adc15d38846c0a4e1d762e76fd944c76621ef6ac3a8482d14e40cfd4d7a14853d7a99cca2a99aa438eba996e842f1172f5f9a8f34ba1d97daf9 |
memory/3752-36-0x0000000002B60000-0x0000000002B66000-memory.dmp
memory/3752-37-0x0000000010000000-0x00000000102CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FE76.exe
| MD5 | 996c2b1fb60f980ea6618aeefbe4cebf |
| SHA1 | a8553f7f723132a1d35f7a57cae1a2e267cbc2ac |
| SHA256 | f91c0a4753cdb98cce0ade020917fdefe7a8daf88d23b4c07595de741402ca50 |
| SHA512 | 4af8fb921a332c5ac3d43b85bc23c859e431702e00852537bf1831c7af8b990d880808d044a1317873c77fbdecb1af7c97bed9edd9e2185bcbfa390c463f9056 |
memory/3752-43-0x0000000004A10000-0x0000000004B3B000-memory.dmp
memory/2904-47-0x0000000000400000-0x0000000000848000-memory.dmp
memory/3752-46-0x0000000004B40000-0x0000000004C4F000-memory.dmp
memory/2772-49-0x0000000002490000-0x0000000002647000-memory.dmp
memory/2904-53-0x0000000000400000-0x0000000000848000-memory.dmp
memory/3752-54-0x0000000004B40000-0x0000000004C4F000-memory.dmp
memory/2904-55-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2772-45-0x00000000022D0000-0x000000000248C000-memory.dmp
memory/2904-56-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2904-57-0x0000000000400000-0x0000000000848000-memory.dmp
\Users\Admin\AppData\Local\Temp\F52E.dll
| MD5 | 4df0328552dc0b92f1de868ce2c403b2 |
| SHA1 | 70c8958e04aa39ae014f4a3b872dd8767bd53787 |
| SHA256 | 0d3631ed4e8fc19b9bb69109bb1d22ea063c665e678b30fe89a6aa4c7327f061 |
| SHA512 | ece5b5cf68a6e2247b1f83240b54758e5620153a944283c4251cd5d1f2ad45a7c0c062322f7ab934c1a839a0ec1accc28298db89c32e6fa2bb7ed3087a463267 |
memory/2904-58-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2904-61-0x00000000009E0000-0x00000000009E6000-memory.dmp
memory/3752-63-0x0000000010000000-0x00000000102CE000-memory.dmp
memory/2904-64-0x0000000002E10000-0x0000000002F3B000-memory.dmp
memory/2904-65-0x0000000002F40000-0x000000000304F000-memory.dmp
memory/2904-68-0x0000000002F40000-0x000000000304F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\376A.exe
| MD5 | 6bca42e5eb66bfe3afe72372a6321bf4 |
| SHA1 | dabcb08da88d6ceb695ae8139b8a2536878d64f8 |
| SHA256 | c348697434d4f5836faaa00ab05f2d0990b24ca359577187a8144809f0abc00a |
| SHA512 | 031cff5e0dea4920934b02a25b029c9cec9a740a52179d6a18fd0fe2e648b964c2a685cc0754271a089e7ab29eb7529fce0695c7060c646105370cc40d0e3ad4 |
C:\Users\Admin\AppData\Local\Temp\376A.exe
| MD5 | f6e4c8cd26710fed940c182f9da0c9c1 |
| SHA1 | 7458c638a33d79677e5f55d2108212779b55d06e |
| SHA256 | 69d3da358977a702c9cc23368430d5548bb72c199f31b2696a3a41c631578001 |
| SHA512 | b6055e9a3030a3600ad7f48e27fa69619524fcd2975cd9bbc04276609edee67cb9a9a8176ec5cdcca5c306d6f74c7d56d22bc7ba5e6015f81aa53d17e4cad936 |
memory/764-75-0x0000000000700000-0x0000000000C9E000-memory.dmp
memory/764-77-0x0000000073170000-0x000000007385E000-memory.dmp
memory/764-78-0x00000000055F0000-0x0000000005600000-memory.dmp
memory/764-79-0x0000000005BD0000-0x00000000060FC000-memory.dmp
memory/764-80-0x0000000005520000-0x0000000005540000-memory.dmp
memory/764-76-0x0000000005600000-0x000000000569C000-memory.dmp
memory/764-81-0x0000000005710000-0x000000000594A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/5104-87-0x0000000000E00000-0x00000000012AE000-memory.dmp
memory/5104-89-0x00000000049A0000-0x00000000049A1000-memory.dmp
memory/5104-88-0x0000000000E00000-0x00000000012AE000-memory.dmp
memory/5104-90-0x00000000049B0000-0x00000000049B1000-memory.dmp
memory/5104-91-0x0000000004990000-0x0000000004991000-memory.dmp
memory/5104-92-0x00000000049D0000-0x00000000049D1000-memory.dmp
memory/5104-94-0x0000000004980000-0x0000000004981000-memory.dmp
memory/5104-93-0x0000000004970000-0x0000000004971000-memory.dmp
memory/5104-95-0x00000000049C0000-0x00000000049C1000-memory.dmp
memory/5104-96-0x00000000049F0000-0x00000000049F1000-memory.dmp
memory/5104-97-0x00000000049E0000-0x00000000049E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8F00.exe
| MD5 | 335a4e93da9525ca826c55ed2d895edb |
| SHA1 | a9dab3c0d0ceb7afe87bcafa64bd60d09f02e848 |
| SHA256 | bcda23a97e9cafce4b5a314859453d6f10731171e5f11b5766bb268da05aa892 |
| SHA512 | a303a0be5eddcd9a96ba1a1db4bd58bd92b19206dd079d2a2473c80744e83523c8e4e78005c468b5ff4b2a3dc35e38024bd68d5259fdee9de16156a154f7d5a6 |
C:\Users\Admin\AppData\Local\Temp\8F00.exe
| MD5 | ffa00d51e3c494262790ff62c4b0ecc1 |
| SHA1 | 67efcaea156e58ded3f30c9d76708a8b28de6c4a |
| SHA256 | 7c48a615d3bcd024025bf9095d739ef90e02ee0bdbec08d4496966ba3124447f |
| SHA512 | 761d9946bd48f4b2b6021d11fdd02edb4fa7f4bd83200c01a6378694ada057af67fbeea7bd2b94bdba94fd73d31ba5bb2b82b99efbefaabf9eecbf1e22478ae5 |
memory/4984-102-0x0000000000300000-0x0000000000FE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9887.exe
| MD5 | a1b5ee1b9649ab629a7ac257e2392f8d |
| SHA1 | dc1b14b6d57589440fb3021c9e06a3e3191968dc |
| SHA256 | 2bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65 |
| SHA512 | 50ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b |
memory/4984-111-0x0000000001540000-0x0000000001541000-memory.dmp
memory/4984-107-0x0000000001530000-0x0000000001531000-memory.dmp
memory/4984-116-0x0000000001570000-0x0000000001571000-memory.dmp
memory/4984-118-0x0000000001580000-0x0000000001581000-memory.dmp
memory/5104-119-0x0000000000E00000-0x00000000012AE000-memory.dmp
memory/4984-123-0x0000000003040000-0x0000000003041000-memory.dmp
memory/4984-125-0x0000000000300000-0x0000000000FE1000-memory.dmp
memory/3484-120-0x0000000000400000-0x0000000001A77000-memory.dmp
memory/4984-121-0x0000000003030000-0x0000000003031000-memory.dmp
memory/3484-126-0x0000000001B10000-0x0000000001C10000-memory.dmp
memory/3484-127-0x0000000003680000-0x00000000036EB000-memory.dmp
memory/3484-128-0x0000000000400000-0x0000000001A77000-memory.dmp
memory/5100-135-0x0000000000260000-0x00000000004B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A0E5.exe
| MD5 | ed405b69dc78d7703197e7ef76c4ceb3 |
| SHA1 | ad971b8e600585fbcbaafad2b50c76ed486c84b4 |
| SHA256 | 419e364c1116dc6dfb7135a90bd883bcc31ec9ddf969fdea7c2688623d3f8c88 |
| SHA512 | d7f79aacb2884889b61a000a1b8a7d10922d73c5e1ae318e21253c4635f5c23314f38eaa21ef269c66bf171526be3ba0c633a5d72f2d4945faf6cd6e053d0b65 |
C:\Users\Admin\AppData\Local\Temp\A0E5.exe
| MD5 | 507d3872e4909f6e3f72d7cc2e502e78 |
| SHA1 | e4cdb05b2a4750c7694f39c38df67a0af7535fe4 |
| SHA256 | dcc5994819a3ac71139e22b9af167ed8e400978ff3f2a6d84e231b3b3116c889 |
| SHA512 | 5992d8b114537e909e6bee4a510518e8a2f27771c4b9341a6f3148b61f16f90c6553c7584e745d89c5000b0871f8835058a6e08766567ce51def8fd13f766f48 |
memory/4984-131-0x0000000000400000-0x0000000001A77000-memory.dmp
memory/5100-139-0x0000000073170000-0x000000007385E000-memory.dmp
memory/4984-138-0x0000000003050000-0x0000000003051000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
| MD5 | c7118610fefdaad90083c662bd4ef37f |
| SHA1 | 9c051ff43747b8b52032b3cbe4d5b9a1edf8b9a5 |
| SHA256 | 333836d1c49ef069087f74844295e31ac2273b5337c2c2d70eb3c8f74901af14 |
| SHA512 | 7afa9b4b623927dee5a46ce471eb73dfa295dd989f789accf274526c618e2996ed5bd0d0a1930d84395a01412ccd966eca51359187e5612d18a988206e09d256 |
memory/5100-158-0x0000000073170000-0x000000007385E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\april.exe
| MD5 | ff53af18de2bfc3453e218b054926e5d |
| SHA1 | 8a095ca30837e43708bbbff4d89595bea57f97fc |
| SHA256 | a72946fd5e817180bd554edb719ede7f9d9bb71f2b3afafd66792f817b4a1c9d |
| SHA512 | 921f4962c256afd82bc9ebea4e8f43f84210a9fcff185b3fa0337c3c370009db91c410eb40bfb9a6028722192692f75afb867e5e1358d17c5004c01f6dc828ab |
memory/4604-154-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\april.exe
| MD5 | e9885e9acf8d5dc31e928df20a1f1c8a |
| SHA1 | adb4fa31cd41668d024e31498a403d8265bdb648 |
| SHA256 | 5b74625a1cd0f269fcbf551cbd5c4470d96d9f32cbf0a5c807816965ab655770 |
| SHA512 | e3bc810d8ecba2f8976031f73ad0a2d8ab84656404a8b3500b66b3a5b1cb423f0f6b80cfc2bd7dd3621a1ed81b1982d54161782268216572cc2b72ea7b168461 |
C:\Users\Admin\AppData\Local\Temp\A981.exe
| MD5 | 3aef73f7235c49f5c233591ee0132b7b |
| SHA1 | 47d62e19f96fc323d22f5cb153f29097a521ab9e |
| SHA256 | 25586cdae0033053b4e8ebc44f0e2f396a58e0bd3e4e80a1a8f0453dd843756a |
| SHA512 | e27de3b8f90f05240507ed6c762a7d6f122d0005cde6753195855a306947e096e7015f85d11d0204c96fd6ca00d5e12fe76d2ef424423fae97e33a667157d5e3 |
C:\Users\Admin\AppData\Local\Temp\A981.exe
| MD5 | 8abf48438b61456fc36a6aa49eea0234 |
| SHA1 | 8e18d62ea2bff92be528b045abfb1f6863bdaf68 |
| SHA256 | a1474fa7386ad1fe168b8bac33650d345a536e602d3e2a9d6919caf57ab31877 |
| SHA512 | 7a239bf580abd98f5ec608783142c931f3cf8102c8776c1c773208f44df0b3a1f60951764e3b8f686b98c9b78ebf596417fd9da6f7411d7ece48b2a79d3be7dc |
memory/316-156-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-PJ0FH.tmp\A981.tmp
| MD5 | 11292ce7f6dc3908b42abac623600d17 |
| SHA1 | d738e5475199564968d3cde0df90a3fd3f0819d0 |
| SHA256 | a3150d1c52a5362eedcabee10c0140d6ae7b391376efa2dbdc923e861dbd568e |
| SHA512 | f9e17889b141da051a31645952efa146779a366befa5a20fb43669f610404a8301e4dc56b4c7748265e19fc3b6746d6a84aed56fabb358962eea01782e66d6f1 |
C:\Users\Admin\AppData\Local\Temp\is-PJ0FH.tmp\A981.tmp
| MD5 | 33da9dc521f467c0405d3ef5377ce04b |
| SHA1 | 5249d7ce5dfabe5ee6d2fc7d3f3eba1e866b7d1f |
| SHA256 | dbab8a7b2b45fc7001d5e34d3d45ccbe93a7591f12910281acf2c32f8c4e631c |
| SHA512 | a3093637e1d731eab58080e10706db1afbf6e79fbac6593733b61033f97875ecbe230311e9741d349625ec3a66a6435318846d35290db8cd00af76d692699a55 |
\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | d0071888451e7faff1da3f0465021560 |
| SHA1 | 6d01522d7be5b27b8022d12eb6254f81e8440101 |
| SHA256 | 667a1530efc4d2801d3cf1f9684671ad64e442199e814b35d00dfe850e97e25d |
| SHA512 | db0b1ab87f5f23a780f1299c0762e30cfd5ab01d5ff3c73cf2f3620324a6c01b566769f3748d9dae1baf4fe32d91af2327e6b58d902adee6c47c5d86cfc672ae |
\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 0eca92264aba7cb1a427a949c60d960c |
| SHA1 | c74b8d840289cf8742ab1c46a8a07eb735b18b3d |
| SHA256 | 34e5900430f2734c7adf0449e81846647e8a75fd8e29025b2d970f90fbc284fa |
| SHA512 | c0070c0c9e9b5a3a9727a912d6304666d82e0df6786fe933b778fd75a8e3c89aa6ef96801bdf52e2aa50e3b51113b3021a82d56c282e98c0cf498e942e67135f |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 8797aa2e2071a68bad19e87bc5ffbfde |
| SHA1 | 7ec594cc608ebe2d8b02904884f3c49516a4a557 |
| SHA256 | 8012deedc605cb859912ab19c907ae170397b6c673d44c7aaabdd81ab87674a4 |
| SHA512 | cabc364faf55796d20faded4304b845ab3b17fab3b222115a13081cf3e99c67c505f9788a1463673a52ed78a9f2b64e11d132e73165e67aa9be4da6db69d2ec3 |
C:\Users\Admin\AppData\Local\Temp\is-SU88B.tmp\april.tmp
| MD5 | 4df57aaf92a50f25127408e03415e9ae |
| SHA1 | 8f7670cfae2f405be830c8ec5f06856358d301a1 |
| SHA256 | d247810adf596b210b373af971bfeeeebea4f574cf2175d87d4899dcfa6e405c |
| SHA512 | a2bbb20f3d41b86f01455640c188b2c80d2bf8559ffd335e4cbeac7d70b8d88da3f75432e19a3597ffb79c183c32e1f071f0d259b277caf9173cf60479d312b5 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 92fbdfccf6a63acef2743631d16652a7 |
| SHA1 | 971968b1378dd89d59d7f84bf92f16fc68664506 |
| SHA256 | b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72 |
| SHA512 | b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117 |
C:\Users\Admin\AppData\Local\Temp\is-GRETI.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Email Box Organizer\is-Q786A.tmp
| MD5 | 6231b452e676ade27ca0ceb3a3cf874a |
| SHA1 | f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1 |
| SHA256 | 9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf |
| SHA512 | f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c |
memory/2156-215-0x00000000005D0000-0x00000000005D1000-memory.dmp
memory/2116-206-0x00000000001F0000-0x00000000001F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-GRETI.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/5104-189-0x0000000000E00000-0x00000000012AE000-memory.dmp
memory/764-217-0x0000000007440000-0x00000000075D2000-memory.dmp
memory/764-216-0x0000000073170000-0x000000007385E000-memory.dmp
memory/764-223-0x00000000055E0000-0x00000000055F0000-memory.dmp
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | df7d343d7847d68ac1dc0e6cdabcbb56 |
| SHA1 | 27920c700f995bb21066c6b43506ca6b76be8621 |
| SHA256 | afbd870158993713ae58d4832c5905e00868eb9bf90573cb5008756da0c219de |
| SHA512 | a53892a4cd8e55c5a8d1ef8a58189e6d9a28e5dc7e0a26da6972ecd3b01e2a7020a4705790a22fd34ad3635d1b60746ec5e65766bb939af45a8954fa43f4e1cd |
memory/764-226-0x00000000055F0000-0x0000000005600000-memory.dmp
memory/5116-227-0x0000000000400000-0x0000000000448000-memory.dmp
memory/764-225-0x00000000055F0000-0x0000000005600000-memory.dmp
memory/764-224-0x00000000055F0000-0x0000000005600000-memory.dmp
memory/764-232-0x00000000055F0000-0x0000000005600000-memory.dmp
memory/764-230-0x00000000055F0000-0x0000000005600000-memory.dmp
memory/764-235-0x00000000055F0000-0x0000000005600000-memory.dmp
memory/5116-236-0x0000000000400000-0x0000000000448000-memory.dmp
memory/5116-234-0x0000000000400000-0x0000000000448000-memory.dmp
memory/5116-238-0x0000000001310000-0x0000000001350000-memory.dmp
memory/5116-237-0x0000000001310000-0x0000000001350000-memory.dmp
memory/764-233-0x0000000073170000-0x000000007385E000-memory.dmp
memory/3484-242-0x0000000000400000-0x0000000001A77000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3k0.0.exe
| MD5 | eae8f1cff410a54725527cd0e759ce41 |
| SHA1 | 9537e90abd8c6da642f8c26b56fe35997add10f3 |
| SHA256 | 415a23efec7414a0d75d07b7f57f4af8a3c92deafd35e61226b1efa12cf22f94 |
| SHA512 | 2d735aac10c0638fc903aa073f12fa5346e1283c8463aa91371967c63047fac15deec8b4bf0f425eb63a9e1e75f6e7116e490c4677797551395b91e95167e5cc |
C:\Users\Admin\AppData\Local\Temp\D092.exe
| MD5 | 0139acb5d04d78be7263030c28adcb7c |
| SHA1 | 6bd18aea4c66615bf2f3e64eeb0f36dc07623b5d |
| SHA256 | 387cd1ae4ec475a18991fddb7adb46be6a6e397ee6ee4f26f050f8f73d2d72bb |
| SHA512 | 5071f867dfc04a7bcad9955a921195b975c12d33fc6d8e353d942a02df292a1cb342690e7bb897f4fed1757c8a321afb784acc03bb5223c907422a7c3d826b92 |
memory/4604-263-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3k0.1.exe
| MD5 | 751f807e555a1c06dd2b8cb1f5297de8 |
| SHA1 | 7e0af7a0df81bf657d7a46372cab7ead49efdc28 |
| SHA256 | 79a3d83590ba6ff505d255c855093cb41c1185c35e437bee3d2d8652a5839c3c |
| SHA512 | 92ee075e84fa1a4e905e50f9ae8e13f62eeccbc786f31eb41595fe76cc9e99d1d32ab7bc0fc9c669355635f18bea9bc5822243c277ab8a1ddaac1a6f3ba7515a |
memory/4608-260-0x0000000000400000-0x000000000049B000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 2afdbe3b99a4736083066a13e4b5d11a |
| SHA1 | 4d4856cf02b3123ac16e63d4a448cdbcb1633546 |
| SHA256 | 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee |
| SHA512 | d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f |
C:\Users\Admin\AppData\Local\Temp\E8FD.exe
| MD5 | 5edc27f4fb945833e627a554407746a1 |
| SHA1 | ce0f744e2a827d7ba428562f7fd4932e6f144cbc |
| SHA256 | 608f8c358e578d87c5668673eff699f5bceb5a9fff9a9b51a0da6b1be51b1466 |
| SHA512 | 4deea18efe3c586f7a7ceb240819b88fc17ea3ad1bef238eec9c7d4d2ab50e3b4040cf4cf544fd82e0607da41b83fde156205904faf5a3b329df461fcbbc3c50 |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h5cf4tcg.5n3.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
\ProgramData\nss3.dll
| MD5 | 82a4b498a1dc1fde068c3e0aa2fd62ea |
| SHA1 | 7f2e76329f294bafb7b98d0ee7c9fd9612f53a2b |
| SHA256 | 03c964cce04ad4843161863b7edcca5ec875b9b113161db886a1945252c8faff |
| SHA512 | 48b341a58cc8cbbb2fc66f3cc9efb92a04dae9698c65183f9562a5ff917463aacb13de4e6df4a8bbf48965a2612f8106aeecedb10b8e9d341f48cd5de860ea75 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\CAAKFIIDGI.exe
| MD5 | 42b838cf8bdf67400525e128d917f6e0 |
| SHA1 | a578f6faec738912dba8c41e7abe1502c46d0cae |
| SHA256 | 0e4ffba62ce9a464aa1b7ff9f1e55ace8f51ff1e15102d856f801a81f8b4607d |
| SHA512 | f64b39d885375251ab7db72c57dc5b5095f0c6412169f1035d1f6a25b8415a2a01004d06bfa0267cf683ef7dea7a9f969ad43fde5a4376f1fcb65a57403433c0 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
| MD5 | 0e82665af2b5fb32d0f44731689e4242 |
| SHA1 | 3598cb67ba0ec0def68deb9306ac803390909c00 |
| SHA256 | 6a8815b2dd74277d3c4cce7d277226602e381c73710c4bd37f071a602c2997e9 |
| SHA512 | 73ed8ed727bc6cb779012380a9c24ccf964b2d6889b88badafd6c4adffb8a08bb96d94948294a581e14be4eb33b8139880beedd6381cf589a98a75f2853a635a |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
| MD5 | b7772d02793bbb067d1eaf2906f314ec |
| SHA1 | bf50feea17e2fa2991103bd5c5131373425922d8 |
| SHA256 | 4627f68903772107f83b282d95585da2c3726e0c0ac02d721bcf9a5af28542b3 |
| SHA512 | bb68406d7d0252b5cfa69292025561e9e3f7682ea20f9229655e20e10a93ecc7bde6311ceedd73e8d05a067fafabfdd10614bf5b45abfa3e39dcba6e307890b5 |
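Two records in the file list above deserve a check before their hashes are copied into a blocklist: `explorgu.exe` carries the MD5/SHA-1/SHA-256 of zero bytes (the sandbox hashed it before any content was written), and `__PSScriptPolicyTest_h5cf4tcg.5n3.ps1` carries the hashes of the one-byte string `1`, which is the probe file PowerShell itself writes to test script-policy enforcement. The Python below is an added example, not part of the report, that triages records of this form: it recomputes those two well-known digests at runtime instead of hard-coding them, then applies name-based hints (Inno Setup temp files, Tor client cache files, Mozilla NSS runtime DLLs, and the `cred64.dll`/`clip64.dll` names) that are heuristics only; everything else is left as "review". The sample records are copied from the listing above.

```python
"""Triage dropped-file hash records: spot zero-byte captures and known benign artifacts."""
import hashlib
import ntpath
import re

# Constructed from the listing above: (path, md5, sha256) for a few records.
SAMPLE_FILES = [
    (r"C:\Users\Admin\AppData\Local\Temp\EA31.exe",
     "b6297922e4d7e05d1b009613d201883e",
     "91a101f00488af2027b7fee5bfe9a14f290bcc401d183d352c9de40625af3700"),
    (r"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe",
     "d41d8cd98f00b204e9800998ecf8427e",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h5cf4tcg.5n3.ps1",
     "c4ca4238a0b923820dcc509a6f75849b",
     "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"),
    (r"C:\ProgramData\nss3.dll",
     "82a4b498a1dc1fde068c3e0aa2fd62ea",
     "03c964cce04ad4843161863b7edcca5ec875b9b113161db886a1945252c8faff"),
    (r"C:\Users\Admin\AppData\Local\Temp\is-PJ0FH.tmp\A981.tmp",
     "11292ce7f6dc3908b42abac623600d17",
     "a3150d1c52a5362eedcabee10c0140d6ae7b391376efa2dbdc923e861dbd568e"),
    (r"C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll",
     "d0071888451e7faff1da3f0465021560",
     "667a1530efc4d2801d3cf1f9684671ad64e442199e814b35d00dfe850e97e25d"),
    (r"C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new",
     "b7772d02793bbb067d1eaf2906f314ec",
     "4627f68903772107f83b282d95585da2c3726e0c0ac02d721bcf9a5af28542b3"),
]


def digests(data: bytes):
    """MD5 and SHA-256 of a byte string, as lowercase hex."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


EMPTY_MD5, EMPTY_SHA256 = digests(b"")    # a file hashed before it had content
ONE_MD5, ONE_SHA256 = digests(b"1")       # PowerShell's script-policy probe file

# Name-based hints only; a label here is a triage aid, not a verdict.
NAME_RULES = [
    (re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\|\\_isetup\\", re.I), "inno-setup-temp"),
    (re.compile(r"\\cached-microdesc", re.I), "tor-datadir"),
    (re.compile(r"\\(nss3|mozglue)\.dll$", re.I), "mozilla-runtime-dll"),
    (re.compile(r"\\(cred64|clip64)\.dll$", re.I), "amadey-plugin-name"),
]


def classify(path, md5, sha256):
    """Label one record; 'review' means nothing here explains it away."""
    md5, sha256 = md5.lower(), sha256.lower()
    if (md5, sha256) == (EMPTY_MD5, EMPTY_SHA256):
        return "empty-capture"
    base = ntpath.basename(path)
    if base.startswith("__PSScriptPolicyTest_") and (md5, sha256) == (ONE_MD5, ONE_SHA256):
        return "powershell-policy-test"
    for rx, label in NAME_RULES:
        if rx.search(path):
            return label
    return "review"


def triage(records):
    return [(path, classify(path, md5, sha256)) for path, md5, sha256 in records]


if __name__ == "__main__":
    for path, label in triage(SAMPLE_FILES):
        print(f"{label:24} {path}")
```

The point of recomputing the empty-file and `1` digests is that they are the two hashes most often pasted into blocklists by mistake from sandbox output; blocking them would match every empty file on a host. The `amadey-plugin-name` hint is purely the file name in an `%APPDATA%` hex-named folder and should be confirmed against the DLL content before it is reported as such.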