Analysis Overview
SHA256
06fa7e3221aa6f67eeefa8b807a6abb0b4c385d7eb61434ccec55ad2a5d3a1dd
Threat Level: Known bad
The file BlitzedGrabberV12.rar was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
StormKitty
Orcus
Stormkitty family
Orcus main payload
Orcurs Rat Executable
Obfuscated with Agile.Net obfuscator
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops file in System32 directory
Drops file in Windows directory
Command and Scripting Interpreter: PowerShell
Unsigned PE
Enumerates physical storage devices
Program crash
Modifies registry class
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
Suspicious use of SendNotifyMessage
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-05 17:26
Signatures
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stormkitty family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-05 17:25
Reported
2024-05-05 17:38
Platform
win7-20240221-en
Max time kernel
669s
Max time network
677s
Command Line
Signatures
Orcus
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mxfix.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\mxfix.EXE | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe"
C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
"C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
"C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cdoz9_dm.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE73.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE72.tmp"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\ProgramData\Chrome\chromedriver.exe
"C:\ProgramData\Chrome\chromedriver.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {E5C30EB6-1BD9-4821-9894-1E5BDF216D20} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
C:\ProgramData\Chrome\chromedriver.exe
C:\ProgramData\Chrome\chromedriver.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\ProgramData\Chrome\chromedriver.exe" 4876 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\ProgramData\Chrome\chromedriver.exe" 4876 "/protectFile"
C:\ProgramData\Chrome\chromedriver.exe
C:\ProgramData\Chrome\chromedriver.exe
C:\ProgramData\Chrome\chromedriver.exe
C:\ProgramData\Chrome\chromedriver.exe
Network
| Country | Destination | Domain | Proto |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp |
Files
memory/2868-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp
memory/2868-1-0x0000000000B60000-0x0000000000DA4000-memory.dmp
\Users\Admin\AppData\Local\Temp\mxfix.EXE
| MD5 | b4ec612c441786aa614ce5f32edae475 |
| SHA1 | 3a264f8daeec9b156ddb5ed576d490dd8fbd8e7d |
| SHA256 | e18ba6573b9aa2d139ed5c30f18ac2ece3ce8287d1651db4bc632dbc816f53bd |
| SHA512 | c6800371cdc2b571061e6e755a2c95f49dcb233c3999976f180cb7cf95fa2c62d03b52a3c497a2cd7ae46ec72eaf823db25bd291ca676724194c05966f2bce16 |
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
| MD5 | 3926c7b8fdfb0ab3b92303760b14d402 |
| SHA1 | b33e12ef4bdcd418139db59d048609c45fe8f9eb |
| SHA256 | c101904ec19b45612213c2b398892a4523f63862bb3e24c245509db2417585e7 |
| SHA512 | 4a022be27f58b1735f3a0ac9abdedbd769adb4e3ca1dacdcdc98700b17e138b647f9059585c8ef37fdd7072ad6283e95f10def171584097eb8c70e7d1212ce0e |
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
| MD5 | 228a69dc15032fd0fb7100ff8561185e |
| SHA1 | f8dbc89fed8078da7f306cb78b92ce04a0bdeb00 |
| SHA256 | 920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709 |
| SHA512 | 373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1 |
memory/2704-24-0x0000000000380000-0x000000000038E000-memory.dmp
memory/2704-23-0x000007FEF203E000-0x000007FEF203F000-memory.dmp
memory/2704-22-0x0000000000A20000-0x0000000000AA0000-memory.dmp
memory/2868-25-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
memory/2704-21-0x000000001AEB0000-0x000000001AF0C000-memory.dmp
memory/2868-19-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
memory/2112-30-0x000000001B290000-0x000000001B572000-memory.dmp
memory/2112-31-0x0000000002390000-0x0000000002398000-memory.dmp
memory/2704-32-0x000007FEF1D80000-0x000007FEF271D000-memory.dmp
memory/2420-33-0x0000000000290000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mxfixer.ps1
| MD5 | 5d792fc7c4e2fd3eb595fce4883dcb2d |
| SHA1 | ee2a88f769ad746f119e144bd06832cb55ef1e0f |
| SHA256 | 41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb |
| SHA512 | 4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e |
\??\c:\Users\Admin\AppData\Local\Temp\cdoz9_dm.cmdline
| MD5 | 4bd37ad15ca4337749111683f8fc3ea6 |
| SHA1 | 96fdf980c489a2c0105f52f7b8677561e3c740dc |
| SHA256 | e0a58a6708b4dd859652b1d2a1c9f566417d39c670ae8717cc3e4ed62fd019c0 |
| SHA512 | ba6446a3676907c0e95005061e157c3507a295cb4130d9899d8302586112fd1b8719a20b9764effe0019346bb58178a43e6d6b15005472dc9f08889650176625 |
\??\c:\Users\Admin\AppData\Local\Temp\cdoz9_dm.0.cs
| MD5 | 6011503497b1b9250a05debf9690e52c |
| SHA1 | 897aea61e9bffc82d7031f1b3da12fb83efc6d82 |
| SHA256 | 08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434 |
| SHA512 | 604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCE72.tmp
| MD5 | 6f53ab201a9b89d8527c796a715d2c66 |
| SHA1 | bce9dcf0ea7b49d5ad0ed5163688401372ec7d8b |
| SHA256 | a4e62f9c9ee4da0284a5af7cb1d57c734da3820ec49b42dd613fcad30a258e2a |
| SHA512 | 997475d99d67b7202dc5be22ddd91d1def9baee45e69b7840ee15a22aa1ae952c29d353f1f2f7abbce55a1b2fcae0b8827c389f0e0b3dae21cea04bc9992365f |
C:\Users\Admin\AppData\Local\Temp\RESE73.tmp
| MD5 | d8e940f782adbf1bee405f45dba37577 |
| SHA1 | 9a4f038dcc5240d134b525595171f80255abfde5 |
| SHA256 | 188382593e9cb97b3a786caec81c4ec042a0199ff1c273279b22da9bf7fdb69c |
| SHA512 | d7326239d42d8d2f086fdc34d4049a91a658ca78cbd5d03f2312d9ebf1d138b55ea904bd832e3581ac2618b1ec1751c1b1aa003e6d8a9f179965aa876b82a3af |
memory/2704-47-0x0000000000A00000-0x0000000000A16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cdoz9_dm.dll
| MD5 | d798b68b0e6632fc901f9d76db1be607 |
| SHA1 | e8c56a135ddf7475a399f0b5c7825c757c468ce9 |
| SHA256 | 2e20d0d09078a6d01f6a97d179bd807bc1443728728013ad50f58daffd4cb0b2 |
| SHA512 | 1b190c553c9cfecc04d2d95d93d417ed9918e4aac23719f881208e90b61efaec1c501e5faf62e26da6be29784b8296dae860c3cba8cd924a7e83d62d413bf482 |
memory/2704-49-0x00000000003C0000-0x00000000003D2000-memory.dmp
memory/2704-50-0x00000000007A0000-0x00000000007A8000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e6fcf516d8ed8d0d4427f86e08d0d435 |
| SHA1 | c7691731583ab7890086635cb7f3e4c22ca5e409 |
| SHA256 | 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337 |
| SHA512 | c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e |
C:\Windows\SysWOW64\WindowsInput.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
memory/1956-58-0x0000000001200000-0x000000000120C000-memory.dmp
memory/2420-59-0x0000000004FB0000-0x00000000051A2000-memory.dmp
\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll
| MD5 | 9af5eb006bb0bab7f226272d82c896c7 |
| SHA1 | c2a5bb42a5f08f4dc821be374b700652262308f0 |
| SHA256 | 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db |
| SHA512 | 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a |
memory/2420-66-0x0000000073B60000-0x0000000073B97000-memory.dmp
memory/2420-67-0x0000000073E40000-0x0000000073EC0000-memory.dmp
memory/2420-68-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-69-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-85-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-71-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-73-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-77-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-75-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-83-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-81-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-79-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-93-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-87-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-91-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-89-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-97-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-95-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-111-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-117-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-99-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-103-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-105-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-101-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-129-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-127-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-125-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-123-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-121-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-119-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-115-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-113-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-109-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/2420-107-0x0000000004FB0000-0x000000000519E000-memory.dmp
memory/4772-11725-0x0000000001310000-0x000000000131C000-memory.dmp
memory/4876-11736-0x0000000000C00000-0x0000000000CFC000-memory.dmp
memory/2704-11735-0x000007FEF1D80000-0x000007FEF271D000-memory.dmp
memory/4876-11737-0x0000000000510000-0x0000000000522000-memory.dmp
memory/4876-11738-0x00000000022E0000-0x000000000232E000-memory.dmp
memory/4876-11739-0x0000000002110000-0x0000000002128000-memory.dmp
memory/4876-11741-0x0000000002130000-0x0000000002140000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 913967b216326e36a08010fb70f9dba3 |
| SHA1 | 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf |
| SHA256 | 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a |
| SHA512 | c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33 |
memory/1400-11750-0x0000000000860000-0x0000000000868000-memory.dmp
memory/2420-11756-0x0000000073B60000-0x0000000073B97000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-05 17:25
Reported
2024-05-05 17:38
Platform
win7-20231129-en
Max time kernel
614s
Max time network
617s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\README.txt
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-05 17:25
Reported
2024-05-05 17:38
Platform
win10v2004-20240419-en
Max time kernel
446s
Max time network
450s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\README.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-05 17:25
Reported
2024-05-05 17:37
Platform
win7-20240221-en
Max time kernel
606s
Max time network
619s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2484 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2484 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2484 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2484 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 556
Network
Files
memory/2484-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp
memory/2484-1-0x0000000001170000-0x00000000011EA000-memory.dmp
memory/2484-2-0x0000000074B2E000-0x0000000074B2F000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-05 17:25
Reported
2024-05-05 17:37
Platform
win10v2004-20240419-en
Max time kernel
455s
Max time network
459s
Command Line
Signatures
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
C:\Windows\system32\findstr.exe
findstr Key
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 158.101.44.242:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 242.44.101.158.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.anonfiles.com | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 104.246.116.51.in-addr.arpa | udp |
Files
memory/4516-1-0x00007FFDE8A93000-0x00007FFDE8A95000-memory.dmp
memory/4516-0-0x00000000002E0000-0x00000000002F6000-memory.dmp
memory/4516-3-0x000000001C400000-0x000000001C41A000-memory.dmp
memory/4516-2-0x0000000002430000-0x000000000243A000-memory.dmp
memory/4516-4-0x00007FFDE8A90000-0x00007FFDE9551000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\passwords.txt
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
memory/4516-26-0x000000001D350000-0x000000001D362000-memory.dmp
memory/4516-27-0x000000001D3B0000-0x000000001D3EC000-memory.dmp
memory/4516-29-0x00007FFDE8A90000-0x00007FFDE9551000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-05 17:25
Reported
2024-05-05 17:38
Platform
win10v2004-20240426-en
Max time kernel
436s
Max time network
441s
Command Line
Signatures
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
C:\Windows\system32\findstr.exe
findstr Key
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.anonfiles.com | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.239.69.13.in-addr.arpa | udp |
Files
memory/2140-0-0x0000000000250000-0x0000000000266000-memory.dmp
memory/2140-1-0x00007FFB21EF3000-0x00007FFB21EF5000-memory.dmp
memory/2140-3-0x000000001B2D0000-0x000000001B2EA000-memory.dmp
memory/2140-2-0x00000000023B0000-0x00000000023BA000-memory.dmp
memory/2140-5-0x00007FFB21EF0000-0x00007FFB229B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\passwords.txt
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
memory/2140-24-0x000000001C250000-0x000000001C262000-memory.dmp
memory/2140-25-0x000000001C3C0000-0x000000001C3FC000-memory.dmp
memory/2140-27-0x00007FFB21EF0000-0x00007FFB229B1000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-05 17:25
Reported
2024-05-05 17:38
Platform
win7-20240221-en
Max time kernel
613s
Max time network
616s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\APIFOR.dll,#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-05 17:25
Reported
2024-05-05 17:37
Platform
win10v2004-20240419-en
Max time kernel
450s
Max time network
453s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\Newtonsoft.Json.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-05 17:25
Reported
2024-05-05 17:37
Platform
win7-20231129-en
Max time kernel
499s
Max time network
630s
Command Line
Signatures
Orcus
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\BlitzedGrabberV12\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\BlitzedGrabberV12\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\mxfix.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\mxfix.EXE | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | checkip.dyndns.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000000000000200000001000000ffffffff | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0\NodeSlot = "8" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\NodeSlot = "6" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = 00000000ffffffff | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3} | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000000000001000000ffffffff | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0 = 200000001a00eebbfe23000010003accbfb42cdb4c42b0297fe99a87c64100000000 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\NodeSlot = "7" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\MRUListEx = 00000000ffffffff | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\Desktop\BlitzedGrabberV12\sdsa.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\Desktop\BlitzedGrabberV12\sdsa.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.rar
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.rar
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.rar"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.rar"
C:\Users\Admin\Desktop\BlitzedGrabberV12\BlitzedGrabberV12.exe
"C:\Users\Admin\Desktop\BlitzedGrabberV12\BlitzedGrabberV12.exe"
C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
"C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
"C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cyfbcaag.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBED.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFBEC.tmp"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\ProgramData\Chrome\chromedriver.exe
"C:\ProgramData\Chrome\chromedriver.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {3E9DA57B-ABF6-4A25-9EA3-4991D6C8EB9E} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
C:\ProgramData\Chrome\chromedriver.exe
C:\ProgramData\Chrome\chromedriver.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\ProgramData\Chrome\chromedriver.exe" 2100 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\ProgramData\Chrome\chromedriver.exe" 2100 "/protectFile"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4789758,0x7fef4789768,0x7fef4789778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1644 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2316 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1184 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3268 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3604 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3704 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3952 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3588 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2708 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4116 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3844 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3988 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3896 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3916 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3792 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5020 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4416 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4640 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5184 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5452 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5584 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5624 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4836 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5380 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5396 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5572 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=6184 --field-trial-handle=1336,i,15368859722424648409,3466484237071756295,131072 /prefetch:1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vxktrpxy\vxktrpxy.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7639.tmp" "c:\Users\Admin\Desktop\BlitzedGrabberV12\CSC6EF15B44DC7F4CB6AA8E14678FE7DBCC.TMP"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Resources\UltraEmbeddable.exe "Resources\sdsa.exe" "sdsa.exe"
C:\Users\Admin\Desktop\BlitzedGrabberV12\Resources\UltraEmbeddable.exe
Resources\UltraEmbeddable.exe "Resources\sdsa.exe" "sdsa.exe"
C:\Users\Admin\Desktop\BlitzedGrabberV12\sdsa.exe
"C:\Users\Admin\Desktop\BlitzedGrabberV12\sdsa.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
C:\Windows\system32\findstr.exe
findstr Key
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\Desktop\BlitzedGrabberV12\sdsa.exe"
C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
C:\Users\Admin\Desktop\BlitzedGrabberV12\sdsa_Protect.exe
"C:\Users\Admin\Desktop\BlitzedGrabberV12\sdsa_Protect.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
C:\Windows\system32\findstr.exe
findstr Key
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\Desktop\BlitzedGrabberV12\sdsa_Protect.exe"
C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
C:\Users\Admin\Desktop\BlitzedGrabberV12\BlitzedGrabberV12.exe
"C:\Users\Admin\Desktop\BlitzedGrabberV12\BlitzedGrabberV12.exe"
C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
"C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
"C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rjku8ioa.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5DBB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5DBA.tmp"
C:\ProgramData\Chrome\chromedriver.exe
C:\ProgramData\Chrome\chromedriver.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vnl2yl13\vnl2yl13.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36A.tmp" "c:\Users\Admin\Desktop\BlitzedGrabberV12\CSCFDFA49CA1D644259A0266A7BBE469569.TMP"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Resources\UltraEmbeddable.exe "Resources\dissteal.exe" "dissteal.exe"
C:\Users\Admin\Desktop\BlitzedGrabberV12\Resources\UltraEmbeddable.exe
Resources\UltraEmbeddable.exe "Resources\dissteal.exe" "dissteal.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4789758,0x7fef4789768,0x7fef4789778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2340 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1444 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1388 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3224 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3480 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3600 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3488 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2620 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3812 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3588 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3520 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3716 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4084 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4336 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3704 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 --field-trial-handle=1280,i,3111893937330509838,16607936668443976932,131072 /prefetch:8
C:\Users\Admin\Desktop\BlitzedGrabberV12\dissteal.exe
"C:\Users\Admin\Desktop\BlitzedGrabberV12\dissteal.exe"
C:\Users\Admin\Desktop\BlitzedGrabberV12\dissteal_Protect.exe
"C:\Users\Admin\Desktop\BlitzedGrabberV12\dissteal_Protect.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
C:\Windows\system32\findstr.exe
findstr Key
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\Desktop\BlitzedGrabberV12\dissteal.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
C:\Windows\system32\findstr.exe
findstr Key
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\Desktop\BlitzedGrabberV12\dissteal_Protect.exe"
C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
Network
| Country | Destination | Domain | Proto |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | tcp |
| US | 216.239.34.36:443 | region1.google-analytics.com | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | tcp |
| PL | 209.25.141.181:40489 | tcp | |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | services.vlitag.com | udp |
| US | 104.22.58.199:443 | services.vlitag.com | tcp |
| US | 104.22.58.199:443 | services.vlitag.com | udp |
| US | 8.8.8.8:53 | dsp.vlitag.com | udp |
| US | 8.8.8.8:53 | cmp.inmobi.com | udp |
| US | 8.8.8.8:53 | s3.vlitag.com | udp |
| US | 8.8.8.8:53 | imasdk.googleapis.com | udp |
| US | 8.8.8.8:53 | securepubads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | c.amazon-adsystem.com | udp |
| GB | 216.58.213.2:443 | securepubads.g.doubleclick.net | tcp |
| GB | 18.172.89.107:443 | cmp.inmobi.com | tcp |
| GB | 142.250.187.202:443 | imasdk.googleapis.com | tcp |
| GB | 3.162.21.19:443 | c.amazon-adsystem.com | tcp |
| GB | 216.58.213.2:443 | securepubads.g.doubleclick.net | udp |
| GB | 216.58.213.2:443 | securepubads.g.doubleclick.net | udp |
| GB | 18.172.89.107:443 | cmp.inmobi.com | tcp |
| US | 8.8.8.8:53 | api.cmp.inmobi.com | udp |
| DE | 18.185.232.25:443 | api.cmp.inmobi.com | tcp |
| GB | 3.162.21.19:443 | c.amazon-adsystem.com | tcp |
| US | 8.8.8.8:53 | cdn.jsdelivr.net | udp |
| US | 8.8.8.8:53 | config.aps.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | aax.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | px.vliplatform.com | udp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| GB | 18.165.160.104:443 | config.aps.amazon-adsystem.com | tcp |
| GB | 18.172.93.140:443 | aax.amazon-adsystem.com | tcp |
| GB | 18.172.93.140:443 | aax.amazon-adsystem.com | tcp |
| GB | 18.172.93.140:443 | aax.amazon-adsystem.com | tcp |
| GB | 18.172.93.140:443 | aax.amazon-adsystem.com | tcp |
| GB | 18.172.93.140:443 | aax.amazon-adsystem.com | tcp |
| DE | 141.101.120.10:443 | px.vliplatform.com | tcp |
| DE | 141.101.120.10:443 | px.vliplatform.com | tcp |
| DE | 141.101.120.10:443 | px.vliplatform.com | tcp |
| DE | 141.101.120.10:443 | px.vliplatform.com | tcp |
| DE | 141.101.120.10:443 | px.vliplatform.com | tcp |
| DE | 141.101.120.10:443 | px.vliplatform.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.190.81:80 | apps.identrust.com | tcp |
| DE | 141.101.120.10:443 | px.vliplatform.com | udp |
| US | 8.8.8.8:53 | script.4dex.io | udp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| US | 8.8.8.8:53 | useast.quantumdex.io | udp |
| US | 104.26.9.169:443 | script.4dex.io | tcp |
| US | 8.8.8.8:53 | prebid-eu.creativecdn.com | udp |
| US | 8.8.8.8:53 | ib.adnxs.com | udp |
| US | 8.8.8.8:53 | shb.richaudience.com | udp |
| US | 8.8.8.8:53 | ap.lijit.com | udp |
| US | 104.22.37.96:443 | useast.quantumdex.io | tcp |
| US | 104.22.37.96:443 | useast.quantumdex.io | tcp |
| NL | 185.184.8.90:443 | prebid-eu.creativecdn.com | tcp |
| NL | 185.184.8.90:443 | prebid-eu.creativecdn.com | tcp |
| NL | 185.89.210.20:443 | ib.adnxs.com | tcp |
| NL | 185.89.210.20:443 | ib.adnxs.com | tcp |
| IE | 34.253.101.178:443 | ap.lijit.com | tcp |
| DE | 157.90.0.38:443 | shb.richaudience.com | tcp |
| DE | 157.90.0.38:443 | shb.richaudience.com | tcp |
| DE | 157.90.0.38:443 | shb.richaudience.com | tcp |
| US | 104.26.9.169:443 | script.4dex.io | tcp |
| US | 8.8.8.8:53 | cadmus.script.ac | udp |
| US | 104.18.22.145:443 | cadmus.script.ac | tcp |
| NL | 185.184.8.90:443 | prebid-eu.creativecdn.com | tcp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| DE | 157.90.0.38:443 | shb.richaudience.com | tcp |
| DE | 157.90.0.38:443 | shb.richaudience.com | tcp |
| US | 104.22.37.96:443 | useast.quantumdex.io | udp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| DE | 157.90.0.38:443 | shb.richaudience.com | tcp |
| NL | 185.184.8.90:443 | prebid-eu.creativecdn.com | tcp |
| NL | 185.184.8.90:443 | prebid-eu.creativecdn.com | tcp |
| US | 8.8.8.8:53 | aax-eu.amazon-adsystem.com | udp |
| NL | 185.184.8.90:443 | prebid-eu.creativecdn.com | tcp |
| IE | 67.220.226.233:443 | aax-eu.amazon-adsystem.com | tcp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| DE | 157.90.0.38:443 | shb.richaudience.com | tcp |
| NL | 185.184.8.90:443 | prebid-eu.creativecdn.com | tcp |
| DE | 157.90.0.38:443 | shb.richaudience.com | tcp |
| PL | 209.25.141.181:40489 | tcp | |
| DE | 157.90.0.38:443 | shb.richaudience.com | tcp |
| DE | 157.90.0.38:443 | shb.richaudience.com | tcp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| DE | 157.90.0.38:443 | shb.richaudience.com | tcp |
| DE | 157.90.0.38:443 | shb.richaudience.com | tcp |
| NL | 185.184.8.90:443 | prebid-eu.creativecdn.com | tcp |
| US | 8.8.8.8:53 | 20c7c0877fe768b65fc6e207f0704c8b.safeframe.googlesyndication.com | udp |
| US | 8.8.8.8:53 | a.teads.tv | udp |
| BE | 23.55.97.75:443 | a.teads.tv | tcp |
| GB | 142.250.187.193:443 | 20c7c0877fe768b65fc6e207f0704c8b.safeframe.googlesyndication.com | tcp |
| NL | 185.184.8.90:443 | prebid-eu.creativecdn.com | tcp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| DE | 157.90.0.38:443 | shb.richaudience.com | tcp |
| DE | 157.90.0.38:443 | shb.richaudience.com | tcp |
| US | 8.8.8.8:53 | s.ad.smaato.net | udp |
| US | 8.8.8.8:53 | csync.loopme.me | udp |
| US | 8.8.8.8:53 | onetag-sys.com | udp |
| US | 8.8.8.8:53 | trace-eu.mediago.io | udp |
| US | 8.8.8.8:53 | match.prod.bidr.io | udp |
| US | 8.8.8.8:53 | b1sync.zemanta.com | udp |
| DE | 51.89.9.251:443 | onetag-sys.com | tcp |
| US | 8.8.8.8:53 | match.sharethrough.com | udp |
| US | 8.8.8.8:53 | sync-amz.ads.yieldmo.com | udp |
| NL | 35.214.179.39:443 | csync.loopme.me | tcp |
| GB | 13.224.81.69:443 | s.ad.smaato.net | tcp |
| US | 8.8.8.8:53 | bh.contextweb.com | udp |
| IE | 52.210.242.228:443 | match.prod.bidr.io | tcp |
| US | 50.31.142.223:443 | b1sync.zemanta.com | tcp |
| US | 8.8.8.8:53 | ssbsync.smartadserver.com | udp |
| NL | 35.214.168.80:443 | trace-eu.mediago.io | tcp |
| IE | 54.229.195.20:443 | sync-amz.ads.yieldmo.com | tcp |
| NL | 208.93.169.131:443 | bh.contextweb.com | tcp |
| US | 8.8.8.8:53 | eb2.3lift.com | udp |
| DE | 3.67.74.124:443 | match.sharethrough.com | tcp |
| NL | 89.149.192.76:443 | ssbsync.smartadserver.com | tcp |
| DE | 3.67.74.124:443 | match.sharethrough.com | tcp |
| US | 76.223.111.18:443 | eb2.3lift.com | tcp |
| US | 8.8.8.8:53 | ce.lijit.com | udp |
| IE | 18.203.106.185:443 | ce.lijit.com | tcp |
| US | 8.8.8.8:53 | adsystem.pocpoc.io | udp |
| US | 8.8.8.8:53 | px.pocpoc.io | udp |
| US | 8.8.8.8:53 | cm.g.doubleclick.net | udp |
| NL | 208.93.169.131:443 | bh.contextweb.com | tcp |
| US | 8.8.8.8:53 | pixel-eu.rubiconproject.com | udp |
| US | 8.8.8.8:53 | image8.pubmatic.com | udp |
| IE | 67.220.226.233:443 | aax-eu.amazon-adsystem.com | tcp |
| IE | 67.220.226.233:443 | aax-eu.amazon-adsystem.com | tcp |
| US | 104.26.14.167:443 | px.pocpoc.io | tcp |
| US | 104.26.14.167:443 | px.pocpoc.io | tcp |
| US | 104.26.14.167:443 | px.pocpoc.io | tcp |
| US | 104.26.14.167:443 | px.pocpoc.io | tcp |
| IE | 67.220.226.233:443 | aax-eu.amazon-adsystem.com | tcp |
| NL | 69.173.156.149:443 | pixel-eu.rubiconproject.com | tcp |
| US | 8.8.8.8:53 | match.adsrvr.org | udp |
| GB | 142.250.187.194:443 | cm.g.doubleclick.net | tcp |
| GB | 142.250.187.194:443 | cm.g.doubleclick.net | tcp |
| US | 104.26.15.167:443 | px.pocpoc.io | tcp |
| US | 104.26.15.167:443 | px.pocpoc.io | tcp |
| US | 104.26.15.167:443 | px.pocpoc.io | tcp |
| US | 104.26.15.167:443 | px.pocpoc.io | tcp |
| NL | 89.149.192.76:443 | ssbsync.smartadserver.com | tcp |
| IE | 67.220.226.233:443 | aax-eu.amazon-adsystem.com | tcp |
| US | 8.8.8.8:53 | bttrack.com | udp |
| NL | 198.47.127.18:443 | image8.pubmatic.com | tcp |
| US | 8.8.8.8:53 | s.amazon-adsystem.com | udp |
| US | 52.223.40.198:443 | match.adsrvr.org | tcp |
| US | 192.132.33.67:443 | bttrack.com | tcp |
| IE | 67.220.226.233:443 | aax-eu.amazon-adsystem.com | tcp |
| US | 52.46.130.91:443 | s.amazon-adsystem.com | tcp |
| US | 8.8.8.8:53 | pixel-sync.sitescout.com | udp |
| US | 8.8.8.8:53 | creativecdn.com | udp |
| US | 8.8.8.8:53 | sync.1rx.io | udp |
| US | 8.8.8.8:53 | data.adsrvr.org | udp |
| US | 52.223.40.198:443 | data.adsrvr.org | tcp |
| NL | 185.184.8.90:443 | creativecdn.com | tcp |
| US | 34.36.216.150:443 | pixel-sync.sitescout.com | tcp |
| NL | 46.228.174.117:443 | sync.1rx.io | tcp |
| US | 8.8.8.8:53 | ads.yieldmo.com | udp |
| IE | 52.209.4.159:443 | ads.yieldmo.com | tcp |
| IE | 52.209.4.159:443 | ads.yieldmo.com | tcp |
| US | 8.8.8.8:53 | static.vliplatform.com | udp |
| US | 8.8.8.8:53 | ad.turn.com | udp |
| US | 104.26.14.167:443 | px.pocpoc.io | udp |
| US | 104.26.15.167:443 | px.pocpoc.io | udp |
| US | 8.8.8.8:53 | odb.outbrain.com | udp |
| NL | 46.228.164.11:443 | ad.turn.com | tcp |
| GB | 146.75.74.132:443 | odb.outbrain.com | tcp |
| US | 8.8.8.8:53 | sync.targeting.unrulymedia.com | udp |
| NL | 46.228.174.117:443 | sync.targeting.unrulymedia.com | tcp |
| US | 8.8.8.8:53 | widgets.outbrain.com | udp |
| US | 8.8.8.8:53 | images.outbrainimg.com | udp |
| US | 8.8.8.8:53 | log.outbrainimg.com | udp |
| US | 8.8.8.8:53 | mcdp-chidc2.outbrain.com | udp |
| US | 50.31.142.223:443 | log.outbrainimg.com | tcp |
| US | 23.53.113.140:443 | widgets.outbrain.com | tcp |
| US | 23.53.113.140:443 | widgets.outbrain.com | tcp |
| US | 184.30.158.108:443 | images.outbrainimg.com | tcp |
| US | 64.74.236.223:443 | mcdp-chidc2.outbrain.com | tcp |
| GB | 146.75.74.132:443 | odb.outbrain.com | tcp |
| US | 50.31.142.223:443 | log.outbrainimg.com | tcp |
| US | 64.74.236.223:443 | mcdp-chidc2.outbrain.com | tcp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| GB | 142.250.200.33:443 | tpc.googlesyndication.com | tcp |
| US | 8.8.8.8:53 | gum.criteo.com | udp |
| US | 8.8.8.8:53 | id5-sync.com | udp |
| US | 8.8.8.8:53 | id.a-mx.com | udp |
| IE | 34.253.101.178:443 | ap.lijit.com | tcp |
| US | 8.8.8.8:53 | sync.quantumdex.io | udp |
| US | 8.8.8.8:53 | sync.richaudience.com | udp |
| US | 8.8.8.8:53 | acdn.adnxs.com | udp |
| NL | 178.250.1.11:443 | gum.criteo.com | tcp |
| US | 151.101.1.108:443 | acdn.adnxs.com | tcp |
| DE | 162.19.138.119:443 | id5-sync.com | tcp |
| NL | 79.127.227.46:443 | id.a-mx.com | tcp |
| DE | 168.119.72.236:443 | sync.richaudience.com | tcp |
| US | 104.22.37.96:443 | sync.quantumdex.io | tcp |
| GB | 142.250.200.33:443 | tpc.googlesyndication.com | udp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| IE | 18.203.106.185:443 | ce.lijit.com | tcp |
| DE | 168.119.72.236:443 | sync.richaudience.com | tcp |
| NL | 89.149.192.76:443 | ssbsync.smartadserver.com | tcp |
| NL | 46.228.174.117:443 | sync.targeting.unrulymedia.com | tcp |
| NL | 208.93.169.131:443 | bh.contextweb.com | tcp |
| NL | 185.184.8.90:443 | creativecdn.com | tcp |
| IE | 52.210.242.228:443 | match.prod.bidr.io | tcp |
| IE | 67.220.226.233:443 | aax-eu.amazon-adsystem.com | tcp |
| NL | 185.89.210.20:443 | ib.adnxs.com | tcp |
| GB | 13.224.81.69:443 | s.ad.smaato.net | tcp |
| US | 8.8.8.8:53 | lb.eu-1-id5-sync.com | udp |
| US | 8.8.8.8:53 | cs.krushmedia.com | udp |
| US | 8.8.8.8:53 | aorta.clickagy.com | udp |
| US | 8.8.8.8:53 | t.adx.opera.com | udp |
| US | 8.8.8.8:53 | pixel-us-east.rubiconproject.com | udp |
| US | 8.8.8.8:53 | cms.quantserve.com | udp |
| US | 8.8.8.8:53 | ads.pubmatic.com | udp |
| US | 34.36.216.150:443 | pixel-sync.sitescout.com | tcp |
| US | 52.223.40.198:443 | data.adsrvr.org | tcp |
| US | 8.2.110.134:443 | cs.krushmedia.com | tcp |
| DE | 162.19.138.82:443 | lb.eu-1-id5-sync.com | tcp |
| US | 69.173.151.100:443 | pixel-us-east.rubiconproject.com | tcp |
| US | 8.8.8.8:53 | um.simpli.fi | udp |
| US | 23.53.112.234:443 | ads.pubmatic.com | tcp |
| DE | 91.228.74.159:443 | cms.quantserve.com | tcp |
| NL | 82.145.213.8:443 | t.adx.opera.com | tcp |
| US | 34.228.72.166:443 | aorta.clickagy.com | tcp |
| US | 8.8.8.8:53 | ssum-sec.casalemedia.com | udp |
| NL | 34.91.62.186:443 | um.simpli.fi | tcp |
| US | 34.228.72.166:443 | aorta.clickagy.com | tcp |
| NL | 82.145.213.8:443 | t.adx.opera.com | tcp |
| US | 69.173.151.100:443 | pixel-us-east.rubiconproject.com | tcp |
| DE | 91.228.74.159:443 | cms.quantserve.com | tcp |
| US | 23.53.112.234:443 | ads.pubmatic.com | tcp |
| DE | 51.89.9.251:443 | onetag-sys.com | tcp |
| US | 76.223.111.18:443 | eb2.3lift.com | tcp |
| US | 104.18.36.155:443 | ssum-sec.casalemedia.com | tcp |
| NL | 34.91.62.186:443 | um.simpli.fi | tcp |
| DE | 3.67.74.124:443 | match.sharethrough.com | tcp |
| DE | 162.19.138.119:443 | lb.eu-1-id5-sync.com | tcp |
| US | 8.8.8.8:53 | sync.adkernel.com | udp |
| NL | 77.245.57.72:443 | sync.adkernel.com | tcp |
| US | 8.8.8.8:53 | cs-server-s2s.yellowblue.io | udp |
| US | 8.8.8.8:53 | us-u.openx.net | udp |
| US | 8.8.8.8:53 | ads.betweendigital.com | udp |
| GB | 142.250.187.194:443 | cm.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | ssp.disqus.com | udp |
| US | 52.0.142.82:443 | cs-server-s2s.yellowblue.io | tcp |
| US | 35.244.159.8:443 | us-u.openx.net | tcp |
| NL | 188.42.189.231:443 | ads.betweendigital.com | tcp |
| US | 34.202.80.166:443 | ssp.disqus.com | tcp |
| NL | 69.173.156.149:443 | pixel-eu.rubiconproject.com | tcp |
| US | 8.8.8.8:53 | x.bidswitch.net | udp |
| NL | 35.214.149.91:443 | x.bidswitch.net | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| PL | 209.25.141.181:40489 | tcp | |
| US | 162.159.136.232:443 | discord.com | tcp |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | api.anonfiles.com | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| PL | 209.25.141.181:40489 | tcp | |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| PL | 209.25.141.181:40489 | tcp | |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.187.206:443 | play.google.com | tcp |
| PL | 209.25.141.181:40489 | tcp | |
| GB | 142.250.187.206:443 | play.google.com | udp |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 172.217.16.238:443 | consent.google.com | tcp |
| US | 8.8.8.8:53 | www.virustotal.com | udp |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| GB | 142.250.180.3:80 | www.gstatic.com | tcp |
| PL | 209.25.141.181:40489 | tcp | |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| US | 8.8.8.8:53 | www.recaptcha.net | udp |
| GB | 216.58.201.99:443 | www.recaptcha.net | tcp |
| US | 216.239.34.36:443 | region1.google-analytics.com | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | tcp |
| US | 8.8.8.8:53 | recaptcha.net | udp |
| GB | 142.250.187.227:443 | recaptcha.net | tcp |
| GB | 142.250.187.227:443 | recaptcha.net | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 172.217.169.10:443 | content-autofill.googleapis.com | tcp |
| PL | 209.25.141.181:40489 | tcp | |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| GB | 172.217.169.10:443 | content-autofill.googleapis.com | udp |
| PL | 209.25.141.181:40489 | tcp | |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| GB | 142.250.200.3:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.200.46:443 | google.com | tcp |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| GB | 142.250.200.3:443 | beacons.gcp.gvt2.com | udp |
| PL | 209.25.141.181:40489 | tcp | |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 172.217.16.238:443 | clients2.google.com | tcp |
| PL | 209.25.141.181:40489 | tcp | |
| GB | 142.250.178.4:443 | www.google.com | udp |
| PL | 209.25.141.181:40489 | tcp | |
| GB | 142.250.200.46:443 | google.com | udp |
| US | 8.8.8.8:53 | www.virustotal.com | udp |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | udp |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| GB | 172.217.16.238:443 | clients2.google.com | udp |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| PL | 209.25.141.181:40489 | tcp | |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| PL | 209.25.141.181:40489 | tcp | |
| GB | 142.250.200.3:443 | beacons.gcp.gvt2.com | udp |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| PL | 209.25.141.181:40489 | tcp | |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| PL | 209.25.141.181:40489 | tcp | |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| US | 74.125.34.46:443 | www.virustotal.com | tcp |
| US | 8.8.8.8:53 | e2c79.gcp.gvt2.com | udp |
| IN | 34.0.0.42:443 | e2c79.gcp.gvt2.com | tcp |
| IN | 34.0.0.42:443 | e2c79.gcp.gvt2.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | beacons.gvt2.com | udp |
| GB | 172.217.169.35:443 | beacons.gvt2.com | tcp |
Files
memory/2596-32-0x000007FEFB170000-0x000007FEFB1A4000-memory.dmp
memory/2596-31-0x000000013F4E0000-0x000000013F5D8000-memory.dmp
memory/2596-34-0x000007FEFBBE0000-0x000007FEFBBF8000-memory.dmp
memory/2596-36-0x000007FEFB150000-0x000007FEFB161000-memory.dmp
memory/2596-35-0x000007FEFB500000-0x000007FEFB517000-memory.dmp
memory/2596-38-0x000007FEF6CF0000-0x000007FEF6D01000-memory.dmp
memory/2596-39-0x000007FEF6CD0000-0x000007FEF6CED000-memory.dmp
memory/2596-37-0x000007FEF6D10000-0x000007FEF6D27000-memory.dmp
memory/2596-40-0x000007FEF6CB0000-0x000007FEF6CC1000-memory.dmp
memory/2596-33-0x000007FEF62C0000-0x000007FEF6574000-memory.dmp
memory/2596-53-0x000000013F4E0000-0x000000013F5D8000-memory.dmp
memory/2596-55-0x000007FEF62C0000-0x000007FEF6574000-memory.dmp
memory/2596-54-0x000007FEFB170000-0x000007FEFB1A4000-memory.dmp
memory/2596-49-0x000007FEF5010000-0x000007FEF5210000-memory.dmp
memory/2596-41-0x000007FEF5210000-0x000007FEF62BB000-memory.dmp
memory/2596-56-0x000007FEF5210000-0x000007FEF62BB000-memory.dmp
memory/1084-75-0x0000000001390000-0x00000000015D4000-memory.dmp
\Users\Admin\AppData\Local\Temp\mxfix.EXE
| MD5 | b4ec612c441786aa614ce5f32edae475 |
| SHA1 | 3a264f8daeec9b156ddb5ed576d490dd8fbd8e7d |
| SHA256 | e18ba6573b9aa2d139ed5c30f18ac2ece3ce8287d1651db4bc632dbc816f53bd |
| SHA512 | c6800371cdc2b571061e6e755a2c95f49dcb233c3999976f180cb7cf95fa2c62d03b52a3c497a2cd7ae46ec72eaf823db25bd291ca676724194c05966f2bce16 |
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
| MD5 | 3926c7b8fdfb0ab3b92303760b14d402 |
| SHA1 | b33e12ef4bdcd418139db59d048609c45fe8f9eb |
| SHA256 | c101904ec19b45612213c2b398892a4523f63862bb3e24c245509db2417585e7 |
| SHA512 | 4a022be27f58b1735f3a0ac9abdedbd769adb4e3ca1dacdcdc98700b17e138b647f9059585c8ef37fdd7072ad6283e95f10def171584097eb8c70e7d1212ce0e |
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
| MD5 | 228a69dc15032fd0fb7100ff8561185e |
| SHA1 | f8dbc89fed8078da7f306cb78b92ce04a0bdeb00 |
| SHA256 | 920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709 |
| SHA512 | 373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1 |
memory/1516-98-0x000000001B580000-0x000000001B862000-memory.dmp
memory/1516-99-0x0000000001DA0000-0x0000000001DA8000-memory.dmp
memory/1912-100-0x0000000002230000-0x000000000228C000-memory.dmp
memory/1912-101-0x0000000000280000-0x000000000028E000-memory.dmp
memory/1676-102-0x0000000000C60000-0x0000000000E0C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mxfixer.ps1
| MD5 | 5d792fc7c4e2fd3eb595fce4883dcb2d |
| SHA1 | ee2a88f769ad746f119e144bd06832cb55ef1e0f |
| SHA256 | 41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb |
| SHA512 | 4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e |
\??\c:\Users\Admin\AppData\Local\Temp\cyfbcaag.cmdline
| MD5 | 903ffa65ebc15022b326cd77aa6e448a |
| SHA1 | 9db89cb7a7307f031b940019b450386329c748aa |
| SHA256 | c9ab956aec1fc7ed1d118fe762f60f7ccee3c498cab05d48619ce0fad356929f |
| SHA512 | cea2183d2bcbe8f7f9cb5095d2a6afcdf0519a1dc084a2c0ae059a0414c3f051dc4dbcbde3263d97905d8e142aa497fed0ad5211bb5fad11b3422582f9ba92ac |
\??\c:\Users\Admin\AppData\Local\Temp\cyfbcaag.0.cs
| MD5 | c555d9796194c1d9a1310a05a2264e08 |
| SHA1 | 82641fc4938680519c3b2e925e05e1001cbd71d7 |
| SHA256 | ccbb8fd27ab2f27fbbd871793886ff52ff1fbd9117c98b8d190c1a96b67e498a |
| SHA512 | 0b85ca22878998c7697c589739905b218f9b264a32c8f99a9f9dd73d0687a5de46cc7e851697ee16424baf94d301e411648aa2d061ac149a6d2e06b085e07090 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCFBEC.tmp
| MD5 | 583399aa9fa08349dcfbbabf2de3d83e |
| SHA1 | 241e66317e8a3a613160ce2714353cebbedee922 |
| SHA256 | 40df0790c7f7d2df7967637f596f4f695a33b8b3203b15ae0a9bfd0c56d7404f |
| SHA512 | d90989f4bf0958b1b80224d354b3ab6b34152e4dc846a0d7f0eab0e2bb24327b6329887238b355072f2f97c752b732c1b9a04ae8d1ca7c959dd3c1f6482d06f5 |
memory/1912-116-0x0000000002090000-0x00000000020A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cyfbcaag.dll
| MD5 | 57dbaf4311f8f3cbe01908404276cdd2 |
| SHA1 | 8e634bd9132f8f9bc7a6cc762ec1502dd10aeacc |
| SHA256 | d818e077c7087edf5fa5c96ff2f033213d70f51d3579b931ced2e97c9d73573c |
| SHA512 | a0d1b72f264c56a009a23412b6320f40e57de3e02c8773382589008ef28f2af72b182f4aa3ca95ea038e3a724628fd58714ece3e26165d7463fd60ffcacdc644 |
C:\Users\Admin\AppData\Local\Temp\RESFBED.tmp
| MD5 | 238f93df98fd5e1dca94d04eeea3ed1d |
| SHA1 | e3f2708648bad1cc08c863ce3e92786b928da0df |
| SHA256 | 059fea1c3716dae21169b93717a678f628ccbc6b98dd513efe8f993bc3578d18 |
| SHA512 | b7da0dce0df640ed05b40f21624dbe4b64100eef7faa77a2f96423a8c1c9ee7d242924fd7996481247a54778584298362c16812e0831197893db1b61dd52355b |
memory/1676-118-0x0000000005150000-0x0000000005342000-memory.dmp
memory/1912-119-0x00000000002C0000-0x00000000002D2000-memory.dmp
memory/1912-120-0x0000000000490000-0x0000000000498000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e6fcf516d8ed8d0d4427f86e08d0d435 |
| SHA1 | c7691731583ab7890086635cb7f3e4c22ca5e409 |
| SHA256 | 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337 |
| SHA512 | c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e |
\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll
| MD5 | 9af5eb006bb0bab7f226272d82c896c7 |
| SHA1 | c2a5bb42a5f08f4dc821be374b700652262308f0 |
| SHA256 | 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db |
| SHA512 | 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a |
memory/1676-132-0x0000000073ED0000-0x0000000073F07000-memory.dmp
memory/1676-133-0x0000000074200000-0x0000000074280000-memory.dmp
memory/1676-134-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-135-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-137-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-139-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-141-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-143-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-147-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-151-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-153-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-155-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-157-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-159-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-163-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-165-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-167-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-169-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-173-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-175-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-177-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-179-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-171-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-161-0x0000000005150000-0x000000000533E000-memory.dmp
memory/2516-214-0x0000000001270000-0x000000000127C000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
memory/1676-149-0x0000000005150000-0x000000000533E000-memory.dmp
memory/1676-145-0x0000000005150000-0x000000000533E000-memory.dmp
memory/2100-11802-0x00000000003D0000-0x00000000004CC000-memory.dmp
memory/2100-11803-0x0000000000610000-0x0000000000622000-memory.dmp
memory/2100-11804-0x000000001AB80000-0x000000001ABCE000-memory.dmp
memory/2100-11805-0x000000001A790000-0x000000001A7A8000-memory.dmp
memory/2100-11806-0x000000001ABD0000-0x000000001ABE0000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 913967b216326e36a08010fb70f9dba3 |
| SHA1 | 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf |
| SHA256 | 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a |
| SHA512 | c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33 |
memory/3428-11816-0x0000000001050000-0x0000000001058000-memory.dmp
memory/1676-11822-0x0000000073ED0000-0x0000000073F07000-memory.dmp
\??\pipe\crashpad_3064_OJMGLWIOZHHVVAAW
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | eb25ca1f4e0bccbba7961f4462c151aa |
| SHA1 | e2c4cdca01e3751e124518e1129bea0c6064bc04 |
| SHA256 | 036b2b701428bd6f9885a7e4fdd6a499e59196489b861d3aa72e7340471f503f |
| SHA512 | 4d6982d1f8774fdf8e51a7183b2ccffa175c3ac1222ecb2a8b74991bfb171abdf7b208267d18a6373ed72a7f83c78c8fa86e9048d34fbfaf00b49cd437186155 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 754ad149a55fdf3847213e5d90bceea6 |
| SHA1 | 1b3801e5eb414426f06e41ef69d4a521b17c6391 |
| SHA256 | 572c0181964f16fb3021be88a24e761fec84dbf9fd348137791d8f6ffcc248e9 |
| SHA512 | e27dc3ce7a03c86e3249b3c307445c9566bd3d52c01a1f34ff2f36a2a523000f604ee14e44c3af11ffabb02282bdc7c33171952f83482d5f89628a12b9038893 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | de21682c847f49bab6f6e324a9fc024f |
| SHA1 | 02f6d0c0ead804e2b9b27ffce080b2375aab3575 |
| SHA256 | e32d44dabc6d0733c266e54335193c07cef0e95e286053f8ea760c37212bd8ef |
| SHA512 | b779de9ff0a18bff5e4e5d516725aad94ae4946f2d3d3d401af88634503a060112d5a5cc1096dad227a85c19688bbbe284586cbc1934b9d4ed1ed20269d34939 |
C:\Users\Admin\AppData\Local\Temp\TarC69F.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | fd4201108aff9d990d581cfbf10659c8 |
| SHA1 | 4f0bb9298a1298ced1f41602afba26ffb9d2714e |
| SHA256 | ac35ce0a9bcf0db1f36190c5e6ef3c053b13f9e4155b35b03b572448d33af19f |
| SHA512 | 82cd7553ecab76d0d39c633e9082483824d99948125224717599817ee15b8bbd80b79e362e6877a35459b84616125502b4280b80a1eea1390ee8984060fe8358 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6a11638a906c9dc02b580285ea46ef04 |
| SHA1 | e1efdca661a701dab36322ccbeabcfc0f1b4eab6 |
| SHA256 | b4b601c4fe50395e9ddc280050a18cf8eb374696b169e4c181ee69c127c8947a |
| SHA512 | a4be1145e5745333962124212b11f1334fad3b2c0652a666fcf37b9dc25dc76fad9e7f65abf0eca8db2c6c2e1e17ab11e6b61292591b127d1b5e6d2f01669bf2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
| MD5 | f2705d594a598dce1fd856ae41209def |
| SHA1 | 43d9f6a3e44ab8b2843ff1ae559d143a3fdef871 |
| SHA256 | b835ea9da08c1638751a8b8a95d197c4febc92beed9c58b7da3a0a9d9ed9b9b9 |
| SHA512 | e8a3073b83c65a0592baee317a7de6bbe04afcd9e628e719c42cbae81646a6cce2f096396cf547c2b309d1a4d55a0ee108baaf64a61e1d632f05ef115c8c18f7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
| MD5 | 55540a230bdab55187a841cfe1aa1545 |
| SHA1 | 363e4734f757bdeb89868efe94907774a327695e |
| SHA256 | d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb |
| SHA512 | c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bdabc72614904e3520037e3163921086 |
| SHA1 | 849513ec51be8bb067bb257361ceb4a85f98e77c |
| SHA256 | ef335d03ac42535b32b1c5883499bd414dfe5246cbb76d12252c913106002d7a |
| SHA512 | 0aed86eb8684b35588c6aaa3d17de4055d0a4d3809d1443a7d0c3406db28056c4bc8fcf836f29f56d2291953765432bb9193cbf9b3560b16b8b91ec6b22f5470 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ef509745ffa4d049f0095b1698957352 |
| SHA1 | 8ff37d90bb150dde5f83cff347a145a1aac25023 |
| SHA256 | 4575faa0751fa586a8ad58dbb707ab8ee4e04037e8b927b93084a5c483800d7e |
| SHA512 | acc41cb692137f0c554c97ba3cef9b5bae87031834f2a343372d862268987252341645e294bf05bb039391ef7dec789ab5e05b9fb8bbb5cb21179a6b807626b0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 49470176cfa1f13a8e50109f3309eabf |
| SHA1 | 4cbfc05c5f1f9df25fddbd9ee9b8af8e53e73c22 |
| SHA256 | 1460d37e96a25de465e35837b58ef939cd2d35ffeaa21cf1336f0c4a6966977a |
| SHA512 | ff06a3fc0ee34100cc27ff30a51b7e505970b752e954f937c866b8cb16a4349dcb27c681d5e5cf3045eacad3755a73be1e95164dcbdcab4e90d415435af682e7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2eaffb68347f3583363b4e51e88dfe6f |
| SHA1 | 26021d1a205edd4fcd8fa2d0d14345bea299d471 |
| SHA256 | 3de22151652dbc3e3bdbd06b7a95660b10e3357b8e7c0d4d448858d5e5c73fae |
| SHA512 | c77f69fb973d8c6b2afd8108019d5eb3c471bf493695d82eb01fdd110ffff54b6bac23cb634063adeda1a71a55b83079996ef413c54606623dceb60d1acd2328 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ac75f9b74db7f89f2d95bddb50ef7db7 |
| SHA1 | 0064e91035ef15e0f3267910e64b12864403fbef |
| SHA256 | f400d8ec35786de79b58b7b06894c855420edfcb312655047e86bc390929cdda |
| SHA512 | d2554d0b74e639412d6451b5e53b7aa3e72c1a8627f54d453cdd834316d9a8cd2bc4fd136bc631556542be99994b022c6a5fa11563db95bce96aca5acf8485b5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 64540c123035aa8302ccf63adcb89987 |
| SHA1 | 6ced9070e97bb7073869c8028cbf78ca7bd300d1 |
| SHA256 | 3f18bf6625ab6f50bcb6fc3cb43a0fa41fce82c76e44ab50f99fa906433e5ff1 |
| SHA512 | b782a82d5a6c4342799fde8247b07a2b8112d0473f374129c157aa73d09a5e136be667d85e24424160f20c52f9f822849729d6dac613d0d04d905442c9d4e7e3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b3b619ebf74a4bdad15b964ca3fb79b2 |
| SHA1 | 465612205397afbb42c1011e65dd5799f2e0b313 |
| SHA256 | d9766c24f67ce672381271a7713273655ab96cab8bcc6093d703cf6c489dd801 |
| SHA512 | 84fc319d64d2a24d131f8f7c4193dd22a29c4572919fc68e5c1f614fff0d23df30a0201d1fa757c599d2a024f965502c0a80637540844ecff15a33cecb2172f2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 39b27a9437606a1fa7668aa47481edf2 |
| SHA1 | fd4ea87faa2f355da7d2a00f7e92be9e094ce7f4 |
| SHA256 | 097bab3e08e5037ae36e972827e63f6b675a6f3d3f4f498730cf02ad2fb528fb |
| SHA512 | 545305b65081c0fa3cf3f68898d550b87428ab5b4369291ef9ceab20243dba4372eb9b6ecf17c5369c4fec9f781e4fc1e8baf4f5605535263c0732778760747d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 15d8df609441e190838fb227b4ba0efa |
| SHA1 | 8230f9bdde3e4786767241b237116694ba24f7c0 |
| SHA256 | 38454f95327a7fcefed6a8cfcc5686f8e56cba46a6ac0caba615d72328e1b5c6 |
| SHA512 | e777d990e11ab2034c9d1af13e40343cf546e8487fa4167d53bb3127f64440fc36f7230a8e0f10a775705d3e6dd8b29d18cc92015ea9e098535cea66a065eb84 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b0285cb4d0d46b669cc26b4d76e62542 |
| SHA1 | 84de2a6210a3b5b1305ac8a5ed030806ec02ae62 |
| SHA256 | 99ccfbb60214802b11d7c4f90be641a02b4a926d0b6073cd0b4aae7ad4e7709d |
| SHA512 | 2dcbacbc5bc68171e27191045f2af168e7e5f8dc2d8a91203ce033855142352d35fb9b727396664e852accef3abcf0f6893b42483ae8397f71e326060c20fb87 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 92799521e9594cbea75c6d36bac065bd |
| SHA1 | edd52467652ff6e6a28aea2300891085e5e5d750 |
| SHA256 | b6b98fdb59dbefbe8c5d920ebbb14f34b5104f5ea6827ddc7b001b6ea1bad0ae |
| SHA512 | 6352333279765bef0845bf7c463196584077900c189ca67d631b4df3d9edb70181292e07b55d86bdd749fe53e47f0de824f0d7692dbb11543df45575b203aa0f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004
| MD5 | 47edefe61b20751d8a4627be8bc0497a |
| SHA1 | eea6ffd2e1f1b6e87fbbab83f5b2fd5cc81b79ba |
| SHA256 | 6bcaa27876393730459362c0f92a79075ee80c40d33d6353eca96aa63f5ebfef |
| SHA512 | f011bed709b4be284a21ffbb4f9e294aa394492176d06c5d1cd95a67e9e43e88dc35382148dce01814a73cf295af54ddc647dde2d566f2aad675a4a4e8fb2cf0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
| MD5 | e569b5f6f14852ff50ff8b6020799f68 |
| SHA1 | 17cdeb1d710c8011cfe932c31bfe0913373f39ff |
| SHA256 | 9ffec84a0d845309dd4c4b19fc797375f97ecf0773729cd12c7eaafae877e384 |
| SHA512 | 2a41d1f2af7c1fd30e9370f37d1807bece58d11d3e33b9325e13062f9a3bc3b73ff47729a0a09936d40fc91f8af09f37447a20cffb3ff4b144eb7b42f63cd820 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009
| MD5 | f0294193402ccb8b595417fc83c9a311 |
| SHA1 | 7d0e8ee14bd97a95cd4d75b4fc538650a80bb007 |
| SHA256 | 582e9c8c6d28f9598fc54b31fed5440e69964d7f938f2f907cbc39b17c764b37 |
| SHA512 | 22b9a5bdd97a24747521700818dbe2977a5568006bc4511c82f94ff7a30f933cff9bb1bcde7f7d3b89fe9c87bf5e6f66b41eb72b4fb51b67cd36585389b91790 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 29d36aff62b850b8b70cbdefdd092092 |
| SHA1 | 2a4361921173720b2725d6641442abf52d086eee |
| SHA256 | e626d0d5ded0caafeccb1cbe576d19ef08e0acf84440756aa365ae6ea53b5938 |
| SHA512 | 6be85e10228c0f23c5a5b76d8858b39959079fabde21cae82052b6d45ca5a72bfa046d79ebb1168d223ee0dbbb64b71bf4068904b434390d652a15d7598c2b50 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ddea068ecc57cc79a669649b659ff86f |
| SHA1 | 007714af76fd6b6e2c7561614d59a1649ca1f972 |
| SHA256 | 846d1fee123cca860b740acd6640c77142edd1f2eab9f6be1c4cf9903a2f25cc |
| SHA512 | 564915cb53b59dc65eb2df262d14cf04f5fa5b5d45a794999b2993d1cbf4e329b18ba0c4c0b65da30e8ff21a48cd9affdda859f4d36ec0afc3b97d7d405f6fb9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cde7d6661e464287934d2aa7660a4c9f |
| SHA1 | 730f61b531950ddd8d3a5a011616c1af4310d63b |
| SHA256 | 93b386191456de015a2ae90f241214e827ce60409207376587c3080b97284e88 |
| SHA512 | b097272185dde630f9d6f7bd10e2d9901ed99619b0ef69bedc18efdfe58c1a9b333143d6d0b14c7ed7c3c17ca73eff3743cee3cf5edb8ddb9edeb129e0a21874 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C
| MD5 | 182ecaff22c95f2da5c161338b234083 |
| SHA1 | 948333d09d27c1a1983ca6a312a499c6cb8a0013 |
| SHA256 | e56e3528c9e6e0c2d9db06c7177f38ace8670f347dd239e00aa81de7014770bb |
| SHA512 | 38f5f3f651949cf9f92aea11eea78ec70f5c8c35698835ef9d82753734ab9859b2910f6b0c605e8136c749d4eaf963ac3de081617cff9a3a654f06643159b8a6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C
| MD5 | f55da450a5fb287e1e0f0dcc965756ca |
| SHA1 | 7e04de896a3e666d00e687d33ffad93be83d349e |
| SHA256 | 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0 |
| SHA512 | 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cfc4a407bb358135499a76c954acc1de |
| SHA1 | 09a41f491c58d06eab442e3adf7f8bb12ecff522 |
| SHA256 | 526915149e26f09246f768c0ce74413144c10c3948b44a61f43abc8b6d747074 |
| SHA512 | 195f4f3348257d0caf7d97829c6cee1a3e0312319080c50db4ac87ce0362b797a0bc78aba4face1751f4b016f57635e867f158e941ee0ebb589ec90716a808d0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 69936a1d30b0836b7d60ff3483c29302 |
| SHA1 | 62fe58e20cebdffc39ba6c2c9fb9c92c1ade4ebf |
| SHA256 | 74b8fc10d6f938637612695175913fdbd847da34ba082b0bc07c078129a20190 |
| SHA512 | 6e76a395ba24673027afa1ea2942721ac98e7d50c59decf8ada54324363753ef6f90b6ae94b6bc5100cc55420e2336d1249945d61696bc47d14ea7447e0150d1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d8c1d40a2e9446831cbf4c2c5fbc5c05 |
| SHA1 | b12cffc125dbedcec42a8ad6ec8a4451697365a5 |
| SHA256 | e6490f594d02ba2b9a557983e38572f31d2e3915206ba030ee07580bc53454d9 |
| SHA512 | b34da90d659e4754404fe40e75503e3be4002474e5efd93ec36771fdc53b380035c202930df68144a0c205c293cc78657f4081e7bfe0fe4caed6906cae6bd682 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | 3cc112506b2ba752ebaf21a2a7a155dd |
| SHA1 | af7b0b0fb7a009273bc2e20cb36e1e5681243088 |
| SHA256 | 3a565a7ceaf38d5b70d11248d1a65cd8eb96d31c58d0232cb7d44fc9d960acec |
| SHA512 | 8f8ed7e95cfa870a999171f5fc872d6f755c63262757159d653084aaca37deaae2664067e6d0f60899514813c88949fec9f879cd4a3ec0bbe693b1abd1fe8f24 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5b58f8c95fb588b4b5d4be8af6ddd730 |
| SHA1 | 326f5642a01e910c545fe518b4022237cd2beb64 |
| SHA256 | 0dd2579cab6d27091df7a96e0d061b1ec6dbed05e74c1d8904da6b1a7d6910a5 |
| SHA512 | ade8717e36a45fbc586cea8a4f984b427ccce4dadec89537df855cc9bc586bec50a435cce6fd229af5a69d67531c33215160611aaf7d87d5786af84257ba2a8e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 041bf7ab548fe220c439abb2660db47f |
| SHA1 | 0bb18a3d364037021a3d6b03df9027f441bc1527 |
| SHA256 | fc692ae005f8cb6bb65a0a1345fe8756d47b80af8d63c3a1614a352fbbfa3196 |
| SHA512 | 23da714f98dcd872e0384379dbfe375dfc0ccd4a127899bbec571593b66f337754d68bff3133196fc1da78c3daf09efda278da6207dc91eb1b90ac0936347627 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d4ee30cd170c58fbf1557ba7bedd8a7a |
| SHA1 | 2e169b311d34affc15bed37b1f8913209dea2780 |
| SHA256 | 2dc27f2c3e9d211d226f35dd873d681b6318fa29c5b622e275db855ea603a625 |
| SHA512 | ab31e607a2292b01472fdf9c6c94eeea0753ad4edbc6694a61fc7804486eb130d192f5c24e5fdcbd8eaf24c54ca083ddc38a528f1bf4ad16a5f3d1f03c9ee65c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 644563f1e3074f561876c72dc1bbc586 |
| SHA1 | ea9d0fdab1436c6d9d9294aabb5bf61c1ee53637 |
| SHA256 | 3d14d491ba492181f37829ad6fc01d6a46d2255d97c743c9e528a8ca7a79bb99 |
| SHA512 | b22545fef1bed1882790bd80f2a70a847cac2373f7a78731e86e17c7e5b20092559e04d48eec56cf87fb19208c72c1fd5974f47908ddd09ecf7ecc27fc763bb3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 476fd982244164fda2b2bd2e1c30592b |
| SHA1 | beaf2e8bf052c56e5c1d86da2b63926459bc8c93 |
| SHA256 | 2702b6ccaf8e677da0f9765f331a956ec2ab9c69d3c7367a052c2063d78599bb |
| SHA512 | 6a8fe8d30464fca4d4c69b13c6e43576e432c6730f00860914c3509bc65252c54e021efd474989e2a3b491634484b5b73ece608b36c939030004e62d9677d21f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 329e006644fcdb7f31b955dae6d7cfa3 |
| SHA1 | bb29f12df65b0fc9734bcdc2c6f96bb6d0dbca87 |
| SHA256 | 95f1cbdfbfe6e2eb4d09d744dba7d295e1e463da42ee9b186eb3028466a628f6 |
| SHA512 | effe970762e753dd93d1ce27ab32543b53ab0b128289cb3234b8ef2d692fe5d39f98805d448761535cae8f34919c4271b358b578721c981b4ea383231bd9d0c2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 8fa28489fdbb1ccd8f09327292e3e250 |
| SHA1 | 474839dd5779f8064cb883682c49228a237bbb6a |
| SHA256 | 766c3980778a51d514d1ff19ccab0444b1f96ed1f029ac94f6ef1479944f7895 |
| SHA512 | 40647fb073084ad4a00365c87ac25a9b475aeb320af076066d5d11ba8874a55c83de163fc189137f272e3534c8227da895f94d44a13b8e1a0de2a52ef4a99107 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e084413d562bbe6c1f836e38dbe581b6 |
| SHA1 | 423620742a8b8943129298881d46361ffde55534 |
| SHA256 | e2ccd4ac044a35e17f128aec160bf287579ae1fd21ce5cdb495e3cc3bdb2f366 |
| SHA512 | 444135070500bef13eb83bb7f81c6c7115e3c400fe7dbd798ef3f35ad9f7185d6deba00c03242a1fe583e7bdf40b86ff95fd4618bdf7a161c2a67aa008409536 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 613c80cee2c4a2a88f0a283dc4bd5e32 |
| SHA1 | f5e47fba4be196603222d1e680989afea7b5480b |
| SHA256 | 3223cb21e69423a3682bcc65f0b7b727863c1479d8aac1fad9ba2f7c9950715c |
| SHA512 | 7f95838d1b2c3cec49fd71db495dcbd120f32f4cd43206432a56067daf8e9be03b84f36c83b839deec52a4c5869ea7d8d52d8a6a95eb81aae4ec7c9e6ef7d620 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ff8f3703f619823c371e3dabc1c32727 |
| SHA1 | 46302cc63a75252d013754d53d0025045ad656ca |
| SHA256 | cd431d2d34647ab07bd32c0af6cacc9d6015bc64172d43feb7d24c1e28c28143 |
| SHA512 | 783cb95b8060a2e36f21f9febdf240c02c629f88c93d16fdf83fde32aeb39281a414fbc0a66820a6aee25ebc52758c9de1321d4ce37364fdeadb75069d64f3ce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e43b343b2a013ce1cb94058ea6809581 |
| SHA1 | 9277b2b6e09cddb4f6748a4c1cd1b46c26090677 |
| SHA256 | e2a8510d3e1aa387d323fadca4a4fe9c3df90342e81eec175982f06f7c320f5a |
| SHA512 | 03b4344e66f5c31529f6bf58e9af15e3d049f9b4d1606a0e39c680ef1343a2228d393011df4dbffefd24d712a878af39932b559a81ec9d5b651874c9113ac938 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 991760b39a7c22e06dc4ababb04af914 |
| SHA1 | abeb7b6f76f248a63c934c32d1fd732dd586e3a5 |
| SHA256 | 6a3ed844a284eacc3cc3b4f1da0563f60efc21e1f623924b9ab09a8d922c25c0 |
| SHA512 | 163a6c5e6b63eb643167bb58f045108424d3dd36241954482ff00afbb31735bcee2cb9d8a1065bf88151eb6e5a74cc0de7ff0063f04c53a42660654cd5c25988 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\7014f897-4662-4248-929e-343a9d5fb590.tmp
| MD5 | bd6bf374a98ddbc59e057599ac68a316 |
| SHA1 | da128a2376fc6040db18fb120ee654918b9e7eba |
| SHA256 | 0ac17cc72ae156688f9a4d257c028f4b4cf1a8c57b9f37424484e81fbd74172e |
| SHA512 | 0b3c962e677c50ea422cca3157089fbf17c43745004e5448500d01053b3d741e3f41e598c7f260843651bc4ffcc36f51be8cdd61f2b0533279efba2698b52859 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 6b3bc255fef4adc10c010dd5a55bf3ef |
| SHA1 | 0c05d47d708e5e1638455eba466f37d56a1e4a10 |
| SHA256 | 2a7a70d5ad1ad1dd77b369c6586733f37de4babcd47ade73d55df9c6d8c0171a |
| SHA512 | 7397a1d156b0fe9da009420071f2954d808762b746f21e93e97fd976c93287fc4b75a074059c185ab3c2f145b897c005e9ae6e301563313fdcba0e08698fe31c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 596f518d0fa7bde3fc57a3be1738dfb5 |
| SHA1 | 591277dc5f032cf25cefdcff46ed057b4e9c7060 |
| SHA256 | a299efbea15cc65fba1712958f7ba335f3afb15b7e3328d345d53984eecfe9a6 |
| SHA512 | 16f3384b7e4fa2dfd026e3003174180e83f4575fb05e36777e3a00047cc2eacda4799f91fc94f75b1d6665091a0d63bff061bea7d93c248e549171fac3dc72b0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | b79f48c042c8a3df8f9acc3aef37b4e4 |
| SHA1 | d7b09e40be76ecbb112e6e37391bc508e5c2f5bb |
| SHA256 | 01a3ebbf8485d7ea59afe12e96442fbb1d025501a55dc080070fe6c7962891c7 |
| SHA512 | 4288b8c322cedff41c3ec7ee1c25875be0f0117c1ee0a95da18f1233df94f1733635b705691113846e9e7975c316687751afd3edb3cc146fdd529c7ee044b6b0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | d514dc7164a73e9e60a2af2af543cbcf |
| SHA1 | 83b21dc25a9bbc7945404391f0cef2e976197d20 |
| SHA256 | 55e6598432567d530ae3652fcdf35ed2df8cd413bfaa126b087c4b53807945fd |
| SHA512 | 91eec00ac9ec386fb396afc7ad8aac2a520d5a2deb9432c905faeb12fc798171cea55416eceb6b29df192b1b4422d7b5a4b994aa50bb024d313adfaea8143bf0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6bfb23ff7e71afef45b0eafec09ad713 |
| SHA1 | 22dcec213c6ee34b25ab263fe02b4845b0961fac |
| SHA256 | 8a74109f36370bf580e67ae199f026f7f80f69f90ee08a0bc0bc7caa7610b2b4 |
| SHA512 | 774b13e7f2867f8324eb22dd6c0814240f0df63dd0003f59371495dbffec33225ca59d3c7ee3d71140c7d41bf7026fd775d1ae7be03973c74085146c120201e0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ac78c767e7f9d87eb8add065d964c9c2 |
| SHA1 | 07b1fa4aa56a7335cf18d01b760fdef9a87feb3f |
| SHA256 | 0faaee6addc4453d9afcec4b82f2bd68f5acef44012911e703d5531253b3ad26 |
| SHA512 | 9ae0d0684c911fcd4ac1316d59460e4c24bc1f0b424138a00e93395b91cc8e58bff96a6172b519bb2773f9883b3537e7d644aea3ec00f462cf62ada958e96a73 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c15c5937c7d7936d6fdec056e8a1bd02 |
| SHA1 | 05bbc22617f93c27f369161b09af14395a6a452a |
| SHA256 | 1ad983668817349da87e541b07bd18b505a86fbf28d0f5f1e9073196efe7fa2d |
| SHA512 | 7b29617ca34860dad80487b382886c0a0fb185157689f585a5eb939b869dab90ec57a0b854e53e6afed6bd146415268c3aa9b0c41da08f9e9e8da5db99a5695e |
memory/1676-15189-0x0000000004890000-0x000000000489A000-memory.dmp
memory/1676-15190-0x00000000048A0000-0x00000000048BA000-memory.dmp
memory/1676-15191-0x0000000005FE0000-0x00000000060FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe.config
| MD5 | 6a0a831fba3c5a04bce851e38546bc52 |
| SHA1 | dfc14076e9041eb96508c4aa20b52c56d1e4f778 |
| SHA256 | cf432948fe1a0ec9dbebd13843f427b9e9b370c700271d6c502656d3dbd9db47 |
| SHA512 | ff31041b5eb093f77bc3919b8347228eec0714773d66d0ed131f5b493a13e99a773bb029b4be35be4869e4e14f9a9386f367d7406d23edd304efb38557461ce8 |
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe.config
| MD5 | 276f9b2cdca697a3f97a85fc0c4d031a |
| SHA1 | dc1e7945b7634aeec24be26d1b41e2996a689ce6 |
| SHA256 | 69ab52d618e780fab15ffbbc1e3f453d5bf07890b38ff8d7633e53f2e45fcda1 |
| SHA512 | a04b8e1fc76b11eba67ba9a4872c88be235e564a1611d8e860af478240d4f3486a346b468f71671ce778971f70292e362a28876d88df95d659e4b13282631b21 |
\??\c:\Users\Admin\AppData\Local\Temp\vxktrpxy\vxktrpxy.cmdline
| MD5 | f1a272bc371ce683a8ccb92dc7b860a8 |
| SHA1 | 920d27fc80be3fcde58f47109baa88a9cf99ce70 |
| SHA256 | 8682e74b98b0b98f2c84798cf3400407417f373a67f3b77e05b226a75ea550db |
| SHA512 | d5d7af197c6d3fa751903aec9529ba7d97aa36315ec15f83697f5eebfe6fe4336e1974ee0cfc6d16be099d5dd6d61a2a44f1a778cbcd81c2b67912412c3568a3 |
\??\c:\Users\Admin\AppData\Local\Temp\vxktrpxy\vxktrpxy.5.cs
| MD5 | a1c961e6ecc514cd083ca5a78b65ee4a |
| SHA1 | 45c8dd6bdd0ecf2f0de15ac46dbe14d9b432110a |
| SHA256 | 1c6dc3335cea66271b2664e27763a489a8c7a512d33bafc1fc5fe96b365374e6 |
| SHA512 | 8ddd224ba1bfed8ed1121c8de71d716548c67b58ff20255c89383472e1f5bee44e004abf267c5edc8744263a3c84f0198aaaab02a2f401429cef06e929b61341 |
\??\c:\Users\Admin\AppData\Local\Temp\vxktrpxy\vxktrpxy.4.cs
| MD5 | 352d6180624651e5e63204b496c425f8 |
| SHA1 | a04c3b97c47e45c7c82dca858a0f412a03bf7770 |
| SHA256 | 325c6b2edabd42db57da63ab71c81cbac37084d970f6abeba016f10fcb62b2c7 |
| SHA512 | f6b6c6a7730c84dc2c6dc9152dd5243e974df2474385b1059d8c5c1b473274158fb335d21affefcbe93bab7e8fd7db8d1168839ba1210c7b912c2cd9937509f8 |
\??\c:\Users\Admin\AppData\Local\Temp\vxktrpxy\vxktrpxy.3.cs
| MD5 | c774d493985f78439a8d3d4eefb51ec4 |
| SHA1 | 145c27b9d54c60d99d7a9e537a809485beb0996d |
| SHA256 | 39ea9ecc5a70cb1a96d2ac19c2680d669972b09e93082de80f55744134528fe4 |
| SHA512 | 3ed9cf0c589ae20e31a852de7ca3400d22f55cd24ae1aa1414253dfcd7d19441147dc221a961f86e998eeaeddce8f58e94530aa8f65a8271c541d0f952e7585b |
\??\c:\Users\Admin\AppData\Local\Temp\vxktrpxy\vxktrpxy.2.cs
| MD5 | 6bd7373e97899b748db753f17019ac92 |
| SHA1 | da6f42c0c6e705c043f2e563d2281714065613d4 |
| SHA256 | 5f87a2cfb7d70d61c6ebf97b172a58c0e961e8226f42561b7bdb5566ea7598a9 |
| SHA512 | 94539a2188490c82bd036d8265759880dbf6d2bf049214041373444791f98af4051a2aa5ca7071f0fe2d0d8927a4e31479ac5a854e66deb2a4c0462cfd3984fc |
\??\c:\Users\Admin\AppData\Local\Temp\vxktrpxy\vxktrpxy.1.cs
| MD5 | 0ff1482c094460751d73107f122e6deb |
| SHA1 | a2a84554099aaaf52a53a689aee58b91ae394b0f |
| SHA256 | 5c9b048ce69f99a8c752bd182ef159871df675b638220954669b0006e5ff4ade |
| SHA512 | fbd8c092afa7aea79ed7ba3cd85c7847c2a2c02fe88a245928ff2e48107d10d14082b1eb2334a631b6135b72b67719848d69bc64ae1bd272bdd628ff9bf02142 |
\??\c:\Users\Admin\AppData\Local\Temp\vxktrpxy\vxktrpxy.0.cs
| MD5 | ebc5b4cae2ec717225f3245deba905ba |
| SHA1 | 704707f363f6f265a95ea3bfb290264e6f0bd4fd |
| SHA256 | fa8f470f87f014de54f94685614849e3812ebe13bcbd93e833a17bc4986d3e37 |
| SHA512 | b6707caf4cfb92760de93ee854f2a0281aef818c08872354cb5d6fdc8157c41371dd26d97cf486a7096ec01eeaa5cd2980cda32f2a0cbc566b51d4e542a3b820 |
memory/3820-15233-0x0000000000A00000-0x0000000000A7A000-memory.dmp
memory/3820-15234-0x0000000004A40000-0x0000000004B7E000-memory.dmp
memory/1676-15236-0x0000000004BE0000-0x0000000004BE8000-memory.dmp
memory/1748-15238-0x0000000000C00000-0x0000000000D1C000-memory.dmp
memory/1748-15239-0x00000000004F0000-0x000000000050A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\passwords.txt
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
memory/3412-15264-0x00000000009D0000-0x0000000000AF6000-memory.dmp
memory/3412-15265-0x0000000000510000-0x000000000052A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp2FF8.tmp.dat
| MD5 | 1f59f53b703566c0ec6495764dbf5a31 |
| SHA1 | ae2998c4e29800a62d1a9309eda578d660e554c9 |
| SHA256 | e9019cb44b1fa86732c2d97c69416600a174b15521a8f204e0bdaeb6ddbf1fdb |
| SHA512 | 9f230661b8c9e85d63ecb0614b87571293be9d7bf28d899b60bfeafbec401f58a8f86e0aea571b8e847366901fc8a811532bd369a2c9aa768bcc85d5be1bfdfd |
memory/2748-15290-0x0000000001020000-0x0000000001264000-memory.dmp
memory/4304-15307-0x000000001B7F0000-0x000000001BAD2000-memory.dmp
memory/4352-15308-0x0000000000A70000-0x0000000000C1C000-memory.dmp
memory/4304-15324-0x0000000001E00000-0x0000000001E08000-memory.dmp
memory/4352-15323-0x0000000074CA0000-0x0000000074CD7000-memory.dmp
memory/1996-26973-0x00000000004A0000-0x00000000004B6000-memory.dmp
memory/4352-26982-0x0000000074CA0000-0x0000000074CD7000-memory.dmp
memory/4352-26984-0x00000000048B0000-0x00000000048CA000-memory.dmp
memory/4176-27021-0x0000000000F80000-0x0000000000FFA000-memory.dmp
memory/4352-27023-0x0000000004FA0000-0x0000000004FA8000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | cc224701d3988dd5549f5d4adbf10fe4 |
| SHA1 | bf7837f102c82b785f087208d907c86f3de96bb4 |
| SHA256 | ab4b477c15da3d33fd048de6a07bc97f38cb55f647a7cbb9c39ccbe56e18cb21 |
| SHA512 | da48b8a59c7a8434d277f18dff52557066aea503d889b4c06a840e0412afc0732ad8958a95f5d14d92b7cbf503ae0d1a32c5da87027c5df69591e85a973724d9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp
| MD5 | 60e3f691077715586b918375dd23c6b0 |
| SHA1 | 476d3eab15649c40c6aebfb6ac2366db50283d1b |
| SHA256 | e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee |
| SHA512 | d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000009.dbtmp
| MD5 | 979c29c2917bed63ccf520ece1d18cda |
| SHA1 | 65cd81cdce0be04c74222b54d0881d3fdfe4736c |
| SHA256 | b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53 |
| SHA512 | e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\6284a8a4-e7db-4998-b283-e37818b42522.tmp
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000008.dbtmp
| MD5 | 589c49f8a8e18ec6998a7a30b4958ebc |
| SHA1 | cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e |
| SHA256 | 26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8 |
| SHA512 | e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 7276034aaea178158397d538c2ac1b23 |
| SHA1 | e02cb6c4fb66f1d1c828d5ff2756eea488bc8794 |
| SHA256 | 8f22282c587e36db24cc0fd261438442f1f37286252db1b36eff5cb1feda964b |
| SHA512 | 0dcafded9b1a1333a5d02a6696bd200bb8de7e0158ecefa3f4837632a30658dbff676c746d3c615f4308d6b9b6696bcacbabe32d09435326426c5915bfafb0d3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 56c0addb03e9021238f6e775d10a14af |
| SHA1 | 7b9bc5515c93866ef0162f75fb810b763ccb2c10 |
| SHA256 | aaca7bd7256e88a1fb8fce82a832020c70a0264b02208d0c9a99c5c8332a5692 |
| SHA512 | 2611f041ed3bea306d0843975f0278df6aa10a6c57a04c5a568d193d92ed3c4eee26b056d0598e98973e5d42453728d36b04ab5b081168c79aa3e5c20483b9aa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002c
| MD5 | a484f2f3418f65b8214cbcd3e4a31057 |
| SHA1 | 5c002c51b67db40f88b6895a5d5caa67608a65ce |
| SHA256 | 79cbe928773386d07f0127f256f383debed5ccea5ff230465bf46ec7c87319d6 |
| SHA512 | 0be1bb8db08f6e6041a85cfee90cd36a5b595afbca34d52a125465454fc806b4bb7ae569eaf4c882922fb1b962b6060534e597791cd0ad23483be5981d9be85c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RFf7cf631.TMP
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 16eae0464be117ce7d8e833a454449d9 |
| SHA1 | 69960a5e4524884b9177db9fee6fee3dd1b5fb02 |
| SHA256 | 16985d5e845625d71893a8d14418e68f9684349d9fc5734435cb67b9563d9977 |
| SHA512 | acdb1d6655348f77dc9786600a603bfd53589f7467aac0d0b2160436d78e5a59da5d6535be9d0838569fc8b46f6c5837fca0aa056e6eecdadcb876cf3f79c167 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d8ce5100b17db33ff5941e7f54cca9e3 |
| SHA1 | 2f231a9153381136e7813318daad59f99af7f4e2 |
| SHA256 | 3a1f65c615dcdc9c9135fab26d817611b26bb6bf6f7d14126fd6078bcabd6b7d |
| SHA512 | 30ec0d37db14150c8d05fd53de7de086677eaaadc4e381cad2891a180592925cc16a7c75b7635d0652a87d4cf448abda3d14064aa8d3439069b240a6f39af8f0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | d50c6140e9dc85076b85964442096d4f |
| SHA1 | dc30e0ffc2180f75d390c613759e3ba235500823 |
| SHA256 | 7cffc8cf6f77a922dd8132923fb07011e15352f74b1f29a92391a961e0c95158 |
| SHA512 | 488e1992a6b1140e7a2cd885cd5642b05e2b37e86bc78b2de4328121c09c47a1d0d6fc5e49a230d6024ea1940ce8eaf249f333cad2671e445a1c7fe4ef1596f9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e672d36e-46c5-483e-9aca-67951248d721.tmp
| MD5 | 1ad13b21a17490d7decf3db0c9b5f139 |
| SHA1 | 5d2ba1151241a37e6986e2f51ea36ae398675445 |
| SHA256 | 513174fca32cbc093ae753fa5dfe85431afda2ed9178318044ce7b9dac949947 |
| SHA512 | 57cb6058afdf49cc9758b0a5f642b66d8db7c4626c594a0f92dfb079005073fc24cd5875603c1698b996cc742a7b80895bcb34fec537b649b588b07aab056415 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002b
| MD5 | f782de7f00a1e90076b6b77a05fa908a |
| SHA1 | 4ed15dad2baa61e9627bf2179aa7b9188ce7d4e1 |
| SHA256 | d0b96d69ee7f70f041f493592de3805bfb338e50babdee522fcf145cb98fc968 |
| SHA512 | 78ec6f253e876d8f0812a9570f6079903d63dd000458f4f517ec44c8dd7468e51703ea17ecce2658d9ea1fdb5246c8db5887a16be80115bbf71fe53f439d8766 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 755e94f74f9f4bdc283150f559216e70 |
| SHA1 | 11fb05b79340ad080abc9779bfa584dbe9d1cf4b |
| SHA256 | d72cb82c935f9a2d1227459084d48192c85fdcdabe692edfa91fa12eaa243689 |
| SHA512 | 639776bad6d58a202a48d528efb21e3d2048ae957bd865cb27d58aadf924d0c2ee8bc54a5daa638e140d525f16589a44f935c4a1a6750757bd76f8bc25293bac |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | f0ea3bf2819ae98f1cb4779720e9c995 |
| SHA1 | b3e10fb76cddb864added2d408fc405630e42e8f |
| SHA256 | 7e8134df8d412a919d1b6bb862279661a09ba405faf8cae49f1f42da0080fdfa |
| SHA512 | 1ac0ff3a5c7468abde6480aa6d6552836279b1702f2f421ff121e7f1214a071446b0671ac9c19f21ea99590bba3c1c1761a1d57dde2b15c09dd6754a2defd53d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\c99e12cdac152894_0
| MD5 | 235be2fbb6d8f5b9c55220a824d413b0 |
| SHA1 | ec14b37d662731112c1de998b15d18e1cfa194c9 |
| SHA256 | 0b682533d3121807c93857c60714c27cad49e542ac82d39f858f1de6ec3344fa |
| SHA512 | c69fdf2a732f64b355d9a1320608cf37fa30e1c0e5117a70410a4e6bf9f37cdaa4ede41b594ef03b8a4009c4720c3340f0f62a19d331abf318050930ae33c17b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\19ce75c1d46bd599_0
| MD5 | 0f033f7857e60aa736579f02eda5914a |
| SHA1 | 16064a6cc3f0cdb33a4a42426087a08bc0e9b0bc |
| SHA256 | 2233543b14f6cbe74e3979b7d7b3ae75f56690941342dfd43f2d5f2a47ff8571 |
| SHA512 | 4427d3b17fbd61538213f2bf7eada46ede307b5e654b5aeec3927f7a7d9f8e28732000f85775a03e8c857a79011826a4419b9cebd9824cc65f41d40898afae14 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\311fb602-2c4a-42cf-bee7-1c888b3d9a2c.tmp
| MD5 | 31c461010fef6d360b5760682cc0b1ba |
| SHA1 | 62d1eba0030b9ae599ff3ef28cae6a8505ccedd4 |
| SHA256 | 69870cba83cb59fc1ed47ee55c782852e0a4da4ed1ab82950585af9f04d37684 |
| SHA512 | 79109e2c211a222dd10b2f7f6c0868ef13172027f43a05001fc0e3bbfe240d92354077a378387e6137200a3d4d105adf6e77eedf2181316bb7df09c1f10b23b8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 1bb2bca766174e85f2832156fb4753bd |
| SHA1 | 90db0eac19da9b8a9cd65924d2a553968c166458 |
| SHA256 | b1e5195ad7fc49bcea07244f1b1707e0921a6215d208bc83ba88cbc57e120eae |
| SHA512 | b1bca4466003165ab16a72b6e76924831eb7cb81eacaa0ced8ce100e0b2cf985489e31709e7aae5ec8a3da795afc9ecbea884447c448ec7f3ece89c7f3f3b218 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\41f6efca-0ea5-4c2b-8289-94a36a1c0bbf.tmp
| MD5 | 71834956ad4c3988ddb41b50dfad5276 |
| SHA1 | 87ff87af623eadd8d764859c3bc0bad0985dd805 |
| SHA256 | fe8184e6eff9404afe13fadb139f7d9a3e542d7579aff0e5de95fe784bf60ac9 |
| SHA512 | 377068253b9f3fe27b14518f77f47df578f3bdc1d743ee466437bd93e021aee725f198b347a1f7e958863b88a455044c41df9592243f1f7bf187f0a525b3b900 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 631ce2d38280896ae09e4a5781b33fe6 |
| SHA1 | 21fb4b213f55c9d88dafe61da7c2dd1e69672913 |
| SHA256 | 432330ed37f5fbbe5cdbdceb3e936f45afc9427cff6f29e226584aadf31caf7e |
| SHA512 | 09661476394ec2b5b284a24cfbda35987cb4ab8fad4e3ead47822121b812605407d1cb4e98e6d9db5057a0dc7f2cb7734482a1865caadb601a41e53862937a43 |
memory/4544-27655-0x0000000001340000-0x000000000145C000-memory.dmp
memory/2504-27656-0x0000000000E70000-0x0000000000F96000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp71A7.tmp.dat
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\Historicals.txt
| MD5 | c401522c6a73106ac8cca484081fd524 |
| SHA1 | 340b3bff829d98c9fae0973885a437959cacd1e6 |
| SHA256 | 6e2e507451d451bd8c0365b48528c761b6f53edff5f9c3132ba508032b474065 |
| SHA512 | efee149ff31f44578afdbd26a065e70361f8b905f7759724ec86f9ff347f006e02d1cb44604d33dd202fcfe7e0250c898947ebc93b9816b2bbd64f0e8f45068e |
C:\Users\Admin\AppData\Local\Temp\NordAccounts.txt
| MD5 | d5f3a22de66e2e5ae394d7fb2ff28f9d |
| SHA1 | a17d58d1c2ed96f1605ad2525bc373c3fefce5a0 |
| SHA256 | bfdaf06c736251290c0ca8bf4c28808cbcb9959e381ed2bf24bccf473382bb20 |
| SHA512 | 09d3b0fe75b28f782a19e8c83ce28bbe7892da32607035569447bea131990750a7ee8973d8e4a5296fb3b2f8db93bb8eae9ccffbb414a7925b9fc22603e56c63 |
C:\Users\Admin\AppData\Local\Temp\Historicals.txt
| MD5 | dcb3b04b4ae8e484edc42f8884baa1d9 |
| SHA1 | 605dd8737dcb9a6d8295f9d97162782d776f4dc4 |
| SHA256 | 0948650ef8141c4381e9626d69ddc729edd4949ca0547656c94533d7725a9c0a |
| SHA512 | d1a08ecde94257b0a1d5cfefde25a4392ce2d8ed854a0a3798211d67f84f3c86599452b9520e8402143841a1fe4361a1b055af481103cd3a75e8d6c89d16de52 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-05 17:25
Reported
2024-05-05 17:37
Platform
win7-20240220-en
Max time kernel
614s
Max time network
617s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\Newtonsoft.Json.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-05 17:25
Reported
2024-05-05 17:38
Platform
win7-20231129-en
Max time kernel
613s
Max time network
616s
Command Line
Signatures
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
C:\Windows\system32\findstr.exe
findstr Key
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.anonfiles.com | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
Files
memory/2876-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp
memory/2876-1-0x00000000012F0000-0x0000000001306000-memory.dmp
memory/2876-2-0x0000000000580000-0x000000000058A000-memory.dmp
memory/2876-3-0x0000000000BA0000-0x0000000000BBA000-memory.dmp
memory/2876-4-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar2513.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\Local\Temp\passwords.txt
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
memory/2876-60-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-05 17:25
Reported
2024-05-05 17:37
Platform
win10v2004-20240419-en
Max time kernel
446s
Max time network
450s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1320 -ip 1320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 872
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 109.116.69.13.in-addr.arpa | udp |
Files
memory/1320-0-0x0000000074E3E000-0x0000000074E3F000-memory.dmp
memory/1320-1-0x0000000000750000-0x00000000007CA000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-05 17:25
Reported
2024-05-05 17:37
Platform
win7-20240221-en
Max time kernel
614s
Max time network
617s
Command Line
Signatures
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
C:\Windows\system32\findstr.exe
findstr Key
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 158.101.44.242:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | api.anonfiles.com | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
Files
memory/340-0-0x000007FEF5763000-0x000007FEF5764000-memory.dmp
memory/340-1-0x0000000001280000-0x0000000001296000-memory.dmp
memory/340-2-0x00000000003E0000-0x00000000003EA000-memory.dmp
memory/340-4-0x000007FEF5760000-0x000007FEF614C000-memory.dmp
memory/340-3-0x0000000000470000-0x000000000048A000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar2840.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\Local\Temp\passwords.txt
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
memory/340-63-0x000007FEF5760000-0x000007FEF614C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-05 17:25
Reported
2024-05-05 17:38
Platform
win10v2004-20240419-en
Max time kernel
451s
Max time network
453s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-05 17:25
Reported
2024-05-05 17:38
Platform
win10v2004-20240419-en
Max time kernel
675s
Max time network
678s
Command Line
Signatures
Orcus
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mxfix.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\mxfix.EXE | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe"
C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
"C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
"C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eoaairz1.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B7C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6B7B.tmp"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\ProgramData\Chrome\chromedriver.exe
"C:\ProgramData\Chrome\chromedriver.exe"
C:\ProgramData\Chrome\chromedriver.exe
C:\ProgramData\Chrome\chromedriver.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\ProgramData\Chrome\chromedriver.exe" 5712 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\ProgramData\Chrome\chromedriver.exe" 5712 "/protectFile"
C:\ProgramData\Chrome\chromedriver.exe
C:\ProgramData\Chrome\chromedriver.exe
C:\ProgramData\Chrome\chromedriver.exe
C:\ProgramData\Chrome\chromedriver.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| PL | 209.25.141.181:40489 | tcp | |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| US | 8.8.8.8:53 | 145.190.18.2.in-addr.arpa | udp |
| PL | 209.25.141.181:40489 | tcp | |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| PL | 209.25.141.181:40489 | tcp | |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| PL | 209.25.141.181:40489 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| US | 8.8.8.8:53 | 109.116.69.13.in-addr.arpa | udp |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp | |
| PL | 209.25.141.181:40489 | tcp |
Files
memory/2528-0-0x00007FFFFA5E3000-0x00007FFFFA5E5000-memory.dmp
memory/2528-1-0x0000000000610000-0x0000000000854000-memory.dmp
memory/2528-4-0x00007FFFFA5E0000-0x00007FFFFB0A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
| MD5 | b4ec612c441786aa614ce5f32edae475 |
| SHA1 | 3a264f8daeec9b156ddb5ed576d490dd8fbd8e7d |
| SHA256 | e18ba6573b9aa2d139ed5c30f18ac2ece3ce8287d1651db4bc632dbc816f53bd |
| SHA512 | c6800371cdc2b571061e6e755a2c95f49dcb233c3999976f180cb7cf95fa2c62d03b52a3c497a2cd7ae46ec72eaf823db25bd291ca676724194c05966f2bce16 |
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
| MD5 | 3926c7b8fdfb0ab3b92303760b14d402 |
| SHA1 | b33e12ef4bdcd418139db59d048609c45fe8f9eb |
| SHA256 | c101904ec19b45612213c2b398892a4523f63862bb3e24c245509db2417585e7 |
| SHA512 | 4a022be27f58b1735f3a0ac9abdedbd769adb4e3ca1dacdcdc98700b17e138b647f9059585c8ef37fdd7072ad6283e95f10def171584097eb8c70e7d1212ce0e |
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
| MD5 | 228a69dc15032fd0fb7100ff8561185e |
| SHA1 | f8dbc89fed8078da7f306cb78b92ce04a0bdeb00 |
| SHA256 | 920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709 |
| SHA512 | 373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1 |
memory/5000-38-0x00007FFFF6FB5000-0x00007FFFF6FB6000-memory.dmp
memory/2528-39-0x00007FFFFA5E0000-0x00007FFFFB0A1000-memory.dmp
memory/3796-41-0x0000000000DF0000-0x0000000000F9C000-memory.dmp
memory/5000-40-0x00007FFFF6D00000-0x00007FFFF76A1000-memory.dmp
memory/3796-42-0x0000000005EE0000-0x0000000006484000-memory.dmp
memory/3796-43-0x0000000005840000-0x00000000058D2000-memory.dmp
memory/5000-44-0x000000001BD70000-0x000000001BDCC000-memory.dmp
memory/5000-47-0x000000001BF40000-0x000000001BF4E000-memory.dmp
memory/5000-48-0x000000001C480000-0x000000001C94E000-memory.dmp
memory/5000-49-0x000000001C9F0000-0x000000001CA8C000-memory.dmp
memory/3796-50-0x0000000005820000-0x000000000582A000-memory.dmp
memory/5000-51-0x00007FFFF6D00000-0x00007FFFF76A1000-memory.dmp
memory/3796-61-0x0000000005B90000-0x0000000005D82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hlsu11yz.chg.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll
| MD5 | 9af5eb006bb0bab7f226272d82c896c7 |
| SHA1 | c2a5bb42a5f08f4dc821be374b700652262308f0 |
| SHA256 | 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db |
| SHA512 | 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a |
memory/3796-82-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-83-0x00000000711D0000-0x0000000071207000-memory.dmp
memory/3796-81-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-78-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-76-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-74-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-72-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-71-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-70-0x00000000734E0000-0x0000000073569000-memory.dmp
memory/896-62-0x000001F6FF640000-0x000001F6FF662000-memory.dmp
memory/3796-97-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-123-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-129-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-133-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-131-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-128-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-125-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-121-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-119-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-117-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-113-0x0000000005B90000-0x0000000005D7E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mxfixer.ps1
| MD5 | 5d792fc7c4e2fd3eb595fce4883dcb2d |
| SHA1 | ee2a88f769ad746f119e144bd06832cb55ef1e0f |
| SHA256 | 41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb |
| SHA512 | 4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e |
memory/5000-525-0x000000001BF80000-0x000000001BF96000-memory.dmp
memory/4672-543-0x00000000003C0000-0x00000000003CC000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e6fcf516d8ed8d0d4427f86e08d0d435 |
| SHA1 | c7691731583ab7890086635cb7f3e4c22ca5e409 |
| SHA256 | 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337 |
| SHA512 | c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e |
memory/1908-552-0x000000001A6F0000-0x000000001A7FA000-memory.dmp
memory/4672-547-0x00000000024D0000-0x000000000250C000-memory.dmp
memory/4672-546-0x0000000000BA0000-0x0000000000BB2000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
memory/5000-529-0x000000001CAC0000-0x000000001CAE0000-memory.dmp
memory/5000-528-0x0000000001650000-0x0000000001658000-memory.dmp
memory/5000-527-0x00000000016E0000-0x00000000016F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eoaairz1.dll
| MD5 | 3c65823c25ad33eb67d3596a49b667a8 |
| SHA1 | 6ffc81c6e276e3a94142d993f01c6c612c3ae873 |
| SHA256 | 6a7ac7103130a4ed5d26f11074911dc24c2f4327a61e070458af1357d983416e |
| SHA512 | d07bd1a3f4d329090b6f75d6a79aed1097fc1c560c0d5c4efb7a49518e9a945938a26df32b686d9c65bab611572c3e95270acd6ccc3ff43996487d1ad7f41d98 |
C:\Users\Admin\AppData\Local\Temp\RES6B7C.tmp
| MD5 | 507b4744c996490f15d1c6214c972546 |
| SHA1 | 7c5a85ecc9a3409a012adbcf2322105a27b8b915 |
| SHA256 | 066342e4b96b1f141882f8d4e31322f6acb9de03f439ec75bd3479c179572acc |
| SHA512 | 706be892ee87df278ed2d437531c5cc175e32327e0ca45532bba944f34d9930389470a6fad540fffabac20714ef97738e28f7698226353c1afa3d2a4bf4dc2ef |
\??\c:\Users\Admin\AppData\Local\Temp\CSC6B7B.tmp
| MD5 | d64405651e1a78ace775449346c32f64 |
| SHA1 | 81cc2796911d7ea1f758384a7ecf59687f8411f8 |
| SHA256 | daccc7c1fab626c5b03b31e42d65aa3261b7736912beb561efbb7c17c3718733 |
| SHA512 | 7adc13ce42d8f152db3744b6ab673b924eedc2a08137f0faf48564107e1c18cc360a6a5a5295cf153f41b2c55a491c3da555b7771be5fd071673ad8bad0afecf |
\??\c:\Users\Admin\AppData\Local\Temp\eoaairz1.0.cs
| MD5 | 3e7efdab60fff3188a5d068a201ae537 |
| SHA1 | 360a6b7269daec7ac020b46d854df6ce448e1bb1 |
| SHA256 | 0b447605d91f6a346cddc0c7cc457f174d1763c7c377d35905ecfa90a26cce5a |
| SHA512 | 28990a651d56769cdd53683d6cce966f5bac1a6f6a4790cbe14810c9c4eca81bc0bbebefdcf34b91164bec5934c56c10545a191ba6b55a12b38850428f7b6bd9 |
\??\c:\Users\Admin\AppData\Local\Temp\eoaairz1.cmdline
| MD5 | 95eae356ae8ad67ca11bf889c29dd565 |
| SHA1 | f6ae1738c7c8c031d30d7d1ee395261e5a2b2b13 |
| SHA256 | 505a970385762c53431251157b4e29aff6cd698466ece11816fcd1674472d9a4 |
| SHA512 | 2c27f61fd6564c749a368810f1a7c7555cb2164768c9fa1d692388f3c3acd281a63238bf3d2186e0b524ae45bb99a4bb0e2757e0da44cfcad9bc3c2ae7e31619 |
memory/3796-111-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-109-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-115-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-107-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-105-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-103-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-101-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-99-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-95-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-93-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-91-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-89-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-87-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/3796-85-0x0000000005B90000-0x0000000005D7E000-memory.dmp
memory/5000-1416-0x00007FFFF6D00000-0x00007FFFF76A1000-memory.dmp
memory/5712-1547-0x0000000000120000-0x000000000021C000-memory.dmp
memory/5712-1903-0x00000000023D0000-0x000000000241E000-memory.dmp
memory/5712-1902-0x0000000000A90000-0x0000000000AA2000-memory.dmp
memory/5712-2388-0x000000001AF30000-0x000000001AF48000-memory.dmp
memory/5712-2690-0x000000001B6C0000-0x000000001B882000-memory.dmp
memory/5712-2689-0x000000001AF60000-0x000000001AF70000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 913967b216326e36a08010fb70f9dba3 |
| SHA1 | 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf |
| SHA256 | 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a |
| SHA512 | c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33 |
memory/5332-3243-0x0000000000280000-0x0000000000288000-memory.dmp
memory/3796-11807-0x0000000006A30000-0x0000000006ACC000-memory.dmp
memory/3796-11813-0x00000000711D0000-0x0000000071207000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chromedriver.exe.log
| MD5 | 9be3069b2cf9222dde6c28dd9180a35a |
| SHA1 | 14b76614ed5c94c513b10ada5bd642e888fc1231 |
| SHA256 | 5e4c38466764be178ea21ba3149d0580d25d035b57e081b3abb9c06a19cfd67a |
| SHA512 | 043256f38c20d8765ddf2f1d5912249bfbb017c0b630d24d9e4894f4a759dec66bf0ffaf878ac69e9dfd6db7ec5e090dd69de2333d83299ef43888c394398885 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-05 17:25
Reported
2024-05-05 17:38
Platform
win10v2004-20240419-en
Max time kernel
449s
Max time network
452s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\APIFOR.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.239.69.13.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-05 17:25
Reported
2024-05-05 17:38
Platform
win7-20240215-en
Max time kernel
613s
Max time network
616s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\BouncyCastle.Crypto.dll,#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-05 17:25
Reported
2024-05-05 17:37
Platform
win10v2004-20240419-en
Max time kernel
454s
Max time network
457s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\BouncyCastle.Crypto.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |