Malware Analysis Report

2025-01-22 09:00

Sample ID 240522-yktnnsed24
Target Nursultan 1.16.5 (Creator Shake).exe
SHA256 9b5dc34e2808725b6b2c131d2a0ce4d2f4525269b9da6c60fcfcd93e83d40f27
Tags
redline 1139456900_99 discovery infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9b5dc34e2808725b6b2c131d2a0ce4d2f4525269b9da6c60fcfcd93e83d40f27

Threat Level: Known bad

The file Nursultan 1.16.5 (Creator Shake).exe was found to be: Known bad.

Malicious Activity Summary

redline 1139456900_99 discovery infostealer spyware stealer

RedLine payload

RedLine

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 19:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 19:51

Reported

2024-05-22 19:59

Platform

win11-20240419-en

Max time kernel

197s

Max time network

201s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (22 identical rows; no description, indicator, process or target recorded)

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A (18 identical rows; indicator pastebin.com, no process or target recorded)

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "143" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe N/A (5 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe N/A (12 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 948 -ip 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 784

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe"

(5 further instances of this process, each started with the same command line)

C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe

"C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe"

(12 instances of this process, each started with the same command line)

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3a33855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
GB 92.123.128.171:443 (no domain recorded) tcp
GB 51.104.15.253:443 browser.pipe.aria.microsoft.com tcp
NL 23.62.61.129:443 r.bing.com tcp
NL 23.62.61.129:443 r.bing.com tcp
NL 23.62.61.129:443 r.bing.com tcp
NL 23.62.61.129:443 r.bing.com tcp
NL 23.62.61.129:443 r.bing.com tcp
NL 23.62.61.129:443 r.bing.com tcp
NL 23.62.61.131:443 www.bing.com tcp
BE 104.68.66.114:443 cxcs.microsoft.net tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
FI 65.21.63.6:3306 trafsell.top tcp
US 104.20.4.235:443 pastebin.com tcp
FI 65.21.63.6:3306 trafsell.top tcp
US 104.20.4.235:443 pastebin.com tcp
FI 65.21.63.6:3306 trafsell.top tcp
US 104.20.4.235:443 pastebin.com tcp
FI 65.21.63.6:3306 trafsell.top tcp
US 104.20.4.235:443 pastebin.com tcp
FI 65.21.63.6:3306 trafsell.top tcp
US 104.20.4.235:443 pastebin.com tcp
FI 65.21.63.6:3306 trafsell.top tcp
US 104.20.4.235:443 pastebin.com tcp
FI 65.21.63.6:3306 trafsell.top tcp
US 104.20.4.235:443 pastebin.com tcp
FI 65.21.63.6:3306 trafsell.top tcp
FI 65.21.63.6:3306 trafsell.top tcp
US 104.20.4.235:443 pastebin.com tcp
FI 65.21.63.6:3306 trafsell.top tcp
US 104.20.4.235:443 pastebin.com tcp
FI 65.21.63.6:3306 trafsell.top tcp
US 104.20.4.235:443 pastebin.com tcp
FI 65.21.63.6:3306 trafsell.top tcp
US 104.20.4.235:443 pastebin.com tcp
FI 65.21.63.6:3306 trafsell.top tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.20.4.235:443 pastebin.com tcp
FI 65.21.63.6:3306 trafsell.top tcp
FI 65.21.63.6:3306 trafsell.top tcp
US 104.20.4.235:443 pastebin.com tcp
FI 65.21.63.6:3306 trafsell.top tcp
US 104.20.4.235:443 pastebin.com tcp
FI 65.21.63.6:3306 trafsell.top tcp
US 104.20.4.235:443 pastebin.com tcp
FI 65.21.63.6:3306 trafsell.top tcp
GB 92.123.128.171:443 (no domain recorded) tcp
US 150.171.69.254:443 mcr-ring.msedge.net tcp
SE 92.123.135.89:443 ow1.res.office365.com tcp
US 13.107.49.254:443 q-ring.msedge.net tcp
NL 23.62.61.129:443 r.bing.com tcp

Files

memory/948-0-0x00000000008A0000-0x00000000008C2000-memory.dmp

memory/948-4-0x0000000074DBE000-0x0000000074DBF000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 18951ad4190ed728ba23e932e0c6e0db
SHA1 fa2d16fcbc3defd07cb8f21d8ea4793a21f261f0
SHA256 66607b009c345a8e70fc1e58ab8a13bbea0e370c8d75f16d2cce5b876a748915
SHA512 a67237089efa8615747bdc6cfe0afc977dc54cfd624a8d2e5124a441c204f1ec58ee7cfbbc105ddc2c18d4f254b9e124d71630bcdba0253d41a96890104f2fff

memory/2596-14-0x0000000001660000-0x0000000001682000-memory.dmp

memory/2596-18-0x0000000005A30000-0x0000000005A96000-memory.dmp

memory/2596-19-0x0000000006540000-0x0000000006B58000-memory.dmp

memory/2596-20-0x0000000005F90000-0x0000000005FA2000-memory.dmp

memory/2596-21-0x00000000060C0000-0x00000000061CA000-memory.dmp

memory/2596-22-0x0000000007020000-0x000000000705C000-memory.dmp

memory/2596-23-0x0000000007060000-0x00000000070AC000-memory.dmp

memory/2596-24-0x0000000007380000-0x0000000007542000-memory.dmp

memory/2596-25-0x0000000007A80000-0x0000000007FAC000-memory.dmp

memory/2596-26-0x0000000007550000-0x00000000075E2000-memory.dmp

memory/2596-27-0x0000000008560000-0x0000000008B06000-memory.dmp

memory/2596-28-0x00000000075F0000-0x0000000007666000-memory.dmp

memory/2596-29-0x0000000007670000-0x000000000768E000-memory.dmp

memory/2596-30-0x00000000078F0000-0x0000000007940000-memory.dmp

memory/4328-35-0x0000000000F30000-0x0000000000F52000-memory.dmp

memory/1932-39-0x0000000000750000-0x0000000000772000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 32187696b66da17688a541b3e3dab127
SHA1 0006eb3805253dc2723b7ee7ea8b1394db2c67f0
SHA256 99f86281eb8dd1014e99844434e21d7a43ec66422e24e615282cbd1ef7b4c37a
SHA512 12248261d83a406176cfaa76410d095ca6ccb5aa3fd7853755c35c78dcc4cd9d4bc27e07da2f349868b7be7b7a754be5630090376ee93a7f2c957b2f41bb3332

memory/3452-47-0x00000000016B0000-0x00000000016D2000-memory.dmp

memory/3912-52-0x0000000000F40000-0x0000000000F62000-memory.dmp

memory/4328-54-0x0000000000160000-0x00000000001DA000-memory.dmp

memory/1932-56-0x0000000000160000-0x00000000001DA000-memory.dmp

memory/1484-57-0x00000000011D0000-0x00000000011F2000-memory.dmp

memory/3452-62-0x0000000000160000-0x00000000001DA000-memory.dmp

memory/4780-67-0x0000000001190000-0x00000000011B2000-memory.dmp

memory/3912-69-0x0000000000160000-0x00000000001DA000-memory.dmp

memory/2068-74-0x0000000000900000-0x0000000000922000-memory.dmp

memory/4744-77-0x00000000009B0000-0x00000000009D2000-memory.dmp

memory/2052-86-0x0000000000F00000-0x0000000000F22000-memory.dmp

memory/3392-91-0x0000000000720000-0x0000000000742000-memory.dmp

memory/2212-92-0x0000000000880000-0x00000000008A2000-memory.dmp

memory/3824-100-0x00000000013B0000-0x00000000013D2000-memory.dmp

memory/2972-105-0x0000000000C90000-0x0000000000CB2000-memory.dmp

memory/4724-110-0x00000000010E0000-0x0000000001102000-memory.dmp

memory/904-115-0x00000000007C0000-0x00000000007E2000-memory.dmp

memory/1900-120-0x0000000001340000-0x0000000001362000-memory.dmp