Malware Analysis Report

2025-06-15 20:03

Sample ID 240530-3y9z2aga73
Target https://disk.yandex.ru/d/7gd7nkrbQw6sQQ
Score 7/10


Analysis Overview

Threat Level: Shows suspicious behavior

The submitted target https://disk.yandex.ru/d/7gd7nkrbQw6sQQ was classified as: Shows suspicious behavior.

Malicious Activity Summary

Checks computer location settings

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-05-30 23:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-30 23:56
Reported: 2024-05-30 23:57
Platform: win10v2004-20240508-en
Max time kernel: 34s
Max time network: 38s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.ru/d/7gd7nkrbQw6sQQ

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\SavesMonitor\Blockcontainerproviderdhcp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\SavesMonitor\Blockcontainerproviderdhcp.exe | N/A
N/A | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows NT\TableTextService\en-US\SppExtComObj.exe | C:\SavesMonitor\Blockcontainerproviderdhcp.exe | N/A
File created | C:\Program Files (x86)\Windows NT\TableTextService\en-US\e1ef82546f0b02 | C:\SavesMonitor\Blockcontainerproviderdhcp.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\L2Schemas\Idle.exe | C:\SavesMonitor\Blockcontainerproviderdhcp.exe | N/A
File opened for modification | C:\Windows\L2Schemas\Idle.exe | C:\SavesMonitor\Blockcontainerproviderdhcp.exe | N/A
File created | C:\Windows\L2Schemas\6ccacd8608530f | C:\SavesMonitor\Blockcontainerproviderdhcp.exe | N/A
File created | C:\Windows\Cursors\RuntimeBroker.exe | C:\SavesMonitor\Blockcontainerproviderdhcp.exe | N/A
File created | C:\Windows\Cursors\9e8d7a4ca61bd9 | C:\SavesMonitor\Blockcontainerproviderdhcp.exe | N/A
File created | C:\Windows\ja-JP\RuntimeBroker.exe | C:\SavesMonitor\Blockcontainerproviderdhcp.exe | N/A
File created | C:\Windows\ja-JP\9e8d7a4ca61bd9 | C:\SavesMonitor\Blockcontainerproviderdhcp.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Users\Admin\Downloads\NEVERLOSE.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\SavesMonitor\Blockcontainerproviderdhcp.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\SavesMonitor\Blockcontainerproviderdhcp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\SavesMonitor\Blockcontainerproviderdhcp.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: 35 | N/A | C:\Windows\system32\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 560 wrote to memory of 4040 | N/A | C:\Users\Admin\Downloads\NEVERLOSE.exe | C:\Windows\SysWOW64\WScript.exe
PID 5216 wrote to memory of 5256 | N/A | C:\Users\Admin\Downloads\NEVERLOSE.exe | C:\Windows\SysWOW64\WScript.exe
PID 4040 wrote to memory of 5308 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 5308 wrote to memory of 5360 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\SavesMonitor\Blockcontainerproviderdhcp.exe
PID 5360 wrote to memory of 5548 | N/A | C:\SavesMonitor\Blockcontainerproviderdhcp.exe | C:\Windows\System32\cmd.exe
PID 5548 wrote to memory of 5604 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 5548 wrote to memory of 5620 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 5256 wrote to memory of 5668 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 5668 wrote to memory of 5720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\SavesMonitor\Blockcontainerproviderdhcp.exe
PID 5548 wrote to memory of 5800 | N/A | C:\Windows\System32\cmd.exe | C:\Recovery\WindowsRE\conhost.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.ru/d/7gd7nkrbQw6sQQ

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3776,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=3960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4880,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5256,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5264 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5248,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5332 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5772,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5776 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5692,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=5784 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=6132,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5704,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6616,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6612 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6924,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=6972 /prefetch:8

C:\Users\Admin\Downloads\NEVERLOSE.exe

"C:\Users\Admin\Downloads\NEVERLOSE.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\SavesMonitor\RmK92.vbe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\NEVERLOSE.exe

"C:\Users\Admin\Downloads\NEVERLOSE.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\SavesMonitor\RmK92.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\SavesMonitor\CXb1cErhNTIpSAGADF.bat" "

C:\SavesMonitor\Blockcontainerproviderdhcp.exe

"C:\SavesMonitor/Blockcontainerproviderdhcp.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bza2MO65mN.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\SavesMonitor\CXb1cErhNTIpSAGADF.bat" "

C:\SavesMonitor\Blockcontainerproviderdhcp.exe

"C:\SavesMonitor/Blockcontainerproviderdhcp.exe"

C:\Recovery\WindowsRE\conhost.exe

"C:\Recovery\WindowsRE\conhost.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k SDRSVC

Network


Files

C:\SavesMonitor\RmK92.vbe

MD5 252c8a936c61108036239630f110d0b9
SHA1 765fa5076b12b640ab968cc5279b540e9f161341
SHA256 d16aa2383787258cc998e0f6a1d48f62ceb3c11068355c2eed26cdd74dc97b34
SHA512 d333fa3186c904c52b5685bb3e9197f25a0a4980955d973e1e99a84433821ebf5dcdb1faad21e5554eea940bd219fb92cf92e77e6be72d187692ae22e3856de5

C:\SavesMonitor\CXb1cErhNTIpSAGADF.bat

MD5 a65e78a870380ac9c4ba083569959d4a
SHA1 8d6c9d55106b4ac275b873db16c069a27b79609f
SHA256 d82e913f336059d8b7e9adf0832357d82b746230c75a997613b00714e86ddf30
SHA512 9021e5dc54bff72ccb2b62d6c13f44dbb90c04f4b88513bbee04b559290bf93f149cdfb574cc8ce6d645237e9f7effb0b5e267d33db1d0ecafe2da7a159e2b44

C:\SavesMonitor\Blockcontainerproviderdhcp.exe

MD5 6c43270f19233761545141a2175d00bc
SHA1 2af739400dd238badc0b7e9ce3d45e1eb0023e48
SHA256 27b5ff20a635463564a1b19868af62916c29453654d703aee7482b391b554de4
SHA512 b43a8964c58fb933a80bcdd8b688d8ffda33a832e831ae8c2b54323908c5fe7c87953f24836ee987802d9429f1cd313947d3df988a90817f651edcf89c6586d6

memory/5360-12-0x0000000000610000-0x00000000007EA000-memory.dmp

memory/5360-14-0x000000001B3A0000-0x000000001B3AE000-memory.dmp

memory/5360-16-0x000000001B420000-0x000000001B43C000-memory.dmp

memory/5360-17-0x000000001B490000-0x000000001B4E0000-memory.dmp

memory/5360-19-0x000000001B440000-0x000000001B458000-memory.dmp

memory/5360-21-0x000000001B400000-0x000000001B40C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Bza2MO65mN.bat

MD5 572e5b8ad26a8182890e47673d0b5654
SHA1 61165e46d11316ac42010ca9fe9a6fa782872f32
SHA256 3dc183225d21b68ead3d658bb1d2f20920ff32ef25d70e1463de199691a9f793
SHA512 a872d2731acb541877ef1ecb1f9ea62ecb71b22647fdd4a3b4aff40e348a25ff02d3311c8e59d3e615931393519724d7baa956951e353cb512f8f1515312fd53

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Blockcontainerproviderdhcp.exe.log

MD5 1eff74e45bb1f7104e691358cb209546
SHA1 253b13ffad516cc34704f5b882c6fa36953a953f
SHA256 7ad96be486e6058b19446b95bb734acdaf4addc557b2d059a66ee1acfe19b3fc
SHA512 44163ed001baf697ce66d3b386e13bf5cb94bc24ce6b1ae98665d766d5fcdf0ca28b41ecc26c5f11bbea117ac17099e87f204f9d5469bb102a769548edeead7e