Analysis Overview
SHA256
16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
Threat Level: Known bad
The file nursultan nexgen fix.exe was found to be: Known bad.
Malicious Activity Summary
DCRat payload
DcRat
Dcrat family
Process spawned unexpected child process
DCRat payload
Disables Task Manager via registry modification
Downloads MZ/PE file
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Modifies registry key
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 15:19
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 15:19
Reported
2024-05-31 15:32
Platform
win10v2004-20240508-en
Max time kernel
590s
Max time network
601s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables Task Manager via registry modification
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\portagentbrowserweb\Containerruntime.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\portagentbrowserweb\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\portagentbrowserweb\Containerruntime.exe | N/A |
| N/A | N/A | C:\portagentbrowserweb\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NursuItanLoader_1.16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MemZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\Cookies\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\portagentbrowserweb\cmd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google\Temp\lsass.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\121e5b5079f7c0 | C:\portagentbrowserweb\Containerruntime.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\lsass.exe | C:\portagentbrowserweb\Containerruntime.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\6203df4a6bafc7 | C:\portagentbrowserweb\Containerruntime.exe | N/A |
| File created | C:\Program Files\Common Files\DESIGNER\upfc.exe | C:\portagentbrowserweb\Containerruntime.exe | N/A |
| File created | C:\Program Files\Common Files\DESIGNER\ea1d8f6d871115 | C:\portagentbrowserweb\Containerruntime.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe | C:\portagentbrowserweb\Containerruntime.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\29c1c3cc0f7685 | C:\portagentbrowserweb\Containerruntime.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe | C:\portagentbrowserweb\Containerruntime.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\portagentbrowserweb\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\portagentbrowserweb\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\portagentbrowserweb\Containerruntime.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\portagentbrowserweb\cmd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Cookies\RuntimeBroker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\portagentbrowserweb\cmd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Google\Temp\lsass.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe
"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "
C:\portagentbrowserweb\Containerruntime.exe
"C:\portagentbrowserweb\Containerruntime.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\portagentbrowserweb\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\portagentbrowserweb\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\portagentbrowserweb\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\DESIGNER\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\DESIGNER\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Cookies\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
C:\portagentbrowserweb\cmd.exe
"C:\portagentbrowserweb\cmd.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\InstallMove.bmp"
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\InstallMove.bmp"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\InstallMove.bmp"
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\InstallMove.bmp"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\NursuItanLoader_1.16.exe
"C:\Users\Admin\AppData\Local\Temp\NursuItanLoader_1.16.exe"
C:\Users\Admin\AppData\Local\Temp\MemZ.exe
"C:\Users\Admin\AppData\Local\Temp\MemZ.exe"
C:\Users\Admin\Cookies\RuntimeBroker.exe
C:\Users\Admin\Cookies\RuntimeBroker.exe
C:\portagentbrowserweb\cmd.exe
C:\portagentbrowserweb\cmd.exe
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe"
C:\Program Files (x86)\Google\Temp\lsass.exe
"C:\Program Files (x86)\Google\Temp\lsass.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a0987415.xsph.ru | udp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| US | 8.8.8.8:53 | 26.192.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.90.14.23.in-addr.arpa | udp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
| RU | 141.8.192.26:80 | a0987415.xsph.ru | tcp |
Files
C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe
| MD5 | 61a07f2f9e8e9b1f5175b2d60c3e3f18 |
| SHA1 | e695b0c2b43c786453bf3f6ae504f0626951d281 |
| SHA256 | 5c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1 |
| SHA512 | 8ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d |
C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat
| MD5 | c8f8a078dace2ff4cb106803c9199643 |
| SHA1 | a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5 |
| SHA256 | 1b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d |
| SHA512 | efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999 |
C:\portagentbrowserweb\Containerruntime.exe
| MD5 | 5887a563351ca99247b7e2c448bd9f2e |
| SHA1 | b24695e88143863297535989900bb7521ea86d67 |
| SHA256 | e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390 |
| SHA512 | b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107 |
memory/2688-12-0x00007FFF5D873000-0x00007FFF5D875000-memory.dmp
memory/2688-13-0x00000000008F0000-0x0000000000A22000-memory.dmp
memory/2688-14-0x0000000002AB0000-0x0000000002ACC000-memory.dmp
memory/2688-15-0x000000001B5A0000-0x000000001B5F0000-memory.dmp
memory/2688-16-0x000000001B550000-0x000000001B566000-memory.dmp
memory/2688-17-0x000000001B570000-0x000000001B57C000-memory.dmp
C:\Windows\Debug\WIA\wiatrace.log
| MD5 | 340b78795385833955856bbc35168ab4 |
| SHA1 | 0eff6d3568a4c0a08fa63e64270a8e992e608323 |
| SHA256 | 73200e842ffedcd51958171143f85dacfca98a4719cb10ffa71a34c65b026032 |
| SHA512 | 21f2883dde27c6520116f4000ea7b4dfb8c7b8be8de953d13bc1a6caa55000176710b7e166ac9cc31bc786f3b23049d957f1f9167d99f6e4ebfc6670f6e95846 |
C:\Windows\Debug\WIA\wiatrace.log
| MD5 | 6fcf80bf6c7e2cf9dad0f8b61f4e4671 |
| SHA1 | bf0083943118dfeed0e76748cdc395cf73e3433b |
| SHA256 | 1e049f0db03a3cc3f563452a87a041f587e96ee745aca5600a9fd13955816897 |
| SHA512 | b49f7af780edaa9a3d0d4108d9ca5f2662e17b5e886ed5d617f1f981d54947eb2f661e121ff76fc44afb4004bed01a18b61f0f01cf59640cb5d47ca24ed11fa5 |
C:\Windows\Debug\WIA\wiatrace.log
| MD5 | d943abc80ab89c23a92a39dfb4c236af |
| SHA1 | fc0ed0290513c33bca1297beba7b36c6ca245391 |
| SHA256 | 8a18b888142322b3be37ff134d87fa49b88f14fb762348d30f1590547b1de11a |
| SHA512 | 41ce434ca1c1805c179098c893205f218b190418ef528d85efd594a903edf8960da11f11565d435c7ab67e7e3c60efb4b0afede66bead5e77c9cf66e8b86d52b |
C:\Users\Admin\AppData\Local\Temp\NursuItanLoader_1.16.exe
| MD5 | c79991b2359aede893bcd2e0a962378d |
| SHA1 | 80ae9ddcdebe17c2af22c33ac1137d1811dbb0af |
| SHA256 | 5b706a3df72925ddcde585b41a82d76dda513d86b81d7d527f2990d5fd5218b6 |
| SHA512 | 51f9274d30ba40a434fbc7930a8bbb0f9b75bb9184bcb35bf227761df71587bbfde28157a4e7ac29e1d119509dfd5882bef478d1bd3f6cbe813748077dbfcdb6 |
memory/736-116-0x00000000009B0000-0x0000000000A46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MemZ.exe
| MD5 | 424755b9f13cdb742d503836bf09e63e |
| SHA1 | b4cdc234fdca58519edf14fa3b0bb3a522249440 |
| SHA256 | e0e95c4be30bc2199018c4a44b4df874ee991665d0aff048e39b1c905cc9da56 |
| SHA512 | 29dd79ca6d2e451da0b0597c1d6b4cd860a8641438f139dcd3ecc02ecd0a638feb28e41b2088fc2e360b27f5c343b1843889686070307bdb26077593791972b7 |
memory/2960-129-0x0000000000A30000-0x0000000000A38000-memory.dmp