Analysis Overview
SHA256
8cfa5d067e6ea8774f8ca3ddbfe86c17e3f06a76753910cefb04409af6099368
Threat Level: Known bad
The file Sigma Serial Changer (Temp).exe was found to be: Known bad.
Malicious Activity Summary
Blankgrabber family
A stealer written in Python and packaged with Pyinstaller
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Loads dropped DLL
UPX packed file
Executes dropped EXE
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Checks installed software on the system
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: LoadsDriver
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Enumerates processes with tasklist
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 01:37
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 01:37
Reported
2024-06-03 01:40
Platform
win7-20240419-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Sigma Serial Changer (Temp).exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2768 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\Sigma Serial Changer (Temp).exe | C:\Users\Admin\AppData\Local\Temp\Sigma Serial Changer (Temp).exe |
| PID 2768 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\Sigma Serial Changer (Temp).exe | C:\Users\Admin\AppData\Local\Temp\Sigma Serial Changer (Temp).exe |
| PID 2768 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\Sigma Serial Changer (Temp).exe | C:\Users\Admin\AppData\Local\Temp\Sigma Serial Changer (Temp).exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Sigma Serial Changer (Temp).exe
"C:\Users\Admin\AppData\Local\Temp\Sigma Serial Changer (Temp).exe"
C:\Users\Admin\AppData\Local\Temp\Sigma Serial Changer (Temp).exe
"C:\Users\Admin\AppData\Local\Temp\Sigma Serial Changer (Temp).exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI27682\python310.dll
| MD5 | 178a0f45fde7db40c238f1340a0c0ec0 |
| SHA1 | dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe |
| SHA256 | 9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed |
| SHA512 | 4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee |
memory/2596-24-0x000007FEF5B70000-0x000007FEF5FDE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 01:37
Reported
2024-06-03 01:40
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
148s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LagoFast = "C:\\Program Files (x86)\\LagoFast\\LagoFast.exe" | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
Checks installed software on the system
Enumerates connected drives
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\LagoFast\driver\lwf\win7\i386\ndisrd.sys | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\driver\lwf\win8\amd64\ndisrd.sys | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\temp\e1\e15fd0adf57b3423b48dd3193a1d58f8 | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\Injectdll.exe | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\dbghelp.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\cef\swiftshader\libEGL.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\Network.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\cdnoption.ini | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\temp\6b\6b8e7a77b6532bd0f0d542d60a943454 | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\lang_files\crashrpt_lang_KO.ini | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\Daemon.exe | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\cef\swiftshader\libGLESv2.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\driver\driver_x64\JYNetFilter8.sys | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\zlib1.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\driver\driver_x86\processFilter8.sys | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\cert\JUNYUN_CA.crt | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\driver\lwf\win8\i386\ndisrd_lwf.inf | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\driver\lwf\win8\i386\ndisrd_lwf.inf | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\Hardware.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\driver\driver_x64 | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\temp\fb\fb47da657132420da3b69c099387c017 | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\temp\f9\f90c5ea331bcdbf996c33f8759b95fc0 | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\driver\lwf\win10\i386\ndisrd.cat | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\cef\icudtl.dat | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\DuiLib.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\HttpLib.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\vpn_client.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\driver\lwf\win10\i386\ndisrd.sys | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\driver\lwf\vista\i386 | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\driver\lwf\vista\i386\ndisrd_lwf.inf | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\ChromeBase.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\cef\d3dcompiler_43.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\KeyboardHook.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\NTKHelper.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\driver\lwf\win8\amd64 | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\cef\cef.pak | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\cef\locales\zh-CN.pak | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\driver\lwf\vista\amd64\ndisrd_lwf.inf | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\cef\d3dcompiler_47.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\driver\driver_x86\JYWinRing0.sys | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\lang_files\crashrpt_lang_RU.ini | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\cef\swiftshader\libEGL.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\proxy.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\driver\driver_x64\JYWinRing0.sys | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\wiresockapi.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\temp\44\44552cc7e64ec17b062009edb2712d1d | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\http-filter.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\driver\lwf\win8\i386\ndisrd.sys | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\temp\73\73ed913cf776fab5391b475b014e3e41 | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\driver\lwf\win7\i386\ndisrd.cat | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\driver\lwf\win8\amd64\ndisrd.cat | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\mbrowser.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\temp\65\653efd4f745f10e699dfbd36be720ae4 | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\cert\squidV2.crt | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\cef\d3dcompiler_43.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\temp\91\91299dbaca5a0daf80b86196b57e0c4b | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\cef\cef_200_percent.pak | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\cef\locales\en-US.pak | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\temp\85\8558e1c52ceb7f3fcc9eb8a3f52e89c7 | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\nfapi.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\temp\de\dec2bace74a31b6b2888f8dac10db008 | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| File opened for modification | C:\Program Files (x86)\LagoFast\KeyboardHook.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\NTKHelper.dll | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| File created | C:\Program Files (x86)\LagoFast\temp\9a\9ae7396ff346763bd018a3d9aeaeaadb | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\LagoFast.exe = "11000" | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lagofast | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lagofast\URL Protocol | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lagofast\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lagofast\shell | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lagofast\shell\open | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lagofast\shell\open\command\ = "C:\\Program Files (x86)\\LagoFast\\LagoFast.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\LagoFast\LagoFast.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Sigma Serial Changer (Temp).exe
"C:\Users\Admin\AppData\Local\Temp\Sigma Serial Changer (Temp).exe"
C:\Users\Admin\AppData\Local\Temp\Sigma Serial Changer (Temp).exe
"C:\Users\Admin\AppData\Local\Temp\Sigma Serial Changer (Temp).exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sigma Serial Changer (Temp).exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start bound.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sigma Serial Changer (Temp).exe'
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
C:\Users\Admin\AppData\Local\Temp\bound.exe
bound.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\ChannelIstaller.exe
-pipename=\\.\pipe\autoupdate_pipe_lagofast_3304 -silent -auto-start -install-path "C:\Program Files (x86)\LagoFast"
C:\Program Files (x86)\LagoFast\LagoFast.exe
"C:\Program Files (x86)\LagoFast\LagoFast.exe"
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" interface portproxy delete v4tov4 listenaddress=127.0.0.12 listenport=80
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" interface portproxy delete v4tov4 listenaddress=127.0.0.12 listenport=443
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s FDResPub
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetSvcs -p -s iphlpsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s XblAuthManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s XboxNetApiSvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-pcek8.in | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.lagofast.com | udp |
| US | 163.181.154.239:443 | static.lagofast.com | tcp |
| US | 8.8.8.8:53 | 239.154.181.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | events.appsflyer.com | udp |
| DE | 18.66.2.25:443 | events.appsflyer.com | tcp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| US | 8.8.8.8:53 | 25.2.66.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cbs.lagofast.com | udp |
| US | 8.8.8.8:53 | static.lagofast.com | udp |
| US | 163.181.154.239:443 | static.lagofast.com | tcp |
| US | 163.181.154.239:443 | static.lagofast.com | tcp |
| US | 163.181.154.237:443 | cbs.lagofast.com | tcp |
| US | 163.181.154.237:443 | cbs.lagofast.com | tcp |
| US | 163.181.154.237:443 | cbs.lagofast.com | tcp |
| US | 163.181.154.237:443 | cbs.lagofast.com | tcp |
| US | 8.8.8.8:53 | 237.154.181.163.in-addr.arpa | udp |
| US | 163.181.154.237:443 | cbs.lagofast.com | tcp |
| US | 163.181.154.239:443 | static.lagofast.com | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 47.88.58.86:1883 | tcp | |
| US | 163.181.154.237:443 | cbs.lagofast.com | tcp |
| US | 163.181.154.237:443 | cbs.lagofast.com | tcp |
| US | 163.181.154.237:443 | cbs.lagofast.com | tcp |
| N/A | 239.255.255.250:3702 | udp | |
| US | 8.8.8.8:53 | 86.58.88.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa | udp |
| N/A | 127.0.0.1:50263 | tcp | |
| N/A | 127.0.0.1:50265 | tcp | |
| US | 8.8.8.8:53 | lagofast-online-static.oss-us-west-1.aliyuncs.com | udp |
| US | 163.181.154.237:443 | cbs.lagofast.com | tcp |
| US | 163.181.154.237:443 | cbs.lagofast.com | tcp |
| US | 163.181.154.237:443 | cbs.lagofast.com | tcp |
| US | 163.181.154.237:443 | cbs.lagofast.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 8.8.8.8:53 | report.lagofast.com | udp |
| US | 163.181.154.237:443 | cbs.lagofast.com | tcp |
| US | 163.181.154.237:443 | cbs.lagofast.com | tcp |
| US | 163.181.154.239:443 | static.lagofast.com | tcp |
| US | 163.181.154.239:443 | static.lagofast.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.254.94.51:443 | report.lagofast.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 163.181.154.237:443 | cbs.lagofast.com | tcp |
| US | 163.181.154.237:443 | cbs.lagofast.com | tcp |
| US | 163.181.154.237:443 | cbs.lagofast.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 8.8.8.8:53 | 45.111.88.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.94.254.47.in-addr.arpa | udp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 163.181.154.239:443 | static.lagofast.com | tcp |
| US | 163.181.154.239:443 | static.lagofast.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| N/A | 127.0.0.1:50283 | tcp | |
| N/A | 127.0.0.1:50285 | tcp | |
| N/A | 127.0.0.1:50287 | tcp | |
| N/A | 127.0.0.1:50289 | tcp | |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| N/A | 127.0.0.1:50295 | tcp | |
| N/A | 127.0.0.1:50297 | tcp | |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| N/A | 127.0.0.1:50302 | tcp | |
| N/A | 127.0.0.1:50304 | tcp | |
| N/A | 127.0.0.1:50306 | tcp | |
| N/A | 127.0.0.1:50308 | tcp | |
| N/A | 127.0.0.1:50310 | tcp | |
| N/A | 127.0.0.1:50312 | tcp | |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| US | 47.88.111.45:443 | lagofast-online-static.oss-us-west-1.aliyuncs.com | tcp |
| N/A | 127.0.0.1:50317 | tcp | |
| N/A | 127.0.0.1:50319 | tcp | |
| N/A | 127.0.0.1:50327 | tcp | |
| N/A | 127.0.0.1:50329 | tcp | |
| N/A | 127.0.0.1:50360 | tcp | |
| N/A | 127.0.0.1:50362 | tcp | |
| N/A | 127.0.0.1:50364 | tcp | |
| N/A | 127.0.0.1:50366 | tcp | |
| N/A | 127.0.0.1:50372 | tcp | |
| N/A | 127.0.0.1:50375 | tcp | |
| N/A | 239.255.255.250:3702 | udp | |
| N/A | 127.0.0.1:50390 | tcp | |
| N/A | 127.0.0.1:50392 | tcp | |
| N/A | 127.0.0.1:50394 | tcp | |
| N/A | 127.0.0.1:50396 | tcp | |
| N/A | 127.0.0.1:50398 | tcp | |
| N/A | 127.0.0.1:50400 | tcp | |
| N/A | 127.0.0.1:50402 | tcp | |
| N/A | 127.0.0.1:50404 | tcp | |
| N/A | 127.0.0.1:50406 | tcp | |
| N/A | 127.0.0.1:50408 | tcp | |
| N/A | 127.0.0.1:50410 | tcp | |
| N/A | 127.0.0.1:50412 | tcp | |
| N/A | 127.0.0.1:50414 | tcp | |
| N/A | 127.0.0.1:50416 | tcp | |
| N/A | 127.0.0.1:50418 | tcp | |
| N/A | 127.0.0.1:50420 | tcp | |
| N/A | 127.0.0.1:50422 | tcp | |
| N/A | 127.0.0.1:50424 | tcp | |
| N/A | 127.0.0.1:50429 | tcp | |
| N/A | 127.0.0.1:50432 | tcp | |
| N/A | 127.0.0.1:50448 | tcp | |
| N/A | 127.0.0.1:50450 | tcp | |
| N/A | 127.0.0.1:50452 | tcp | |
| N/A | 127.0.0.1:50454 | tcp | |
| N/A | 127.0.0.1:50458 | tcp | |
| N/A | 127.0.0.1:50460 | tcp | |
| N/A | 127.0.0.1:50462 | tcp | |
| N/A | 127.0.0.1:50464 | tcp | |
| N/A | 127.0.0.1:50466 | tcp | |
| N/A | 127.0.0.1:50468 | tcp | |
| N/A | 127.0.0.1:50477 | tcp | |
| N/A | 127.0.0.1:50479 | tcp | |
| N/A | 127.0.0.1:50483 | tcp | |
| N/A | 127.0.0.1:50485 | tcp | |
| N/A | 127.0.0.1:50487 | tcp | |
| N/A | 127.0.0.1:50489 | tcp | |
| N/A | 127.0.0.1:50493 | tcp | |
| N/A | 127.0.0.1:50495 | tcp | |
| N/A | 127.0.0.1:50501 | tcp | |
| N/A | 127.0.0.1:50503 | tcp | |
| N/A | 127.0.0.1:50505 | tcp | |
| N/A | 127.0.0.1:50507 | tcp | |
| N/A | 127.0.0.1:50510 | tcp | |
| N/A | 127.0.0.1:50512 | tcp | |
| N/A | 127.0.0.1:50515 | tcp | |
| N/A | 127.0.0.1:50517 | tcp | |
| N/A | 127.0.0.1:50531 | tcp | |
| N/A | 127.0.0.1:50533 | tcp | |
| N/A | 127.0.0.1:50536 | tcp | |
| N/A | 127.0.0.1:50538 | tcp | |
| N/A | 127.0.0.1:50545 | tcp | |
| N/A | 127.0.0.1:50547 | tcp | |
| N/A | 127.0.0.1:50549 | tcp | |
| N/A | 127.0.0.1:50551 | tcp | |
| N/A | 127.0.0.1:50559 | tcp | |
| N/A | 127.0.0.1:50561 | tcp | |
| N/A | 127.0.0.1:50564 | tcp | |
| N/A | 127.0.0.1:50566 | tcp | |
| N/A | 127.0.0.1:50573 | tcp | |
| N/A | 127.0.0.1:50575 | tcp | |
| N/A | 127.0.0.1:50578 | tcp | |
| N/A | 127.0.0.1:50580 | tcp | |
| N/A | 127.0.0.1:50583 | tcp | |
| N/A | 127.0.0.1:50585 | tcp | |
| N/A | 127.0.0.1:50594 | tcp | |
| N/A | 127.0.0.1:50596 | tcp | |
| N/A | 127.0.0.1:50601 | tcp | |
| N/A | 127.0.0.1:50603 | tcp | |
| N/A | 127.0.0.1:50608 | tcp | |
| N/A | 127.0.0.1:50610 | tcp | |
| N/A | 127.0.0.1:50613 | tcp | |
| N/A | 127.0.0.1:50615 | tcp | |
| N/A | 127.0.0.1:50620 | tcp | |
| N/A | 127.0.0.1:50622 | tcp | |
| N/A | 127.0.0.1:50624 | tcp | |
| N/A | 127.0.0.1:50626 | tcp | |
| N/A | 127.0.0.1:50634 | tcp | |
| N/A | 127.0.0.1:50636 | tcp | |
| N/A | 127.0.0.1:50641 | tcp | |
| N/A | 127.0.0.1:50643 | tcp | |
| N/A | 127.0.0.1:50650 | tcp | |
| N/A | 127.0.0.1:50652 | tcp | |
| N/A | 127.0.0.1:50655 | tcp | |
| N/A | 127.0.0.1:50657 | tcp | |
| N/A | 127.0.0.1:50661 | tcp | |
| N/A | 127.0.0.1:50663 | tcp | |
| N/A | 127.0.0.1:50667 | tcp | |
| N/A | 127.0.0.1:50670 | tcp | |
| N/A | 127.0.0.1:50676 | tcp | |
| N/A | 127.0.0.1:50678 | tcp | |
| N/A | 127.0.0.1:50680 | tcp | |
| N/A | 127.0.0.1:50682 | tcp | |
| N/A | 127.0.0.1:50684 | tcp | |
| N/A | 127.0.0.1:50687 | tcp | |
| N/A | 127.0.0.1:50697 | tcp | |
| N/A | 127.0.0.1:50699 | tcp | |
| N/A | 127.0.0.1:50704 | tcp | |
| N/A | 127.0.0.1:50706 | tcp | |
| N/A | 127.0.0.1:50709 | tcp | |
| N/A | 127.0.0.1:50711 | tcp | |
| N/A | 127.0.0.1:50718 | tcp | |
| N/A | 127.0.0.1:50720 | tcp | |
| N/A | 127.0.0.1:50723 | tcp | |
| N/A | 127.0.0.1:50725 | tcp | |
| N/A | 127.0.0.1:50727 | tcp | |
| N/A | 127.0.0.1:50729 | tcp | |
| N/A | 127.0.0.1:50739 | tcp | |
| N/A | 127.0.0.1:50741 | tcp | |
| N/A | 127.0.0.1:50746 | tcp | |
| N/A | 127.0.0.1:50748 | tcp | |
| N/A | 127.0.0.1:50753 | tcp | |
| N/A | 127.0.0.1:50755 | tcp | |
| N/A | 127.0.0.1:50758 | tcp | |
| N/A | 127.0.0.1:50760 | tcp | |
| N/A | 127.0.0.1:50763 | tcp | |
| N/A | 127.0.0.1:50762 | tcp | |
| N/A | 127.0.0.1:50774 | tcp | |
| N/A | 127.0.0.1:50776 | tcp | |
| N/A | 127.0.0.1:50781 | tcp | |
| N/A | 127.0.0.1:50783 | tcp | |
| N/A | 127.0.0.1:50788 | tcp | |
| N/A | 127.0.0.1:50790 | tcp | |
| N/A | 127.0.0.1:50793 | tcp | |
| N/A | 127.0.0.1:50795 | tcp | |
| N/A | 127.0.0.1:50802 | tcp | |
| N/A | 127.0.0.1:50804 | tcp | |
| N/A | 127.0.0.1:50807 | tcp | |
| N/A | 127.0.0.1:50809 | tcp | |
| N/A | 127.0.0.1:50812 | tcp | |
| N/A | 127.0.0.1:50814 | tcp | |
| N/A | 127.0.0.1:50823 | tcp | |
| N/A | 127.0.0.1:50825 | tcp | |
| N/A | 127.0.0.1:50828 | tcp | |
| N/A | 127.0.0.1:50830 | tcp | |
| N/A | 127.0.0.1:50836 | tcp | |
| N/A | 127.0.0.1:50838 | tcp | |
| N/A | 127.0.0.1:50842 | tcp | |
| N/A | 127.0.0.1:50844 | tcp | |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI33522\python310.dll
| MD5 | 178a0f45fde7db40c238f1340a0c0ec0 |
| SHA1 | dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe |
| SHA256 | 9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed |
| SHA512 | 4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\VCRUNTIME140.dll
| MD5 | 870fea4e961e2fbd00110d3783e529be |
| SHA1 | a948e65c6f73d7da4ffde4e8533c098a00cc7311 |
| SHA256 | 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644 |
| SHA512 | 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88 |
memory/4736-26-0x00007FF9D6310000-0x00007FF9D677E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI33522\base_library.zip
| MD5 | ee93ce2f8261ba7510f041619bb2b6f2 |
| SHA1 | f1d5d2f4c0b10e862b4b0a5ea65c47645901f894 |
| SHA256 | 41ce839465cf935b821cafc3a98afe1c411bf4655ad596442eb66d140ccd502e |
| SHA512 | c410a0b9eb43b2d0b190f453ea3907cdc70bfcf190ecf80fb03ed906af381853153270fd824fe2e2ba703bceed79e973f330d5ec31dfabff0f5a9f0f162136e9 |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\_ctypes.pyd
| MD5 | 813fc3981cae89a4f93bf7336d3dc5ef |
| SHA1 | daff28bcd155a84e55d2603be07ca57e3934a0de |
| SHA256 | 4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06 |
| SHA512 | ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc |
memory/4736-31-0x00007FF9E7730000-0x00007FF9E7754000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI33522\libffi-7.dll
| MD5 | 6f818913fafe8e4df7fedc46131f201f |
| SHA1 | bbb7ba3edbd4783f7f973d97b0b568cc69cadac5 |
| SHA256 | 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56 |
| SHA512 | 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639 |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\_queue.pyd
| MD5 | 0e7612fc1a1fad5a829d4e25cfa87c4f |
| SHA1 | 3db2d6274ce3dbe3dbb00d799963df8c3046a1d6 |
| SHA256 | 9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8 |
| SHA512 | 52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517 |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\_ssl.pyd
| MD5 | 081c878324505d643a70efcc5a80a371 |
| SHA1 | 8bef8336476d8b7c5c9ef71d7b7db4100de32348 |
| SHA256 | fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66 |
| SHA512 | c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32 |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\_sqlite3.pyd
| MD5 | bb4aa2d11444900c549e201eb1a4cdd6 |
| SHA1 | ca3bb6fc64d66deaddd804038ea98002d254c50e |
| SHA256 | f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f |
| SHA512 | cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931 |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\_lzma.pyd
| MD5 | 6f810f46f308f7c6ccddca45d8f50039 |
| SHA1 | 6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea |
| SHA256 | 39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76 |
| SHA512 | c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878 |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\select.pyd
| MD5 | 666358e0d7752530fc4e074ed7e10e62 |
| SHA1 | b9c6215821f5122c5176ce3cf6658c28c22d46ba |
| SHA256 | 6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841 |
| SHA512 | 1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\_hashlib.pyd
| MD5 | 4ae75c47dbdebaa16a596f31b27abd9e |
| SHA1 | a11f963139c715921dedd24bc957ab6d14788c34 |
| SHA256 | 2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d |
| SHA512 | e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8 |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\_decimal.pyd
| MD5 | f65d2fed5417feb5fa8c48f106e6caf7 |
| SHA1 | 9260b1535bb811183c9789c23ddd684a9425ffaa |
| SHA256 | 574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8 |
| SHA512 | 030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\_bz2.pyd
| MD5 | 93fe6d3a67b46370565db12a9969d776 |
| SHA1 | ff520df8c24ed8aa6567dd0141ef65c4ea00903b |
| SHA256 | 92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b |
| SHA512 | 5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\unicodedata.pyd
| MD5 | 7a462a10aa1495cef8bfca406fb3637e |
| SHA1 | 6dcbd46198b89ef3007c76deb42ab10ba4c4cf40 |
| SHA256 | 459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0 |
| SHA512 | d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\sqlite3.dll
| MD5 | bd2819965b59f015ec4233be2c06f0c1 |
| SHA1 | cff965068f1659d77be6f4942ca1ada3575ca6e2 |
| SHA256 | ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec |
| SHA512 | f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59 |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\_socket.pyd
| MD5 | 7a31bc84c0385590e5a01c4cbe3865c3 |
| SHA1 | 77c4121abe6e134660575d9015308e4b76c69d7c |
| SHA256 | 5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36 |
| SHA512 | b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882 |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\libssl-1_1.dll
| MD5 | eac369b3fde5c6e8955bd0b8e31d0830 |
| SHA1 | 4bf77158c18fe3a290e44abd2ac1834675de66b4 |
| SHA256 | 60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c |
| SHA512 | c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778 |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\libcrypto-1_1.dll
| MD5 | daa2eed9dceafaef826557ff8a754204 |
| SHA1 | 27d668af7015843104aa5c20ec6bbd30f673e901 |
| SHA256 | 4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914 |
| SHA512 | 7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\bound.blank
| MD5 | d236052267a629b5c4285d4388d5dbec |
| SHA1 | d716f939c72a0ba83a90707c3e999c9ac5d5656f |
| SHA256 | 41af3b6bc7f1041a8d173776abc7d006e1fe3ff65bdef1d9aaad590f13e1532a |
| SHA512 | 2bd3e83fdc9f029c8e2e3af644aaa8934475821edc733a39e1e7061778555f2f2265ed666743d7ec936d1d326d58193247bd9dbb4980818ce1cbdf806dd6f3a5 |
C:\Users\Admin\AppData\Local\Temp\_MEI33522\blank.aes
| MD5 | 37fdeaa9cd0df6abb9a34c7bcb68fa61 |
| SHA1 | 9c878012fca6244278f89968418d4ab0334c2016 |
| SHA256 | 8db7875dac5b302631341847e045d7888843a70c9ca028c31f5826c28382dc01 |
| SHA512 | 7491f319b40ac71da97471cce368a496ac4d77642640a15d597be71dc5fb37b7929aa6345bf3f42675f6b97e96e1761aa0294da2227c1f8c2c480fbaf3881c7e |
memory/4736-33-0x00007FF9E7A70000-0x00007FF9E7A7F000-memory.dmp
memory/4736-56-0x00007FF9E72C0000-0x00007FF9E72ED000-memory.dmp
memory/4736-58-0x00007FF9E71B0000-0x00007FF9E71C9000-memory.dmp
memory/4736-60-0x00007FF9E7190000-0x00007FF9E71AF000-memory.dmp
memory/4736-62-0x00007FF9D6190000-0x00007FF9D6301000-memory.dmp
memory/4736-64-0x00007FF9E7170000-0x00007FF9E7189000-memory.dmp
memory/4736-66-0x00007FF9E7970000-0x00007FF9E797D000-memory.dmp
memory/4736-69-0x00007FF9D6310000-0x00007FF9D677E000-memory.dmp
memory/4736-71-0x00007FF9E6CE0000-0x00007FF9E6D98000-memory.dmp
memory/4736-70-0x00007FF9E6EF0000-0x00007FF9E6F1E000-memory.dmp
memory/4736-75-0x00007FF9D5E10000-0x00007FF9D6185000-memory.dmp
memory/4736-76-0x000002A8DC660000-0x000002A8DC9D5000-memory.dmp
memory/4736-74-0x00007FF9E7730000-0x00007FF9E7754000-memory.dmp
memory/4736-78-0x00007FF9E6AD0000-0x00007FF9E6AE4000-memory.dmp
memory/4736-80-0x00007FF9E7720000-0x00007FF9E772D000-memory.dmp
memory/4736-83-0x00007FF9E72C0000-0x00007FF9E72ED000-memory.dmp
memory/4736-84-0x00007FF9E69B0000-0x00007FF9E6AC8000-memory.dmp
memory/5080-85-0x0000019E30020000-0x0000019E30042000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hhyctowy.j0m.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\bound.exe
| MD5 | 89f815cd773179f8c4109d1c5dae1da1 |
| SHA1 | 5611bf68de7a79515864e800ffe67876b72ec495 |
| SHA256 | 05565ce15b0e78bd6044da662dff37aa6dd0bed94de861994cbfffefad38e36e |
| SHA512 | 4ae85fdf668192b40ad9d7487cceb85c3683e9ad26bb23f5385378c6408c6b676f1a39181cce43e0da34ae63b7e18754a077ae1e8b18d4c3701ec7a495eef613 |
memory/4736-128-0x00007FF9E6AD0000-0x00007FF9E6AE4000-memory.dmp
memory/4736-121-0x00007FF9E7190000-0x00007FF9E71AF000-memory.dmp
memory/4736-127-0x00007FF9D5E10000-0x00007FF9D6185000-memory.dmp
memory/4736-130-0x00007FF9E69B0000-0x00007FF9E6AC8000-memory.dmp
memory/4736-129-0x00007FF9E7720000-0x00007FF9E772D000-memory.dmp
memory/4736-126-0x00007FF9E6CE0000-0x00007FF9E6D98000-memory.dmp
memory/4736-125-0x00007FF9E6EF0000-0x00007FF9E6F1E000-memory.dmp
memory/4736-124-0x00007FF9E7970000-0x00007FF9E797D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI33522\blank.aes
| MD5 | f827e82d09ceaeaf8998457fd9a3a81e |
| SHA1 | 47909ac4d4186a438dbba1089ecc96c858d187a4 |
| SHA256 | 6233dd012f485d60aef71ca04bf18ed056a2c3b21f326563a177eb9e10be9f33 |
| SHA512 | 651f1a74d94b63f0f22751b2ef9ade6cc2e895b3b2a7d790d29d3d2dff6f6f035e027c439f5691797dbd3792cd3db9f719ad5ede80edcef5fe2efef56a7fb093 |
memory/4736-123-0x00007FF9E7170000-0x00007FF9E7189000-memory.dmp
memory/4736-122-0x00007FF9D6190000-0x00007FF9D6301000-memory.dmp
memory/4736-120-0x00007FF9E71B0000-0x00007FF9E71C9000-memory.dmp
memory/4736-119-0x00007FF9E72C0000-0x00007FF9E72ED000-memory.dmp
memory/4736-118-0x00007FF9E7A70000-0x00007FF9E7A7F000-memory.dmp
memory/4736-117-0x00007FF9E7730000-0x00007FF9E7754000-memory.dmp
memory/4736-116-0x00007FF9D6310000-0x00007FF9D677E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 59d97011e091004eaffb9816aa0b9abd |
| SHA1 | 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b |
| SHA256 | 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d |
| SHA512 | d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6 |
C:\Users\Admin\AppData\Local\Temp\7z.dll
| MD5 | 4f8997114eb4929daa5eb2bc27765879 |
| SHA1 | 4d373181aa669f164e2ecbce5166527c2a479fe5 |
| SHA256 | c23e78fa31e87b8775dc05421a41c1e11b8cc8d0b973e5f33116e302892666d9 |
| SHA512 | 3f56248cf6776878575bb60551ff8a1fe6b520e952dfb674b8254a0e00be75df811e88e08d8f2dec00d94f987aa1b9f7e7f7330835eec8c4be2f2a928ad042d5 |
C:\Program Files (x86)\LagoFast\driver\lwf\win7\amd64\ndisrd_lwf.inf
| MD5 | 594d8fca1306a345056e4ee299d3ca98 |
| SHA1 | 86332a69361ec9676eb07f33fbf841f9e057a70f |
| SHA256 | 9344e5652e449b4e722d8a00f666cda147d5305b913102195bd7255124a413bc |
| SHA512 | ad01e07cb158c16ce88aa8e5636e3056d61dd295dce35db36cfc766b4518fe00a98f10064b99bffb691b701ff522f9bc1571d825fdbb8049cabdbc4ce3f2c64a |
C:\Program Files (x86)\LagoFast\LagoFast.exe
| MD5 | 2fe11875836e15ea960bc71985772655 |
| SHA1 | c137a9379c529ec00f718f17118d1dd6ff9f696c |
| SHA256 | 8f21351eb5be8159e7c3054569246e60d96246eff3308f54efbd5935354a83db |
| SHA512 | 5eb4c4bb09ebfa79e090df13d882c95ca75e31ecc61faf558143302878b655a0aa65917febc90cf1d3f7f8c6ccd8e2cfc6705238d3a05affd83e96355c098921 |
C:\Program Files (x86)\LagoFast\ChromeBase.dll
| MD5 | c7634be8d6d7f9ed5f135e837275a5b6 |
| SHA1 | 9a192bbe5dd5ca60359d2e46eebc7d6ed6272792 |
| SHA256 | bcfc5fd9219dd54e93067f7ca7fdf1c7c9b56b43de4fe0cc2625e47c92c45b50 |
| SHA512 | 5d83b2ac9baf799660ba096a753bb834e9d770a16c1383b883863e4d88c1530f614669e0cfecc6d2d831259357c6efedb6097868fb22aa9e6391ac71899f6c6e |
C:\Program Files (x86)\LagoFast\dbghelp.dll
| MD5 | 4bd7fde53c455f180234afa78a7a25f6 |
| SHA1 | cc5f52748af96926a057306b95ab664c1ede33fd |
| SHA256 | d3fe92da1bdfd219c0a9f8151d995f91cfb293fb733ee9fadbafb4bd53a7d9d6 |
| SHA512 | 901cb96aa0d0c80c65e37b2259637c03a2bd9e19ce45f3c511b95765cf316ed41760e26fb055b278bcda48ae511acd7a5a2d390e45a7d7b3ad59c42e37504a1e |
C:\Program Files (x86)\LagoFast\MSVCR120.dll
| MD5 | f1d2b8eb716d0655e7daa0c269b206e4 |
| SHA1 | fe1462af2bac51153cba49672db8f020f6ee4814 |
| SHA256 | ad466849a3a4a29202aeee78a886a11632db2c0d1c53fea7d7c2a83a1d8406fb |
| SHA512 | 18bfbc35d8d414d17c9be7f953843c3cb9d1bb1e925293b05dc75b6541a6492055929e7558241f6cffeb86eab5060e15898b0cb02fa64ff0fedc884ca7ef50c2 |
C:\Program Files (x86)\LagoFast\msvcp120.dll
| MD5 | b88e716c57c6c80f73e9f7c67e7e75c1 |
| SHA1 | 83196632fa202c63be9a25c1109d0e59b4ed49af |
| SHA256 | 57f133e1c10b53e4ec02128b88efda9b4c8cfac607f36b298f81b689f70ac7c6 |
| SHA512 | aa519ddbb24f64c8f96f72a70930c2355dd647010172565f150a8a65f54885a0105b9558e2fcc85da4eb845cc3afa2ca6813c81306c7651ea51c87932f6d429d |
C:\Program Files (x86)\LagoFast\Network.dll
| MD5 | 336678ff6cd595508faa6a85300bce82 |
| SHA1 | c3d7743a499b6f6bb1bab39002af22f7bf1c9d98 |
| SHA256 | 32cf6639efb045ecea818c21cd3cd1c2865e61a91fb2cca882c079af46d21ed4 |
| SHA512 | 3b38390afb96ad37a620421768990d97033bb0813c0195c785dfc9ef6dd5be1031407c9a160f6a21b5dfd611bb5486f59b77c1c72e142c5e8c69396a6c182027 |
C:\Program Files (x86)\LagoFast\DuiLib.dll
| MD5 | 6a01dda0273e2e74d4f9592d1544eeac |
| SHA1 | bfb94213463e48ae125069976408793bf4f5f730 |
| SHA256 | 0591978d3a638da4775d310dff4b8ae43979886d8376df8c7a00cd6eb8667f86 |
| SHA512 | 29ba3a52e850cdd072a6a7b889dd24de2528934a35821acd35f7d98bee16b3932b8b6a340e8c295a589bdf62a04b8d8f7041841ce5ce3ecb7e23996404647f8b |
C:\Program Files (x86)\LagoFast\CrashRpt1403.dll
| MD5 | 7784d6985987d574d7077afbf4eb44e3 |
| SHA1 | 7755fdf54d46e592fb426b8c18d4fe533bfbd24f |
| SHA256 | 797489b845a715a6222b439fe5383c20817927b849a5fbfa2e0de938f17b5b48 |
| SHA512 | 051dcbcfa45e678e486c42b99a3e9a384e402f4ed11a8ff22104a1ec14b8925db086fe0c310781871a3f713ff0a22f47b59337d80521778074ac7391ba1ac000 |
memory/1568-423-0x0000000067A40000-0x00000000696C8000-memory.dmp
C:\Users\Admin\AppData\Local\LagoFast\user.ini
| MD5 | 4879ea3944aa6ab1244356b684033649 |
| SHA1 | 8b63b95c4c27ca5085d787d680f0b8b30718adef |
| SHA256 | 5d7e311e4269bcee7ff9a0cf77c5c655b6226c7e0df829cf9ce2fe0386e82029 |
| SHA512 | 4695f905f94a74fe024e6aeb2a3e8cc4c446849fadb5488c816b271e1ddbf5be1a532974fee2c52f09947e6f966788cb68b4d9f51490237ca378f750a5daad4e |
C:\Program Files (x86)\LagoFast\QCenterConfig.json_tmp
| MD5 | 1225564978ad72365892a9e952161910 |
| SHA1 | 8c4e3908e802821e3f044cd4d9fe318e51b53a37 |
| SHA256 | f0b3d7d8c2234b16e1bb70af280b073517718b2330bbb8b1f1449011cb371099 |
| SHA512 | a5992642173c36aa75008a355eb37c6902d68c6bc724a139e3279e83dc5aaf67530629e2d5324c937e3100a96722e0da0821f1b7467eca1888ce95b260d42081 |
C:\Users\Admin\AppData\Local\LagoFast\user.ini
| MD5 | 1a389a82d7b0dc6681b039262456d967 |
| SHA1 | 6c7b971427961f051231a48a6423c35c951c8b80 |
| SHA256 | 137328afa29d62fa18d77328a9f49f6c2b10b8789c05ccec39354a88f12d4deb |
| SHA512 | 7f69556749ff738897ae178cb94ad33f738b182d93190672f164a998f6dc2888ad51c570fb29c9d6ff1a2f49588f2673fdb0f830d008b48fec1e5897606dd4ac |
C:\Users\Admin\AppData\Local\LagoFast\user.ini
| MD5 | 6325aca900097e9c82f4a09d384026ba |
| SHA1 | 26cea4dc43b176bc3a7045e3411524ed7a9cfb64 |
| SHA256 | 23572c6ff782d442c19413bb6e06fde9d6842e3c57d27265d2929641a8ab4b25 |
| SHA512 | aa723bafc31e0b203119f274822506da1392eaaa856d38f6e944a36e84ca87b101067efbc268bb7e60370882b09427e700f3be69cb246ed0ea87dbed23c515a6 |
memory/1568-477-0x0000000067A40000-0x00000000696C8000-memory.dmp
C:\Users\Admin\AppData\Local\LagoFast\user.ini
| MD5 | 647a98a9e57adee4bb1b96984abffe8c |
| SHA1 | ed46bd8c01daa35a97de8f32b7bb1670f4a955e5 |
| SHA256 | 4ae67c56c34e5e1f096adcfc3cda5102c3a1a1d3cd9bc73a15780f41353b59b2 |
| SHA512 | 1abb5f63c588ec6d01dd9bb213cfd663dac8b481f2eef1ad4e9e4dbbeed4c60e7a1ea7782e7b25c673845d0ee37c18ce215a9024d7f8fb9e61907031dbcd61af |
memory/1568-615-0x0000000037C00000-0x0000000037D02000-memory.dmp
memory/1568-616-0x0000000038AE0000-0x0000000038C6F000-memory.dmp
memory/1568-614-0x0000000067A40000-0x00000000696C8000-memory.dmp