Analysis Overview
SHA256
3625cb99d6cc874905d717eaf39b0ec82eb5879c2c7258e7cae8f235934bc84a
Threat Level: Shows suspicious behavior
The file 6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Checks computer location settings
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 05:04
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 05:04
Reported
2024-06-13 05:06
Platform
win7-20240508-en
Max time kernel
140s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Q5VHMIHWsRqAId2.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\Q5VHMIHWsRqAId2.exe
C:\Users\Admin\AppData\Local\Temp\Q5VHMIHWsRqAId2.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\Q5VHMIHWsRqAId2.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\getmac.exe
"getmac"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | az700632.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az667904.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az667904.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az700632.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az700632.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az667904.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az667904.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az700632.vo.msecnd.net | udp |
Files
memory/2904-1-0x0000000000350000-0x0000000000368000-memory.dmp
\Users\Admin\AppData\Local\Temp\Q5VHMIHWsRqAId2.exe
| MD5 | f32908d4944949b7c026a0421ce04879 |
| SHA1 | 54f01696973eb9cc63c5a0a08812c188dd5150df |
| SHA256 | 2cd59d39d80de8823851ede07d0ddba1f283b0fae86060441f748b11e6e31f4f |
| SHA512 | 8d2ad3ea536a84320da3cbe874aca227329069624f2606767adc335ded18fd6f0646d74d7169179bebb1fce7bc4687f2164a0f23dd50d251a392bf4eea7d36c8 |
C:\Windows\CTS.exe
| MD5 | a6749b968461644db5cc0ecceffb224a |
| SHA1 | 2795aa37b8586986a34437081351cdd791749a90 |
| SHA256 | 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2 |
| SHA512 | 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4 |
memory/2844-15-0x0000000000A80000-0x0000000000A98000-memory.dmp
memory/2904-12-0x0000000000350000-0x0000000000368000-memory.dmp
\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
| MD5 | d6baac92ade6ade86ac8b33179c13db8 |
| SHA1 | c2dfc428a02ffc2c3cc293423d38037ea75cfade |
| SHA256 | eafadec2a23db1e659ecec552971b847eaa78b5e665db8984e456e159715ec10 |
| SHA512 | 7577167f2954402ffa642e1705acacc49e577268c102f00685cf5968c669d16e2925db39650882054b6e812433c98c916f737f7bacdb94ce8c37277a7585ec45 |
C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config
| MD5 | 010d94408fd5432563d51e416ba346b3 |
| SHA1 | 0041f1989b67b666ec0f0581f9e6ce0e94b55c55 |
| SHA256 | 0472025ac139903fead459c4c173364f128f68f015d0299fb0ddd835f7437d5d |
| SHA512 | d3252d2f2e07ca2e29c26894400690a0698a8cfcaefc3dd7f7c5020193725e331833fe997b8889807900e08d5c9b09ce69e803d64452b297385713f0e3a325f1 |
memory/1036-130-0x0000000000330000-0x0000000000396000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll
| MD5 | fc32f39277ebbe48d976c9970cdab5dd |
| SHA1 | 2d2e6eafd0d16ec8f577293f4903f2ae3453752f |
| SHA256 | 7dd27a5ca48c16725e3a3ec9b18b1e198390e4c5f62af9a5c2489b27e3f871f8 |
| SHA512 | 30f99c799d2f88fc5cd66593435f851410e9cbafb10ad435c57a85a7eb86a4cf7179937b2da2597dab77da3b04d9770331ea776053d02af08ad4f6c7abbc45ea |
memory/1036-134-0x00000000048F0000-0x0000000004A32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll
| MD5 | d4fa5e438ff243a1da462726fb4ea164 |
| SHA1 | 7effd06f4eaa0a5d701ea4162dce55cbfeb4c0cd |
| SHA256 | fa9d5c116363ccc82f92767bbb36d154f8903b861a9de65a01fd7824a566b4b0 |
| SHA512 | 8dbfc97abb5eb4363a1c896a4d276630a502354ed144e60dfb0ffbc1245486003d8af49443fd4baa70541114b50764467caed709cc416f60eaf33fd0f6fcee7b |
memory/1036-138-0x0000000004710000-0x0000000004778000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll
| MD5 | 015ef51b3e50cc182b323524e5296172 |
| SHA1 | f5e8cb54340c3f6f0c4876348193afd04bb10323 |
| SHA256 | 289200599446f28664d3a44774ec076061fab75fa7307637284bf50231d25c0b |
| SHA512 | 8c69cbaee9e9d4c526fd5f5db5a1d5030821f1ce79e7a4698bb2ef9617e81832528130a485c09bfd24b63202e5c91ba03accdbe53f0be9a3bcb11e16b12097e5 |
memory/1036-146-0x00000000002D0000-0x00000000002D8000-memory.dmp
\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll
| MD5 | a6076a6e981bc6c29f270d3919e722e8 |
| SHA1 | 739c1b7fe6ade740cd87aeb84a4ac10720b14a2a |
| SHA256 | 460bed22e1f7148209901da0eb97fd8d83fef8f1404e3fb82219c90ae2876710 |
| SHA512 | 064f5a4756b3a0b8f8017e892ab85e0340d9f60fd1c03f2250cc24bdb0d650edaae873c8dcf543af31e027ac5eaa1bfeda99099286de71332eced742c78d6720 |
memory/1036-150-0x0000000000950000-0x0000000000976000-memory.dmp
\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll
| MD5 | 7ef638cbd3200605fc15e7be7ea9fcb5 |
| SHA1 | 534f6176f10bc79b2655e535b7ac6a4df9f67855 |
| SHA256 | 467df0856c41d9b37e6c55ae1b82edcca60f4c7847f93b7f24ca6543b675ad8a |
| SHA512 | c145576d119e2053c0cbffb910f63003d42c2af320ba410f6e81da9e40cc337000d8ad733778873bd2700e366f5672c311d69b4b2391564fe19fa6e48c1cb373 |
memory/1036-142-0x0000000004BE0000-0x0000000004CCA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\Newtonsoft.Json.dll
| MD5 | 081d9558bbb7adce142da153b2d5577a |
| SHA1 | 7d0ad03fbda1c24f883116b940717e596073ae96 |
| SHA256 | b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3 |
| SHA512 | 2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511 |
memory/1036-154-0x0000000005400000-0x00000000054B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll
| MD5 | c510b1756eac53c62ba8c7279609357f |
| SHA1 | 953ee732da8c49d2ef97711f5b7220d5e2cea8d6 |
| SHA256 | 188f3af3e336a5bf1dc82007fa4b96522b3ed946326a65b93dbeb0e24356f642 |
| SHA512 | 61ebf783d156733cbcf654a73bb73a67e63bc544376154b86f8c418a9ffaced9dfb7a0eea1b36d2622f7990539b078064cabe5d26976124a18e6aba580be2b33 |
memory/1036-160-0x0000000000AA0000-0x0000000000AAE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll
| MD5 | 9a341540899dcc5630886f2d921be78f |
| SHA1 | bab44612721c3dc91ac3d9dfca7c961a3a511508 |
| SHA256 | 3cadcb6b8a7335141c7c357a1d77af1ff49b59b872df494f5025580191d1c0d5 |
| SHA512 | 066984c83de975df03eee1c2b5150c6b9b2e852d9caf90cfd956e9f0f7bd5a956b96ea961b26f7cd14c089bc8a27f868b225167020c5eb6318f66e58113efa37 |
memory/1036-164-0x0000000000C80000-0x0000000000C88000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll
| MD5 | 2338953ae2ab47de1703f27e872e84ba |
| SHA1 | 2765b2f2cd04a0e1df7556da551ce9d763bc5c4d |
| SHA256 | bfc4890087c01f629fa09e744e5a861f9f68b504100cbcf805855fa5906d61c7 |
| SHA512 | 417ce0ef8344409ebd05b8c52b58a3960489fe810b95af31e72430690ffb8258042a73e205fc27396731113ad84302ff898821b4f2db2b9d4fa2b2293ccca872 |
memory/1036-170-0x0000000002290000-0x000000000229E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll
| MD5 | ed2315668a0dda422f463d27c8110838 |
| SHA1 | ce17813ccc0cd968d9fb3d01e7b7ffbf3b05cebe |
| SHA256 | 0ce6da02115192a688359299b1a47ce9e6b2a8adf3dfcd92a2467b55d5f3c0aa |
| SHA512 | e9a47c030fa20a8d36f0c47293e547de0e7d978813ebde64f181d76d8606cf629846075ecb5e3a0b9d262a6fba7aeb0caa8fe3006c018de3c2c2ecdbf31c1eb7 |
C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\vs_setup_bootstrapper.json
| MD5 | ecd028adc95c8ae1a92db26c5fdedb09 |
| SHA1 | a0b505a8ba954147e33542de25fdbd54ef3c5304 |
| SHA256 | 94cdbb8cd5b9fd5e44858efe36e25994c56848fa0e77920c08253f3e3063a2e3 |
| SHA512 | 0df8ace311c4bb75e4e036857828a57a1f76d075fe2056ef44fd9f3d865ab7dbc686c01274627b418a530ba0e761673d29c3f0ee3432887df7465ecfd167b7f6 |
C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\vs_setup_bootstrapper.config
| MD5 | 0e4ebc00f6099b2e065d9015fb53977d |
| SHA1 | 7542e6ecbd4fe9c018f1875126f72159a14369d8 |
| SHA256 | 2f2975da8453485ddf84221e1e3d6823dcba996a4ce44cd6391cf4d2dd18e828 |
| SHA512 | 2937e89aad01ca30f9aff99f84c33083c7a32ce8534e98a0c5acd8ab3edfeb23d2f6d9d99902ea34857c187ec093f18e833a192f71d29d18a7e378ecf351923e |
memory/1036-181-0x0000000004E70000-0x0000000004E7A000-memory.dmp
memory/1036-180-0x0000000004E70000-0x0000000004E7A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a1268a15a76d01447652\vs_bootstrapper_d15\detection.json
| MD5 | 782f4beae90d11351db508f38271eb26 |
| SHA1 | f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c |
| SHA256 | c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9 |
| SHA512 | 0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4 |
memory/1036-184-0x0000000004E70000-0x0000000004E7A000-memory.dmp
memory/1036-185-0x0000000004E70000-0x0000000004E7A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 05:04
Reported
2024-06-13 05:06
Platform
win10v2004-20240611-en
Max time kernel
141s
Max time network
106s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wVIgqddaNGMmacM.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wVIgqddaNGMmacM.exe | N/A |
| N/A | N/A | C:\Windows\CTS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\vs_setup_bootstrapper.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6091e5353873fa898f5cafa67c92fb60_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\wVIgqddaNGMmacM.exe
C:\Users\Admin\AppData\Local\Temp\wVIgqddaNGMmacM.exe
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\wVIgqddaNGMmacM.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\getmac.exe
"getmac"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | az667904.vo.msecnd.net | udp |
| US | 152.199.19.161:443 | az667904.vo.msecnd.net | tcp |
| US | 8.8.8.8:53 | az700632.vo.msecnd.net | udp |
| US | 152.199.19.161:443 | az700632.vo.msecnd.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | targetednotifications-tm.trafficmanager.net | udp |
| US | 20.42.128.98:443 | targetednotifications-tm.trafficmanager.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.128.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/4532-0-0x0000000000CB0000-0x0000000000CC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wVIgqddaNGMmacM.exe
| MD5 | f32908d4944949b7c026a0421ce04879 |
| SHA1 | 54f01696973eb9cc63c5a0a08812c188dd5150df |
| SHA256 | 2cd59d39d80de8823851ede07d0ddba1f283b0fae86060441f748b11e6e31f4f |
| SHA512 | 8d2ad3ea536a84320da3cbe874aca227329069624f2606767adc335ded18fd6f0646d74d7169179bebb1fce7bc4687f2164a0f23dd50d251a392bf4eea7d36c8 |
C:\Windows\CTS.exe
| MD5 | a6749b968461644db5cc0ecceffb224a |
| SHA1 | 2795aa37b8586986a34437081351cdd791749a90 |
| SHA256 | 720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2 |
| SHA512 | 2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4 |
memory/4532-9-0x0000000000CB0000-0x0000000000CC8000-memory.dmp
memory/1724-11-0x00000000002C0000-0x00000000002D8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 9dd8963ce8db34152fb668cbe07868d4 |
| SHA1 | be3a4fe81425b272d680e1c633926a4f18a2e79c |
| SHA256 | 7a3f2b12db5daeb680ecdbd96b9bc374125dac0f36216a6c2223a50e08db10a3 |
| SHA512 | 2ecee7acec8534361b0602f35701a273eae11476858920c300cf3e965922e1413416c438d4826b3c7dc2ce6b30396a076fc73bf0e6af0018ce569d5844734a4d |
C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
| MD5 | d6baac92ade6ade86ac8b33179c13db8 |
| SHA1 | c2dfc428a02ffc2c3cc293423d38037ea75cfade |
| SHA256 | eafadec2a23db1e659ecec552971b847eaa78b5e665db8984e456e159715ec10 |
| SHA512 | 7577167f2954402ffa642e1705acacc49e577268c102f00685cf5968c669d16e2925db39650882054b6e812433c98c916f737f7bacdb94ce8c37277a7585ec45 |
C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config
| MD5 | 010d94408fd5432563d51e416ba346b3 |
| SHA1 | 0041f1989b67b666ec0f0581f9e6ce0e94b55c55 |
| SHA256 | 0472025ac139903fead459c4c173364f128f68f015d0299fb0ddd835f7437d5d |
| SHA512 | d3252d2f2e07ca2e29c26894400690a0698a8cfcaefc3dd7f7c5020193725e331833fe997b8889807900e08d5c9b09ce69e803d64452b297385713f0e3a325f1 |
memory/2676-147-0x0000000072C6E000-0x0000000072C6F000-memory.dmp
memory/2676-149-0x00000000007F0000-0x0000000000856000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll
| MD5 | fc32f39277ebbe48d976c9970cdab5dd |
| SHA1 | 2d2e6eafd0d16ec8f577293f4903f2ae3453752f |
| SHA256 | 7dd27a5ca48c16725e3a3ec9b18b1e198390e4c5f62af9a5c2489b27e3f871f8 |
| SHA512 | 30f99c799d2f88fc5cd66593435f851410e9cbafb10ad435c57a85a7eb86a4cf7179937b2da2597dab77da3b04d9770331ea776053d02af08ad4f6c7abbc45ea |
memory/2676-153-0x00000000051C0000-0x0000000005302000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll
| MD5 | d4fa5e438ff243a1da462726fb4ea164 |
| SHA1 | 7effd06f4eaa0a5d701ea4162dce55cbfeb4c0cd |
| SHA256 | fa9d5c116363ccc82f92767bbb36d154f8903b861a9de65a01fd7824a566b4b0 |
| SHA512 | 8dbfc97abb5eb4363a1c896a4d276630a502354ed144e60dfb0ffbc1245486003d8af49443fd4baa70541114b50764467caed709cc416f60eaf33fd0f6fcee7b |
C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll
| MD5 | 015ef51b3e50cc182b323524e5296172 |
| SHA1 | f5e8cb54340c3f6f0c4876348193afd04bb10323 |
| SHA256 | 289200599446f28664d3a44774ec076061fab75fa7307637284bf50231d25c0b |
| SHA512 | 8c69cbaee9e9d4c526fd5f5db5a1d5030821f1ce79e7a4698bb2ef9617e81832528130a485c09bfd24b63202e5c91ba03accdbe53f0be9a3bcb11e16b12097e5 |
memory/2676-161-0x00000000056E0000-0x00000000057CA000-memory.dmp
memory/2676-165-0x0000000005530000-0x0000000005538000-memory.dmp
memory/2676-169-0x00000000055F0000-0x0000000005616000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll
| MD5 | a6076a6e981bc6c29f270d3919e722e8 |
| SHA1 | 739c1b7fe6ade740cd87aeb84a4ac10720b14a2a |
| SHA256 | 460bed22e1f7148209901da0eb97fd8d83fef8f1404e3fb82219c90ae2876710 |
| SHA512 | 064f5a4756b3a0b8f8017e892ab85e0340d9f60fd1c03f2250cc24bdb0d650edaae873c8dcf543af31e027ac5eaa1bfeda99099286de71332eced742c78d6720 |
C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll
| MD5 | 7ef638cbd3200605fc15e7be7ea9fcb5 |
| SHA1 | 534f6176f10bc79b2655e535b7ac6a4df9f67855 |
| SHA256 | 467df0856c41d9b37e6c55ae1b82edcca60f4c7847f93b7f24ca6543b675ad8a |
| SHA512 | c145576d119e2053c0cbffb910f63003d42c2af320ba410f6e81da9e40cc337000d8ad733778873bd2700e366f5672c311d69b4b2391564fe19fa6e48c1cb373 |
memory/2676-157-0x0000000005580000-0x00000000055E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\Newtonsoft.Json.dll
| MD5 | 081d9558bbb7adce142da153b2d5577a |
| SHA1 | 7d0ad03fbda1c24f883116b940717e596073ae96 |
| SHA256 | b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3 |
| SHA512 | 2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511 |
memory/2676-173-0x0000000005B80000-0x0000000005C30000-memory.dmp
memory/2676-182-0x00000000056C0000-0x00000000056C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll
| MD5 | 9a341540899dcc5630886f2d921be78f |
| SHA1 | bab44612721c3dc91ac3d9dfca7c961a3a511508 |
| SHA256 | 3cadcb6b8a7335141c7c357a1d77af1ff49b59b872df494f5025580191d1c0d5 |
| SHA512 | 066984c83de975df03eee1c2b5150c6b9b2e852d9caf90cfd956e9f0f7bd5a956b96ea961b26f7cd14c089bc8a27f868b225167020c5eb6318f66e58113efa37 |
memory/2676-178-0x0000000072C60000-0x0000000073410000-memory.dmp
memory/2676-177-0x0000000005680000-0x000000000568E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll
| MD5 | c510b1756eac53c62ba8c7279609357f |
| SHA1 | 953ee732da8c49d2ef97711f5b7220d5e2cea8d6 |
| SHA256 | 188f3af3e336a5bf1dc82007fa4b96522b3ed946326a65b93dbeb0e24356f642 |
| SHA512 | 61ebf783d156733cbcf654a73bb73a67e63bc544376154b86f8c418a9ffaced9dfb7a0eea1b36d2622f7990539b078064cabe5d26976124a18e6aba580be2b33 |
C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll
| MD5 | 2338953ae2ab47de1703f27e872e84ba |
| SHA1 | 2765b2f2cd04a0e1df7556da551ce9d763bc5c4d |
| SHA256 | bfc4890087c01f629fa09e744e5a861f9f68b504100cbcf805855fa5906d61c7 |
| SHA512 | 417ce0ef8344409ebd05b8c52b58a3960489fe810b95af31e72430690ffb8258042a73e205fc27396731113ad84302ff898821b4f2db2b9d4fa2b2293ccca872 |
memory/2676-186-0x0000000005E40000-0x0000000005E4E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll
| MD5 | ed2315668a0dda422f463d27c8110838 |
| SHA1 | ce17813ccc0cd968d9fb3d01e7b7ffbf3b05cebe |
| SHA256 | 0ce6da02115192a688359299b1a47ce9e6b2a8adf3dfcd92a2467b55d5f3c0aa |
| SHA512 | e9a47c030fa20a8d36f0c47293e547de0e7d978813ebde64f181d76d8606cf629846075ecb5e3a0b9d262a6fba7aeb0caa8fe3006c018de3c2c2ecdbf31c1eb7 |
C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\vs_setup_bootstrapper.config
| MD5 | 0e4ebc00f6099b2e065d9015fb53977d |
| SHA1 | 7542e6ecbd4fe9c018f1875126f72159a14369d8 |
| SHA256 | 2f2975da8453485ddf84221e1e3d6823dcba996a4ce44cd6391cf4d2dd18e828 |
| SHA512 | 2937e89aad01ca30f9aff99f84c33083c7a32ce8534e98a0c5acd8ab3edfeb23d2f6d9d99902ea34857c187ec093f18e833a192f71d29d18a7e378ecf351923e |
C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\vs_setup_bootstrapper.json
| MD5 | ecd028adc95c8ae1a92db26c5fdedb09 |
| SHA1 | a0b505a8ba954147e33542de25fdbd54ef3c5304 |
| SHA256 | 94cdbb8cd5b9fd5e44858efe36e25994c56848fa0e77920c08253f3e3063a2e3 |
| SHA512 | 0df8ace311c4bb75e4e036857828a57a1f76d075fe2056ef44fd9f3d865ab7dbc686c01274627b418a530ba0e761673d29c3f0ee3432887df7465ecfd167b7f6 |
memory/2676-194-0x0000000006130000-0x0000000006152000-memory.dmp
memory/2676-195-0x0000000006160000-0x00000000064B4000-memory.dmp
memory/2676-196-0x0000000006BF0000-0x0000000006C56000-memory.dmp
memory/2676-197-0x0000000007350000-0x00000000073E2000-memory.dmp
memory/2676-198-0x0000000007AA0000-0x0000000008044000-memory.dmp
memory/2676-199-0x00000000079E0000-0x0000000007A9A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e2b6d473a5bf453f22cc0b\vs_bootstrapper_d15\detection.json
| MD5 | 782f4beae90d11351db508f38271eb26 |
| SHA1 | f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c |
| SHA256 | c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9 |
| SHA512 | 0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4 |
memory/2676-203-0x000000000A2E0000-0x000000000A2E8000-memory.dmp
memory/2676-204-0x000000000A360000-0x000000000A368000-memory.dmp
memory/2676-205-0x000000000B8C0000-0x000000000B8F8000-memory.dmp
memory/2676-206-0x000000000A3B0000-0x000000000A3BE000-memory.dmp
memory/2676-213-0x0000000072C6E000-0x0000000072C6F000-memory.dmp
memory/2676-214-0x0000000072C60000-0x0000000073410000-memory.dmp