Analysis Overview
SHA256
6ab0929361ee1a7fdc900bb0f6e50e999183a7c1aef1f44951b7847e86dfd3bc
Threat Level: Known bad
The file 6ab0929361ee1a7fdc900bb0f6e50e999183a7c1aef1f44951b7847e86dfd3bc was found to be: Known bad.
Malicious Activity Summary
Vidar
Detect Vidar Stealer
Lumma Stealer
Stealc
Downloads MZ/PE file
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 10:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 10:01
Reported
2024-07-09 10:04
Platform
win10v2004-20240704-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Stealc
Vidar
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\JJJKEHCAKF.exe | N/A |
| N/A | N/A | C:\ProgramData\KJECFHCBKK.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4728 set thread context of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\6ab0929361ee1a7fdc900bb0f6e50e999183a7c1aef1f44951b7847e86dfd3bc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3464 set thread context of 4340 | N/A | C:\ProgramData\JJJKEHCAKF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4444 set thread context of 1684 | N/A | C:\ProgramData\KJECFHCBKK.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6ab0929361ee1a7fdc900bb0f6e50e999183a7c1aef1f44951b7847e86dfd3bc.exe
"C:\Users\Admin\AppData\Local\Temp\6ab0929361ee1a7fdc900bb0f6e50e999183a7c1aef1f44951b7847e86dfd3bc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\ProgramData\JJJKEHCAKF.exe
"C:\ProgramData\JJJKEHCAKF.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\ProgramData\KJECFHCBKK.exe
"C:\ProgramData\KJECFHCBKK.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CFCBKKKJJJKK" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.131.75:443 | steamcommunity.com | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 8.8.8.8:53 | 75.131.82.104.in-addr.arpa | udp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 8.8.8.8:53 | 167.27.217.95.in-addr.arpa | udp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 77.105.132.27:80 | 77.105.132.27 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 8.8.8.8:53 | stationacutwo.shop | udp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 8.8.8.8:53 | 27.132.105.77.in-addr.arpa | udp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 8.8.8.8:53 | 239.172.67.172.in-addr.arpa | udp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 8.8.8.8:53 | tea.arpdabl.org | udp |
| NL | 185.107.56.204:80 | tea.arpdabl.org | tcp |
| US | 8.8.8.8:53 | survey-smiles.com | udp |
| US | 199.59.243.226:80 | survey-smiles.com | tcp |
| US | 8.8.8.8:53 | 204.56.107.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.131.75:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
memory/4728-0-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
memory/2036-1-0x0000000000400000-0x0000000000648000-memory.dmp
memory/2036-3-0x0000000000400000-0x0000000000648000-memory.dmp
memory/2036-5-0x0000000000400000-0x0000000000648000-memory.dmp
memory/2036-10-0x0000000000400000-0x0000000000648000-memory.dmp
memory/2036-11-0x0000000000400000-0x0000000000648000-memory.dmp
memory/2036-13-0x0000000021ED0000-0x000000002212F000-memory.dmp
memory/2036-27-0x0000000000400000-0x0000000000648000-memory.dmp
memory/2036-42-0x0000000000400000-0x0000000000648000-memory.dmp
memory/2036-44-0x0000000000400000-0x0000000000648000-memory.dmp
memory/2036-45-0x0000000000400000-0x0000000000648000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/2036-69-0x0000000000400000-0x0000000000648000-memory.dmp
memory/2036-70-0x0000000000400000-0x0000000000648000-memory.dmp
C:\ProgramData\JJJKEHCAKF.exe
| MD5 | 5dcb471423fbb62d7c218760aee4936d |
| SHA1 | 7d72a2295639a8702ecdb77cc020b7a9eef48b04 |
| SHA256 | 837340da10b33b25bca1c15db3b273bfde18110b46949e8c545f31756e7b44bd |
| SHA512 | d8febe1cc91bbacd1b0298eb88d0d25f7789ee962f4d4717cb74ca1d1081ecab78a4062923b31386bcae141900ee99c182836e52bbb4b9f362cd8bdf687dc736 |
memory/4340-86-0x0000000000400000-0x000000000044F000-memory.dmp
memory/4340-89-0x0000000000400000-0x000000000044F000-memory.dmp
memory/4340-88-0x0000000000400000-0x000000000044F000-memory.dmp
C:\ProgramData\KJECFHCBKK.exe
| MD5 | 0b4cc01ce62da8ed72b98a896c11c1dd |
| SHA1 | eb87a11df4f7a0066389094ee9ba8a4e189794ad |
| SHA256 | 6ab0929361ee1a7fdc900bb0f6e50e999183a7c1aef1f44951b7847e86dfd3bc |
| SHA512 | b24fb55140210cc3c8d5f2dec84f36314a93397351a7109701b05dcb47cfbaf437c74fcafb551d8a96e845ea656a5c618b4a229c6acba8c2d0ed3849ccc48b8d |
memory/2036-106-0x0000000000400000-0x0000000000648000-memory.dmp
memory/2036-107-0x0000000000400000-0x0000000000648000-memory.dmp
memory/4340-108-0x0000000000400000-0x000000000044F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JYV3O38W\76561199735694209[1].htm
| MD5 | d41546361fc5d8efb9ef0a151ddbc2e4 |
| SHA1 | d43f31db4244c8eda55b91dfd6be25a42a0c3415 |
| SHA256 | b4d2865be2f8c1d9f9cc4011620fa154ca467f68deb664e1763b7de40c880f45 |
| SHA512 | e2d49777b980b7a1810574eb1fa8d37725a1e0629d6e274b3913e106faa80ea3cdc1f179fe7fc66235d049b7dd688e7d743feb6adb9622230eb79fb0417c5104 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
| MD5 | 056c13bb6c143c1af59a3cf11c006aef |
| SHA1 | 8b208f2b1b85a85d0649598bb2cbfee0e3da67b2 |
| SHA256 | 1aa740fa6d2ab0533084abd0184654c1a119b2e4162c9ad52cdb98175611c685 |
| SHA512 | 357ad0708b56a8b73ece6b9935230681afbf6a9e0e31da1e0a26420023fbb8c95206f7967a0d6653d44b0a4f5a09e3cf1b248655a73f1c7f7d724425e6fc7014 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
| MD5 | 1305873efa734e66700f192fa3ba5a71 |
| SHA1 | 89057c196af68b84ca883d9bad0b032f1aa02250 |
| SHA256 | db9a3ea3f1c769d9a03f663b39f11532c57eaa5a63cd9703dea1ff3c78627f80 |
| SHA512 | 6bd0cf4ec9e1cb3d8b03a0edfd39ab0401ef9fb671b9cd9bc59accec55eed1833dfe1a399274da51918e99624529ad3d38c0f101bc2e1ce2d9296bb631162ccf |
memory/1684-113-0x0000000000400000-0x0000000000648000-memory.dmp
memory/1684-114-0x0000000000400000-0x0000000000648000-memory.dmp
memory/1684-115-0x00000000224F0000-0x000000002274F000-memory.dmp
memory/1684-129-0x0000000000400000-0x0000000000648000-memory.dmp
C:\ProgramData\HCBGDGCAAKJE\AKJDAE
| MD5 | 73bd1e15afb04648c24593e8ba13e983 |
| SHA1 | 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91 |
| SHA256 | aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b |
| SHA512 | 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7 |
memory/1684-130-0x0000000000400000-0x0000000000648000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 10:01
Reported
2024-07-09 10:04
Platform
win11-20240704-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\DGDBFBFCBF.exe | N/A |
| N/A | N/A | C:\ProgramData\EGDBAFHJJD.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3468 set thread context of 236 | N/A | C:\Users\Admin\AppData\Local\Temp\6ab0929361ee1a7fdc900bb0f6e50e999183a7c1aef1f44951b7847e86dfd3bc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2056 set thread context of 3216 | N/A | C:\ProgramData\DGDBFBFCBF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1148 set thread context of 1476 | N/A | C:\ProgramData\EGDBAFHJJD.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6ab0929361ee1a7fdc900bb0f6e50e999183a7c1aef1f44951b7847e86dfd3bc.exe
"C:\Users\Admin\AppData\Local\Temp\6ab0929361ee1a7fdc900bb0f6e50e999183a7c1aef1f44951b7847e86dfd3bc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\ProgramData\DGDBFBFCBF.exe
"C:\ProgramData\DGDBFBFCBF.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\ProgramData\EGDBAFHJJD.exe
"C:\ProgramData\EGDBAFHJJD.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GHDBAFIIECBF" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.131.75:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 75.131.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 77.105.132.27:80 | 77.105.132.27 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| NL | 185.107.56.204:80 | tea.arpdabl.org | tcp |
| US | 199.59.243.226:80 | survey-smiles.com | tcp |
| GB | 104.82.131.75:443 | steamcommunity.com | tcp |
| FI | 95.217.27.167:443 | | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
| FI | 95.217.27.167:443 | 95.217.27.167 | tcp |
Files
memory/3468-0-0x0000000000C70000-0x0000000000C71000-memory.dmp
memory/236-1-0x0000000000400000-0x0000000000648000-memory.dmp
memory/236-4-0x0000000000400000-0x0000000000648000-memory.dmp
memory/236-5-0x0000000000400000-0x0000000000648000-memory.dmp
memory/236-12-0x0000000000400000-0x0000000000648000-memory.dmp
memory/236-13-0x0000000000400000-0x0000000000648000-memory.dmp
memory/236-14-0x0000000020010000-0x000000002026F000-memory.dmp
memory/236-29-0x0000000000400000-0x0000000000648000-memory.dmp
memory/236-30-0x0000000000400000-0x0000000000648000-memory.dmp
memory/236-46-0x0000000000400000-0x0000000000648000-memory.dmp
memory/236-47-0x0000000000400000-0x0000000000648000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/236-71-0x0000000000400000-0x0000000000648000-memory.dmp
memory/236-72-0x0000000000400000-0x0000000000648000-memory.dmp
C:\ProgramData\DGDBFBFCBF.exe
| MD5 | 5dcb471423fbb62d7c218760aee4936d |
| SHA1 | 7d72a2295639a8702ecdb77cc020b7a9eef48b04 |
| SHA256 | 837340da10b33b25bca1c15db3b273bfde18110b46949e8c545f31756e7b44bd |
| SHA512 | d8febe1cc91bbacd1b0298eb88d0d25f7789ee962f4d4717cb74ca1d1081ecab78a4062923b31386bcae141900ee99c182836e52bbb4b9f362cd8bdf687dc736 |
memory/3216-88-0x0000000000400000-0x000000000044F000-memory.dmp
memory/2056-89-0x0000000003180000-0x0000000003181000-memory.dmp
memory/3216-91-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3216-92-0x0000000000400000-0x000000000044F000-memory.dmp
C:\ProgramData\EGDBAFHJJD.exe
| MD5 | 0b4cc01ce62da8ed72b98a896c11c1dd |
| SHA1 | eb87a11df4f7a0066389094ee9ba8a4e189794ad |
| SHA256 | 6ab0929361ee1a7fdc900bb0f6e50e999183a7c1aef1f44951b7847e86dfd3bc |
| SHA512 | b24fb55140210cc3c8d5f2dec84f36314a93397351a7109701b05dcb47cfbaf437c74fcafb551d8a96e845ea656a5c618b4a229c6acba8c2d0ed3849ccc48b8d |
memory/1148-102-0x00000000005B0000-0x00000000005B1000-memory.dmp
memory/1476-107-0x0000000000400000-0x0000000000648000-memory.dmp
memory/236-108-0x0000000000400000-0x0000000000648000-memory.dmp
memory/3216-109-0x0000000000400000-0x000000000044F000-memory.dmp
memory/236-110-0x0000000000400000-0x0000000000648000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3DI8KDIS\76561199735694209[1].htm
| MD5 | 07bf77a0f7474d322185fe88161f83c4 |
| SHA1 | e9bf63affe9d6eb2637cd1679807f73abdc3d1c2 |
| SHA256 | 9f9b4785932c65f5846923f163016057edbe25164e32ff219375b28830bc3058 |
| SHA512 | 7381c6ec40691a825affc31421f9fc259ca43653a308c480dc232c5ec217df20994da82569170c53de9b3eeace1ef30fedea7ec7dd2630f120a984fc451b9c73 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
| MD5 | 436645322b97ab0a7d4c76538bbd98b8 |
| SHA1 | e98a886c6727aba5b1d4d24f38481a6d7acef0af |
| SHA256 | 2dbed8545145056f9cf0decef0cd3d60d90709e4b0396d299cd576594ede7045 |
| SHA512 | afcc62be8201880119d7ed25e001c89028cefc1139eca59dd4725cd033d50c548415f492ae53a05186e66c53c4a2517c9e7b541a2d89cb45c02bb056348955e7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
| MD5 | 1305873efa734e66700f192fa3ba5a71 |
| SHA1 | 89057c196af68b84ca883d9bad0b032f1aa02250 |
| SHA256 | db9a3ea3f1c769d9a03f663b39f11532c57eaa5a63cd9703dea1ff3c78627f80 |
| SHA512 | 6bd0cf4ec9e1cb3d8b03a0edfd39ab0401ef9fb671b9cd9bc59accec55eed1833dfe1a399274da51918e99624529ad3d38c0f101bc2e1ce2d9296bb631162ccf |
memory/1476-115-0x0000000000400000-0x0000000000648000-memory.dmp
memory/1476-116-0x0000000000400000-0x0000000000648000-memory.dmp
memory/1476-117-0x000000001FFD0000-0x000000002022F000-memory.dmp
C:\ProgramData\GIIDBGDAFHJD\CFCBFB
| MD5 | 73bd1e15afb04648c24593e8ba13e983 |
| SHA1 | 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91 |
| SHA256 | aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b |
| SHA512 | 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7 |
memory/1476-131-0x0000000000400000-0x0000000000648000-memory.dmp
memory/1476-133-0x0000000000400000-0x0000000000648000-memory.dmp