Analysis Overview
SHA256
810ecbdbb48266d2ea1526e9a5d6cb42b4d9746fe8c0dd93004086925e622224
Threat Level: Shows suspicious behavior
The file 810ecbdbb48266d2ea1526e9a5d6cb42b4d9746fe8c0dd93004086925e622224.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Indicator Removal: File Deletion
Drops file in System32 directory
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 09:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 09:51
Reported
2024-11-13 09:53
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\odbcjt32.exe | C:\Users\Admin\AppData\Local\Temp\810ecbdbb48266d2ea1526e9a5d6cb42b4d9746fe8c0dd93004086925e622224.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\clfsw32.exe | C:\Windows\SysWOW64\kbdtajik.exe | N/A |
| File created | C:\Windows\SysWOW64\cryptsvc.exe | C:\Windows\SysWOW64\kbdfa.exe | N/A |
| File created | C:\Windows\SysWOW64\pcwum.exe | C:\Windows\SysWOW64\vss_ps.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wiadss.exe | C:\Windows\SysWOW64\appidpolicyengineapi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wmpeffects.exe | C:\Windows\SysWOW64\eappcfg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kbdinben.exe | C:\Windows\SysWOW64\msvcr120_clr0400.exe | N/A |
| File created | C:\Windows\SysWOW64\fwremotesvr.exe | C:\Windows\SysWOW64\cpfilters.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pla.exe | C:\Windows\SysWOW64\wsmsvc.exe | N/A |
| File created | C:\Windows\SysWOW64\stobject.exe | C:\Windows\SysWOW64\pla.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wsnmp32.exe | C:\Windows\SysWOW64\itss.exe | N/A |
| File created | C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.exe | C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\portabledevicetypes.exe | C:\Windows\SysWOW64\kbdintam.exe | N/A |
| File created | C:\Windows\SysWOW64\atmfd.exe | C:\Windows\SysWOW64\kbdinben.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msdtcvsp1res.exe | C:\Windows\SysWOW64\msrd2x40.exe | N/A |
| File created | C:\Windows\SysWOW64\cpfilters.exe | C:\Windows\SysWOW64\dnscmmc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\capiprovider.exe | C:\Windows\SysWOW64\kbdpl.exe | N/A |
| File created | C:\Windows\SysWOW64\dwmcore.exe | C:\Windows\SysWOW64\umdmxfrm.exe | N/A |
| File created | C:\Windows\SysWOW64\kbdinben.exe | C:\Windows\SysWOW64\msvcr120_clr0400.exe | N/A |
| File created | C:\Windows\SysWOW64\iscsidsc.exe | C:\Windows\SysWOW64\kbdth0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\certpoleng.exe | C:\Windows\SysWOW64\nlslexicons0046.exe | N/A |
| File created | C:\Windows\SysWOW64\itss.exe | C:\Windows\SysWOW64\kbdlt.exe | N/A |
| File created | C:\Windows\SysWOW64\samlib.exe | C:\Windows\SysWOW64\devicedisplaystatusmanager.exe | N/A |
| File created | C:\Windows\SysWOW64\kbdycl.exe | C:\Windows\SysWOW64\nlsdata003e.exe | N/A |
| File created | C:\Windows\SysWOW64\portabledeviceconnectapi.exe | C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\schannel.exe | C:\Windows\SysWOW64\appidapi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cpfilters.exe | C:\Windows\SysWOW64\dnscmmc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msmpeg2adec.exe | C:\Windows\SysWOW64\winbio.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vss_ps.exe | C:\Windows\SysWOW64\authfwwizfwk.exe | N/A |
| File created | C:\Windows\SysWOW64\iassdo.exe | C:\Windows\SysWOW64\vcomp120.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.exe | C:\Windows\SysWOW64\nlsdata001a.exe | N/A |
| File created | C:\Windows\SysWOW64\msmpeg2adec.exe | C:\Windows\SysWOW64\winbio.exe | N/A |
| File created | C:\Windows\SysWOW64\wsmsvc.exe | C:\Windows\SysWOW64\iscsidsc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spwmp.exe | C:\Windows\SysWOW64\wsnmp32.exe | N/A |
| File created | C:\Windows\SysWOW64\kbdlt.exe | C:\Windows\SysWOW64\certpoleng.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\authfwwizfwk.exe | C:\Windows\SysWOW64\nlslexicons0c1a.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ir32_32.exe | C:\Windows\SysWOW64\dciman32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dwmcore.exe | C:\Windows\SysWOW64\umdmxfrm.exe | N/A |
| File created | C:\Windows\SysWOW64\mfc100ita.exe | C:\Windows\SysWOW64\audiokse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kbdlt.exe | C:\Windows\SysWOW64\fwremotesvr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nlsdata001a.exe | C:\Windows\SysWOW64\oleacchooks.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nlslexicons0046.exe | C:\Windows\SysWOW64\stobject.exe | N/A |
| File created | C:\Windows\SysWOW64\kbdpl.exe | C:\Windows\SysWOW64\davhlpr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eappcfg.exe | C:\Windows\SysWOW64\ir32_32.exe | N/A |
| File created | C:\Windows\SysWOW64\msrd2x40.exe | C:\Windows\SysWOW64\helppaneproxy.exe | N/A |
| File created | C:\Windows\SysWOW64\oleacchooks.exe | C:\Windows\SysWOW64\kbdlt.exe | N/A |
| File created | C:\Windows\SysWOW64\wiadss.exe | C:\Windows\SysWOW64\appidpolicyengineapi.exe | N/A |
| File created | C:\Windows\SysWOW64\eappcfg.exe | C:\Windows\SysWOW64\ir32_32.exe | N/A |
| File created | C:\Windows\SysWOW64\kbdth0.exe | C:\Windows\SysWOW64\dxva2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wsmsvc.exe | C:\Windows\SysWOW64\iscsidsc.exe | N/A |
| File created | C:\Windows\SysWOW64\davhlpr.exe | C:\Windows\SysWOW64\netutils.exe | N/A |
| File created | C:\Windows\SysWOW64\schannel.exe | C:\Windows\SysWOW64\appidapi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kbdfa.exe | C:\Windows\SysWOW64\atmfd.exe | N/A |
| File created | C:\Windows\SysWOW64\devicedisplaystatusmanager.exe | C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\appidpolicyengineapi.exe | C:\Windows\SysWOW64\kbdycl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\devrtl.exe | C:\Windows\SysWOW64\portabledevicetypes.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mssvp.exe | C:\Windows\SysWOW64\pcwum.exe | N/A |
| File created | C:\Windows\SysWOW64\nlsdata001a.exe | C:\Windows\SysWOW64\oleacchooks.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe | C:\Windows\SysWOW64\msmpeg2adec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\samlib.exe | C:\Windows\SysWOW64\devicedisplaystatusmanager.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wsmplpxy.exe | C:\Windows\SysWOW64\devrtl.exe | N/A |
| File created | C:\Windows\SysWOW64\capiprovider.exe | C:\Windows\SysWOW64\kbdpl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc100ita.exe | C:\Windows\SysWOW64\audiokse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dnscmmc.exe | C:\Windows\SysWOW64\msdtcvsp1res.exe | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mfds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msvcr120_clr0400.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\odbcjt32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vcomp120.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\atmfd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wsmplpxy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cpfilters.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\certpoleng.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\portabledeviceconnectapi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mssvp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\iscsidsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\portabledevicetypes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\acctres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\fwremotesvr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wmpeffects.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\devenum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\clfsw32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\stobject.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nlslexicons0046.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\itss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\davhlpr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nlsdata000f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nlslexicons001d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wsmsvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\samcli.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\portabledevicetypes.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\810ecbdbb48266d2ea1526e9a5d6cb42b4d9746fe8c0dd93004086925e622224.exe
"C:\Users\Admin\AppData\Local\Temp\810ecbdbb48266d2ea1526e9a5d6cb42b4d9746fe8c0dd93004086925e622224.exe"
C:\Windows\SysWOW64\odbcjt32.exe
"C:\Windows\system32\odbcjt32.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\810ecbdbb48266d2ea1526e9a5d6cb42b4d9746fe8c0dd93004086925e622224.exe"
C:\Windows\SysWOW64\samcli.exe
"C:\Windows\system32\samcli.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\odbcjt32.exe"
C:\Windows\SysWOW64\mfds.exe
"C:\Windows\system32\mfds.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\samcli.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 800
C:\Windows\SysWOW64\acctres.exe
"C:\Windows\system32\acctres.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\mfds.exe"
C:\Windows\SysWOW64\nlsdata000f.exe
"C:\Windows\system32\nlsdata000f.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\acctres.exe"
C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.exe
"C:\Windows\system32\api-ms-win-core-misc-l1-1-0.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\nlsdata000f.exe"
C:\Windows\SysWOW64\dciman32.exe
"C:\Windows\system32\dciman32.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\api-ms-win-core-misc-l1-1-0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 180
C:\Windows\SysWOW64\ir32_32.exe
"C:\Windows\system32\ir32_32.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\dciman32.exe"
C:\Windows\SysWOW64\eappcfg.exe
"C:\Windows\system32\eappcfg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\ir32_32.exe"
C:\Windows\SysWOW64\wmpeffects.exe
"C:\Windows\system32\wmpeffects.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\eappcfg.exe"
C:\Windows\SysWOW64\umdmxfrm.exe
"C:\Windows\system32\umdmxfrm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmpeffects.exe"
C:\Windows\SysWOW64\dwmcore.exe
"C:\Windows\system32\dwmcore.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\umdmxfrm.exe"
C:\Windows\SysWOW64\vcomp120.exe
"C:\Windows\system32\vcomp120.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\dwmcore.exe"
C:\Windows\SysWOW64\iassdo.exe
"C:\Windows\system32\iassdo.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\vcomp120.exe"
C:\Windows\SysWOW64\audiokse.exe
"C:\Windows\system32\audiokse.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\iassdo.exe"
C:\Windows\SysWOW64\mfc100ita.exe
"C:\Windows\system32\mfc100ita.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\audiokse.exe"
C:\Windows\SysWOW64\fdwcn.exe
"C:\Windows\system32\fdwcn.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\mfc100ita.exe"
C:\Windows\SysWOW64\kbdtajik.exe
"C:\Windows\system32\kbdtajik.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\fdwcn.exe"
C:\Windows\SysWOW64\clfsw32.exe
"C:\Windows\system32\clfsw32.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdtajik.exe"
C:\Windows\SysWOW64\winsyncmetastore.exe
"C:\Windows\system32\winsyncmetastore.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\clfsw32.exe"
C:\Windows\SysWOW64\appidapi.exe
"C:\Windows\system32\appidapi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\winsyncmetastore.exe"
C:\Windows\SysWOW64\schannel.exe
"C:\Windows\system32\schannel.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\appidapi.exe"
C:\Windows\SysWOW64\msvcr120_clr0400.exe
"C:\Windows\system32\msvcr120_clr0400.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\schannel.exe"
C:\Windows\SysWOW64\kbdinben.exe
"C:\Windows\system32\kbdinben.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\msvcr120_clr0400.exe"
C:\Windows\SysWOW64\atmfd.exe
"C:\Windows\system32\atmfd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdinben.exe"
C:\Windows\SysWOW64\kbdfa.exe
"C:\Windows\system32\kbdfa.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\atmfd.exe"
C:\Windows\SysWOW64\cryptsvc.exe
"C:\Windows\system32\cryptsvc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdfa.exe"
C:\Windows\SysWOW64\peerdistsh.exe
"C:\Windows\system32\peerdistsh.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\cryptsvc.exe"
C:\Windows\SysWOW64\helppaneproxy.exe
"C:\Windows\system32\helppaneproxy.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\peerdistsh.exe"
C:\Windows\SysWOW64\msrd2x40.exe
"C:\Windows\system32\msrd2x40.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\helppaneproxy.exe"
C:\Windows\SysWOW64\msdtcvsp1res.exe
"C:\Windows\system32\msdtcvsp1res.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\msrd2x40.exe"
C:\Windows\SysWOW64\dnscmmc.exe
"C:\Windows\system32\dnscmmc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\msdtcvsp1res.exe"
C:\Windows\SysWOW64\cpfilters.exe
"C:\Windows\system32\cpfilters.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\dnscmmc.exe"
C:\Windows\SysWOW64\fwremotesvr.exe
"C:\Windows\system32\fwremotesvr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\cpfilters.exe"
C:\Windows\SysWOW64\kbdlt.exe
"C:\Windows\system32\kbdlt.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\fwremotesvr.exe"
C:\Windows\SysWOW64\oleacchooks.exe
"C:\Windows\system32\oleacchooks.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdlt.exe"
C:\Windows\SysWOW64\nlsdata001a.exe
"C:\Windows\system32\nlsdata001a.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\oleacchooks.exe"
C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.exe
"C:\Windows\system32\api-ms-win-core-timezone-l1-1-0.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\nlsdata001a.exe"
C:\Windows\SysWOW64\nlslexicons001d.exe
"C:\Windows\system32\nlslexicons001d.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\api-ms-win-core-timezone-l1-1-0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 180
C:\Windows\SysWOW64\dxva2.exe
"C:\Windows\system32\dxva2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\nlslexicons001d.exe"
C:\Windows\SysWOW64\kbdth0.exe
"C:\Windows\system32\kbdth0.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\dxva2.exe"
C:\Windows\SysWOW64\iscsidsc.exe
"C:\Windows\system32\iscsidsc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdth0.exe"
C:\Windows\SysWOW64\wsmsvc.exe
"C:\Windows\system32\wsmsvc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\iscsidsc.exe"
C:\Windows\SysWOW64\pla.exe
"C:\Windows\system32\pla.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsmsvc.exe"
C:\Windows\SysWOW64\stobject.exe
"C:\Windows\system32\stobject.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\pla.exe"
C:\Windows\SysWOW64\nlslexicons0046.exe
"C:\Windows\system32\nlslexicons0046.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\stobject.exe"
C:\Windows\SysWOW64\certpoleng.exe
"C:\Windows\system32\certpoleng.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\nlslexicons0046.exe"
C:\Windows\SysWOW64\kbdlt.exe
"C:\Windows\system32\kbdlt.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\certpoleng.exe"
C:\Windows\SysWOW64\itss.exe
"C:\Windows\system32\itss.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdlt.exe"
C:\Windows\SysWOW64\wsnmp32.exe
"C:\Windows\system32\wsnmp32.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\itss.exe"
C:\Windows\SysWOW64\spwmp.exe
"C:\Windows\system32\spwmp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsnmp32.exe"
C:\Windows\SysWOW64\l2nacp.exe
"C:\Windows\system32\l2nacp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\spwmp.exe"
C:\Windows\SysWOW64\winbio.exe
"C:\Windows\system32\winbio.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\l2nacp.exe"
C:\Windows\SysWOW64\msmpeg2adec.exe
"C:\Windows\system32\msmpeg2adec.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\winbio.exe"
C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.exe
"C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\msmpeg2adec.exe"
C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.exe
"C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 180
C:\Windows\SysWOW64\devicedisplaystatusmanager.exe
"C:\Windows\system32\devicedisplaystatusmanager.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 180
C:\Windows\SysWOW64\samlib.exe
"C:\Windows\system32\samlib.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\devicedisplaystatusmanager.exe"
C:\Windows\SysWOW64\nlsdata003e.exe
"C:\Windows\system32\nlsdata003e.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\samlib.exe"
C:\Windows\SysWOW64\kbdycl.exe
"C:\Windows\system32\kbdycl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\nlsdata003e.exe"
C:\Windows\SysWOW64\appidpolicyengineapi.exe
"C:\Windows\system32\appidpolicyengineapi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdycl.exe"
C:\Windows\SysWOW64\wiadss.exe
"C:\Windows\system32\wiadss.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\appidpolicyengineapi.exe"
C:\Windows\SysWOW64\devenum.exe
"C:\Windows\system32\devenum.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wiadss.exe"
C:\Windows\SysWOW64\uexfat.exe
"C:\Windows\system32\uexfat.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\devenum.exe"
C:\Windows\SysWOW64\kbdintam.exe
"C:\Windows\system32\kbdintam.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\uexfat.exe"
C:\Windows\SysWOW64\portabledevicetypes.exe
"C:\Windows\system32\portabledevicetypes.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdintam.exe"
C:\Windows\SysWOW64\devrtl.exe
"C:\Windows\system32\devrtl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\portabledevicetypes.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 896
C:\Windows\SysWOW64\wsmplpxy.exe
"C:\Windows\system32\wsmplpxy.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\devrtl.exe"
C:\Windows\SysWOW64\sdiageng.exe
"C:\Windows\system32\sdiageng.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsmplpxy.exe"
C:\Windows\SysWOW64\netutils.exe
"C:\Windows\system32\netutils.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\sdiageng.exe"
C:\Windows\SysWOW64\davhlpr.exe
"C:\Windows\system32\davhlpr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\netutils.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 892
C:\Windows\SysWOW64\kbdpl.exe
"C:\Windows\system32\kbdpl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\davhlpr.exe"
C:\Windows\SysWOW64\capiprovider.exe
"C:\Windows\system32\capiprovider.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdpl.exe"
C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.exe
"C:\Windows\system32\api-ms-win-core-synch-l1-1-0.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\capiprovider.exe"
C:\Windows\SysWOW64\portabledeviceconnectapi.exe
"C:\Windows\system32\portabledeviceconnectapi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\api-ms-win-core-synch-l1-1-0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 180
C:\Windows\SysWOW64\nlslexicons0c1a.exe
"C:\Windows\system32\nlslexicons0c1a.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\portabledeviceconnectapi.exe"
C:\Windows\SysWOW64\authfwwizfwk.exe
"C:\Windows\system32\authfwwizfwk.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\nlslexicons0c1a.exe"
C:\Windows\SysWOW64\vss_ps.exe
"C:\Windows\system32\vss_ps.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\authfwwizfwk.exe"
C:\Windows\SysWOW64\pcwum.exe
"C:\Windows\system32\pcwum.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\vss_ps.exe"
C:\Windows\SysWOW64\mssvp.exe
"C:\Windows\system32\mssvp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\pcwum.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 800
C:\Windows\SysWOW64\comsvcs.exe
"C:\Windows\system32\comsvcs.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\mssvp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | best-targeted-traffic.com | udp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww38.best-targeted-traffic.com | udp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | www.ip2location.com | udp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww25.best-targeted-traffic.com | udp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww38.best-targeted-traffic.com | udp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | tcp |
Files
memory/1680-0-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1680-14-0x0000000003AC0000-0x0000000003AD3000-memory.dmp
memory/1680-13-0x0000000003AC0000-0x0000000003AD3000-memory.dmp
C:\Windows\SysWOW64\odbcjt32.exe
| MD5 | 2547dc4888a0f7cb8e8a8e9ea2a1ece4 |
| SHA1 | 7420e2b6828aa2d8f2fecad4ac3759d026b2a908 |
| SHA256 | 516c5a7bf27cd1ed7ade834d995bf6787ef87c10e7037010c13f445c53168f29 |
| SHA512 | 7cce1c051ecebdf03bcace21e84a2d9b7cef4871314edcf4d91449a42961764c9b490656be52874662adb5d86de73a9e66bc41f16adc00a3c7a9e88ffc2435ee |
memory/1680-21-0x0000000003B10000-0x0000000003B23000-memory.dmp
memory/1680-24-0x0000000003B10000-0x0000000003B20000-memory.dmp
memory/3008-23-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1680-25-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V96R1K00.txt
| MD5 | 16bf00677f21090f750201f9c2ddf580 |
| SHA1 | d7319b42ed5aee03941f2d47ffbc8eb51f38dceb |
| SHA256 | e33a61790ddda3da484762fe9f1fe128ae704de31c36fab4aaebb0ae8e230b8e |
| SHA512 | 8bf3b113b5db98ed3fcb1476db9a8d2b437ae8f42fa37227e61780de83a3ea87e66aefacd7d4924ecdb8c9f3904e64f4c15f6979b5e7d5fb1ce5b83ef0b0a59c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GR0WMGOA.txt
| MD5 | c7a86b928442801ff2f793266dff14b8 |
| SHA1 | da32fdf4f6a25dd6f79b4d11356fcc10c42ef30b |
| SHA256 | 7d6c7ae683541238805368b3612032314157ebd9d8855ea68026a90532b0404a |
| SHA512 | db1e9ef9202f9c8a000a2d1f30cd23fd40a1ec2ece9fb205189635d7c791f10a891b2899e300d4c5e9dc009ce5e70d4023cca8d48256ea2937c8a0a463c2be8e |
memory/3008-41-0x0000000003E00000-0x0000000003E13000-memory.dmp
memory/3008-40-0x0000000003E00000-0x0000000003E13000-memory.dmp
\Windows\SysWOW64\samcli.exe
| MD5 | eb95ce5e787a7a6913d5ffba09ab7ddd |
| SHA1 | 4994e5cbaa0e03cca64f50ac55bb7e9e5d4b97eb |
| SHA256 | aa57f8a1f776f66b6235af28da1497f6b200777b884d15ad45f726ad84264056 |
| SHA512 | 0e058362d03ffb76ede817ad2b8e8e23de544d4874247e4c19436f3203bbcd4c454d3ec7feba72974d38fbf67422cb80b9ed1fe38b1460ed2b5aa538a6efaed3 |
memory/3008-48-0x0000000003E00000-0x0000000003E13000-memory.dmp
memory/3008-52-0x0000000000400000-0x0000000000413000-memory.dmp
memory/3008-51-0x0000000002510000-0x0000000002520000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CETPJRTS.txt
| MD5 | 980e60057715c2e9924752a1a63fc016 |
| SHA1 | ee96fd0e8bc239eb10fb9420cd8b5493ff8f3bfa |
| SHA256 | ab11d101c6c42e79c4164010b9619fe0a2fa2ce9376b1485a608a2d959bd9908 |
| SHA512 | fd9a01951e5d73ba459f45c03a76085b32a16a73cf982165337cfd53efc3b1ff70ec2e8000578c38927bb1295483cbdc3b0562926d296c6322507d80446ccce2 |
\Windows\SysWOW64\mfds.exe
| MD5 | af50694d4d3262b1020b0d44d79657c2 |
| SHA1 | 3f67e00c4b5c6a39c95205ed807739fe70177d88 |
| SHA256 | 9f6c4ae34786aa289426a8c86a77207935d2cf4ab4a72f7e954437614a2aa2a5 |
| SHA512 | a823fa408c22e990bab90810ce3e24c45499d03245e622a89c845d9eec401a9b5575452b9b75560fe40c4ff4f07cef0c5ae2864772071fb7c228db90762904f7 |
memory/2884-73-0x0000000003BF0000-0x0000000003C03000-memory.dmp
memory/2884-72-0x0000000003BF0000-0x0000000003C03000-memory.dmp
memory/2884-76-0x00000000035E0000-0x00000000035F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\install[1].htm
| MD5 | 9463ba07743e8a9aca3b55373121b7c5 |
| SHA1 | 4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f |
| SHA256 | d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d |
| SHA512 | 6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7 |
\Windows\SysWOW64\acctres.exe
| MD5 | 4f3510d88f634002a8676a493e44a37a |
| SHA1 | 9b6431c9fdec422749a05342debd104ba21ff899 |
| SHA256 | a518c41d273440f30feb66f6b195fa9a2c77fc8bfd4d34eca6c46a9b95499d08 |
| SHA512 | 855c7779a1b6e0bf6181d14a0cebb8037cfe2358371ec572f16b67300a322e8cfb7fa1f0225fe76dfe1f748aa8993ee464a965ae77ff0278e513114866dca627 |
memory/2044-103-0x0000000000400000-0x0000000000413000-memory.dmp
memory/896-102-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2884-99-0x0000000000400000-0x0000000000413000-memory.dmp
memory/896-98-0x0000000003250000-0x0000000003263000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0D8AXKCA.txt
| MD5 | ebfa343f12a042621a161aa41965db1e |
| SHA1 | 405c129082abd328c8f8e3f9e8f54f39c848200c |
| SHA256 | 6ec223b1f600f482c6ec0b7158fccb8e839eb5ee42e9ebb7d94f712d1cb4c309 |
| SHA512 | 06a85f29f2eace94e46ca23e8c116fbc4f35efa03fc9f1f54e199aa21791d3fc869a280b6f69bc37b25453c4308cc43adbe42e0cbae7ad72d5f44f0080cdd342 |
\Windows\SysWOW64\nlsdata000f.exe
| MD5 | 3bb69ed0336011aafe7481572ae69842 |
| SHA1 | d2f0e144dca0191274f8309195c27c293ca814c4 |
| SHA256 | 3f5f8eb34b10b37f112518571aa33950e94ff092a2383e65b55017b769349be0 |
| SHA512 | 565e79c501c24476ab27dcb63e8224aaf86b409aa192a5f556ab7747a25bf4214e62e6cbf85b98846908bd2a1c29d86a4f13f0ff4beaed9a7d74364c451c6cd8 |
memory/2044-122-0x00000000035A0000-0x00000000035B3000-memory.dmp
memory/2044-127-0x00000000035B0000-0x00000000035C0000-memory.dmp
memory/2044-124-0x0000000003B70000-0x0000000003B83000-memory.dmp
memory/2044-123-0x0000000003B70000-0x0000000003B83000-memory.dmp
memory/2044-129-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KABVUVCS.txt
| MD5 | 03e74951e486918146de6a8812decdaa |
| SHA1 | f61314aec08c8990d1ff2daf00bef0471e4538d3 |
| SHA256 | 1fd79da80e4a4b09d1380f8feee093e965e283dccc1dda1dce5baecf9910d146 |
| SHA512 | 81fc11287a83541de2028e5ac746f5961de9d0c9037f8cf5218f6c8378a413c0c2f13b692b8e0b5dd7d9ef1f702c13ce6ebd9ca54da707664e25128ee15dd8bc |
\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.exe
| MD5 | c782d255c5cc473f6002f643538e0a5a |
| SHA1 | ddfa489c6ee7e8433ca6113542179fdcf3dc6f6a |
| SHA256 | 20312dff6c7c864bb5e2db7b0e4ca2833eed85db8c230cb19a4012e16d5eed17 |
| SHA512 | a26e2eaa1c4af5e2f9a3be1c5584d8ef007d1a727c869ce3ba4792f7c726f88611d8aa7672e8a270f877562d047b56d44acf9f2b8e63f963b128b2cde16ca3e5 |
memory/464-151-0x0000000003FE0000-0x0000000003FF3000-memory.dmp
memory/464-150-0x0000000003FE0000-0x0000000003FF3000-memory.dmp
memory/464-143-0x0000000003FE0000-0x0000000003FF3000-memory.dmp
memory/464-142-0x0000000003FE0000-0x0000000003FF3000-memory.dmp
memory/464-155-0x0000000000400000-0x0000000000413000-memory.dmp
memory/464-154-0x0000000003FE0000-0x0000000003FF0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2BTQMWXD.txt
| MD5 | 2c7eed14a6d56abcb747a5575c05f17c |
| SHA1 | 71863779248c118f45920a9c862c3dcfe81dc63e |
| SHA256 | a1bc693294743b5c5d148b55be9ed88cca7d34e61f85322cd20f89ce9aba4324 |
| SHA512 | bc7077f7520cda5b463a814a799cf734a60f307e6ccd03cc668c96f3bf9f1671d8c384a078ef3514680d123b573283b5289c5b021677af8c351a88b896bd0525 |
\Windows\SysWOW64\dciman32.exe
| MD5 | 39a0f29802724917e629efb44f797f0c |
| SHA1 | f0e5517c05bb24a7824793d418aba7bf81e6db69 |
| SHA256 | 2b74659650d4216ca7c7b846b87f8a9ec7088c583ac5717750c90f84d06179ef |
| SHA512 | 155e2f3561e3980431abe098ae0ebe709ec4b4b26b317276004e2688d5d2a2e206d0e9b16d69a9f86ed2fe7f277c00b5c668c7a35564c4a8d3778591f90bf591 |
memory/348-174-0x0000000004120000-0x0000000004133000-memory.dmp
memory/348-175-0x0000000004220000-0x0000000004233000-memory.dmp
memory/348-179-0x0000000004220000-0x0000000004230000-memory.dmp
memory/348-176-0x0000000004220000-0x0000000004233000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QGEWC2ZX.txt
| MD5 | 9d4752b1f2036da9b04ffdc6b125e6d8 |
| SHA1 | e7362b2877002afd314031febb304804142c2059 |
| SHA256 | 275152f6dc24534ca0c8f47bbd67edada460fbc0a5bf938f20a5362d26424c62 |
| SHA512 | f5cf98e81d6803fbf6b82d55cbb2494f106c54e4c98e9e530dd23491a2022fc5718e2396170e15550e0a860b255ca93be281b0a5c0ff8f74fb7e0e2c022a7cd5 |
\Windows\SysWOW64\ir32_32.exe
| MD5 | 7ee7819ffb61d6e6213b73a5fb32e14b |
| SHA1 | 8e9bfa0204516625cae3ccbb9780468af19151e3 |
| SHA256 | bcb17ff9c40ac3f33e2ab2019e2c3582115a2933831d0277e1affab04dbc7d0e |
| SHA512 | 25ca8d7c7557123b6003ba580e8891d483989170c0370c145bc103a2d8712ae4537aa8fce39adda40711ade8dcf5ac4a1c795f8d63e017a9f3cb60e1511d4597 |
memory/2368-196-0x0000000003E80000-0x0000000003E93000-memory.dmp
memory/348-201-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2368-206-0x00000000039A0000-0x00000000039B0000-memory.dmp
memory/2368-202-0x0000000003E80000-0x0000000003E93000-memory.dmp
memory/348-205-0x0000000004220000-0x0000000004233000-memory.dmp
memory/348-204-0x0000000004220000-0x0000000004233000-memory.dmp
memory/348-203-0x0000000004120000-0x0000000004133000-memory.dmp
memory/2368-207-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2400-223-0x0000000003FE0000-0x0000000003FF3000-memory.dmp
memory/2400-222-0x0000000003FE0000-0x0000000003FF3000-memory.dmp
memory/2400-221-0x0000000003EE0000-0x0000000003EF3000-memory.dmp
memory/2400-224-0x0000000004120000-0x0000000004130000-memory.dmp
memory/2400-225-0x0000000000400000-0x0000000000413000-memory.dmp
memory/772-239-0x0000000004030000-0x0000000004043000-memory.dmp
memory/772-238-0x0000000004030000-0x0000000004043000-memory.dmp
memory/772-240-0x0000000003500000-0x0000000003510000-memory.dmp
memory/772-241-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1452-256-0x0000000004140000-0x0000000004153000-memory.dmp
memory/1452-255-0x0000000004140000-0x0000000004153000-memory.dmp
memory/1452-257-0x00000000032C0000-0x00000000032D0000-memory.dmp
memory/1452-258-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2740-269-0x00000000034C0000-0x00000000034D3000-memory.dmp
memory/2740-273-0x0000000003430000-0x0000000003440000-memory.dmp
memory/2740-274-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2768-285-0x0000000004010000-0x0000000004023000-memory.dmp
memory/2768-289-0x0000000004120000-0x0000000004133000-memory.dmp
memory/1872-290-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2768-291-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1872-304-0x00000000033B0000-0x00000000033C3000-memory.dmp
memory/1872-307-0x00000000033B0000-0x00000000033C3000-memory.dmp
memory/1872-306-0x00000000033B0000-0x00000000033C3000-memory.dmp
memory/1872-305-0x00000000033B0000-0x00000000033C3000-memory.dmp
memory/1872-308-0x00000000033B0000-0x00000000033C0000-memory.dmp
memory/1872-309-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1424-323-0x00000000032A0000-0x00000000032B3000-memory.dmp
memory/1424-324-0x0000000003220000-0x0000000003230000-memory.dmp
memory/1424-325-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2984-332-0x00000000040C0000-0x00000000040D3000-memory.dmp
memory/2984-340-0x00000000040C0000-0x00000000040D3000-memory.dmp
memory/2984-341-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1896-355-0x0000000003E80000-0x0000000003E93000-memory.dmp
memory/1896-356-0x0000000003E80000-0x0000000003E93000-memory.dmp
memory/1896-357-0x0000000003560000-0x0000000003570000-memory.dmp
memory/1896-358-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2648-368-0x0000000003E50000-0x0000000003E63000-memory.dmp
memory/2648-372-0x0000000003E50000-0x0000000003E63000-memory.dmp
memory/2648-373-0x0000000003430000-0x0000000003440000-memory.dmp
memory/2648-374-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2660-391-0x0000000003CA0000-0x0000000003CB3000-memory.dmp
memory/2660-390-0x0000000003CA0000-0x0000000003CB3000-memory.dmp
memory/2660-389-0x0000000003CA0000-0x0000000003CB3000-memory.dmp
memory/2660-388-0x0000000003CA0000-0x0000000003CB3000-memory.dmp
memory/2552-392-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2660-393-0x0000000003CA0000-0x0000000003CB0000-memory.dmp
memory/2660-394-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2552-410-0x0000000002330000-0x0000000002343000-memory.dmp
memory/2552-409-0x0000000002330000-0x0000000002343000-memory.dmp
memory/2552-408-0x0000000002320000-0x0000000002333000-memory.dmp
memory/2552-407-0x0000000002320000-0x0000000002333000-memory.dmp
memory/2552-411-0x0000000002330000-0x0000000002340000-memory.dmp
memory/2552-412-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2308-426-0x0000000003600000-0x0000000003613000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 09:51
Reported
2024-11-13 09:53
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\810ecbdbb48266d2ea1526e9a5d6cb42b4d9746fe8c0dd93004086925e622224.exe | N/A |
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\windows.staterepositoryclient.exe | C:\Users\Admin\AppData\Local\Temp\810ecbdbb48266d2ea1526e9a5d6cb42b4d9746fe8c0dd93004086925e622224.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\windows.staterepositoryclient.exe | C:\Users\Admin\AppData\Local\Temp\810ecbdbb48266d2ea1526e9a5d6cb42b4d9746fe8c0dd93004086925e622224.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\810ecbdbb48266d2ea1526e9a5d6cb42b4d9746fe8c0dd93004086925e622224.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3856 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\810ecbdbb48266d2ea1526e9a5d6cb42b4d9746fe8c0dd93004086925e622224.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3856 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\810ecbdbb48266d2ea1526e9a5d6cb42b4d9746fe8c0dd93004086925e622224.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3856 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\810ecbdbb48266d2ea1526e9a5d6cb42b4d9746fe8c0dd93004086925e622224.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\810ecbdbb48266d2ea1526e9a5d6cb42b4d9746fe8c0dd93004086925e622224.exe
"C:\Users\Admin\AppData\Local\Temp\810ecbdbb48266d2ea1526e9a5d6cb42b4d9746fe8c0dd93004086925e622224.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\810ecbdbb48266d2ea1526e9a5d6cb42b4d9746fe8c0dd93004086925e622224.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | best-targeted-traffic.com | udp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww25.best-targeted-traffic.com | udp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | www.ip2location.com | udp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.182.224.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.172.224.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww38.best-targeted-traffic.com | udp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.148.248.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/3856-0-0x0000000000400000-0x0000000000413000-memory.dmp
memory/3856-4-0x0000000000400000-0x0000000000413000-memory.dmp