Analysis Overview
SHA256
6c1047573dbb7a6d5f98f2162467768f6965edc3574a5de1a1295e3655063614
Threat Level: Shows suspicious behavior
The file 6c1047573dbb7a6d5f98f2162467768f6965edc3574a5de1a1295e3655063614N.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Deletes itself
Loads dropped DLL
Checks computer location settings
Indicator Removal: File Deletion
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 10:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 10:54
Reported
2024-11-13 10:56
Platform
win7-20240903-en
Max time kernel
20s
Max time network
132s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\fdeploy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\framedyn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\nlslexicons0018.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ds32gt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\kbdazel.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\nlslexicons0007.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ir41_qcx.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\atmfd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ir50_32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\nlsdata000f.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\iesysprep.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bitsprx2.exe | N/A |
Loads dropped DLL
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\fdeploy.exe | C:\Users\Admin\AppData\Local\Temp\6c1047573dbb7a6d5f98f2162467768f6965edc3574a5de1a1295e3655063614N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nlsdata000f.exe | C:\Windows\SysWOW64\ir50_32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iesysprep.exe | C:\Windows\SysWOW64\nlsdata000f.exe | N/A |
| File created | C:\Windows\SysWOW64\wevtapi.exe | C:\Windows\SysWOW64\bitsprx2.exe | N/A |
| File created | C:\Windows\SysWOW64\ir41_qcx.exe | C:\Windows\SysWOW64\nlslexicons0007.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wevtapi.exe | C:\Windows\SysWOW64\bitsprx2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\framedyn.exe | C:\Windows\SysWOW64\fdeploy.exe | N/A |
| File created | C:\Windows\SysWOW64\ds32gt.exe | C:\Windows\SysWOW64\nlslexicons0018.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ir50_32.exe | C:\Windows\SysWOW64\atmfd.exe | N/A |
| File created | C:\Windows\SysWOW64\nlslexicons0007.exe | C:\Windows\SysWOW64\kbdazel.exe | N/A |
| File created | C:\Windows\SysWOW64\atmfd.exe | C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe | N/A |
| File created | C:\Windows\SysWOW64\ir50_32.exe | C:\Windows\SysWOW64\atmfd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nlslexicons0007.exe | C:\Windows\SysWOW64\kbdazel.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe | C:\Windows\SysWOW64\ir41_qcx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ir41_qcx.exe | C:\Windows\SysWOW64\nlslexicons0007.exe | N/A |
| File created | C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe | C:\Windows\SysWOW64\ir41_qcx.exe | N/A |
| File created | C:\Windows\SysWOW64\bitsprx2.exe | C:\Windows\SysWOW64\iesysprep.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bitsprx2.exe | C:\Windows\SysWOW64\iesysprep.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ds32gt.exe | C:\Windows\SysWOW64\nlslexicons0018.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kbdazel.exe | C:\Windows\SysWOW64\ds32gt.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\atmfd.exe | C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe | N/A |
| File created | C:\Windows\SysWOW64\iesysprep.exe | C:\Windows\SysWOW64\nlsdata000f.exe | N/A |
| File created | C:\Windows\SysWOW64\fdeploy.exe | C:\Users\Admin\AppData\Local\Temp\6c1047573dbb7a6d5f98f2162467768f6965edc3574a5de1a1295e3655063614N.exe | N/A |
| File created | C:\Windows\SysWOW64\framedyn.exe | C:\Windows\SysWOW64\fdeploy.exe | N/A |
| File created | C:\Windows\SysWOW64\nlslexicons0018.exe | C:\Windows\SysWOW64\framedyn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nlslexicons0018.exe | C:\Windows\SysWOW64\framedyn.exe | N/A |
| File created | C:\Windows\SysWOW64\nlsdata000f.exe | C:\Windows\SysWOW64\ir50_32.exe | N/A |
| File created | C:\Windows\SysWOW64\kbdazel.exe | C:\Windows\SysWOW64\ds32gt.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\cmcfg32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ir50_32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nlsdata000f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\kbdazel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsprx2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nlslexicons0018.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ds32gt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nlslexicons0007.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\iesysprep.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\fdeploy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ir41_qcx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6c1047573dbb7a6d5f98f2162467768f6965edc3574a5de1a1295e3655063614N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\framedyn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\atmfd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6c1047573dbb7a6d5f98f2162467768f6965edc3574a5de1a1295e3655063614N.exe
"C:\Users\Admin\AppData\Local\Temp\6c1047573dbb7a6d5f98f2162467768f6965edc3574a5de1a1295e3655063614N.exe"
C:\Windows\SysWOW64\fdeploy.exe
"C:\Windows\system32\fdeploy.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\6c1047573dbb7a6d5f98f2162467768f6965edc3574a5de1a1295e3655063614N.exe"
C:\Windows\SysWOW64\framedyn.exe
"C:\Windows\system32\framedyn.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\fdeploy.exe"
C:\Windows\SysWOW64\nlslexicons0018.exe
"C:\Windows\system32\nlslexicons0018.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\framedyn.exe"
C:\Windows\SysWOW64\ds32gt.exe
"C:\Windows\system32\ds32gt.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\nlslexicons0018.exe"
C:\Windows\SysWOW64\kbdazel.exe
"C:\Windows\system32\kbdazel.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\ds32gt.exe"
C:\Windows\SysWOW64\nlslexicons0007.exe
"C:\Windows\system32\nlslexicons0007.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdazel.exe"
C:\Windows\SysWOW64\ir41_qcx.exe
"C:\Windows\system32\ir41_qcx.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\nlslexicons0007.exe"
C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe
"C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\ir41_qcx.exe"
C:\Windows\SysWOW64\atmfd.exe
"C:\Windows\system32\atmfd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.exe"
C:\Windows\SysWOW64\ir50_32.exe
"C:\Windows\system32\ir50_32.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\atmfd.exe"
C:\Windows\SysWOW64\nlsdata000f.exe
"C:\Windows\system32\nlsdata000f.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\ir50_32.exe"
C:\Windows\SysWOW64\iesysprep.exe
"C:\Windows\system32\iesysprep.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\nlsdata000f.exe"
C:\Windows\SysWOW64\bitsprx2.exe
"C:\Windows\system32\bitsprx2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\iesysprep.exe"
C:\Windows\SysWOW64\wevtapi.exe
"C:\Windows\system32\wevtapi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\bitsprx2.exe"
C:\Windows\SysWOW64\neth.exe
"C:\Windows\system32\neth.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wevtapi.exe"
C:\Windows\SysWOW64\inseng.exe
"C:\Windows\system32\inseng.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\neth.exe"
C:\Windows\SysWOW64\lpk.exe
"C:\Windows\system32\lpk.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\inseng.exe"
C:\Windows\SysWOW64\d3d10_1.exe
"C:\Windows\system32\d3d10_1.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\lpk.exe"
C:\Windows\SysWOW64\dciman32.exe
"C:\Windows\system32\dciman32.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\d3d10_1.exe"
C:\Windows\SysWOW64\bwcontexthandler.exe
"C:\Windows\system32\bwcontexthandler.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\dciman32.exe"
C:\Windows\SysWOW64\kbdinori.exe
"C:\Windows\system32\kbdinori.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\bwcontexthandler.exe"
C:\Windows\SysWOW64\stclient.exe
"C:\Windows\system32\stclient.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdinori.exe"
C:\Windows\SysWOW64\msdadiag.exe
"C:\Windows\system32\msdadiag.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\stclient.exe"
C:\Windows\SysWOW64\kbdbgph1.exe
"C:\Windows\system32\kbdbgph1.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\msdadiag.exe"
C:\Windows\SysWOW64\kbdth0.exe
"C:\Windows\system32\kbdth0.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdbgph1.exe"
C:\Windows\SysWOW64\sti.exe
"C:\Windows\system32\sti.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdth0.exe"
C:\Windows\SysWOW64\scarddlg.exe
"C:\Windows\system32\scarddlg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\sti.exe"
C:\Windows\SysWOW64\mfc100fra.exe
"C:\Windows\system32\mfc100fra.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\scarddlg.exe"
C:\Windows\SysWOW64\kbdinbe1.exe
"C:\Windows\system32\kbdinbe1.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\mfc100fra.exe"
C:\Windows\SysWOW64\kbdsmsno.exe
"C:\Windows\system32\kbdsmsno.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdinbe1.exe"
C:\Windows\SysWOW64\tsworkspace.exe
"C:\Windows\system32\tsworkspace.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdsmsno.exe"
C:\Windows\SysWOW64\actioncenter.exe
"C:\Windows\system32\actioncenter.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\tsworkspace.exe"
C:\Windows\SysWOW64\kbdtajik.exe
"C:\Windows\system32\kbdtajik.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\actioncenter.exe"
C:\Windows\SysWOW64\ndfetw.exe
"C:\Windows\system32\ndfetw.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdtajik.exe"
C:\Windows\SysWOW64\glu32.exe
"C:\Windows\system32\glu32.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\ndfetw.exe"
C:\Windows\SysWOW64\dinput.exe
"C:\Windows\system32\dinput.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\glu32.exe"
C:\Windows\SysWOW64\xpsrasterservice.exe
"C:\Windows\system32\xpsrasterservice.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\dinput.exe"
C:\Windows\SysWOW64\oleaut32.exe
"C:\Windows\system32\oleaut32.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\xpsrasterservice.exe"
C:\Windows\SysWOW64\kbdpo.exe
"C:\Windows\system32\kbdpo.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\oleaut32.exe"
C:\Windows\SysWOW64\dmrc.exe
"C:\Windows\system32\dmrc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdpo.exe"
C:\Windows\SysWOW64\kbdcr.exe
"C:\Windows\system32\kbdcr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\dmrc.exe"
C:\Windows\SysWOW64\devmgr.exe
"C:\Windows\system32\devmgr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdcr.exe"
C:\Windows\SysWOW64\wmpencen.exe
"C:\Windows\system32\wmpencen.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\devmgr.exe"
C:\Windows\SysWOW64\msieftp.exe
"C:\Windows\system32\msieftp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmpencen.exe"
C:\Windows\SysWOW64\console.exe
"C:\Windows\system32\console.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\msieftp.exe"
C:\Windows\SysWOW64\nci.exe
"C:\Windows\system32\nci.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\console.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1809346686217281912-1154530889-18416250302691622611559537168140216277-1497360474"
C:\Windows\SysWOW64\devicepairingfolder.exe
"C:\Windows\system32\devicepairingfolder.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\nci.exe"
C:\Windows\SysWOW64\unimdmat.exe
"C:\Windows\system32\unimdmat.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\devicepairingfolder.exe"
C:\Windows\SysWOW64\wvc.exe
"C:\Windows\system32\wvc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\unimdmat.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Windows\SysWOW64\winsyncproviders.exe
"C:\Windows\system32\winsyncproviders.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvc.exe"
C:\Windows\SysWOW64\kbdsg.exe
"C:\Windows\system32\kbdsg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\winsyncproviders.exe"
C:\Windows\SysWOW64\perfcentercpl.exe
"C:\Windows\system32\perfcentercpl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdsg.exe"
C:\Windows\SysWOW64\mmcshext.exe
"C:\Windows\system32\mmcshext.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\perfcentercpl.exe"
C:\Windows\SysWOW64\iscsied.exe
"C:\Windows\system32\iscsied.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\mmcshext.exe"
C:\Windows\SysWOW64\chtbrkr.exe
"C:\Windows\system32\chtbrkr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\iscsied.exe"
C:\Windows\SysWOW64\msjtes40.exe
"C:\Windows\system32\msjtes40.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\chtbrkr.exe"
C:\Windows\SysWOW64\wlansec.exe
"C:\Windows\system32\wlansec.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\msjtes40.exe"
C:\Windows\SysWOW64\mfds.exe
"C:\Windows\system32\mfds.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlansec.exe"
C:\Windows\SysWOW64\mfc110esn.exe
"C:\Windows\system32\mfc110esn.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\mfds.exe"
C:\Windows\SysWOW64\wsecedit.exe
"C:\Windows\system32\wsecedit.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\mfc110esn.exe"
C:\Windows\SysWOW64\quartz.exe
"C:\Windows\system32\quartz.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wsecedit.exe"
C:\Windows\SysWOW64\rasadhlp.exe
"C:\Windows\system32\rasadhlp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\quartz.exe"
C:\Windows\SysWOW64\oledlg.exe
"C:\Windows\system32\oledlg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\rasadhlp.exe"
C:\Windows\SysWOW64\mscories.exe
"C:\Windows\system32\mscories.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\oledlg.exe"
C:\Windows\SysWOW64\dmloader.exe
"C:\Windows\system32\dmloader.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\mscories.exe"
C:\Windows\SysWOW64\wpdsp.exe
"C:\Windows\system32\wpdsp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\dmloader.exe"
C:\Windows\SysWOW64\kbdsg.exe
"C:\Windows\system32\kbdsg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wpdsp.exe"
C:\Windows\SysWOW64\dmvdsitf.exe
"C:\Windows\system32\dmvdsitf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdsg.exe"
C:\Windows\SysWOW64\adprovider.exe
"C:\Windows\system32\adprovider.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\dmvdsitf.exe"
C:\Windows\SysWOW64\framedynos.exe
"C:\Windows\system32\framedynos.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\adprovider.exe"
C:\Windows\SysWOW64\ndfhcdiscovery.exe
"C:\Windows\system32\ndfhcdiscovery.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\framedynos.exe"
C:\Windows\SysWOW64\kbdvntc.exe
"C:\Windows\system32\kbdvntc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\ndfhcdiscovery.exe"
C:\Windows\SysWOW64\kbdal.exe
"C:\Windows\system32\kbdal.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdvntc.exe"
C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.exe
"C:\Windows\system32\api-ms-win-core-profile-l1-1-0.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdal.exe"
C:\Windows\SysWOW64\twext.exe
"C:\Windows\system32\twext.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\api-ms-win-core-profile-l1-1-0.exe"
C:\Windows\SysWOW64\msorcl32.exe
"C:\Windows\system32\msorcl32.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\twext.exe"
C:\Windows\SysWOW64\cmcfg32.exe
"C:\Windows\system32\cmcfg32.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\msorcl32.exe"
C:\Windows\SysWOW64\winusb.exe
"C:\Windows\system32\winusb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\cmcfg32.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 812
C:\Windows\SysWOW64\apphelp.exe
"C:\Windows\system32\apphelp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\winusb.exe"
C:\Windows\SysWOW64\scripto.exe
"C:\Windows\system32\scripto.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\apphelp.exe"
C:\Windows\SysWOW64\netutils.exe
"C:\Windows\system32\netutils.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\scripto.exe"
C:\Windows\SysWOW64\wdi.exe
"C:\Windows\system32\wdi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\netutils.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | best-targeted-traffic.com | udp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww25.best-targeted-traffic.com | udp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | www.ip2location.com | udp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww38.best-targeted-traffic.com | udp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww38.best-targeted-traffic.com | udp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 76.223.26.96:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
Files
memory/2260-0-0x0000000000400000-0x0000000000413000-memory.dmp
\Windows\SysWOW64\fdeploy.exe
| MD5 | 747a17c92da6bcb67d6e68cb41472074 |
| SHA1 | a81c70a350e35b3d10ea0027e6d9034ffd524402 |
| SHA256 | d60b7e00786a618edaba8da79ddb98fa71b483ac9e73760550859e0e88e6d78f |
| SHA512 | 9a5cc7006df519def6b7ca4baf71fd9fb2b4ef2d755e236a554b94ea96c69aae719c680c4510cadab52de416744df572f8b0b47dae93ea5bca0cbdcde18b07d9 |
memory/2260-21-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2260-20-0x0000000002440000-0x0000000002450000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0BL4HFHD.txt
| MD5 | 0b71313278d7485199492d44916ed962 |
| SHA1 | 2a78d78145810b74dfcd6cb0e27457e626da1718 |
| SHA256 | e05b238fa5bee1129038430ad5d3cc9943a51c5c2957a087dbef98d677c19910 |
| SHA512 | 1e8239e37fe50fdeed481a093e4ab310552931e8cf51afa4e604fdee9aca95ef10e5a7da86c5b8ec2b445ba4c9bcd0a6fb4085381568d1ca15b04070b9fc9ef9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0KH2P5GH.txt
| MD5 | 0a12f388b0b3220eb2ae9adddcb1fc61 |
| SHA1 | a68a70d2ec0b93dafba61e8b09b31e0f3c3bcdf7 |
| SHA256 | 1cf7467cc2f7578debef725069dae849462708f0a7ee3830b13b2607cfbefa98 |
| SHA512 | ba69aa0a24863c5e735b39798f19de1f69f9cb35d350276fd9fe57ee7a59b2d67f08669eaff3791063b88bdf273a581165e256de9d7c42ed688bc989cd25dd3a |
\Windows\SysWOW64\framedyn.exe
| MD5 | 8633ef5b7146317c0df63c57cf77ba4d |
| SHA1 | 41f67dbaf2062be423da5072131e63b44a1b7860 |
| SHA256 | fafe8d7de62de0bbda3f9936f9c8c6ba6b385e28cdcac3708d569008db136882 |
| SHA512 | 8e36851dd2bb8cc18eedf7b10c1d41ff4d534fae5bc6d7713a5235e386b18544d038b1507cc06d14994cd5ef72cd929d4029e5905267969e5b2cb5944ac5c1fd |
memory/2788-47-0x00000000031E0000-0x00000000031F0000-memory.dmp
memory/2788-48-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2788-44-0x00000000031E0000-0x00000000031F3000-memory.dmp
memory/2788-43-0x00000000031E0000-0x00000000031F3000-memory.dmp
memory/2788-37-0x00000000031E0000-0x00000000031F3000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4L749N25.txt
| MD5 | 80e63b91c1971ba00f7b4af76fcb111f |
| SHA1 | f0ad6f7c5bae63093a2a60d11d3138d24cc45407 |
| SHA256 | 6cc94283451106341946a1d9d404d29ed13e3b17c6f4c6c90fc654628c9ebd8c |
| SHA512 | 0b32f446fc3027c329636854480362b93ad03a59e565de74c2af706520d5263928be75fb71fd4ca24d26b0236d3aaefc736a30e7b2a451bd3baf027b5433713f |
\Windows\SysWOW64\nlslexicons0018.exe
| MD5 | fd03f297d9976e224dec013df6b40d60 |
| SHA1 | b78cd6aaf14487aac4309787a4eae09e874952ad |
| SHA256 | c6ea1d472b19283d2c0c212209a4173a32c2e4d2d292f6c052081639825363ba |
| SHA512 | 1792f0d75fbcda67cbf8ef2d7e4da1eb35f05386fca6043ab432bd86c299adcb969bed27685524bb1a7733f0beb51c9fa344a7bac2cc639abb4c61b68df7b92f |
memory/3040-72-0x0000000000400000-0x0000000000413000-memory.dmp
memory/3040-69-0x00000000035C0000-0x00000000035D3000-memory.dmp
memory/3040-63-0x0000000003590000-0x00000000035A3000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QIWKY297.txt
| MD5 | 819f9667bb90727c1d3d449aa3230a16 |
| SHA1 | 05fe546e085f43da7322ac615cd7f82034fbedec |
| SHA256 | 8806e79eaace4227d4863dd7ca9d31c66f36c3ebfa9e755d20fd19a7e2656e3b |
| SHA512 | 949500a11fb7ee4560605e63de52acd54096f40b767f367a39c846a39eb4c39e448dee51af43713ba1d0731fb4c261c546f35f1c5e0464a161753e26c93b41a1 |
\Windows\SysWOW64\ds32gt.exe
| MD5 | 7b71efc0250d4489f8916f9b3e641f0d |
| SHA1 | 00cbdb278739b6e810997cd88da057bbfee0dec1 |
| SHA256 | 1e28e6b419b468e83394f8dd9f3cb55e8d588aece346c8dddca6ed75e1101325 |
| SHA512 | 2eb5d92072841819dfafe11d1a537c9d7e04619937d105586ce99ab4d9ff85e9a5d81662202d905fa37c5ea556db873f567d7ff36dec15748926be3ed9a6ea52 |
memory/1964-93-0x0000000003790000-0x00000000037A3000-memory.dmp
memory/1964-97-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1964-96-0x0000000003790000-0x00000000037A0000-memory.dmp
memory/1964-92-0x0000000003790000-0x00000000037A3000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9N5FD8VV.txt
| MD5 | 36553a7d121de922133128b4e146ff86 |
| SHA1 | d0e3f6a8da7fcc358b85510b85017479f5bfae1f |
| SHA256 | e20189e62b455cfe1b5b3152eacaa054eaccad58ebe71123165edc9ae02a2b49 |
| SHA512 | a15ca56bac90fe7bf95f9a0a0ceca1032d6026d541c6044c1b3aeb69240e7c1b9a8d853ae969c7f49879850a35ad695622fc0b8c14ac39f3bf077eb816aa58b8 |
\Windows\SysWOW64\kbdazel.exe
| MD5 | 468b65cf00a0789bb86c7e85eb0754aa |
| SHA1 | a720cb7bc83704836d48cf94e8eb98d8984c3607 |
| SHA256 | 4ab95f2e780288ad983f991155ac9a56447930917ab1b858605397c54b1b2376 |
| SHA512 | 2bb1dbf71729d0ee2c8267aee23e93872430b069fa48bafe7c6177467758fd395418a8a2f01dc89ef365d0a164b3c120ccecb81001225bc68d27ee1b77c441f2 |
memory/1624-119-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1624-109-0x0000000004020000-0x0000000004033000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1DLIZ31I.txt
| MD5 | 9ead613d0981a7161167d055b8bba70f |
| SHA1 | 1209a23a5ef48be3f36c229ceb04da472ecd41ca |
| SHA256 | cc40c6864a1b4f4b6869d7647a83e0bc82051e2a9b7fc636bbc3f063d64d4029 |
| SHA512 | 7dbde8263692ed4d4aa503eaa855073c126e7cbfdaf278d752c2e8441d8465ebaec53133a03ca63e9e0316a2294fef9eca39c48c96a1aff197d8713f5c9c10b6 |
\Windows\SysWOW64\nlslexicons0007.exe
| MD5 | 8adcd275f22ac45ad177b6f62f7c2fbc |
| SHA1 | 91fa33bfbaf47dd1b2a65a8f6deb83c104943387 |
| SHA256 | 1709106f8087718606dce8860f9d62411a3f952184fc3c414d20f80666ea510a |
| SHA512 | 2997ad513e0789c0265adb6106c035d0f678309579a09d57a80f95bb181a91c28fc6d304bff29c4df150d16799944e37b6aa6bb5aed6375477c66a38dee53565 |
memory/1100-144-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1100-141-0x0000000003DE0000-0x0000000003DF3000-memory.dmp
memory/1100-140-0x0000000003DE0000-0x0000000003DF3000-memory.dmp
memory/1100-134-0x0000000003DE0000-0x0000000003DF3000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\01LB6K3J\install[1].htm
| MD5 | 9463ba07743e8a9aca3b55373121b7c5 |
| SHA1 | 4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f |
| SHA256 | d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d |
| SHA512 | 6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7 |
memory/564-163-0x0000000004240000-0x0000000004253000-memory.dmp
C:\Windows\SysWOW64\ir41_qcx.exe
| MD5 | d6490baa06efdb9e06fe61833d45ae71 |
| SHA1 | 98495a0aa19b527ee882781287654fe2a41efb9a |
| SHA256 | 838b1a06fe248ef214262e4f22a761d260cfd9d485bbcc762f1a88a10e643dd8 |
| SHA512 | ec2544b248394ae9c01545538d3352713c7f3c2b069d6b5dbc87ab0b81be8969d2ace52abbc99fdf2cfe00fb3f0c75d599ae21e247998344d1b24ace08677d11 |
memory/564-168-0x0000000000400000-0x0000000000413000-memory.dmp
memory/564-167-0x00000000023D0000-0x00000000023E0000-memory.dmp
memory/1296-166-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NAAR1IRX.txt
| MD5 | 35f0b951c4993542271e97a17aa79f83 |
| SHA1 | 143c7789588f719473f0a1086fd273deee41b38e |
| SHA256 | b66f1f88682c1fea5d8957624fcbf27f52d28fbf6ea369ffd34c06d159dc2ad8 |
| SHA512 | 203f744e2fb73a0ef2bd0dc6906295bd1f5da385df554f5eca3f9c3c186536399e0947f553ea08fc1100448d88144babfca3a2c973c62729657728a5ba3a94f2 |
\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.exe
| MD5 | ae242c89dde0b6d115b0cd348bc4d826 |
| SHA1 | b4377d7aa6392971e838785fad566ebaff8f71f6 |
| SHA256 | 001157f1351aff85bdf4a820261f85a335f7392e17bfbcd6b71b82bd9b66b243 |
| SHA512 | bc3dc423580f2e9f383f1693dabc3374fa60d50c05ebb3b97eab1b5ec72d583cfa293559e19ae8c6ed44e8bb5017e216aa5a4bd11be78db05fe170bf42ec2fa0 |
memory/1296-188-0x0000000003370000-0x0000000003383000-memory.dmp
memory/1296-191-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1296-182-0x0000000003370000-0x0000000003383000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1TJW0BV0.txt
| MD5 | 3629e61cbfd298f0adae09aea303fd04 |
| SHA1 | 8659dba99d50362acd3b1928347572c67cec4f69 |
| SHA256 | ccaf0289c96d8816f9cfbba6135021cab1f01df8b13105c26d4f7c60bba7a59d |
| SHA512 | 88bc0a17a7287350bbf6859545a2c97fd79d9062888a0dc2135e386feac785d8734bac0c43388216cedf467d95c911057b9f067769ea33137b67691887776a52 |
memory/1580-212-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1580-211-0x0000000000C50000-0x0000000000C60000-memory.dmp
memory/1580-210-0x0000000003400000-0x0000000003413000-memory.dmp
memory/1580-209-0x0000000003400000-0x0000000003413000-memory.dmp
memory/1580-204-0x0000000000C40000-0x0000000000C53000-memory.dmp
\Windows\SysWOW64\atmfd.exe
| MD5 | e3d816d6c4fde222c584b3abb3def12e |
| SHA1 | e39bb3c5cb3d5f26162f2f5b5838522221a268f3 |
| SHA256 | 61772203535b06574aebe595e5d415eb35ff133211786129f06388036c5830a3 |
| SHA512 | ab7db348d35c42e58b629b6e9b71c1fa9f5f7eb916eb370fbd4a5bf40818695aa87771d5d7f68d2804429a7ca6b635080767125aec040383f30a4b7c514a0f17 |
memory/2636-225-0x00000000032B0000-0x00000000032C0000-memory.dmp
memory/2636-226-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2644-243-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2644-242-0x00000000034A0000-0x00000000034B0000-memory.dmp
memory/1900-241-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2644-240-0x0000000003630000-0x0000000003643000-memory.dmp
memory/2644-239-0x0000000003630000-0x0000000003643000-memory.dmp
memory/1900-258-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1900-257-0x0000000003EF0000-0x0000000003F03000-memory.dmp
memory/2036-274-0x0000000004020000-0x0000000004033000-memory.dmp
memory/2036-273-0x0000000004020000-0x0000000004033000-memory.dmp
memory/2036-268-0x0000000004010000-0x0000000004023000-memory.dmp
memory/2036-275-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2848-291-0x0000000004120000-0x0000000004130000-memory.dmp
memory/2848-292-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2848-290-0x0000000004120000-0x0000000004133000-memory.dmp
memory/2848-285-0x0000000004010000-0x0000000004023000-memory.dmp
memory/2176-307-0x00000000035A0000-0x00000000035B3000-memory.dmp
memory/2176-306-0x00000000035A0000-0x00000000035B3000-memory.dmp
memory/2176-308-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1764-324-0x0000000002550000-0x0000000002563000-memory.dmp
memory/1764-325-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1764-323-0x0000000002550000-0x0000000002563000-memory.dmp
memory/1764-319-0x0000000002550000-0x0000000002563000-memory.dmp
memory/604-335-0x0000000003FD0000-0x0000000003FE3000-memory.dmp
memory/604-340-0x0000000003FE0000-0x0000000003FF3000-memory.dmp
memory/604-339-0x0000000003FE0000-0x0000000003FF3000-memory.dmp
memory/604-342-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1848-341-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1848-352-0x0000000003A30000-0x0000000003A43000-memory.dmp
memory/1848-357-0x0000000003A30000-0x0000000003A43000-memory.dmp
memory/1848-359-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1848-358-0x0000000003130000-0x0000000003140000-memory.dmp
memory/2704-367-0x0000000003F10000-0x0000000003F23000-memory.dmp
memory/2704-374-0x0000000004010000-0x0000000004023000-memory.dmp
memory/2704-375-0x00000000032F0000-0x0000000003300000-memory.dmp
memory/2704-376-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2788-388-0x0000000003ED0000-0x0000000003EE3000-memory.dmp
memory/2788-390-0x0000000003EE0000-0x0000000003EF0000-memory.dmp
memory/2788-391-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2376-407-0x00000000033A0000-0x00000000033B3000-memory.dmp
memory/2376-408-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2376-406-0x00000000033A0000-0x00000000033B3000-memory.dmp
memory/2376-401-0x00000000033A0000-0x00000000033B3000-memory.dmp
memory/2168-419-0x0000000003E60000-0x0000000003E73000-memory.dmp
memory/2168-424-0x0000000003E70000-0x0000000003E83000-memory.dmp
memory/2168-426-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2168-425-0x0000000003E70000-0x0000000003E80000-memory.dmp
memory/2168-423-0x0000000003E70000-0x0000000003E83000-memory.dmp
memory/2188-441-0x0000000003570000-0x0000000003583000-memory.dmp
memory/2188-437-0x0000000003570000-0x0000000003583000-memory.dmp
memory/2188-442-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2020-452-0x00000000032A0000-0x00000000032B3000-memory.dmp
memory/2020-457-0x0000000003380000-0x0000000003393000-memory.dmp
memory/2020-456-0x0000000003380000-0x0000000003393000-memory.dmp
memory/2020-458-0x00000000032B0000-0x00000000032C0000-memory.dmp
memory/2020-459-0x0000000000400000-0x0000000000413000-memory.dmp
memory/3008-468-0x0000000003280000-0x0000000003293000-memory.dmp
memory/3008-475-0x0000000003280000-0x0000000003293000-memory.dmp
memory/3008-476-0x0000000000400000-0x0000000000413000-memory.dmp
memory/3008-473-0x0000000003280000-0x0000000003293000-memory.dmp
memory/1752-491-0x0000000003DB0000-0x0000000003DC3000-memory.dmp
memory/1752-490-0x0000000003DB0000-0x0000000003DC3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 10:54
Reported
2024-11-13 10:56
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
96s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6c1047573dbb7a6d5f98f2162467768f6965edc3574a5de1a1295e3655063614N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\msrating.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\credprovdatamodel.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\dmiso8601utils.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mp43decd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wlidprov.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rdpsharercom.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\vcamp110.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msrating.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\credprovdatamodel.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dmiso8601utils.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mp43decd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wlidprov.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rdpsharercom.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vcamp110.exe | N/A |
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\wlidprov.exe | C:\Windows\SysWOW64\mp43decd.exe | N/A |
| File created | C:\Windows\SysWOW64\vcamp110.exe | C:\Windows\SysWOW64\rdpsharercom.exe | N/A |
| File created | C:\Windows\SysWOW64\rdpsharercom.exe | C:\Windows\SysWOW64\wlidprov.exe | N/A |
| File created | C:\Windows\SysWOW64\mp43decd.exe | C:\Windows\SysWOW64\dmiso8601utils.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wlidprov.exe | C:\Windows\SysWOW64\mp43decd.exe | N/A |
| File created | C:\Windows\SysWOW64\credprovdatamodel.exe | C:\Windows\SysWOW64\msrating.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\credprovdatamodel.exe | C:\Windows\SysWOW64\msrating.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rdpsharercom.exe | C:\Windows\SysWOW64\wlidprov.exe | N/A |
| File created | C:\Windows\SysWOW64\windows.ui.xaml.maps.exe | C:\Windows\SysWOW64\vcamp110.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\windows.ui.xaml.maps.exe | C:\Windows\SysWOW64\vcamp110.exe | N/A |
| File created | C:\Windows\SysWOW64\msrating.exe | C:\Users\Admin\AppData\Local\Temp\6c1047573dbb7a6d5f98f2162467768f6965edc3574a5de1a1295e3655063614N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msrating.exe | C:\Users\Admin\AppData\Local\Temp\6c1047573dbb7a6d5f98f2162467768f6965edc3574a5de1a1295e3655063614N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mp43decd.exe | C:\Windows\SysWOW64\dmiso8601utils.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vcamp110.exe | C:\Windows\SysWOW64\rdpsharercom.exe | N/A |
| File created | C:\Windows\SysWOW64\dmiso8601utils.exe | C:\Windows\SysWOW64\credprovdatamodel.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dmiso8601utils.exe | C:\Windows\SysWOW64\credprovdatamodel.exe | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mp43decd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6c1047573dbb7a6d5f98f2162467768f6965edc3574a5de1a1295e3655063614N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msrating.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\credprovdatamodel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vcamp110.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wlidprov.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rdpsharercom.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dmiso8601utils.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\6c1047573dbb7a6d5f98f2162467768f6965edc3574a5de1a1295e3655063614N.exe | "C:\Users\Admin\AppData\Local\Temp\6c1047573dbb7a6d5f98f2162467768f6965edc3574a5de1a1295e3655063614N.exe" |
| C:\Windows\SysWOW64\msrating.exe | "C:\Windows\system32\msrating.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\6c1047573dbb7a6d5f98f2162467768f6965edc3574a5de1a1295e3655063614N.exe" |
| C:\Windows\SysWOW64\credprovdatamodel.exe | "C:\Windows\system32\credprovdatamodel.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\msrating.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2064 -ip 2064 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1148 |
| C:\Windows\SysWOW64\dmiso8601utils.exe | "C:\Windows\system32\dmiso8601utils.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\credprovdatamodel.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4204 -ip 4204 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 1664 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4204 -ip 4204 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 1360 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4204 -ip 4204 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 504 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4204 -ip 4204 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 1448 |
| C:\Windows\SysWOW64\mp43decd.exe | "C:\Windows\system32\mp43decd.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\dmiso8601utils.exe" |
| C:\Windows\SysWOW64\wlidprov.exe | "C:\Windows\system32\wlidprov.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\mp43decd.exe" |
| C:\Windows\SysWOW64\rdpsharercom.exe | "C:\Windows\system32\rdpsharercom.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wlidprov.exe" |
| C:\Windows\SysWOW64\vcamp110.exe | "C:\Windows\system32\vcamp110.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\rdpsharercom.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\vcamp110.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | best-targeted-traffic.com | udp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ww25.best-targeted-traffic.com | udp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | www.ip2location.com | udp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 247.182.224.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.172.224.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ww38.best-targeted-traffic.com | udp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.148.248.13.in-addr.arpa | udp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/4900-0-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Windows\SysWOW64\msrating.exe
| MD5 | 0c514c02d1c5408661c996211e16a9d6 |
| SHA1 | 7f34d5e97f53dc9f878e0276297b930d9acab180 |
| SHA256 | a02246d3afa381a5771a021f7fac3fbd742e0dba2e42185416e65a565904324b |
| SHA512 | 112127cd3b6c573b244588d5c4b9d923ea77f76a6eaaa9656c2d3f9dbdea847a1bb8e0f7f8af0bebee7d0b4d5fd906c6bf68471fa61128f2f7a5716642206be2 |
memory/4900-11-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Windows\SysWOW64\credprovdatamodel.exe
| MD5 | 69e9f809141160362c817adf5e27dd55 |
| SHA1 | 64dcb508e2ff56ef99483423d6f799cdffad640d |
| SHA256 | 95560e08c24a09b71ff7be4be3c81dff31927b3bd7aca711171195bd4b7ad5a3 |
| SHA512 | 95b382ecc4fb54cb5148613c0c3a2b84cb31e4432491bcee45bd96d29a470b9e8c6e46ca2064c6c211b28c5cfc6cd22f621deff2a357998852704103fb0a3141 |
memory/2064-21-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Windows\SysWOW64\dmiso8601utils.exe
| MD5 | a69221fe0b0350953ae535e8d15d47d0 |
| SHA1 | cb16450e16babc6fb99299a47c24c1fe0dab3b96 |
| SHA256 | ff2061f6df18d13f36b7cf6d7b6d68630f06619c663bc16fac9bddc46f71da2f |
| SHA512 | 9193c2262f4155f8f0e603f1d3baba41aba161c98f650fda694a038dc5917c9a36cb915afffa34365e522dc56a438229fea186d33c9e498a28f9c391e0f687d0 |
memory/4204-33-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Windows\SysWOW64\mp43decd.exe
| MD5 | 1c7a47fa40b5943e304982636c423175 |
| SHA1 | 081782c937f4ad3fb9aac01a3d2bc22a68c30a96 |
| SHA256 | cb5ae7da5299ab503258ff57816c2187fcf077510fe90266c379c18b6c1fa3fb |
| SHA512 | 08cbf742a46ab6284b9fb44242c877634fa6771cc3ffd018b8c97fdc637ccca7da736e8c03ab815bee5842dc3b2cf054eb46c1231196de9c4d34898c702d0c97 |
memory/1980-43-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Windows\SysWOW64\wlidprov.exe
| MD5 | 247eea11477bd84b3f8dee4ea973e481 |
| SHA1 | e5a9a8f2a80fc067e2f747ef187a0003b4398460 |
| SHA256 | 5737e4fb2630dcae74e8f3cbace17b57d908fb53666076fc0487a6947fca9009 |
| SHA512 | a687e3c252827395d113c31eeb413fcd925392931a66097d7301c7f0706d35f52fae70355f9da4214c5c4d68c32e5ee4a66c6dcb335639f922e4a429e321b15b |
memory/4520-54-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Windows\SysWOW64\rdpsharercom.exe
| MD5 | 688eabb334e5e9ea0c7c1ff646c4810e |
| SHA1 | 32b5fd91d1a4952929ebebc376f368782281524f |
| SHA256 | 0baf63c83df60238ffa28e2dc9010a9a3f7ac0bf5468d177c1fa0c34f38b6b81 |
| SHA512 | cee203478d517e7230505fa453594147e2f2ec8c4961d9a632f6511ea4e7c65646c96bfa9a16e3f8c4e70b6751e31e08ad2ff66f125f3a7863a06a1311e9bff5 |
memory/3848-64-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\v5[1].htm
| MD5 | 9463ba07743e8a9aca3b55373121b7c5 |
| SHA1 | 4fdd121b2d2afd98881ab4cdb2d2a513ff5bb26f |
| SHA256 | d5319a00eb7542e02c1e76cb20e2073c0411cd918e32094bc66f9147a0bfae6d |
| SHA512 | 6a1a97f37a5e607a3dc7f5fae343911a7f75d371a34ec27deb2971ee47388891f001d80959d37609d1c909af1674b4962da739e8a2cfce07e3d2ce6abf0c6ad7 |
C:\Windows\SysWOW64\vcamp110.exe
| MD5 | 3da832945b7f7de5c4c637f5c37b01dd |
| SHA1 | 0828f2960a130b92cf26cbb8c6aa035387b92b79 |
| SHA256 | 6df990e5462ee131a14543f0b616860f115cbe028f19c6dc704f482991d680b4 |
| SHA512 | a6b8767107b3ca248afc12459dbc91f13c84c310945b6bf22f6fd36afc12ff5a286273e68173ed04209242c593257d2de7df0ef5743063898d49e9b7652bee44 |
memory/4492-76-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2308-80-0x0000000000400000-0x0000000000413000-memory.dmp