Analysis Overview
SHA256
804ceedb4da459b12a480e99c2de2f2b0d248c0e9a928ce8746bd970e745fb8c
Threat Level: Shows suspicious behavior
The file 4d2e23a579e1cac93ec8986e9dd88f6b640b36aa918952eed78ec7c62b8c79bfN.exe was found to show suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Indicator Removal: File Deletion
Drops file in System32 directory
Program crash
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 21:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 21:12
Reported
2024-11-13 21:14
Platform
win7-20240903-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\cryptbase.exe | C:\Windows\SysWOW64\kbdfa.exe | N/A |
| File created | C:\Windows\SysWOW64\kbd101a.exe | C:\Windows\SysWOW64\dpnhpast.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\expsrv.exe | C:\Windows\SysWOW64\searchfolder.exe | N/A |
| File created | C:\Windows\SysWOW64\radarrs.exe | C:\Windows\SysWOW64\msafd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\odbc32gt.exe | C:\Windows\SysWOW64\loghours.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\odexl32.exe | C:\Windows\SysWOW64\magnification.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\radarrs.exe | C:\Windows\SysWOW64\msafd.exe | N/A |
| File created | C:\Windows\SysWOW64\cmutil.exe | C:\Windows\SysWOW64\catsrvps.exe | N/A |
| File created | C:\Windows\SysWOW64\loghours.exe | C:\Windows\SysWOW64\kbdlt2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jsintl.exe | C:\Windows\SysWOW64\tvratings.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\actioncentercpl.exe | C:\Windows\SysWOW64\msieftp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kbd101a.exe | C:\Windows\SysWOW64\dpnhpast.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winsrpc.exe | C:\Windows\SysWOW64\cmutil.exe | N/A |
| File created | C:\Windows\SysWOW64\actioncentercpl.exe | C:\Windows\SysWOW64\msieftp.exe | N/A |
| File created | C:\Windows\SysWOW64\dinput.exe | C:\Windows\SysWOW64\actioncentercpl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\racengn.exe | C:\Windows\SysWOW64\dpwsockx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fthsvc.exe | C:\Windows\SysWOW64\wscproxystub.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wkscli.exe | C:\Windows\SysWOW64\wmdmlog.exe | N/A |
| File created | C:\Windows\SysWOW64\odbc32gt.exe | C:\Windows\SysWOW64\loghours.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\samcli.exe | C:\Windows\SysWOW64\uianimation.exe | N/A |
| File created | C:\Windows\SysWOW64\wmdmlog.exe | C:\Windows\SysWOW64\oleacchooks.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rdpendp.exe | C:\Windows\SysWOW64\wkscli.exe | N/A |
| File created | C:\Windows\SysWOW64\wscproxystub.exe | C:\Windows\SysWOW64\pid.exe | N/A |
| File created | C:\Windows\SysWOW64\winsrpc.exe | C:\Windows\SysWOW64\cmutil.exe | N/A |
| File created | C:\Windows\SysWOW64\searchfolder.exe | C:\Windows\SysWOW64\resampledmo.exe | N/A |
| File created | C:\Windows\SysWOW64\catsrvps.exe | C:\Windows\SysWOW64\fthsvc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cmutil.exe | C:\Windows\SysWOW64\catsrvps.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.exe | C:\Windows\SysWOW64\f3ahvoas.exe | N/A |
| File created | C:\Windows\SysWOW64\odexl32.exe | C:\Windows\SysWOW64\magnification.exe | N/A |
| File created | C:\Windows\SysWOW64\oleacchooks.exe | C:\Windows\SysWOW64\odexl32.exe | N/A |
| File created | C:\Windows\SysWOW64\mfc120ita.exe | C:\Windows\SysWOW64\eapqec.exe | N/A |
| File created | C:\Windows\SysWOW64\radarrs.exe | C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\radarrs.exe | C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\loghours.exe | C:\Windows\SysWOW64\kbdlt2.exe | N/A |
| File created | C:\Windows\SysWOW64\catsrvps.exe | C:\Windows\SysWOW64\winsrpc.exe | N/A |
| File created | C:\Windows\SysWOW64\msdmo.exe | C:\Windows\SysWOW64\api-ms-win-security-sddl-l1-1-0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kbdlt2.exe | C:\Windows\SysWOW64\vccorlib140.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\uianimation.exe | C:\Windows\SysWOW64\msfeeds.exe | N/A |
| File created | C:\Windows\SysWOW64\samcli.exe | C:\Windows\SysWOW64\uianimation.exe | N/A |
| File created | C:\Windows\SysWOW64\kbdusr.exe | C:\Windows\SysWOW64\samcli.exe | N/A |
| File created | C:\Windows\SysWOW64\fdpnp.exe | C:\Windows\SysWOW64\expsrv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fdpnp.exe | C:\Windows\SysWOW64\expsrv.exe | N/A |
| File created | C:\Windows\SysWOW64\xpssvcs.exe | C:\Windows\SysWOW64\fdpnp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\duser.exe | C:\Windows\SysWOW64\cryptbase.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netcenter.exe | C:\Windows\SysWOW64\duser.exe | N/A |
| File created | C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.exe | C:\Windows\SysWOW64\f3ahvoas.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pid.exe | C:\Windows\SysWOW64\mfc120ita.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xpssvcs.exe | C:\Windows\SysWOW64\fdpnp.exe | N/A |
| File created | C:\Windows\SysWOW64\wshelper.exe | C:\Windows\SysWOW64\sqmapi.exe | N/A |
| File created | C:\Windows\SysWOW64\kbdfa.exe | C:\Windows\SysWOW64\kbdusr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shimgvw.exe | C:\Windows\SysWOW64\iprtrmgr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kbdmlt48.exe | C:\Windows\SysWOW64\taskcomp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eapqec.exe | C:\Windows\SysWOW64\racengn.exe | N/A |
| File created | C:\Windows\SysWOW64\api-ms-win-security-sddl-l1-1-0.exe | C:\Windows\SysWOW64\xpssvcs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vccorlib140.exe | C:\Windows\SysWOW64\wshelper.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sechost.exe | C:\Windows\SysWOW64\jsintl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\magnification.exe | C:\Windows\SysWOW64\kbdmlt48.exe | N/A |
| File created | C:\Windows\SysWOW64\msafd.exe | C:\Windows\SysWOW64\vdsbas.exe | N/A |
| File created | C:\Windows\SysWOW64\oleacc.exe | C:\Windows\SysWOW64\msvcp140_1.exe | N/A |
| File created | C:\Windows\SysWOW64\puiapi.exe | C:\Windows\SysWOW64\oleacc.exe | N/A |
| File created | C:\Windows\SysWOW64\rdpendp.exe | C:\Windows\SysWOW64\wkscli.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc120ita.exe | C:\Windows\SysWOW64\eapqec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc100.exe | C:\Windows\SysWOW64\rdpendp.exe | N/A |
| File created | C:\Windows\SysWOW64\vdsbas.exe | C:\Windows\SysWOW64\mfc100.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\kbdusr.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\wscproxystub.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\api-ms-win-security-sddl-l1-1-0.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\eapqec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\puiapi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\kbdfa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\actioncentercpl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\fdpnp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\samcli.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\duser.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\jsintl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\winsrpc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\odbc32gt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mfc100.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\catsrvps.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dpwsockx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\searchfolder.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dpnhpast.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sechost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\catsrvps.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rdpendp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nlslexicons0003.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wshelper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\kbdlt2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\oleacchooks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\kbd101a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vdsbas.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cryptbase.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskcomp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\uianimation.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\radarrs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\racengn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wmdmlog.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\4d2e23a579e1cac93ec8986e9dd88f6b640b36aa918952eed78ec7c62b8c79bfN.exe | "C:\Users\Admin\AppData\Local\Temp\4d2e23a579e1cac93ec8986e9dd88f6b640b36aa918952eed78ec7c62b8c79bfN.exe" |
| C:\Windows\SysWOW64\msfeeds.exe | "C:\Windows\system32\msfeeds.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\4d2e23a579e1cac93ec8986e9dd88f6b640b36aa918952eed78ec7c62b8c79bfN.exe" |
| C:\Windows\SysWOW64\uianimation.exe | "C:\Windows\system32\uianimation.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\msfeeds.exe" |
| C:\Windows\SysWOW64\samcli.exe | "C:\Windows\system32\samcli.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\uianimation.exe" |
| C:\Windows\SysWOW64\kbdusr.exe | "C:\Windows\system32\kbdusr.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\samcli.exe" |
| C:\Windows\SysWOW64\kbdfa.exe | "C:\Windows\system32\kbdfa.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdusr.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 48 |
| C:\Windows\SysWOW64\cryptbase.exe | "C:\Windows\system32\cryptbase.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdfa.exe" |
| C:\Windows\SysWOW64\duser.exe | "C:\Windows\system32\duser.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\cryptbase.exe" |
| C:\Windows\SysWOW64\netcenter.exe | "C:\Windows\system32\netcenter.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\duser.exe" |
| C:\Windows\SysWOW64\dpnhpast.exe | "C:\Windows\system32\dpnhpast.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\netcenter.exe" |
| C:\Windows\SysWOW64\kbd101a.exe | "C:\Windows\system32\kbd101a.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\dpnhpast.exe" |
| C:\Windows\SysWOW64\tvratings.exe | "C:\Windows\system32\tvratings.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbd101a.exe" |
| C:\Windows\SysWOW64\jsintl.exe | "C:\Windows\system32\jsintl.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\tvratings.exe" |
| C:\Windows\SysWOW64\sechost.exe | "C:\Windows\system32\sechost.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\jsintl.exe" |
| C:\Windows\SysWOW64\f3ahvoas.exe | "C:\Windows\system32\f3ahvoas.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\sechost.exe" |
| C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.exe | "C:\Windows\system32\api-ms-win-crt-utility-l1-1-0.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\f3ahvoas.exe" |
| C:\Windows\SysWOW64\radarrs.exe | "C:\Windows\system32\radarrs.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\api-ms-win-crt-utility-l1-1-0.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 180 |
| C:\Windows\SysWOW64\iprtrmgr.exe | "C:\Windows\system32\iprtrmgr.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\radarrs.exe" |
| C:\Windows\SysWOW64\shimgvw.exe | "C:\Windows\system32\shimgvw.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\iprtrmgr.exe" |
| C:\Windows\SysWOW64\taskcomp.exe | "C:\Windows\system32\taskcomp.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\shimgvw.exe" |
| C:\Windows\SysWOW64\kbdmlt48.exe | "C:\Windows\system32\kbdmlt48.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\taskcomp.exe" |
| C:\Windows\SysWOW64\magnification.exe | "C:\Windows\system32\magnification.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdmlt48.exe" |
| C:\Windows\SysWOW64\odexl32.exe | "C:\Windows\system32\odexl32.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\magnification.exe" |
| C:\Windows\SysWOW64\oleacchooks.exe | "C:\Windows\system32\oleacchooks.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\odexl32.exe" |
| C:\Windows\SysWOW64\wmdmlog.exe | "C:\Windows\system32\wmdmlog.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\oleacchooks.exe" |
| C:\Windows\SysWOW64\wkscli.exe | "C:\Windows\system32\wkscli.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wmdmlog.exe" |
| C:\Windows\SysWOW64\rdpendp.exe | "C:\Windows\system32\rdpendp.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkscli.exe" |
| C:\Windows\SysWOW64\mfc100.exe | "C:\Windows\system32\mfc100.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\rdpendp.exe" |
| C:\Windows\SysWOW64\vdsbas.exe | "C:\Windows\system32\vdsbas.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\mfc100.exe" |
| C:\Windows\SysWOW64\msafd.exe | "C:\Windows\system32\msafd.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\vdsbas.exe" |
| C:\Windows\SysWOW64\radarrs.exe | "C:\Windows\system32\radarrs.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\msafd.exe" |
| C:\Windows\SysWOW64\dpwsockx.exe | "C:\Windows\system32\dpwsockx.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\radarrs.exe" |
| C:\Windows\SysWOW64\racengn.exe | "C:\Windows\system32\racengn.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\dpwsockx.exe" |
| C:\Windows\SysWOW64\eapqec.exe | "C:\Windows\system32\eapqec.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\racengn.exe" |
| C:\Windows\SysWOW64\mfc120ita.exe | "C:\Windows\system32\mfc120ita.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\eapqec.exe" |
| C:\Windows\SysWOW64\pid.exe | "C:\Windows\system32\pid.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\mfc120ita.exe" |
| C:\Windows\SysWOW64\wscproxystub.exe | "C:\Windows\system32\wscproxystub.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\pid.exe" |
| C:\Windows\SysWOW64\fthsvc.exe | "C:\Windows\system32\fthsvc.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wscproxystub.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 548 |
| C:\Windows\SysWOW64\catsrvps.exe | "C:\Windows\system32\catsrvps.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\fthsvc.exe" |
| C:\Windows\SysWOW64\cmutil.exe | "C:\Windows\system32\cmutil.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\catsrvps.exe" |
| C:\Windows\SysWOW64\winsrpc.exe | "C:\Windows\system32\winsrpc.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\cmutil.exe" |
| C:\Windows\SysWOW64\catsrvps.exe | "C:\Windows\system32\catsrvps.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\winsrpc.exe" |
| C:\Windows\SysWOW64\msieftp.exe | "C:\Windows\system32\msieftp.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\catsrvps.exe" |
| C:\Windows\SysWOW64\actioncentercpl.exe | "C:\Windows\system32\actioncentercpl.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\msieftp.exe" |
| C:\Windows\SysWOW64\dinput.exe | "C:\Windows\system32\dinput.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\actioncentercpl.exe" |
| C:\Windows\SysWOW64\nlslexicons0003.exe | "C:\Windows\system32\nlslexicons0003.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\dinput.exe" |
| C:\Windows\SysWOW64\resampledmo.exe | "C:\Windows\system32\resampledmo.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\nlslexicons0003.exe" |
| C:\Windows\SysWOW64\searchfolder.exe | "C:\Windows\system32\searchfolder.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\resampledmo.exe" |
| C:\Windows\SysWOW64\expsrv.exe | "C:\Windows\system32\expsrv.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\searchfolder.exe" |
| C:\Windows\SysWOW64\fdpnp.exe | "C:\Windows\system32\fdpnp.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\expsrv.exe" |
| C:\Windows\SysWOW64\xpssvcs.exe | "C:\Windows\system32\xpssvcs.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\fdpnp.exe" |
| C:\Windows\SysWOW64\api-ms-win-security-sddl-l1-1-0.exe | "C:\Windows\system32\api-ms-win-security-sddl-l1-1-0.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\xpssvcs.exe" |
| C:\Windows\SysWOW64\msdmo.exe | "C:\Windows\system32\msdmo.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\api-ms-win-security-sddl-l1-1-0.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 180 |
| C:\Windows\SysWOW64\msvcp140_1.exe | "C:\Windows\system32\msvcp140_1.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\msdmo.exe" |
| C:\Windows\SysWOW64\oleacc.exe | "C:\Windows\system32\oleacc.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\msvcp140_1.exe" |
| C:\Windows\SysWOW64\puiapi.exe | "C:\Windows\system32\puiapi.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\oleacc.exe" |
| C:\Windows\SysWOW64\sqmapi.exe | "C:\Windows\system32\sqmapi.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\puiapi.exe" |
| C:\Windows\SysWOW64\wshelper.exe | "C:\Windows\system32\wshelper.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\sqmapi.exe" |
| C:\Windows\SysWOW64\vccorlib140.exe | "C:\Windows\system32\vccorlib140.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wshelper.exe" |
| C:\Windows\SysWOW64\kbdlt2.exe | "C:\Windows\system32\kbdlt2.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\vccorlib140.exe" |
| C:\Windows\SysWOW64\loghours.exe | "C:\Windows\system32\loghours.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdlt2.exe" |
| C:\Windows\SysWOW64\odbc32gt.exe | "C:\Windows\system32\odbc32gt.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\loghours.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | best-targeted-traffic.com | udp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww25.best-targeted-traffic.com | udp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | www.ip2location.com | udp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 8.8.8.8:53 | ww38.best-targeted-traffic.com | udp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 13.248.148.254:80 | ww38.best-targeted-traffic.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
| US | 199.59.243.227:80 | ww25.best-targeted-traffic.com | tcp |
| US | 34.224.172.222:80 | www.ip2location.com | tcp |
| US | 103.224.182.247:80 | best-targeted-traffic.com | tcp |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 21:12
Reported
2024-11-13 21:14
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
96s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mfcm120.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4d2e23a579e1cac93ec8986e9dd88f6b640b36aa918952eed78ec7c62b8c79bfN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mfcm120.exe | N/A |
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\mfcm120.exe | C:\Users\Admin\AppData\Local\Temp\4d2e23a579e1cac93ec8986e9dd88f6b640b36aa918952eed78ec7c62b8c79bfN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfcm120.exe | C:\Users\Admin\AppData\Local\Temp\4d2e23a579e1cac93ec8986e9dd88f6b640b36aa918952eed78ec7c62b8c79bfN.exe | N/A |
| File created | C:\Windows\SysWOW64\windows.devices.printers.exe | C:\Windows\SysWOW64\mfcm120.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\windows.devices.printers.exe | C:\Windows\SysWOW64\mfcm120.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\mfcm120.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4d2e23a579e1cac93ec8986e9dd88f6b640b36aa918952eed78ec7c62b8c79bfN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mfcm120.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4d2e23a579e1cac93ec8986e9dd88f6b640b36aa918952eed78ec7c62b8c79bfN.exe
"C:\Users\Admin\AppData\Local\Temp\4d2e23a579e1cac93ec8986e9dd88f6b640b36aa918952eed78ec7c62b8c79bfN.exe"
C:\Windows\SysWOW64\mfcm120.exe
"C:\Windows\system32\mfcm120.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\4d2e23a579e1cac93ec8986e9dd88f6b640b36aa918952eed78ec7c62b8c79bfN.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\mfcm120.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1816 -ip 1816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 1668