Analysis Overview
SHA256
17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd
Threat Level: Known bad
The file Batch_7.zip was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
CrypVault
Pony, Fareit
Detected Xorist Ransomware
Modifies security service
Process spawned unexpected child process
Windows security bypass
Crypvault family
Pony family
Xorist family
Modifies firewall policy service
Xorist Ransomware
Modifies WinLogon for persistence
UAC bypass
Warzonerat family
Renames multiple (4027) files with added filename extension
Deletes shadow copies
Renames multiple (2558) files with added filename extension
Warzone RAT payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies boot configuration data using bcdedit
Drops file in Drivers directory
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Blocklisted process makes network request
Windows security modification
Checks computer location settings
Unsecured Credentials: Credentials In Files
Deletes itself
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Indicator Removal: File Deletion
Accesses Microsoft Outlook accounts
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates connected drives
Requests dangerous framework permissions
Checks whether UAC is enabled
Adds Run key to start application
UPX packed file
Suspicious use of SetThreadContext
Enumerates processes with tasklist
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Program crash
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Opens file in notepad (likely ransom note)
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Uses Volume Shadow Copy service COM API
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: CmdExeWriteProcessMemorySpam
Interacts with shadow copies
Suspicious use of SendNotifyMessage
Views/modifies file attributes
System policy modification
Modifies data under HKEY_USERS
Modifies Internet Explorer settings
outlook_win_path
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Kills process with taskkill
Modifies Internet Explorer Phishing Filter
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-22 03:25
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
UPX packed file
Unsigned PE
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:09
Platform
win7-20240903-en
Max time kernel
570s
Max time network
362s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Dumped_.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Dumped_.exe
"C:\Users\Admin\AppData\Local\Temp\Dumped_.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dolores.cursopersona.com | udp |
Files
memory/3028-0-0x0000000000AC0000-0x0000000000AD2000-memory.dmp
memory/3028-4-0x0000000000AC0000-0x0000000000AD2000-memory.dmp
C:\ProgramData\hgybrtlyzvfoikl
| MD5 | 241ce528d53d871b6d1acc37205c2eae |
| SHA1 | 095f4255e244bdc9289483e901c4ecd3f348f1be |
| SHA256 | dbdd37ac8cf3d6eac875133b03690ca4fe030248a4732d3e95dac906fd42e29c |
| SHA512 | 6ec601a12efe4ea214d8413f5e4c64b33e2d7f27acdb596303391a3f5ca6d468576e9c6400fe852601c7612e26f205443b7e9d277d69517e1ed668ec8d738f0a |
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:10
Platform
win7-20241023-en
Max time kernel
600s
Max time network
581s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,,C:\\Program Files (x86)\\Mozilla Maintenance Service\\BMNNWfaO.exe" | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Program Files (x86)\\Mozilla Maintenance Service\\BMNNWfaO.exe" | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
Disables Task Manager via registry modification
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LNHcdsKW.exe | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LNHcdsKW.exe | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LNHcdsKW.exe | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LNHcdsKW.exe | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TUEiLXib = "C:\\Users\\Admin\\AppData\\Local\\Google\\HIvlukUD.exe" | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TUEiLXib = "C:\\Users\\Admin\\AppData\\Local\\Google\\HIvlukUD.exe" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\DirtyDecrypt = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dirty\\DirtyDecrypt.exe\" /hide" | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\BMNNWfaO.exe | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\BMNNWfaO.exe | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| File created | C:\Program Files (x86)\Dirty\DirtyDecrypt.exe | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Dirty\DirtyDecrypt.exe | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe
"C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe"
C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe
"C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe"
C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe
"C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe"
Network
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | viweabkkfe.com | udp |
| US | 8.8.8.8:53 | viweabkkfe.com | udp |
| DE | 178.162.203.202:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | viweabkkfe.com | udp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| NL | 5.79.71.225:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | viweabkkfe.com | udp |
| DE | 178.162.203.202:80 | viweabkkfe.com | tcp |
| DE | 178.162.203.202:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| DE | 178.162.203.202:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | viweabkkfe.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | viweabkkfe.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | viweabkkfe.com | udp |
| NL | 85.17.31.122:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| NL | 85.17.31.122:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| NL | 85.17.31.122:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| NL | 85.17.31.122:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | viweabkkfe.com | udp |
| NL | 85.17.31.122:80 | viweabkkfe.com | tcp |
| NL | 85.17.31.122:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | bfgtwvhgsibiufmcerl.com | udp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | kvmihtamuopvagdlrwzg.com | udp |
| US | 8.8.8.8:53 | rtlwqvhwuisfnery.com | udp |
| US | 8.8.8.8:53 | xzfqmrfmyuaxs.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | dxkirxfzwhnnah.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | vyeaukkyszhdeug.com | udp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | cpejcogzznpudbsmaxxm.com | udp |
| US | 8.8.8.8:53 | zvwbjvhfrkqciz.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | pnqclaedmavju.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | qwtzjokvjfvecysgypbd.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| US | 8.8.8.8:53 | mzwfwjayhom.com | udp |
| US | 8.8.8.8:53 | xtvklujmo.com | udp |
| US | 8.8.8.8:53 | kwsrmhroj.com | udp |
| US | 8.8.8.8:53 | avcctrnrxx.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | towhyechciopdte.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | eiiveuuptweirgz.com | udp |
| US | 8.8.8.8:53 | tmgskmvaxftffa.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | fryqhsblmvzsal.com | udp |
| US | 8.8.8.8:53 | ohrpszrfydauhfuzyzbk.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | owsxylebhmuzver.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | hqihrutpabwndvldae.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | vgcdinjoj.com | udp |
| US | 8.8.8.8:53 | zbzxolintzi.com | udp |
| US | 8.8.8.8:53 | fidkjesxq.com | udp |
| US | 8.8.8.8:53 | izaubgigwfl.com | udp |
| US | 8.8.8.8:53 | yievjaklo.com | udp |
| US | 8.8.8.8:53 | nuepdkau.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | rjpkxiywinyhjoqltq.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | worazowxtkdznvvz.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | fzzxkhmkfunhotpjmdoy.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | kuyfpapjundhcit.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | nxcyhbauwgvdryyz.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| US | 8.8.8.8:53 | ajfdmjbywzibf.com | udp |
| NL | 85.17.31.122:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| NL | 85.17.31.122:80 | viweabkkfe.com | tcp |
| US | 8.8.8.8:53 | wowsfhnnvlwhlotryvh.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | ltcfpuctidqqqxxzpikz.com | udp |
| US | 8.8.8.8:53 | lscyqrjofqmtn.com | udp |
| US | 8.8.8.8:53 | linbzxpkmdtngnbdg.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | lxpcmncky.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | zkkfpkbbfnmihohix.com | udp |
| US | 8.8.8.8:53 | pjgnhujlmwtgf.com | udp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
| US | 8.8.8.8:53 | qxcrbliabignczlmuc.com | udp |
| US | 8.8.8.8:53 | oismeark.com | udp |
| DE | 169.50.13.61:80 | kcubcfuhwwn.com | tcp |
| US | 8.8.8.8:53 | pvqwziehrqscosb.com | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:17
Platform
win7-20240729-en
Max time kernel
357s
Max time network
358s
Command Line
Signatures
Renames multiple (4027) files with added filename extension
Drops file in Drivers directory
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Indicator Removal: File Deletion
Drops file in System32 directory
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Rondo\\WallpapeR.bmp" | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750U.BMP.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\THMBNAIL.PNG.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\TAB_OFF.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_OFF.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RESUME.XML.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115841.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\PREVIEW.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\PublicFunctions.js.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityLetter.Dotx.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15019_.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR13F.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14655_.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\SNEEZE.WAV.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\include\win32\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL075.XML.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\AUTHORS.txt.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR24F.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ENGDIC.DAT.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\db\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CURRENCY.JPG.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\VisualElements\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\PREVIEW.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\THANKS.txt.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\COMPUTER.ICO.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03014_.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\SUCTION.WAV.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21311_.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21331_.GIF.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winsxs\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1248d52c93fe6e31\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_netfx-aspnet_webmintrust_config_b03f5f7f11d50a3a_6.1.7600.16385_none_b724a267c2ccea7a\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7600.16385_en-us_83a96f16be1ecf82\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..t-starter.resources_31bf3856ad364e35_6.1.7601.17514_it-it_9aff0a0726ff98b6\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e73ca319a82aa327\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e31d2d92828b5ec3\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_efed75e2fbac9517\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7601.17514_it-it_068a8aa70d654920\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\NetFx40_IIS_schema_update.xml.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7601.17514_en-us_91a2a3662d8ffd41\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1041\eula.rtf.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\diagnostics\index\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c4791cafd126e03\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_netfx-aspnet_common_sql_b03f5f7f11d50a3a_6.1.7600.16385_none_9b5d3c5138868587\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_es-es_2db40b99b2736660\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_it-it_cb41e15d1e0fe8c0\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_be5cbd3b6b3e4c5c\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v3.5\SQL\es\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe.config.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe.config.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_289b855890d86e62\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-i..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_25d4ec0b90e21a29\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7601.17514_it-it_dd8dde728f4e7060\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Graphics\Rotate8.ico.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_netfx-weblowtrust_config_b03f5f7f11d50a3a_6.1.7600.16385_none_b282c116d6e6d47e\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\Speech\Engines\SR\ja-JP\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_11.2.9600.16428_none_dde9296580ccbddf\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_eee4e052cd1adbab\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_6.1.7601.17514_none_288b7acec3a75696\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-xwizards_31bf3856ad364e35_6.1.7600.16385_none_77fe6053a02b5dc7\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-fax-common.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fcb2dd5d6182f5ae\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_61da96604705f464\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_en-us_1aca4d46a08df107\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe.config.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bc7b845ad586d402\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c1ae04d6b2f5d213\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_de-de_71d9774db1afe542\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_6.1.7601.17514_de-de_559eb6a7b33ef039\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\legacy.web_minimaltrust.config.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Windows\inf\PERFLIB\0409\perfh.dat.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_de-de_8d33546de1c5ef03\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-powerdiagnostic_31bf3856ad364e35_6.1.7600.16385_none_9654ef966755d06f\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..l-wallpaper-starter_31bf3856ad364e35_6.1.7600.16385_none_f08164982f2fecda\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_netfx-machine_config_ocm_b03f5f7f11d50a3a_6.1.7601.17514_none_81fa0191bdd08961\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-e..eady_eula.resources_31bf3856ad364e35_6.1.7600.16385_es-es_959ec7b53a342ec3\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e9c2f754efcb477f\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_es-es_f5f7b0a614550298\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_de-de_8a445b750021d88a\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_it-it_16b2136334d4d376\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-n..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9b3b900d1741a8cd\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-sonic-symphonyntsc_31bf3856ad364e35_6.1.7600.16385_none_d75d6085d60aa50d\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_en-us_dd95cd2390bb17bc\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7601.17514_es-es_c82940e03ac63534\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_1f13ba22df0a61ce\ReadMe.html | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\inf\TAPISRV\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\_TransactionBridgePerfCounters.h.jaff | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_es-es_8f1f29d5a784472a\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\winsxs\amd64_wiabr00a.inf_31bf3856ad364e35_6.1.7600.16385_none_1ff46c750309ff30\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1046\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2632 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2632 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2632 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2632 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
"C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fkksjobnn43.org | udp |
Files
C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.html
| MD5 | b92b5c1b1159a4b56f5ebf5d8112b622 |
| SHA1 | 5ac4bcd88117003caa5f330c0cde8450252f87cc |
| SHA256 | 767b55d49a37655e186ed1b71f69218da846a945ff00e902baa778840dda6736 |
| SHA512 | a5599fc6f2330db6c5541ba8af8737b4816dd1171d9d40c6f2404e71754feffd35b34c8c9ae1fbfa88a88810d594da9e0de119342cc5d8e29e66e7ea45de2fdf |
C:\Program Files (x86)\Common Files\Services\ReadMe.bmp
| MD5 | d9d46f5c1d462e6fa986c08b89e8223d |
| SHA1 | e237a3843427f183ac8cbd6ac91c3d53fc0e64dd |
| SHA256 | 4036e1539be43744284758f08b6bd8039bcb9ddb12aeff01f8aa2f5619b94268 |
| SHA512 | 3a6e661e9000ce290f0082838bc6dc33e1d2187aaf6c0c7bf360eec1c0140bb0f00b9283ffc725f85e890e0527651198a3ff8dfb1e68fc09dd1afb0f18fbc226 |
C:\Program Files (x86)\Internet Explorer\en-US\ReadMe.txt
| MD5 | cfbd7fa17c72a3b5c84e940dcca2b69d |
| SHA1 | 9c7cf35fb08fc0c086cdc64acbb19605e42fbf03 |
| SHA256 | ba42b3018667de48aacc23c8a634712907148431998993691296bb1b09818afc |
| SHA512 | cb41f5e7a43879fb2ec495bc8c658c43421da7da271b25c56ec89136ac2723b1a8d2173e65506cf9bd404ca8a22f5945fd11254985c752b722cc79bcb25f5ca5 |
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.jaff
| MD5 | 719d2e28cc0eb103a53658c1f7011212 |
| SHA1 | 92fd0ba6c44c5629990589616883db478086545b |
| SHA256 | c245f3e5643eef8a3204814b4f952513a2d222b88b0ce378e795fde939e37362 |
| SHA512 | 7bcfb177bc65fcd36f33d5f5bbb65a201f9563012b4c26c803bd6ec062020269c105644ec6cd758f2a5cbab96705af9086a0cc62cf347b668088c4719726ad1c |
C:\Windows\SysWOW64\es-ES\ReadMe.bmp.jaff
| MD5 | 4d38dea841ca9f71cb65a019e9176174 |
| SHA1 | a9825d4b5e867d374a13203eaff9823049b6f429 |
| SHA256 | 587b0216fab3da5f24c74804652bdbf3c2d6abc167a7d89df31c8b7f7773a67a |
| SHA512 | affefcbe5c38ffd09a7154f5221841fffdcc4353573457621905c73bcaf618fc7dd998688e9c81e4d6a7d5aa6aac17b205d0c210f7cfad428e48d9f7d458fd85 |
C:\Windows\SysWOW64\en-US\ReadMe.txt.jaff
| MD5 | d75f21f4fb4d700f99478a850819d433 |
| SHA1 | f733d27085b4f60259b8d90bb6be3915e77681bd |
| SHA256 | 73ae60cc2c1db3ee6661a12b456bb6f8318268e12f3aef86656d8d8504f29ef2 |
| SHA512 | 4e201ca0fa854afca6eed3dd80c2a40d6f50cef757d7985694a661ea5ba6e4b4c0db30ecf38eaeb47b3c5b474f33b73c3734393473a59d6ea4d26746b74666d7 |
C:\Windows\SysWOW64\fr-FR\ReadMe.html.jaff
| MD5 | 2e911d7e542fa28f0b15844b9bc528ad |
| SHA1 | 577c451b2bbfa7d9a805b42271b1f64ed8351517 |
| SHA256 | 836e86c04d9852a952f7a6ee325a173901ed2a277572fc3602a7a82a76bbb25a |
| SHA512 | ec3279ef4df2f02377d743373ced7bca463dca6a11cdc1fdab7c71a1e5674deb93b10f8b73658dfa651569d89f49aba754c6fdc4c2885102cd13c8e065edf113 |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe.config.jaff
| MD5 | a75eba1447e17b50c9e0f0754784b60a |
| SHA1 | f0bd406c093e8b59d06b17d44e6aad3822c7eae4 |
| SHA256 | dee969c26cffcc3c82edb7f93722480fa47b167dae04b27287352ce7d79bd2ad |
| SHA512 | dd942e8fba8517a244def3e92613f9cba7cd801e983c266f35c3a5f5e8d82fb4a46327f0200c6a3cad4e62ed79b99782335b4e565e1e1b81655f25e50ff7c48d |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe.config.jaff
| MD5 | 62da3f21f8e04931ec3f86e8c542c51f |
| SHA1 | 9d93a1ff13bef961d3c43e4373beb3f025abfc35 |
| SHA256 | 7eb9d3bde2e13802a9d2410a7c7dbb7a5e797c8d9a69721488f0d734a4bc2e0f |
| SHA512 | 8a4a246be5846946711fc739b9055a22113b7d7336f388ce891b6bef1e1b89743c9f652b4ce3d90494eb00f05fd81e6a910877e32cf3e9862c53fb4d566d5178 |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe.config.jaff
| MD5 | 425c04b51a0f822b6af7ac8b33996cc4 |
| SHA1 | 25517b380acf31802896d9e89ca71af6c6e1412c |
| SHA256 | 3ce3a2e9a8699404d07013bcefc03a2d225fb6d1f41273144f91aaf6e1ccb73a |
| SHA512 | 7510057c3a4c5a7b8cb000f912d2f898d9b833b4ee39b46930b1039c59951f7a2011218d00902d8d31b6ab86ff257f8de6bfbe2bfdf52b460e19c3848902bad2 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe.config.jaff
| MD5 | 18fd144384a2d6f9a333900735718877 |
| SHA1 | 449aa74a92ec3166ca6ac2def916a9cbfbe3cfd5 |
| SHA256 | d8d5ed8018b5a260b092fa55ffe93785ccfbc9ab126092e1a81139a871f0119b |
| SHA512 | d71cb68280f8417a928037e0c4e5440e2b6ea9ec98a671476c7fce4a7b9df9fa4457e60fc85c3fc8761f253890ee2feafe4675865692c5b845a4c9a11147c4e2 |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe.config.jaff
| MD5 | d349d0906757d5e13735d96625fcf4fb |
| SHA1 | d5f5c895a6e00e51606124a558ccd6eecb9a0935 |
| SHA256 | 5e537de45e625976038311ce2d90a1a12284cd3ab4aaf48923e91711cdc0f98b |
| SHA512 | f3fccbe7f1ea7228482161f943678c30c9ffe0c15cba6f5f90fd2aed2a2484fe32b11b582fa62c8cc85aaa3bc3cec69a3d443d8611ef9999e0b3387319f26541 |
C:\Windows\inf\PERFLIB\0411\perfc.dat.jaff
| MD5 | 91db1195f345f74e19dd6142f58dd92a |
| SHA1 | d516dee4cf8d491e593bd33591e17d641f1fe1e2 |
| SHA256 | 22f097cbb47c5368ef27cf63489c1e07ebc78dfd2a2678ac43729961b0026972 |
| SHA512 | 618e69dba5b94f77285d2494926e306f1227c764c612c78c4fd5e40e8f689bf828cf47a2d20bd498eddd3647cf0c67ee0ae8da7d52fbbbced91463918453bdad |
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_ON.GIF.jaff
| MD5 | a6ae0cfbf3eb596a81371089167227ee |
| SHA1 | adff680a7fa080b2ea13224253c15668d4659b90 |
| SHA256 | fdf0e2af89ab6a8b65948dbb25ccdeb915fd30431673fd8bb4440e084debd3e5 |
| SHA512 | d97944dc1e5cff2fbf2b2e5c1a69a65240926107286e5f492c0810a355c30fe094714c280ed98024790b12115f249935048348a882ba33253370fe03e03173b7 |
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\TAB_OFF.GIF.jaff
| MD5 | 05304a96ee2be2cb1fd9eb29ec1278a4 |
| SHA1 | c576782af8839787d371b7aa0748e7e81696aff4 |
| SHA256 | 5889d5d344df5a3caa626d159c7a77e6e55711d5313ca8d58d8ef8971960c7db |
| SHA512 | d409e65b3249ab48d1daf45b8171c14110cac73bb12b4054d5d24db9895d643d8f8043a4f81a8a99af61f48f3ffaad6be3a84a2276146e9bbd833d1b90ee335b |
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\es\DropSqlPersistenceProviderLogic.sql.jaff
| MD5 | 52a574894ec27a429adc17be53f4be84 |
| SHA1 | fc6ae101209aa25b2fc466191dc1d0dca76fb5b2 |
| SHA256 | 673d9149f3f18e343ce75402e7bdff10b877963f06ecba4c0b321dcd6d0e4925 |
| SHA512 | ccfe74320714ce3ff644c3ef3ce0e1a28fd7ab89fa4f62969c0606f9a372cca68d425db7425b1986e9c03f378648535cffd1efd6461cf1a44ccb5e8f708fd967 |
C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\de\SqlPersistenceProviderLogic.sql.jaff
| MD5 | 3ad51f035ffa279262656c07de6a5fbb |
| SHA1 | d2251978a502b0df6b70d7f4efe202608a544b3a |
| SHA256 | 514c27022884e03c78a8d4ca0b24160362b51c98612cad7c1a4573330c1e7202 |
| SHA512 | 9311948f4be78c71859eb11e934d87c1b26ecf77ccc048ac86e6f80d583753d9d5e09348bc6ea2070f44d6493e4175a56f6bf51af81444a905e4d819518cf8fc |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif.jaff
| MD5 | e30d4b277a21e0088a76a47193cfbf86 |
| SHA1 | 7e0e9cae1b58623b909b70623ec5a5bce887b3b4 |
| SHA256 | 2d01e4dd7e6c291c1a3403de755833a3eef37e4512fccbe9698f72ce96fb9c6c |
| SHA512 | 54e5a1d4b055df27d73497084a2e7413a6a7e034da3bafc3df9557692418365ba6d8fc460aa7c38d2166c09c304e5839a80468b5e286ae3c3569ef74e64c4a78 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif.jaff
| MD5 | ec47905ef9b69bb4d2ed683e96428584 |
| SHA1 | 5b1e55734030c03af0c8eb1911828440cf719576 |
| SHA256 | 45e39dadd592dd9a876282b754f6d30f47b863ebdaeb631b8229fead59cfbce6 |
| SHA512 | a52ed5fa15e14d33dcff8041f469e01af5bdefefba9bbbdc7cfa8f43575bd99351bba90f9ba610b382635bb3ce01464c89a32f06a720d65d195a060adc9ec5e6 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif.jaff
| MD5 | 188b6fa25b8b362a7c622737e04af95c |
| SHA1 | 631ffc66ca28bdf719b7fff06aabfffb95346b81 |
| SHA256 | f13dbcfb41875c953edac474d7311e5ac7ceb078db29cb85c1b700d633056351 |
| SHA512 | 3df9cf103b5aabac0db31eec0200224d364cc6de9befa0515fe4e2f11d17f6c77c584dbb8f7e2f5c802f0a98988549a2440dba6855d88829b515b864f3aff7fb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000006.log.jaff
| MD5 | cb0caa7a31faad958e1336f27bba6500 |
| SHA1 | d60eae58767222d839963ebb869f7b222b547c28 |
| SHA256 | 32ef903dbfbe32450ce7ff64aa143fb397ffab67bc230740f71f9ceb13c41cec |
| SHA512 | 2047eb41b0ae5d321ff3ac5c901193f6c2f96296ffcadb2d40aa6eb17cba688fa95727386e2b9dada6a10943c40d0f3440d84202c2d908905c4638a3a0c6ef88 |
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.jaff
| MD5 | 1cbe2e58157a22882cb05e3f88c48bb6 |
| SHA1 | f842aef3198367b7cd52e3ee91508e5bfbbfc49c |
| SHA256 | 3a0033dabc65867d7ce2853951e9e4b01a705453b8afe7b06e63fe3ec91e7392 |
| SHA512 | 96212f5927fcc5916d1d0a085fed350300def7a816a48befc9dcb015a7c8b5fb36e6c21c1596820a01d83e2f9296611d32815985af2d67b3f4501ceb3a506358 |
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.jaff
| MD5 | f82fc43f5af424cb3ef4db466e16326d |
| SHA1 | 742b20773687eec8a9280d17781a5404ac1ec4d8 |
| SHA256 | 691762dc8c26b0390d1446bb36c01ac011b65248d94e8bb457baadfdd040efb0 |
| SHA512 | 8d35595bf678e1d1348792c9f72983b94ceeb97c55c3c1981f36d91b579d51cc6630e18289e7fa651f9057de5972269bb6833b6186770544a8f837135ebb8823 |
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html.jaff
| MD5 | e1dd2c95265f33c04b153699fb25260e |
| SHA1 | 9336b504a5fb20a0e2d41703261e54e62fc81ba0 |
| SHA256 | a58317f522f073a2b45e079445544e36055cf326466991208df4db8bf0d4a94f |
| SHA512 | 68b4f85387fd914eede17b27baecd3c84acb1cfc4115dc995356ab48b978c514b0ee84ad359ed2ceff1b4225235de25b244214febf195d8498ff3f9752c3bdd6 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\BUTTON.GIF.jaff
| MD5 | 2352c1e232f2d1937e2fc3e644de24f8 |
| SHA1 | 5ca092a056e1170afd94c244cf89461faa7ba548 |
| SHA256 | 5857a28d90dfb5d07597b0aa336512d474459ede117b82fc7fddb459e852edec |
| SHA512 | d88638c77024a99a386a9d8ce75d80613f077d91ef2356be8257047ad40872e8e45bb80f2844efd02b0b3556c06180b328278631a0592fd9d8dee4a5029c3cc6 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.jaff
| MD5 | b8885404aed05928f9c493470fdb95f0 |
| SHA1 | 22c3442a540a57e5772953a64a3deeb2bbee3535 |
| SHA256 | 38abd0d4d00329468b3dd182685ec0dc9e12c55a3eeb18dcee528669cd0e284e |
| SHA512 | 34be47cfd9f22bb63fd0696d1ce3d79aabb273f884454c6e85d57fc91b68a34d85100d35d8d80ea70cd61217fdc4a226627e8c209525baf2c91f9461be61291f |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\TAB_ON.GIF.jaff
| MD5 | a16200564cdcb588ca540f93a53a7dc1 |
| SHA1 | 53cdea292ef0db1305bbdeb74c6568b3986bdffa |
| SHA256 | c59bba269d2169380b5076250cdbdb576d73cf7a5964bcf86b06351d80ab42f8 |
| SHA512 | 9b40aa6bb4b9f8c9da1279e91d575b474da881cbd724f3e80e6d7e3a2bbddbb876d304e2a7f0a8a1de0bf6535c3b7404e9cc1d6af487133cdba3fa0517144594 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.jaff
| MD5 | 1a42d75f6972f0eb5903096f7b297c9b |
| SHA1 | 1ee4d288ac113a37881be956012751dc86243489 |
| SHA256 | 417a5e929c97bf9732b39ac798532cea07ccb84fb136e07fcce45638317249de |
| SHA512 | 967d0dadad75d364da8334b297a21c16c8e63a468ef9b1bd0b57e0a123b531961157cbdb90b962b6f6dbe219a82ff36e15202d7a441948040ef195b03c088f0e |
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:11
Platform
win7-20240903-en
Max time kernel
58s
Max time network
59s
Command Line
Signatures
Detected Xorist Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xorist Ransomware
Xorist family
Renames multiple (2558) files with added filename extension
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bdx48saERp3j6l1.exe" | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\InfDefaultInstall.exe | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_try_catch_finally.help.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmdsi.inf_amd64_neutral_e77f438012239042\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmusrk1.inf_amd64_neutral_19cdebd3e1182874\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\Dism\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wudfusbcciddriver.inf_amd64_neutral_adc3e4acb1046b4b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\ko-KR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\migwiz\es-ES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shutdown.exe | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\lsi_sas2.inf_amd64_neutral_e12a5c4cfbe49204\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\usbprint.inf_amd64_neutral_54948be2bc4bcdd1\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_debuggers.help.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_parameters.help.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ph6xib64c0.inf_amd64_neutral_a43df8f7441e1c61\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnep002.inf_amd64_neutral_efc4a7485b172c07\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wiaep003.inf_amd64_neutral_c2a98813147bf34e\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_locations.help.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\es-ES\Licenses\_Default\UltimateN\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_type_operators.help.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\ar-SA\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\de-DE\Licenses\eval\Starter\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmiodat.inf_amd64_neutral_839e9ee1a8736613\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmlasat.inf_amd64_neutral_bc1469ba40fe2114\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wialx005.inf_amd64_neutral_5304c93e2193f237\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\en-US\Licenses\OEM\StarterE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\zh-CN\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rekeywiz.exe | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_jobs.help.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\brmfcmdm.inf_amd64_neutral_af49d2f3ffa12116\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\esentutl.exe | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Starter\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\migwiz\replacementmanifests\WindowsSearchEngine\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Assignment_Operators.help.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmzyxel.inf_amd64_neutral_ed1f16b3d0cae908\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnbr003.inf_amd64_neutral_dff45d1d0df04caf\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wdmaudio.inf_amd64_neutral_423894ded0ba8fdf\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wiahp001.inf_amd64_neutral_aee49cdf3b352e58\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmnokia.inf_amd64_neutral_a8e9a41983d33a0b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ph3xibc11.inf_amd64_neutral_bb18e5f134c40c68\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\es-ES\Licenses\eval\EnterpriseN\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\it-IT\Licenses\_Default\ProfessionalN\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dllhost.exe | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\angelu64.inf_amd64_neutral_3d6079dd78127f5e\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\pt-PT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmaiwa4.inf_amd64_neutral_6e97842bb8d9e6a8\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmbtmdm.inf_amd64_neutral_2e4da8629fc5904e\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnky308.inf_amd64_ja-jp_d90af802b607044a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\transfercable.inf_amd64_neutral_82f4c743c8996d67\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\windowssideshowenhanceddriver.inf_amd64_neutral_184a2ef2a8f57c33\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\it-IT\Licenses\OEM\Professional\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\de-DE\Licenses\OEM\ProfessionalN\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ipconfig.exe | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_script_internationalization.help.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\de-DE\Licenses\eval\HomePremium\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\averfx2swtv_x64.inf_amd64_neutral_24a71cdaabc7f783\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\fr-FR\Licenses\_Default\StarterE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_try_catch_finally.help.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\circlass.inf_amd64_neutral_cf52485bed804e02\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\SysWOW64\Recovery\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\atiriol6.inf_amd64_neutral_bde34ad5722cca75\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\disk.inf_amd64_neutral_10ce25bbc5a9cc43\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_neutral_c48d421ad2c1e3e3\amd64\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncihmbejmpladfin.bmp" | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
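The event tables in this report are the raw material for automated triage: the first detonation shows the mass rename with an appended `.jaff` extension and `ReadMe.txt/.html/.bmp` notes dropped into hundreds of directories plus a `cmd.exe /C del /Q /F` child deleting the parent image, and behavioral19 shows the `HOW TO DECRYPT FILES.txt` note-drop, a Run key (`Alcmeter`) pointing into the user's Temp directory, and a wallpaper swap to a Temp `.bmp`. The Python script below is an added example, not part of the sandbox report and not any vendor's detection engine. It parses a handful of rows copied from the tables above (the Process column is shortened to `sample.exe` / `svchost.exe`, a constructed simplification) and the two process command lines, and derives the indicators an analyst would otherwise pull out by hand. The thresholds `min_hits` and `min_dirs` are assumed values, not anything the sandbox uses.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample: rows copied from the report above, with the Process column
# shortened to sample.exe / svchost.exe (a simplification, not the report's literal text).
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\inf\PERFLIB\0409\perfh.dat.jaff | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config.jaff | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Windows\inf\TAPISRV\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ReadMe.bmp | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1046\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bdx48saERp3j6l1.exe" | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncihmbejmpladfin.bmp" | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
"""
# Constructed process tree (image path, command line) mirroring the Processes section.
SAMPLE_PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\sample.exe", r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
]

ROW_RE = re.compile(r"^\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|$")
REG_VALUE_RE = re.compile(r'^(?P<key>.+?)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
SELF_DELETE_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+del\b.*?"?(?P<path>[A-Za-z]:\\[^"]+\.exe)"?', re.IGNORECASE)


def parse_rows(text):
    """Turn the four-column event rows into dicts; the header row is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group(1) != "Description":
            rows.append(dict(zip(("desc", "indicator", "process", "target"), m.groups())))
    return rows


def appended_extension(rows, min_hits=2):
    """Most common extension appended to files that still carry their original one
    (perfh.dat.jaff -> .jaff). Returns (ext, count) or None; min_hits is an assumed threshold."""
    hits = Counter()
    for r in rows:
        if r["desc"].startswith("File opened for modification"):
            p = PureWindowsPath(r["indicator"])
            if len(p.suffixes) >= 2:
                hits[p.suffix.lower()] += 1
    top = hits.most_common(1)
    return top[0] if top and top[0][1] >= min_hits else None


def ransom_notes(rows, min_dirs=2):
    """Filenames created in at least min_dirs distinct directories: the note-drop pattern."""
    dirs = defaultdict(set)
    for r in rows:
        if r["desc"] == "File created":
            p = PureWindowsPath(r["indicator"])
            dirs[p.name].add(str(p.parent).lower())
    return {name: len(d) for name, d in dirs.items() if len(d) >= min_dirs}


def registry_sets(rows):
    """(key, value name, data) for 'Set value' rows; the report doubles backslashes inside quoted data."""
    for r in rows:
        m = REG_VALUE_RE.match(r["indicator"]) if r["desc"].startswith("Set value") else None
        if m:
            yield m["key"], m["name"], m["data"].replace("\\\\", "\\")


def run_key_persistence(rows):
    """Run-key entries whose target lives under a Temp directory (the Alcmeter entry above)."""
    return [(name, data) for key, name, data in registry_sets(rows)
            if key.lower().endswith("\\currentversion\\run") and "\\temp\\" in data.lower()]


def wallpaper_change(rows):
    for key, name, data in registry_sets(rows):
        if key.lower().endswith("\\control panel\\desktop") and name == "Wallpaper":
            return data
    return None


def self_delete(process_tree):
    """'cmd.exe /C del ... <exe>' where <exe> is another image in the tree: a child deleting its parent."""
    images = {img.lower() for img, _ in process_tree}
    matches = (SELF_DELETE_RE.search(cmd) for _, cmd in process_tree)
    return [m["path"] for m in matches if m and m["path"].lower() in images]


def assess(rows, process_tree):
    """Combine the checks; ransomware_like needs either the mass-rename or the note-drop signal."""
    ext, notes = appended_extension(rows), ransom_notes(rows)
    return dict(appended_extension=ext, ransom_notes=notes,
                run_key_persistence=run_key_persistence(rows), wallpaper=wallpaper_change(rows),
                self_delete=self_delete(process_tree), ransomware_like=bool(ext or notes))


if __name__ == "__main__":
    for k, v in assess(parse_rows(SAMPLE_ROWS), SAMPLE_PROCESSES).items():
        print(f"{k}: {v}")
```

Two design points worth noting. The appended-extension check only counts paths that still have an original extension under the new one, so an encrypted note such as `ReadMe.bmp.jaff` counts but a file that merely happens to end in an unknown suffix does not; on the behavioral19 rows, where the sandbox logged the pre-rename path, the check returns None and the note-drop signal carries the verdict instead. The self-delete check requires the deleted path to be a process image seen elsewhere in the same tree, which is what separates `del` of the parent executable from an ordinary cleanup command.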
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_h.png | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_dot.png | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01750_.GIF | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\WinMail.exe | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_partly-cloudy.png | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\icon.png | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21390_.GIF | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down.png | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10308_.GIF | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files\Windows Journal\Templates\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\wabmig.exe | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10289_.GIF | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files\Windows Mail\es-ES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImagesMask.bmp | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Groove.gif | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\lua\http\requests\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\ja-JP\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02077_.GIF | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\background.gif | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21421_.GIF | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new.png | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-m..-mdac-rds-shape-dll_31bf3856ad364e35_6.1.7600.16385_none_2c0460a5d6cf99aa\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Bears.jpg | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e1bbd91348b28fbd\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-e..ntication.resources_31bf3856ad364e35_6.1.7600.16385_es-es_af29a5cb947bb312\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..l-starter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7ff30646d8c5721f\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-wlangpui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_75b8a5c3d25e2a01\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_netl1c64.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c0290a272487a6be\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_11.2.9600.16428_none_3bb1024f1e6bc086\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-t..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8f95e98467a98e5e\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_net8187se64.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_26a869f069f08dc4\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_wsdprint.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b7256a767543d30d\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_02b53e1d98470ee8\erofflps.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-s..g-jscript.resources_31bf3856ad364e35_8.0.7600.16385_fr-fr_1109fb9951b8f80b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-wpfcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_e2ebaa32abd84c8f\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-dpapi-keys.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9bf0da4150b60702\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-r..tance-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a3356af4d9adcae1\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-b..trics-cpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9c8da1aa88db9946\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-j..buggeride.resources_31bf3856ad364e35_8.0.7600.16385_es-es_8a689fd92c8b700f\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-m..s-service.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ff2f11062d6c5d92\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\system.workflow.componentmodel.resources\3.0.0.0_ja_31bf3856ad364e35\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.GroupPoli#\06d363f8e85281d0f70f2c88d1a0e667\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-ipnat.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6f0da6cf6309ed22\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-s..ativehost.resources_31bf3856ad364e35_6.1.7600.16385_it-it_24d0deee1ac49b0e\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\MICROSOFT.VISUALBASIC.COMPATIBILITY.DATA.resources\8.0.0.0_ja_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..ngsupport.resources_31bf3856ad364e35_8.0.7600.16385_en-us_ad729b320c691eac\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Windows Balloon.wav | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_253e8c58002c48e1\blank.png | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_de-de_181a1bc5e35bb95e\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\x86_netfx-shfusion_res_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_7a97f0ca887d1f24\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\Media\Calligraphy\Windows Hardware Remove.wav | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\msil_msbuild.resources_b03f5f7f11d50a3a_6.1.7600.16385_ja-jp_0f2251f715f14f5f\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\x86_netfx-csc_exe_config_b03f5f7f11d50a3a_6.1.7600.16385_none_5bfb623d555cccb6\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Narrator\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..cingstack.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8b317f4ba16d3507\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_If.help.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-help-gamesp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0a4908dad3d0a5db\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-m..-mdac-rds-shape-rll_31bf3856ad364e35_6.1.7600.16385_none_3239c529d2d1d90c\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-speechcommonnoia64_31bf3856ad364e35_6.1.7600.16385_none_5e9e78a6dd413413\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-w..ystemassessmenttool_31bf3856ad364e35_6.1.7601.17514_none_d9bafd47cdf9833b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-e..gine-isam.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0e32b701c9788fec\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\x86_taskschedulersettings.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f34361298f0b5882\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\Boot\Fonts\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\passport.png | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_scripts.help.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\msil_comsvcconfig.resources_b03f5f7f11d50a3a_6.1.7601.17514_ja-jp_2a37215727b5d00e\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-ie-setup_31bf3856ad364e35_11.2.9600.16428_none_1f77d330a4790dae\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-m..oledb-rll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_774f231c5b0ae344\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Entity.Design\v4.0_4.0.0.0__b77a5c561934e089\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..-platform.resources_31bf3856ad364e35_8.0.7600.16385_de-de_9953c1c53c7a8c94\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-u..re-atmini.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4dbe3af629c49981\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-opengl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9ee9341436547754\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-deltapackageexpander_31bf3856ad364e35_6.1.7601.17514_none_c8049b9e4ba7658c\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-iis-bpa.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_251746b074c94113\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_server-help-chm.reliab.resources_31bf3856ad364e35_6.1.7600.16385_de-de_75c5fd0bb9b184d9\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\x86_setup-uxwizard-clientimages_31bf3856ad364e35_6.1.7600.16385_none_48ada01d8ff36e68\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-n..35wpfcomp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_67ecd7388fa46002\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-n..meworkapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_04346e25ffbfe92d\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_tr-tr_9e98e8587a93bcd6\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-h..putername.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0202957a15d38086\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-netplwiz.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2dd66c79c7e4f8e2\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-isoburn.resources_31bf3856ad364e35_6.1.7600.16385_de-de_27d3aa8ba7b1db61\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-m..ac-sql-cliconfg-exe_31bf3856ad364e35_6.1.7600.16385_none_6ff39cfbb8057a05\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-whhelper.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_70e8a62da42e1401\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Boom\ = "SSTWIPNUVDUSGRM" | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\ = "CRYPTED!" | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\shell\open\command | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\shell\open | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bdx48saERp3j6l1.exe" | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Boom | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\DefaultIcon | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bdx48saERp3j6l1.exe,0" | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\shell | C:\Users\Admin\AppData\Local\Tempsvchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe
"C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe"
C:\Users\Admin\AppData\Local\Tempsvchost.exe
"C:\Users\Admin\AppData\Local\Tempsvchost.exe"
C:\Windows\system32\taskkill.exe
taskkill /IM explorer.exe /F
C:\Windows\system32\shutdown.exe
shutdown -s -t 6
C:\Windows\system32\taskkill.exe
taskkill /IM explorer.exe /F
C:\Windows\system32\shutdown.exe
shutdown -s -t 6
C:\Windows\system32\taskkill.exe
taskkill /IM explorer.exe /F
C:\Windows\system32\shutdown.exe
shutdown -s -t 6
C:\Windows\system32\taskkill.exe
taskkill /IM explorer.exe /F
C:\Windows\system32\shutdown.exe
shutdown -s -t 6
C:\Windows\system32\taskkill.exe
taskkill /IM explorer.exe /F
C:\Windows\system32\shutdown.exe
shutdown -s -t 6
C:\Windows\system32\taskkill.exe
taskkill /IM explorer.exe /F
C:\Windows\system32\shutdown.exe
shutdown -s -t 6
C:\Windows\system32\taskkill.exe
taskkill /IM explorer.exe /F
C:\Windows\system32\shutdown.exe
shutdown -s -t 6
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\taskkill.exe
taskkill /IM explorer.exe /F
C:\Windows\system32\shutdown.exe
shutdown -s -t 6
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
memory/2212-0-0x000007FEF5DAE000-0x000007FEF5DAF000-memory.dmp
memory/2212-1-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
memory/2212-2-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
memory/2212-4-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
C:\Users\Admin\AppData\Local\Tempsvchost.exe
| MD5 | e40c6c092f093bd84544c46b75136212 |
| SHA1 | 4e572fb842cbe318f6387d254741045f7bf5b230 |
| SHA256 | 0eff6a71d9bd1549d4c12bc984ed722b9139f75615d4adcb49f9ec240afe9d7d |
| SHA512 | d4f2c0f2f9dab7349036f73310b8a6d07e663ed664b9b14333f463d14cc9aa2c35759c3714419101787b3d0204d522948f893d649f6edb0e5efe8a847da9117f |
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt
| MD5 | 2efe72d837aed462e887ad524a404ebd |
| SHA1 | 44f65243eb459429e9d211db025e6cfc0ae9a67e |
| SHA256 | 35ee67934b321d71018d810616bda2b0b1687ca155a9a1654f82417d9b241e89 |
| SHA512 | 9c49721f11d486212f42764e8fc857a65a3e80aabc7901ab0df6b860b8151ab1a8cd6b8e6cf6402f907aa12f28d6c4e900094b9db05927d850b255e8c51a4a46 |
memory/2212-24-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
memory/2516-38-0x0000000000400000-0x00000000006F6000-memory.dmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif
| MD5 | f1b3fc5195c30349ce13afc21a40a06f |
| SHA1 | 1f51ed442a823175c935406748cae8c6d618027f |
| SHA256 | 2d6962dbb761594623f60e895127dc123f9e246f8845c9fdbd4dee8f945f6069 |
| SHA512 | 6ab381d3d462308e2dcb73d04732340ca137c8464677d9ec0db43002e406d847f588e7ec15a164d93b557aacc06f149e92ad65de2d419f81f5a75703920f8ca0 |
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
| MD5 | 1d6c8d00aae68da0789330109f33c6a3 |
| SHA1 | 5b6a622e617269a8fbe591f988ce9b6aecc3baa7 |
| SHA256 | f6eb04d8760c6d01bf408c45507fa182d2465800e46c2dc3cf8b71b59f511a81 |
| SHA512 | 827685142c40781f9a4e0ccf68dbe4ab784a05cbeb1c7df1d6dffdadbc2a8de4b09e47eed31aae62e195081f6698cc27b520127b489dac11bb2f38d283faeaa2 |
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
| MD5 | fec64b0080be113f3a329fbb2185a7ef |
| SHA1 | 9babc7facc8b38ab97344d61b735febde815b5c5 |
| SHA256 | 6b1285f0594ae2551ccc66f1ba35ac410ecaecc58645ed375b7b56cfe3a98b56 |
| SHA512 | 26a81b6de96119f0323de19933805086f6f58eea7b0f44eb8a5b35897264cc28cd2f8e35d38b2f4469afe4b1a782f1a4e8903abcf663e2326afc97df8a05166c |
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
| MD5 | f344d4dba1cabd6f821a8b6260e44b0e |
| SHA1 | 30368cc2682f144b87713686ca60caddb989d222 |
| SHA256 | b9fab55ff249d16a87165233fd38a1d34214dde7003f8c5c319deb81cd514e36 |
| SHA512 | 545686dfe13a4ce8de9a434877c238535fef6d1f4e9e03e75722e96803cf487efee20e1923ec74a27608cf1dacd3b20067a9aa39213f32494505f4c81f06d8f7 |
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
| MD5 | 7a0f570f1b04a822d4af7097b552861f |
| SHA1 | 1db485335ec5f38905a82a322994abf5881e3e9c |
| SHA256 | 586e03ac9aba339dbe88a0160a41ad292ae5865a393731027ccbb58334b43dfb |
| SHA512 | 7c6684f7143f82e71a69589f90d1a7af704786463f7d4624e27206dd4918cdab3dfcb00f5a24b03d37aa14b46d20b11161c7069c0138c011cf9ae08473cfc2cc |
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
| MD5 | 8a1a404d61b0c743b8ae97c9c849bf85 |
| SHA1 | adbb3e748b098560abb944ad8a862c26d4eed194 |
| SHA256 | 3500ab5c93050534edcfa67ddaa080caf02ac1ddb7de820fc7bcba460f3f1c87 |
| SHA512 | b343073abf4890b7ab81b18657c04a9773744dad0f6e412eab975aa80f70d054fe210cd60e77aa443fef8a2ed4965cdea0b1048c81612af5e0534085d56592c1 |
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF
| MD5 | 87cefb82e0c0c8de490420228457e396 |
| SHA1 | da019e578d776573005db4b33282dd1b0b9a1707 |
| SHA256 | 9b74ff61803ba2db58a442814e1b079a2b19590a8a23e6c9724468e94c3697e7 |
| SHA512 | a7de442e22dabeaab1d1813022c501d55cd1b40da0273f8777d14975337fcbb46a982729bc5578ad0494dac550298b7fc9e71d290fe306fde43244c6300a30e9 |
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF
| MD5 | 18dae81d6188757aff0bb5cd8db1acf2 |
| SHA1 | b424f6fa01a505b4b2b63b5a9eddcc1118b1f3b9 |
| SHA256 | 982903208613c73959b691bd447d9c051bf8203fa6cd1908e3c741b164bcc11a |
| SHA512 | 49c6e2ad3892ef4e2e8bd9781bc7f09155899602b76346934be75afe2c3a72e43ff5527f6916fc6da34ba0e9ff8333f167e9eb99e26b80c3174f15470d118af0 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF
| MD5 | dd267901fc9b2d13f272b569ca981f55 |
| SHA1 | 52bba02b91956301ce96eff538b14abb2fe72487 |
| SHA256 | b668671fabe95bd8fa99e14c155d8bd6d57b18d12ae0576881195577ba995d4f |
| SHA512 | 28a6c31ffdcd253fb2da59662c87930c2774020b39bed4e7ed9fded27b40a31ab669eae78c127c4b7c96824bfbe8d75a8e44bd538d94de4b447ecab00403b760 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif
| MD5 | 7c57732204c9ae51038991d4bc23984e |
| SHA1 | b1b5686453f759fd6bd006027298ce0efe926bd8 |
| SHA256 | ea43998179bad0fcbd951eb9e7dcfeb2bad5ba73146df11141f1a91b9a8261ff |
| SHA512 | 84b58a93f97a6d1866bcb8835bfad37f28d371c8db8f30669b7685b01285556ecc548e30796a89725893b47b7374031e53a8e116f82eecae199e05724b5b3ab9 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif
| MD5 | bfa5645f12b664a8c4a19873dacb7891 |
| SHA1 | 518eccf24ad3d4862d43ffa85baf0ceb2ccc9fd0 |
| SHA256 | 64f8be06ee33e3ac44c03d367b3a903ff016cc7d978e52fe8b1c3b9fb5945a50 |
| SHA512 | 123e74de5f063e48f9eb009fcc2c18ba247209b9db94b74e267c7738d023504a41e6db599a3dfb11a9da2cac8e88f03a2cfa2d1a3ef3d0cd2247e3e41872d61d |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif
| MD5 | bf23aaaf4ac0ef0c6d29187155053036 |
| SHA1 | f35e77988728501a7695371f342bf7f5492de486 |
| SHA256 | aef7531ca1b1c41269f845949d2a33de6adfe4ee0fcdca9129fb11d37897c37f |
| SHA512 | dd10bb54f8d70060fef2227c1a4bfdff5e178e598324a55f24f46ee57c57f069a8ce6cc45adab9a802bdd244243577b195d8511d1277ef837530debd7c260357 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif
| MD5 | dca47a4816b9334dfafc73ac42f8412a |
| SHA1 | 5b94865a1aeec4a0a0116ad7aea41ae8b50d363a |
| SHA256 | c52e6c9d36b1b41cefe234549b2f96f7a65e8281851c8112607052c4c0ab3b82 |
| SHA512 | 1ab316f2c0a1cac59c298e77260867642156488e84d1bad53507aad68e464490c0101b6ea0408cb8e1d38c27fe820fcbd4602830b134b497ced52a9c5e8730ec |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif
| MD5 | d31084eeb5e748028faf01f67a60643b |
| SHA1 | 99db7519c1c7edc14dec8fd453f698ad8a3dcdda |
| SHA256 | 98cb91a681d204a66740fbb9868aee363df4307e367077ab887fcb03485d64a8 |
| SHA512 | 30c9d6c6070e395b8df8b27e460c5047647f7e214de9b43bfd51a67cba99f03149debcef45083424516b9d797caffb214f1131bc1cf319a8a25d0a9a30f5a362 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif
| MD5 | ab12094e7f872f1e7b0e926ca89da5b2 |
| SHA1 | f4af21df4859564188b66026c2591f53f50b2e98 |
| SHA256 | 27dd924dbe93065f82dd434c06ba059185170a1ccf22c2b568e4f5ac33e9539b |
| SHA512 | 3f843f5fa467df7315a860d60d2d937970484602a282c282403a769fc02aa476ab060040a5d7cdad8d1a2fc6bba249a214d985c472b3368d4eb26264cad9f276 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif
| MD5 | 2e8dc82a584dd87bee445d490cbce817 |
| SHA1 | ae9ef7384c22b231c1283ba96a848a8ca059cf46 |
| SHA256 | a15b3f04e031ba60201b262d5516d4f16df3fa5017be2302d7f60e7a72e55bd1 |
| SHA512 | d272b0d201a9abb01605f31ffb9e8d345613c2b900bba3bdd99f4703cf2990d583093c5b3f8e86fe256d3a8dcaab9695437ffcd1814db5f4855c39eb4813b51f |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif
| MD5 | eeb0af363dc6edc8fad362e743b47936 |
| SHA1 | 93e4fa04a75258b611693326d3383133060e8528 |
| SHA256 | 4de94df4aaccc940cda249c329ccfd5489bdf595b887e2ba665671428d76faaa |
| SHA512 | 70748623f5073d0687a79459f94a637b45878da5d9e6bce25fce049d36e3855dae3f840253f3a570058224dc4c697109e6af53afe6113c2ad8871409ef561e0e |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif
| MD5 | fc0f397f9ed2fbde4d3c82868d84f592 |
| SHA1 | b923563bfa7a687d2af4a754e6a611be1c87671a |
| SHA256 | 0922cd587ea1cabab2726f8b2402ada0f389fff78dc55635035feeb218313cac |
| SHA512 | bc1ea69af54f5c81ee8ec485458347a27141a7ec3872fc63720f6357f68a99746291e350c3c74920d147eb53833d8104f08e2fce55960dbea0f3ca97ae9c648d |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif
| MD5 | 7e8e32dda4d20382a8cc6e92d330033d |
| SHA1 | 6fa9837e64c9208c1415fcc205001871169a5b28 |
| SHA256 | 70d44907de4fe1b01d15a4b8d27811cbaa0e3aa6333a2461bf70affc15b68c32 |
| SHA512 | 9e70f8fa92ee1dbb392cd0cd80bb380877502d5afacfbd2d587d0e29acd617b264d2aeedec78e98c3031012df227ff71764c485aa8b8a9b23c5a26d2aa4eff30 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif
| MD5 | 421a25d5fe24ef64034274056f0a4758 |
| SHA1 | ec9a767dabe20bb26da3955e69aa0ae5a8968368 |
| SHA256 | f4d56c3e6ead47049942110404d6697d9c074913649ffa111baf10dcb5c987a7 |
| SHA512 | e945fee0c83fc653ef98b5b9e857df272d1d9d599799184850a0aee6eb9a24fd9633b185f6ddd7ec4179d172ecef021e64641b9409917164e48137546595c9c4 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF
| MD5 | 7fa34541619d37be4f0d2ed9342fd8ca |
| SHA1 | b1dba7c212e36a8fd518308787b661ab7ba66e1b |
| SHA256 | 2486eb734ed2de398ccde861d201036860b7bbd26f94243ec692cceb3c0804da |
| SHA512 | 12d4da96ff5e89683b5d67bded100932cd265e86a787ff2365563eb77b25df528e5714be5497c0f320e5ae0a052f50366cb12408cb153e28fee5bee7addba722 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF
| MD5 | 9262de6465e67e232093f1b69c6308f5 |
| SHA1 | 1c8ac6443c46975afb12824a191ea3991e82ac2e |
| SHA256 | e2f5835a7b30b9d92f34178436a979eb0c7c597e42366da14c6743570b5c4e7d |
| SHA512 | 4d0424ed55caac930d9f02e0c6b7a69d0f6d3d17e76430a1e6e2deef4e07a40017e3377f348194db29293a79f07c9a369a7a800ddcad9dc982fb4427ed8dc346 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF
| MD5 | 23764a6b4a9412af319c5eda693f6f23 |
| SHA1 | 634a9dec011deb1bf7f2fe9538993fa5bb1087f6 |
| SHA256 | ff05d2c86af5a5e3ce3a4583e6b78abcee64f4279b27e4e8581f1ddeeb4b4315 |
| SHA512 | 6b943546ce9acaab30349265d085c8c3f77ae96c4e516bc5ee68b62ea14d42f0fa61302cb028358dc3f45c3c4ccc205b603d55bce38d025d096ea87722e0bfae |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif
| MD5 | cd5af548414f41d080df08313fb849b0 |
| SHA1 | f56d0478479fc5379e1d136f235950793fb8c730 |
| SHA256 | 890310e10b9e252cfc072f580a1a4ac250e7ebd86a86717d26be294fb71abb9f |
| SHA512 | 024a50788ebca411fd3a3bc80d2faaf2cf401119cf1ccffaf0d06f4f3e7e840e47b68a18878475b721dc0257f1bbd3af1f2c21d1e6055ccb1a211a704a317d8b |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif
| MD5 | 473b80c4bc025e928153a52d7521d4d5 |
| SHA1 | b697417dd29db6217148359c429900558c2c1c2f |
| SHA256 | da8858b39bc2118c958a437911df15a147dfc36a5a09cf2524e83b93e13037e2 |
| SHA512 | aa23f43b3df33a814e86996ccd8f0c051e3b945c586493daae307827d8c37a4e7ddbf352765d85e043ad1223c9ee9a89ff19e1743d76c3eb85e744d855dde50f |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg
| MD5 | 5ad43b1349f8908a8cb047d5af02bbed |
| SHA1 | ecb458c989c3bfd571358abcf4587a792205b488 |
| SHA256 | f4f46e26f7306ce4df20c08423d8b37668c375a208547ebe08f740c9a93f067c |
| SHA512 | 1d9032e347033b1adc55239b8859fd9ff4500c109414ca5399e5c9ad1b7f77e55621617ee1fd55f81581c68e83e084e6db3e68ea5d972f9f854a62812b32b529 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp
| MD5 | 0baa41df5300cf3d169dc7c7674e703c |
| SHA1 | 491aa98464b5142920026768b6fa6dd5ef1fe8fd |
| SHA256 | b1dd0f4261ae43ba437e6c5c569372165358dae0d19382094cf7c59b6a3d0c17 |
| SHA512 | e89f9632245a028f0670a646bc9445040aca1f4de8253c302c052a71a50f98e81cb19e3b22770953d2223c92360dff4493e54a4f7509b317e28a9b6423720ef2 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif
| MD5 | a1ffdb4a65e45f547055139c5c597925 |
| SHA1 | 0bcb6798800e46b15257c2e98ee382982211808b |
| SHA256 | 52b1df2cce3df9619e1673df58b8bf3a69acc1343e27d63b325cec40b9584878 |
| SHA512 | 7cbacf8faa5d727691d6eda1abd67ecff51f53da4e6e722719cb4aa94abd72bdee6dca9911d1c53e3f2c5d53c8aba497fb30d7d7ea2586a48327b819fdd12381 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif
| MD5 | 9ee8f0948ebb035fedd89f64887da142 |
| SHA1 | 12531d6d282df98fd80c478379d282776e264ebd |
| SHA256 | 2f828d2e3ed7813ed93c2dcb7b6c8e7d714ac0a9890fd8d700ed6b214c504122 |
| SHA512 | 8eeaa59bec3b973e86651b3997e32fa86dbb88dda9844108de2fd688ca8eb4856646f30319b41b56d02a8eb5bc4fe3f9b1b98be5456ea5296c3d80be38cbd8b5 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF
| MD5 | 48df60fea6f30037d3de7330157aba12 |
| SHA1 | 313e4b669fe319d075995fec9f17391e760310d3 |
| SHA256 | 56f25a02278bc29561bec799bc3791293284883dcac99afa3114c112d9b6bd0c |
| SHA512 | a639d22f6f524232fb50df254cb5ce9b8c4b70686424f9596646e9ec7f7825a9e90585a08c5601b78a1d572791f1c31801a1590d9cbdb2c04886de783caaf4e8 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif
| MD5 | 07df3b3b575cc49e5573cdde9f5dcc9e |
| SHA1 | e6a516e5d5345f9a6d8c9ccd6b723a047e7a6b4c |
| SHA256 | 6be3af459f07154a136fe3aa491331a939a437a22dcf6504f5ee02c2c67e1a5e |
| SHA512 | 23b7bfc185d09477a7b21c0f5f07c6b2ccbabe377c95d30074abf8bdd9a1606fab5dad47fc7c6f26e72aa182c0cde78bdabc60a214b34e9c0e469090ab426ce6 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF
| MD5 | 0a2977acc4e3560744244b7cbc497eda |
| SHA1 | 1cf8fef49e96008cf9403fa3bcc090cf26d154a9 |
| SHA256 | 1d6e2d40d8962b3b96d5c50482c7f09b48cea06630a8e79b9b6551cc347c8638 |
| SHA512 | 8f624cd51f49f1a74edd5465c7c3f4307afddd3fa6dedff1f1c0847dc10041881d5c4b0d75ec39da6499566f8e143f8d1f2998b4d25a9f2fca0b5d27891706e5 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF
| MD5 | 983b4875e0028e8f008c6ec0ab8381f0 |
| SHA1 | 381e4d70353b3a167a432879265a116bcca3e962 |
| SHA256 | 274a750cd51f8786bf5731ecfadbcd4fabbcd38cc501b483b0e9ec1d0de18344 |
| SHA512 | 04c0794bcee45558bb9f7d86e06cd85c5c98477ccb65151c81d9bcba39d2d5ad39cda2228bb08f6ed53ead64fd07a897120e08d8c383701cb0cce6bdf4e59c6d |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF
| MD5 | 94ab1d7d7d835d2622b8e944fde99909 |
| SHA1 | 1c5e12d48e18257b503bff391fa744dfcb93b589 |
| SHA256 | f9d0526b2b694d025cf67d99254387c2e0d3848786d7c1ed0aa6bb36fda11e08 |
| SHA512 | 4e6598b63d021c7bf33d6a0ef229944b5f41cb98289390593503957ef20e8051124c097fc82147cf6f5d5ec00c3c9fa343b506bf0bc46cf5a3451dcbcd303b75 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF
| MD5 | b92eea701474e53118121e86c4036bce |
| SHA1 | 002fe90bf7e448af7f26bcccc130cd1625c53583 |
| SHA256 | 50551988f7bffd873929cd3591e8b1431558955e6ea0ad6dac706bbf1f3a03d1 |
| SHA512 | a9ed6060494b7cd43955899026e5c2e4f98f6be70055ce7a98492752b56cddb3483d58ad8064dcb84b5d58e31c4d3b7848f7588b69986cfdc3e2edd47ed1490a |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF
| MD5 | c703c338fe74b0b88f22f0775a325c39 |
| SHA1 | 8f07a7294797faf2d259b98573f0479bb0d8d85a |
| SHA256 | e0b3214c217ee99ca5992236e599e59f3c5613b9ffc05f4b094232261948a0dc |
| SHA512 | da5cd0c1999bdf854e4f818d0e4af89b7b57d4ec22cb254b3ea6bfabf7f3ba80a7658406d86eca57135cc5a0bed42a8d3dcfcedf7765f8cfb1c9f2a5cf26ff73 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF
| MD5 | db4f6ca1582690e6f6efb57613ba5b36 |
| SHA1 | 5244d1dec5cda976f848bfaa7f7be38e0c7a6b19 |
| SHA256 | 63212f74691529483a97c1e24fde1e092a9354b0de65a90140537004c029ccfc |
| SHA512 | db1aa0f2320056e21cd3c4f09e84789fc06643cdde12ee2a50f5f046df39b98289a96cfd963f1bcd8397a711e510fa1c27adf41f6408d11ec2e030675dcbaa4f |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF
| MD5 | bb39d747337310f374f2eb9fad53b7d4 |
| SHA1 | 980928f38dcebcd02f4d24aef644309369d1a9ac |
| SHA256 | 8af7331b547bd25ee1a6a76cb5ec4f3d4c8487a1ef9d934a4c2c43a3f0cddd3b |
| SHA512 | fe58dbca88cd5320897b05c45846f0a1e7d84d7232ec906a9b0a3616d2140eac06309e8b76a1982dd36ef04fae89ee2497380d6eddddde8f2123464172f3dd06 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF
| MD5 | 49709e2982d15fc59dd453762943cb78 |
| SHA1 | e6a2568f1a0941420e63f30ad2fed295a7aa80f9 |
| SHA256 | 5411026d13b25b541d98554422a112ec19a9c525d3b915c28de0e8ba755b14cf |
| SHA512 | 89a6a5e8ef720186b2dbd41f152562f31c5db321e555d599e1bb4604df920ab9b1e8cd98f1aea02614b2da91bbf3503e4a12fa989481f70fa6d20c24906331ac |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif
| MD5 | 0a0386e072d54f6f575c4490647921e1 |
| SHA1 | 88d3dd8d7636eb87370d2660a7f7525500ad2993 |
| SHA256 | a0ed803c79be15937007195fecebf222e256fa7f8aa9d93a72fd4b3293f8893b |
| SHA512 | acfc3f04c9a0280d00b33451cbea5918236f53098ed805f3c3d5bb6e15f20d1f596f0e6b192e9c787562e58babb9136247051bc67d072d961eda321ed9732f5e |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF
| MD5 | 0c5300cb08265748f1061fc958240e75 |
| SHA1 | 2df61123d62e92991c725fc5a21b90f67b264cc2 |
| SHA256 | 19dde572dede505071d1b92443a6f8547a8a47faa64ae7862d5df406aa3651d1 |
| SHA512 | 48e75b43066a3d9cc4912f9c7c3a8157b8698fe15499a2d706a99a27df8b81ade146eca729bae97283d81a1e247302a279852810ea62d9de473ecbd7a11adc80 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif
| MD5 | e92f23ed957ddc116b912df99f7d37e3 |
| SHA1 | f8d412e5a30529b8dda23712026d1b062843ae73 |
| SHA256 | edec601608772c6175756eaccf631b5142c0ab858ca00b9ab4b2e390fa5b8db5 |
| SHA512 | 880124f9adce776b824fe43c01e98761287de5b8b0b3c5fde8ac2131a86d00730f587695f836a5f968a0cfcdee0f3f13a72ccef9571ec8ff6f9417ccc4519b82 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif
| MD5 | 7e8046c69886eaa56355bea6824878cf |
| SHA1 | fdf50bf8bd76e3c6b5d086f263e703a6348f15b0 |
| SHA256 | 3220c8a9c345b211339721c1c8d42ae619d3515c42d9af1608e5ace9ed709174 |
| SHA512 | df1e4e13e5fd0de2f8bca7bac1939561ca131ff0fb356323b2ad6059f2e834bdf4d68dbb970f645a3cbb40d9fee58ee4311b16847f7a59f8d9438c6f6b16de08 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg
| MD5 | 1d840894829a3404e4bd7621e8a458f1 |
| SHA1 | 5b1f0a1dd735c2d08171a5ade21130ebdfdc29a0 |
| SHA256 | 72526b92f525eb5e878d0b2097945c2d820a3ee17e40f0b75f9b5b488db37866 |
| SHA512 | 4d2ab0d1f6a1f5cf40bb5e9af0d2e50487e6188d1ce1f2570fe85b57e2cad72daa0ff6d67d9a8537f95bca800e3de3153083f4f6e6704dedbde27d0125ac23b7 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF
| MD5 | e9265f3141870eb134a036c8aa958b75 |
| SHA1 | dc01b4fe82cfef423fe448238259921a44b5c336 |
| SHA256 | fce5045f82bbf3d23e070b64cdce17071db695726672a8c6d40965b473eed8a6 |
| SHA512 | fa10e77dc55d067beb0d826c28ea7015946e7238d0137e85c8898e52b646d0ce1701b633b0370cf8e63206e4c17cb19d0489423c7c94a5a713bb48f9df3a44bc |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif
| MD5 | 9f71b43e541891706cc6837144ce1b1a |
| SHA1 | 639837ea20667a90400e005bdf5145781580d3ec |
| SHA256 | 4ca4cfa3db7ea35e35d7698dd1a95913ee708e8715d3068313fa03046b718ed2 |
| SHA512 | b82e4fc6327d7e0f57244caaaace3b6c7da2d319a0a202983c1488a6c5cdf554830c2fc304eeec2aea5ddc7382772b32f35ef30cf5357ae455cf71a5c5d349c0 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif
| MD5 | 2b530f1909ef6508468793ca346af87a |
| SHA1 | 935d68ce79e38351351d09d5d7841c1bdb18180a |
| SHA256 | 35c942a98d878de8e4eefc1e6e9e308d3c6716fbfd2f595785b6b6223289b97e |
| SHA512 | 039539c55bd6458b0bd5dba7c0a6fe17d2615fa49a018f7b39a42b42311cfacfa528b2abd59aff85e508d1ec51086547ef3965bab59c5d1d1f9efd0068d7000f |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif
| MD5 | 4773860ef2e8e093a305df240d32e441 |
| SHA1 | 9754d448cb861565ac1b7187f3699f37f81844cc |
| SHA256 | df6bd1ea4ba526fe89845a5b7088c2725951906037be3ece95a1d0065a8afae7 |
| SHA512 | a7164d72a593d89ef6102034ae89484b0131cfbeb004ca93664ec46178478fcfc50b9584ca4ffd855000e37643273aaaeb8d010972a7d0ee07edd54c4f22567d |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg
| MD5 | b2af7ea47b87d65c87882ddbadfa8007 |
| SHA1 | 9d80a199d967fbaa241f142855926f9e86c27a8d |
| SHA256 | e4f4e4ccbe43fb4c44e52fde90c54df0090c1ccff517323b151e6fe4a2f835be |
| SHA512 | 7ce9377ff7402bacca0567f202619e7684d2cd09e3aa7ab901ee03de64a465ecc9285430dd42289e177cddb61340a6c84ff827c2fa9305154bc5fcb1fed90ba3 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF
| MD5 | 0a1657a9cb30b999813f9c7e4263c9d3 |
| SHA1 | df186e26264921e7aa16b73b00417ad904cc5b1f |
| SHA256 | 4c36e153968d37979e51810188cd1d57f9f98251638afcfabc66af8f5b804a51 |
| SHA512 | f57432591a91fd5a44f66688c4ea59f73ecbee3a7d6f4dc9c838d16c361cc49ce32257a4448f18c8e30d8f905415d9a8c9860dc9a48f3830ad79d8e9b4a313f1 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF
| MD5 | ed3efceeb3c5fd9ec313e318834150fa |
| SHA1 | fa85130a4a31b320a5b71c16ee85f5a3f4ea9dc1 |
| SHA256 | ebafe72a269f51fd6639b895e320e0b6bea7fb308ec2b9f85cde4fc04132e143 |
| SHA512 | 371c960fb85435f60bc05b09036ecb1c162f9588e8c1eed39231357c648a3a92a7fe647f3df71feb565c711c74322b1d9ce74b8f71d44226a33fa617791eb16b |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF
| MD5 | ce0ff34a7234703bbbc75d035fae79f7 |
| SHA1 | a435a053fe6777c7081664337d03188e7a4044d1 |
| SHA256 | ad55192cf2dc42053b1a31e55fd94e69ed0207049fa091e19af1d3bd4a1ed4e1 |
| SHA512 | efe53dff066bb6a8f9a1b796e0a4a83c655622c0181ac151a6b29d5e0fafeacd1ae38b554b954767077fc1277fe15d1e7c9b63160b89cd2387f59e238ad71d8b |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF
| MD5 | cbe377fea6402a0b4a890ff1658fac7e |
| SHA1 | 1988481befd7adfe5e81326b7062dc3fb39069de |
| SHA256 | c49d5dda8ca6f54a2593a7dd3b8b42d61d9dd467934dad4447583423d2d04ddf |
| SHA512 | 54b8863a543ab8d0f720519b9a1263163887e3233ed763a027e727aaa091e8c4a582f902b43d2ce656cbc5de94381da2728d0380a004315d0d6179ad6ebdb1a2 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg
| MD5 | d11cc5e046c8cbf1454cabab853d76a4 |
| SHA1 | 1ee024df29955bb743f360dbaf194f825b9cf4fd |
| SHA256 | 2e9da456c3bd22655a6e23102bff3b81b1bfaf055223f727242d241c0d6a41ed |
| SHA512 | 007c341fc1609f76a8b4b4ba3ba821f92685c2e29a8b008971d0e56c4cf2c147cfbf8679ecf0153e208d93579dbc9aad92067f2e1e6c97b195b45bf3f5222433 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp
| MD5 | c81a127276890a5344c46b3bfde49d30 |
| SHA1 | 052ef19dd587873d7b73081d048b2246a009b44e |
| SHA256 | d1580acdc73a7e4a77be4f33cf7244426c4baf4f485c3b3d864ceeea63f8d286 |
| SHA512 | 69675b5fbdb74748e13687e897cb9b7b647390f9b25f5e1a7fa945ae8c9762fd93551d2a5e5e7ea26ad1a646480051c6d40635e3d777edee78d5c991b03523cd |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF
| MD5 | 531ae1c03a97556ee11aa29ce41f765a |
| SHA1 | ff557c5af3e4b508615e98e15bb9e98c4d1840ce |
| SHA256 | 694cd38dfdf1e890f9cea2506457e025b8c753dd7f68926146fa2c1f42ec0fe6 |
| SHA512 | 24b153c2b1807c143df68eb4ddf063150f3b8f7db1d841e1b2d5066f580156a51fa69b3a77d8aa581ab9937d7190bc8a380ea874798e74a8d56673b415552e37 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif
| MD5 | 96bb151c67c9bf58b86b83d37e2eb39c |
| SHA1 | 0e4d18e769bb3f53b0acc3faaf1202005ac1920b |
| SHA256 | 0ca47f7c5d37efc7d5542620d6d17b7b515506bcc8f4a4e9aa5008673554dc76 |
| SHA512 | 2bb69c57e96493658dd1f9d1681326334d0cdad4248c6208145ab83f17f47240928cd977a8a745caf9b2035aa0d8f1a9d185d4d9b9b2280ffb59ccc7f17d8ac9 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif
| MD5 | 0fcbc6e2d85f1997c0804886e5411872 |
| SHA1 | df521fec1b914ddf0f7a3f8fb44e7d93c8fd0f6f |
| SHA256 | f2bc07b7406d3daf4bc0fdafe8b0ad8b18a9aeb34a57b6171de5ee4ad99d3040 |
| SHA512 | a089fafb0d302dc1eecf176ddcd6871ea75a05cc312dfd9336fd0b295a9587f6ac9ab9cdcd72e76b8fceb6d36af5c893234c50c68cafcb34b783ca3dc2c88f19 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif
| MD5 | 9209096d26a7584a446dfdada57b7a67 |
| SHA1 | 523bc3b4e8b96796e50583ffe7fa1aa27886c4cf |
| SHA256 | dce670ef8b5133bdb8aabb6a879781b9659b762d0f0bd8aabdfe2d98547ae295 |
| SHA512 | d429bc57ae8ec9f186916eb613c0047ad4d0ae5fcb5808a752bf6e4e765ac5504d07999ce2e2d4a4196611a3530fc750473329ba65e4e45a352971825945c8e3 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif
| MD5 | 6b360522c0a6d1ee55a67d089ddf0f29 |
| SHA1 | 1e2e5b665bedf137cc4e58f827fb7e9903cbf39e |
| SHA256 | b5a34b6bbad13d49c6f5e0793ab5bdac864a819861c8337c6d314290f707f171 |
| SHA512 | 4c3cdfd62e13c996ae66e21d110452f6c40f1aece8ea8761ae3bc6790d6e9cd63059844354d3d85b3dba8ea329b7da126809c380f41a8ba8a8d032bf7aee44c4 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif
| MD5 | 4b1cd6066e490abe16e551f1a42ee64b |
| SHA1 | 9c45228bfdc5625e52e89f2b5a6376aa8a090026 |
| SHA256 | 910719ba4e9b4ed7eb4ccf15d9871ac6005a45a89e97ce1853efd7df792a5377 |
| SHA512 | 69c151fea024d1e638b628ef2aaa118fa517ee66ed761b1fcf606730125452f766f4c86de05d0998a60a73c29305e3db75b3f375c462c87b9c42fe79799c4136 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif
| MD5 | 41991d08bd78f990c889d6db5a53003e |
| SHA1 | 1fe11ff2c51d62e580cdcd31e4e701c35607d456 |
| SHA256 | 3068f98d266e2261cab19df9faad1d43dc768699b7a1b84ac7837d21870c0b09 |
| SHA512 | 5fc7e42dba9cb4f8dafedf5f97e1cafc74e55d249132dbbe7f714803bf8c27cd520a7f1d360fd86c9d7706b92aaaf7a90ea4f52ce61cc1b106864089d7dc1615 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif
| MD5 | 67685085388206e7db1a49b9d4d6d82a |
| SHA1 | d046e3c3a38e4638f4618be3ab164b61d2644223 |
| SHA256 | f8b3624d659d696e22f893628d1f35e84ef2b2afd7ec80c580110c174dee3f3a |
| SHA512 | 0d2880efd1f05ad14aeb899a8ef4dd9a24bd96586992cc33fc7d17c0e5292dcc73a68f97754f5d316e8c62ca7240cc81872c259e6ddee7447a811fa709471bb2 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif
| MD5 | 6082b4e9de8e9d5e8f12ae41269f727a |
| SHA1 | 6db11244432f1852d5681c685562aeac7830edcb |
| SHA256 | a995aaf5ca5e61648038fd611aaf5d67bfcaab564e922d81a86167337fed7d0e |
| SHA512 | 0c6d0baccfdcb2d999fa39239a3a8768035d4453e8269229ae57a41ac38c68509e9fbd08ddc8ce938c90f327acf2f64540dd607640adde0ec3f4aadc02c30f6a |
memory/2212-5556-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk
| MD5 | d26083f769cf85ce320f62a2be371418 |
| SHA1 | 425a4e8f050f6afd72115eae9d0ca05ec5602bda |
| SHA256 | 0391844bb9a47e9d00e29cf4bb8e3eee6cb1aa7dc0ac2e5f6e3800d6440dc65d |
| SHA512 | 26ceaf41d533d98564db6be827454849ecae324dba4c98345314dd04c8369a91c318637e7e0d6ecb9a5b3f69d201adc1be0e29a527e35c2a85ca0c7191710f91 |
memory/2212-6488-0x000007FEF5DAE000-0x000007FEF5DAF000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg
| MD5 | c14d68797611f380bdd91c2ee4dcb1fc |
| SHA1 | 33226013b3898f453f0662f5cf2a06a8846466ea |
| SHA256 | 74307ffea174c4874e84e7ab40f3e0fe9940b303943f82a5e6253091056bb00d |
| SHA512 | 53f5b10ed55f115e26d43f36c054db0654aaca77956fcfc538c3a55d4c602410785c1d387e581aa64710e8bee398163cf2fc3bc6ba0d0ad28ef51cfaa20259df |
memory/2516-9285-0x0000000000400000-0x00000000006F6000-memory.dmp
memory/2516-9291-0x0000000000400000-0x00000000006F6000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif
| MD5 | a257ae0e33925d4ad8a41ea4d6ebb876 |
| SHA1 | efed317c1e5c5fc02cd29cf6a9e48ed71bce6fad |
| SHA256 | bc3152c6868f9864a33659ad773ea4e8f5caffd9a34fd2829e1795258a3ecdd5 |
| SHA512 | ead5bacf05bbf73770838e54000547f1708b8eb7959b25421c584dcd71dd9c4a0053f45900d52755b61e579835394a6ba79c858c5176d7321d8b90ab06f5235a |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg
| MD5 | 6e6959aab2ae07e740d996e389ebcc78 |
| SHA1 | 63ec7e084e0250a9de38cd28f96ce30036019b8e |
| SHA256 | bc4db6d8665f6e81b31ad715b88493b713098c4d23fe17d9e3adf8df0fe5ba40 |
| SHA512 | 6d270509e776314d0c9874622d7dc6a85f9374ed070bf19dbd4466486d92fd90599c5e3c9ce6428307878fd027cb2b3c6dc87fbcc5a14d1f9059347ace01ac93 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif
| MD5 | 78e808f7b1cadbb3ce9b0689836b8c5f |
| SHA1 | 4233a84cf60ac95bae40d9cda62db32849d35916 |
| SHA256 | d3a074bf3b73fe913ded4177522930d6fa0a3110d0787245625f0f5ca41de2bb |
| SHA512 | 71027d9fdff72760de3aaf412e4c73f716f1d93c7978ef0e8ff97123456f112d660d2d854cdf50c854408bb29784850bb0e00b93ba7c421e0337a22f09da46c7 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif
| MD5 | bb59186d7739d3e885fae242e255881b |
| SHA1 | a5e8ab8821196d3ac2fd1e46041b9edb06a8ef52 |
| SHA256 | 09327ade0bf59d34a0dfe0dc0586bcd72e6ecb0d3d3a878af1f8f3b65eac5863 |
| SHA512 | e9cfc4ba1bb6b505db93250368f457e1cbaae1de5ba575c673767f1674f584fb9f6bad9900589dfc489ff767351f21484124b7828357a0ee680cb372620b2949 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif
| MD5 | 8e7cbd8b583c6bcd24135bcb62e46b03 |
| SHA1 | cd33012c7a7a3cb0fa9f7b6b56bd781b80b4f6ee |
| SHA256 | de20764e8f93dc820da2733d29244cb1b9da250c705089432479df72e8c2d3dd |
| SHA512 | 012eb2a3f265369482215860fb42a555fc854d8a6e8c7fd045bf0ca68f48d81df5563bde02c060f324f075dc7fe3d0899e27d105b6daa15b69716f5cadd2e0fa |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif
| MD5 | a5307772b89c661fd285a7788d484c72 |
| SHA1 | ce1b7ab3b8e720bc45ebc99c0b33718205e245ae |
| SHA256 | 3b4b395fa09e5b7c3a3234fc6bda0798841608a8cd0f300c4d4aa93baf8038ac |
| SHA512 | 81c0b723e9b94db204bbcd8763e4d457799d2a85ed76631aa660350352a921cebe33cdb82ad3a02bb7fb8373a27d8e47a1b06e926ebbe5ddba03186eb1a03250 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif
| MD5 | 265d255c861ceca1c51afc43bcc59997 |
| SHA1 | 5763fc795427713b72319aba062201bf2160378a |
| SHA256 | c8320ab10e9c34ca32dab78628308d315323c0e0959d4071753d1c4f33c9916d |
| SHA512 | 6152438eaf457236375d8da32ac7dec0a74b11ff9fd66e096483c626d4883877b8bbf830190bdeea3931a04f7213aeea460cfedea079478d444fa33d8d1b76e5 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif
| MD5 | 2559bd03e2f2391c94bf6aaffb47b18a |
| SHA1 | 98c6423ebbbf262bc4f700108dba93e7afb221cc |
| SHA256 | 0827a735e5234c95a94b647846ee6cb6ff273cb297dd78c15f17758350589d6e |
| SHA512 | b680ad7ead5a0bfacb7e62e93b3ccb52c393a3ddf6cb770e29c295436066ff9c081bcdf388210fd9bddbce35e8282e39e166f36208df41d46cdf12700ccc1fdd |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif
| MD5 | a24c7c47ac991d4879649107b26dbf08 |
| SHA1 | 0dd1ee909ed32236d5e2868e26187076c6b24571 |
| SHA256 | 49231955e9830bd6b7470bb78c0bf56ea6a41f8f73559ca34008c6aa1249a2fd |
| SHA512 | 21b06adc8537e1e418c87fc6331e2456102501a881292657c7348ef124c21f7745f8a3d0945b678c7b67acc75aa50ce51649b2c363eddafdaa4ed17b962c89b8 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif
| MD5 | 7284c6d1ac8752859b6253dfe278cb3f |
| SHA1 | eab374c8f943ee98a89ccfb3e8fd5f0288f5982d |
| SHA256 | b332e638a13dd5a09ac24d12d042eec5128a535a7f405f1834f3edbc49e0650e |
| SHA512 | 0de716de80bf2c5fd9cb468898f954947d3e3c3b3011499e88a605ecda3f162cb8575f5d78495bda903b4f458a79ef9d2c6c224c91cccc9c95ff287522cfbead |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif
| MD5 | 333d615b962a856edbb59ad0fcb7b27e |
| SHA1 | 6cee1a1089910c52d0b5aa7a4dd29d5103a2fc69 |
| SHA256 | a8e9bc212948414d29515240329207cc22d3672a0afc0ff234cd06aba6a4964c |
| SHA512 | 66a0747444d4d5f3a941a4fb7c9325cfcb25522007395504560311b41b8c8f04af43f09aa365e261a2cfaf8f62d11189388d700e7af385f4c114083d5709f2ef |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg
| MD5 | 861c6c0a45151493d6602a391cabbe72 |
| SHA1 | 581949f56083c887f82ed67de5adb7cc01fed64f |
| SHA256 | 8b37301d4cb94ebd50a659f7e734e66e6b5be31c713b819f192ae8f532782861 |
| SHA512 | 3f921e1d1dd3c7a8d12c87dcd2d2fcb4d6122e109d767368482c899e5c1601edbbf874923a1c38dbe96e2f6ad61e8076985857b935d8efe49bcf1be1f64475ff |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif
| MD5 | 5803eced3d1c20b86108920207db1ef8 |
| SHA1 | 48e1ba14b2029c0a7c6bf3f4ef84238e2a918079 |
| SHA256 | 9dcae8f12a6faf5b1cf1aa790dbb8e6a9307af8770d7a49dce05523fa14f1fb1 |
| SHA512 | eca6d1ece5e367157d41227229a86997ac76f3dd822bc890518362a54be83f151dcac6c1e12c44c65f7b77cd9b447b83b5861f364779409f0be23115a4d5c004 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif
| MD5 | 7b05bb093991e39277442adf3e32c060 |
| SHA1 | 59480193ebee5e1a829c98b252d56ad929afaeb0 |
| SHA256 | d2f92bf5a025d3ed33b296cee1aeff8765d1287474122baa70fc368c1d7f3aa0 |
| SHA512 | 856b540bd7b8388da0f7dfa00ac88afad67c516d58a4335fcba5398a88a7836df2e9cd319554b2a3c5ae8d1a79d4ecf53ad867921549cacab1aab1c5ac468360 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif
| MD5 | 6d125cafce26d3dee20e631428a81a78 |
| SHA1 | 9eb4d460a2f3716ebea2a83415a2db9a52e65999 |
| SHA256 | 5488de1b83ac81a986b29a4c4696900367ab8f55bdceac4f6607834eecc37eb9 |
| SHA512 | e4cbe061169f70d206e7266e942139d336eb9ad1e8b15a82cb38b5a62bf1b89d6fe9586a095ab81d7e33606a5853137015bbb36641091245821466026e6ca83a |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif
| MD5 | 8eac0ec9ab95a16d67c01372822206f6 |
| SHA1 | b461a7b6e7c1e6c5f7b6f9f30588395fafc8bcdd |
| SHA256 | d5b6069c5d8eb2471b5daab07224fb4782beaeee76755da1a36d4454e71516d0 |
| SHA512 | 4dfac9d520d8a7c1b04e687a10c4be2f941accd3ef8c9a4811d8a84b78ad8426630d7475e7b16f8bbfb06bb01e9f93c0a35af92eeff9c74555398252a440b53c |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif
| MD5 | 1d3e3654200a3855c1fed467386bd564 |
| SHA1 | 59299952f8d64d6dfdbc81bcd5f11dd28e069d72 |
| SHA256 | c056f3fdf7f5d1ab521b1d90f6568ce402aaedfface03470b65a1754c9c199a9 |
| SHA512 | 5c97a90bad5fe3211b7d75ab4532009d8e2300a93c937595254cdacdde0efaed41265e4b2ddab7f804b4494767ad4b9764c9b2fa5f0f8bd9991e7d705cb8623c |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg
| MD5 | 99d73fde86fc47e6c535ac5f10311e35 |
| SHA1 | 562618cbab46da52af2fd59b23f3792a7e24468c |
| SHA256 | bc0764d4d45ab57c8b3b84bf23b6d42ea2a764066f3b210a66cd89bccb3d1904 |
| SHA512 | fddd08cbd2acd5865ff677a3100314d22609ebb240ef860075deca15cd90ffa0ce14861d38e4e56e6fa872ee759a5c88cc0e2e719f7b0c9220fcdafd914b6428 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif
| MD5 | dfeda6cfcf05d0fd48d2892f00f097ef |
| SHA1 | 89c3937ee224d27f31af79e6773b8d5417755ae6 |
| SHA256 | 974c9ca27dc6736ca339e65f7775d1c8551e05108bb6d97d92c3451ca991f973 |
| SHA512 | 32b419d2e8fdc14b1bd6033475a7414e3cb419f1f1ccfb13cf8d9c02dec67b2d456b87b4e3c8d018b64bf6d37f71d0968fd49e57b1bf46b6ac5d3c22cc07f216 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif
| MD5 | 98dd607a669919361f747fbb7a47c712 |
| SHA1 | 002ce46c900c64ede0b1c8160186f2800feb8e3d |
| SHA256 | 6eda0990cfee043b9382ded6e0dfae4f6e4321dff8cae138c64f8b7f00d56dc6 |
| SHA512 | 9eba15904ce14a96ff62ad5a03bf927f124e1fb8c525a2de8ec0e2c3bd93c7c7ca5c0867fbae9c8081aeb35d0bdfb659f7d488a62f6f8b596c16b1b194a19cca |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg
| MD5 | 3717e294bf32cef11f170bfd6358d1f9 |
| SHA1 | 3038e4d2da3273a8d3c9417e47308515c0d07d1e |
| SHA256 | e1689ac9b81cafa33998c3dafc3f773ef1580173be08f11705f28723b9e601f1 |
| SHA512 | a43ebf78153a07f5c4df809727d5a4e4ae2b45d4a67ee60199c2fdabde12c9094fa306e86ed17ff0b19bb2eb4fd030ea76c86aff9dac38b86a0d6e3e0d283bdf |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
| MD5 | de48aef1ce17546a84b0995e14b277eb |
| SHA1 | 87a43910a7c13b7caa5b26338a6b36bf27942444 |
| SHA256 | 00ca13d6dad70b2f65e3d2ab77e3c0f1642104a1bc08a8ecd1e86fbc875e0c84 |
| SHA512 | 0fea582ebff46fa0219e5257c97a388aaeb9351351aeb3cbb068c9c047ac6010ea4b42c9cf78515d12e7ce6d4821efffa649685019917e4bea7f3da81a66678d |
memory/2516-9900-0x0000000000400000-0x00000000006F6000-memory.dmp
memory/2516-9901-0x0000000000400000-0x00000000006F6000-memory.dmp
memory/2516-9904-0x0000000000400000-0x00000000006F6000-memory.dmp
memory/2212-9905-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:20
Platform
win7-20240903-en
Max time kernel
361s
Max time network
362s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2600 set thread context of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\ea8292721a34ca2f1831447868bbe91e.exe | C:\Users\Admin\AppData\Local\Temp\ea8292721a34ca2f1831447868bbe91e.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ea8292721a34ca2f1831447868bbe91e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ea8292721a34ca2f1831447868bbe91e.exe
"C:\Users\Admin\AppData\Local\Temp\ea8292721a34ca2f1831447868bbe91e.exe"
C:\Users\Admin\AppData\Local\Temp\ea8292721a34ca2f1831447868bbe91e.exe
"C:\Users\Admin\AppData\Local\Temp\ea8292721a34ca2f1831447868bbe91e.exe"
Network
Files
memory/1360-0-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1360-8-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1360-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1360-4-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1360-2-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1360-12-0x0000000000400000-0x0000000000412000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:20
Platform
win7-20241023-en
Max time kernel
567s
Max time network
360s
Command Line
Signatures
Pony family
Pony,Fareit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\st.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\Documents\st.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\Documents\st.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5.js argument" | C:\Windows\system32\wscript.exe | N/A |
Checks installed software on the system
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\st.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\Documents\st.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows NT\Accessories\wordpad.exe | N/A |
| N/A | N/A | C:\Program Files\Windows NT\Accessories\wordpad.exe | N/A |
| N/A | N/A | C:\Program Files\Windows NT\Accessories\wordpad.exe | N/A |
| N/A | N/A | C:\Program Files\Windows NT\Accessories\wordpad.exe | N/A |
| N/A | N/A | C:\Program Files\Windows NT\Accessories\wordpad.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2652 wrote to memory of 2008 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Windows NT\Accessories\wordpad.exe |
| PID 2652 wrote to memory of 2008 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Windows NT\Accessories\wordpad.exe |
| PID 2652 wrote to memory of 2008 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Windows NT\Accessories\wordpad.exe |
| PID 2652 wrote to memory of 2916 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\Documents\st.exe |
| PID 2652 wrote to memory of 2916 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\Documents\st.exe |
| PID 2652 wrote to memory of 2916 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\Documents\st.exe |
| PID 2652 wrote to memory of 2916 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\Documents\st.exe |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\Documents\st.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5.js
C:\Program Files\Windows NT\Accessories\wordpad.exe
"C:\Program Files\Windows NT\Accessories\wordpad.exe" "C:\Users\Admin\Documents\doc_attached_4QAyw"
C:\Users\Admin\Documents\st.exe
"C:\Users\Admin\Documents\st.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | startwavenow.com | udp |
| US | 8.8.8.8:53 | startwavenow.com | udp |
| US | 8.8.8.8:53 | startwavenow.com | udp |
Files
C:\Users\Admin\Documents\doc_attached_4QAyw
| MD5 | a1fa80f75ad4003549d27fc726e40b14 |
| SHA1 | 5fda8ead11d5bdcc51c29f9eb72aed29f2065d31 |
| SHA256 | 37ab62998175d3dc70763e2fcbfe1e5b38660ae59a1c21c0306f2470ea487364 |
| SHA512 | 34817bda5cbcb2e0a909d8652b2b82c3471696f4e4d533e8a1e3583811a60aa0365e4ceabd3d2ded506a577decf907bc6bead917ffef1317e758ea2f82c1c554 |
memory/2008-2-0x0000000002120000-0x0000000002121000-memory.dmp
memory/2008-3-0x0000000002120000-0x0000000002121000-memory.dmp
C:\Users\Admin\Documents\st.exe
| MD5 | 39c27aec900d0613e02b78df2333657c |
| SHA1 | 822bf6d0eb04df65c072b51100c5c852761e7c9e |
| SHA256 | dabee7680e09565154e7807c1ed362838ad6ee4e373ee97069e3b33db1ec10f7 |
| SHA512 | 316497a6973ea6c7883b3112b1d5a7f042f654f807ac8b2919e42719f384469cc5d7d39112982bee0d18900ee6f76dd00664d206f5f13d6448dd27a3c84c1880 |
memory/2916-10-0x0000000000290000-0x0000000000291000-memory.dmp
memory/2916-9-0x0000000000250000-0x0000000000265000-memory.dmp
memory/2916-11-0x0000000000400000-0x000000000041A000-memory.dmp
memory/2916-12-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2916-13-0x0000000000400000-0x000000000041A000-memory.dmp
memory/2916-14-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2916-15-0x0000000000400000-0x000000000041A000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:10
Platform
win7-20240903-en
Max time kernel
550s
Max time network
362s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\ziylmpcea.exe" | C:\Windows\SysWOW64\ctfmon.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ywicmnfzby.$00.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\ctfmon.exe | N/A |
Disables Task Manager via registry modification
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ctfmon.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywicmnfzby.$00.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ctfmon.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ctfmon.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ctfmon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ywicmnfzby.$00.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ctfmon.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ywicmnfzby.$00.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe
"C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe"
C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
C:\Users\Admin\AppData\Local\Temp\ywicmnfzby.$00.exe
C:\Users\Admin\AppData\Local\Temp\ywicmnfzby.$00.exe
C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 397110121001i83455512377.com | udp |
Files
memory/1628-2-0x0000000000400000-0x0000000000416000-memory.dmp
memory/1628-1-0x0000000000240000-0x0000000000256000-memory.dmp
memory/1628-0-0x0000000000400000-0x0000000000416000-memory.dmp
memory/1628-6-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2332-4-0x000000007EFA0000-0x000000007EFAF000-memory.dmp
memory/2332-3-0x000000007EFA0000-0x000000007EFAF000-memory.dmp
memory/2332-7-0x000000007EFA0000-0x000000007EFAF000-memory.dmp
\Users\Admin\AppData\Local\Temp\ywicmnfzby.$00.exe
| MD5 | f45f47edced7fac5a99c45ab4b8c2d54 |
| SHA1 | 9060189dd95635c5f75d7f91c9bd345200e83028 |
| SHA256 | 0529cdbc893fee664d3ac540b1e41e184797e0770808254058fc21de0a10b6c8 |
| SHA512 | ecf1ae299d0525f86b8c398d06b429164a10d6552caf08710567680ba670bc0c918bfff1807214b33a177202cbe8eeeeffa1396b91e697aed4da91fe81f523d3 |
memory/2332-17-0x000000007EFA0000-0x000000007EFAF000-memory.dmp
memory/2376-19-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2376-18-0x0000000000260000-0x0000000000276000-memory.dmp
memory/1900-22-0x000000007EFA0000-0x000000007EFAF000-memory.dmp
memory/2376-23-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2376-24-0x0000000000260000-0x0000000000276000-memory.dmp
memory/1900-25-0x000000007EFA0000-0x000000007EFAF000-memory.dmp
memory/1900-26-0x000000007EFA0000-0x000000007EFAF000-memory.dmp
memory/1900-30-0x000000007EFA0000-0x000000007EFAF000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:10
Platform
win7-20240903-en
Max time kernel
598s
Max time network
600s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pr = "C:\\Program Files (x86)\\decrypt_0000000000000020-000A0000.exe" | C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\CIVQWTJLSD.BBF | C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CIVQWTJLSD.BBF | C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe | N/A |
| File created | C:\Program Files (x86)\decrypt_0000000000000020-000A0000.exe | C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe | N/A |
| File opened for modification | C:\Program Files (x86)\decrypt_0000000000000020-000A0000.exe | C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe
"C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | decimallightness.com | udp |
| US | 8.8.8.8:53 | craigslistlasvegascars.com | udp |
| US | 8.8.8.8:53 | deenislam.org | udp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 8.8.8.8:53 | dentistinnicaragua.com | udp |
| US | 8.8.8.8:53 | dedhamfoodpantry.org | udp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
| US | 192.124.249.157:80 | dedhamfoodpantry.org | tcp |
| HK | 34.92.46.178:80 | deenislam.org | tcp |
Files
memory/2428-3-0x0000000000400000-0x00000000004A0000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:16
Platform
win7-20240903-en
Max time kernel
361s
Max time network
362s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad.vbs"
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:27
Platform
win7-20240903-en
Max time kernel
357s
Max time network
358s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ_THIS_TO_DECRYPT.html | C:\Users\Admin\AppData\Local\Temp\f6a8d7a4291c55020101d046371a8bda.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f6a8d7a4291c55020101d046371a8bda.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f6a8d7a4291c55020101d046371a8bda.exe
"C:\Users\Admin\AppData\Local\Temp\f6a8d7a4291c55020101d046371a8bda.exe"
Network
Files
C:\Users\Admin\Documents\READ_THIS_TO_DECRYPT.html
| MD5 | 55764b80badcdfe4337f538993fc3aab |
| SHA1 | 049ebb79ca8e78a30318d9eef6b37992572e1034 |
| SHA256 | a53779746a2aec49c361f546b70a74508aac83c9ea8203af07f142abfa251b35 |
| SHA512 | b8a94d01ad1ca07fd08a890a5b55b71d97d0fc3df705704812c18993872d1ed7360aea6a5fb7e388fd8cedbc2baa7cfabf4207f59becee2927aa1030fa60689b |
Analysis: behavioral32
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:30
Platform
win7-20241010-en
Max time kernel
313s
Max time network
319s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb8823e9494016f59ab25ec6cc0961da_api-ms-win-system-softpub-l1-1-0.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:10
Platform
win7-20240903-en
Max time kernel
600s
Max time network
363s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B838.tmp\chrst.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\B838.tmp\chrst.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B838.tmp\chrst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\B838.tmp\chrst.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe
"C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B838.tmp\ExtraTools.bat "C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe""
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\B838.tmp\ErOne.vbs"
C:\Users\Admin\AppData\Local\Temp\B838.tmp\chrst.exe
chrst.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\B838.tmp\ExtraTools.bat
| MD5 | 8f07fa594d84c6e234b336def0b47cdc |
| SHA1 | 34b88980635c3f2367af03caedc01d50b5e4624a |
| SHA256 | dd79d7a80a9087e1fced76ade08394843eab01a8ce263dc2306f46435b451f77 |
| SHA512 | c33fd26b5399771f4bf9877d717bb730a8101b9f6bd24847084c50b066db7f6e43d56cbf44792eedc94d117c50a988f5d4a46127a34a2115c50fbb4a67ed2047 |
C:\Users\Admin\AppData\Local\Temp\B838.tmp\ErOne.vbs
| MD5 | a764fe63c6cc48c851f0d2a8ba73c2b7 |
| SHA1 | e16351bd38ebcac7e182905767f9b36e078fb5d5 |
| SHA256 | 8c4d90a5343cea107fad96e842404522aadfc416e7cf84adc58fe2ba72bbc919 |
| SHA512 | b0a93898c66c2ff97f9d8cb1f75364a6c4a0ad5cf3158815f94ffb900796065c8e0d384b392d59bf2b01419adb8c65d2dc846ddebaaea971d64c3300edc63571 |
C:\Users\Admin\AppData\Local\Temp\B838.tmp\firefox32.exe
| MD5 | 866604f3adb9207e29505012215f203f |
| SHA1 | 718b342c3bc42f3e73c4014c2b105c4d467b0ba6 |
| SHA256 | 978ed9b9c86653e8f10feb9e7f93eb32f2dadeec42ccce498403e96b7bb3e3c9 |
| SHA512 | cdcdd94e2a4c550a819a28085fe543ed944da298da1409ed111380fbde89f6976a4c7d040750307579b007b4551aa86182d453408436bd7aef35423c49b60f79 |
C:\Users\Admin\AppData\Local\Temp\B838.tmp\chrst.exe
| MD5 | c657daf595b5d535ccc757ad837eebe8 |
| SHA1 | 894e953e86e54a830a14fac94e57569d184a9c09 |
| SHA256 | a02565ec78fa1221433e720bd57b044938345b8c65a73143bd9ff73529767526 |
| SHA512 | 21a26bc146dd2a915c17b268b13edc565e9a582d11c1714d89741f4156a880dfe35415d4920a6326d164519f4b28b6371ef9c7bfdb5e19080448bd77b4a20a4b |
memory/2640-44-0x000000007428E000-0x000000007428F000-memory.dmp
memory/2640-45-0x0000000000140000-0x0000000000168000-memory.dmp
memory/2640-46-0x000000007428E000-0x000000007428F000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:10
Platform
win7-20240708-en
Max time kernel
377s
Max time network
377s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bgckojpgggmcgnt = "C:\\ProgramData\\sungxqekykzeawigkuxf.exe" | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\bgckojpgggmcgnt = "C:\\ProgramData\\sungxqekykzeawigkuxf.exe" | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bgckojpgggmcgnt = "C:\\Windows\\sungxqekykzeawigkuxf.exe" | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\bgckojpgggmcgnt = "C:\\Windows\\sungxqekykzeawigkuxf.exe" | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sungxqekykzeawigkuxf.exe | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
| File opened for modification | C:\Windows\sungxqekykzeawigkuxf.exe | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe
"C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trybesmart.in | udp |
Files
C:\ProgramData\dhqiiylrjiashxnahpkvmwffwzdhxjak
| MD5 | 5643e2590826d85cd09f97dd6a8ec012 |
| SHA1 | 9424646c927693cc2d8b2d3ac21622f015fe1ed2 |
| SHA256 | fc9fbae8e11bd7c664a3a4203303fe43125e72db0d7c8d68d36a244e3293066d |
| SHA512 | 3ee054843470d3bb0b330d4b4dd07996195da1cbb131eec2125c2dbd6ab6576c2bf202af279c6432a4cfb2d3c623af7ce5205c567c94d096c1828068c31fe7d6 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:20
Platform
win7-20241010-en
Max time kernel
314s
Max time network
320s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d_Stealer.dll,#1
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:20
Platform
win7-20240903-en
Max time kernel
599s
Max time network
600s
Command Line
Signatures
Deletes shadow copies
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe
"C:\Users\Admin\AppData\Local\Temp\ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=2 get deviceid | findstr . > %tmp%\y
C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic logicaldisk where drivetype=2 get deviceid
C:\Windows\SysWOW64\findstr.exe
findstr .
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=3 get deviceid | findstr . > %tmp%\y
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic logicaldisk where drivetype=3 get deviceid
C:\Windows\SysWOW64\findstr.exe
findstr .
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=4 get deviceid | findstr . > %tmp%\y
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic logicaldisk where drivetype=4 get deviceid
C:\Windows\SysWOW64\findstr.exe
findstr .
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic path win32_physicalmedia get SerialNumber | findstr . > %tmp%\y && wmic cpu get ProcessorId | findstr . >> %tmp%\y && wmic path win32_BASEBOARD get Product | findstr . >> %tmp%\y
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_physicalmedia get SerialNumber
C:\Windows\SysWOW64\findstr.exe
findstr .
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get ProcessorId
C:\Windows\SysWOW64\findstr.exe
findstr .
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_BASEBOARD get Product
C:\Windows\SysWOW64\findstr.exe
findstr .
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | torproject.ip-connect.vn.ua | udp |
| UA | 91.236.251.35:80 | torproject.ip-connect.vn.ua | tcp |
| US | 8.8.8.8:53 | torproject.ip-connect.vn.ua | udp |
| UA | 91.236.251.35:80 | torproject.ip-connect.vn.ua | tcp |
| UA | 91.236.251.35:80 | torproject.ip-connect.vn.ua | tcp |
| UA | 91.236.251.35:80 | torproject.ip-connect.vn.ua | tcp |
| UA | 91.236.251.35:80 | torproject.ip-connect.vn.ua | tcp |
| UA | 91.236.251.35:80 | torproject.ip-connect.vn.ua | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\y
| MD5 | 730a1c06f8273df68828bbebb3e1fab0 |
| SHA1 | 1c269bdd515ca992df2c07c2b4c0eda26f1a6c91 |
| SHA256 | da51411ba8d69f112382c4ada4c02ad9e5ab3fcececca4bd50bb11122e473679 |
| SHA512 | 1d56e0d3704d75dff9f20347ff3e712c114a1d9e5383e6356a71a9705dd4a3bb311c174c6d026cc60707abc56f7bfda011293a8dbd7f79a299fb712d3ad33f30 |
C:\Users\Admin\AppData\Local\Temp\y
| MD5 | 445e94a8ece8238758d3a897fef6822b |
| SHA1 | 2c5e5cb3ce480d98d74fe5a0ed23d31848ebb407 |
| SHA256 | 543e763d191bc04c5564cf6521eeff6c154b74415575303c72b46f32bd24594b |
| SHA512 | c6347eb9214eab5b8e2f61358153244203480c11d4d83f83e1e37cdd3f922a6e50c5568618fb27cb2a70487d7b9bea44614a065631934fca5894a6daec1f82a6 |
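The behavioral22 process tree above is the usual pre-encryption sequence: the sample spawns cmd.exe to run `vssadmin delete shadows /all /quiet`, enumerates logical disks by drive type through WMIC, and collects the disk serial, CPU ID and baseboard product into `%tmp%\y`, which is what the two hashes recorded for `C:\Users\Admin\AppData\Local\Temp\y` reflect. The following is an added example, not code from the sandbox or from the sample, showing how to score that chain from process-creation telemetry. The event command lines are copied from the report; the PIDs and parent PIDs are assumed values chosen to model the tree, and the explorer.exe and `vssadmin list shadows` rows are constructed benign noise.

```python
"""Added example (not part of the sandbox report): reconstruct the behavioral22
process chain from constructed process-creation events and flag the ransomware
pre-encryption steps it shows (shadow copy deletion, drive enumeration and
hardware fingerprinting via WMIC, staging of results in %tmp%)."""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe")

# Constructed events in the shape of Sysmon Event ID 1 / EDR process-create
# telemetry. Command lines come from the report; PIDs/PPIDs are assumed.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && exit'},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 203, "ppid": 200, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=3 get deviceid | findstr . > %tmp%\y'},
    {"pid": 204, "ppid": 203, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic logicaldisk where drivetype=3 get deviceid"},
    {"pid": 205, "ppid": 200, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C wmic path win32_physicalmedia get SerialNumber | findstr . > %tmp%\y && wmic cpu get ProcessorId | findstr . >> %tmp%\y && wmic path win32_BASEBOARD get Product | findstr . >> %tmp%\y'},
    {"pid": 206, "ppid": 205, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic path win32_physicalmedia get SerialNumber"},
    {"pid": 207, "ppid": 205, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic cpu get ProcessorId"},
    {"pid": 208, "ppid": 205, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic path win32_BASEBOARD get Product"},
    # Constructed benign control: an administrator listing shadow copies.
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe"'},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

# Shells and LOLBins we look through when attributing behaviour to an origin.
INTERMEDIARIES = {"cmd.exe", "wmic.exe", "findstr.exe", "vssadmin.exe", "conhost.exe"}

RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmi_drive_enumeration", re.compile(r"wmic\s+logicaldisk\s+where\s+drivetype=\d", re.I)),
    ("hardware_fingerprinting", re.compile(
        r"wmic\s+(path\s+win32_physicalmedia\s+get\s+SerialNumber"
        r"|cpu\s+get\s+ProcessorId|path\s+win32_BASEBOARD\s+get\s+Product)", re.I)),
    ("staging_in_temp", re.compile(r">>?\s*%tmp%\\", re.I)),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def origin_of(pid, by_pid):
    """Walk up the parent chain to the first process that is not a shell/LOLBin."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        if basename(ev["image"]) not in INTERMEDIARIES:
            return ev["image"]
        pid = ev["ppid"]
    return None


def score_events(events):
    """Return {origin image: sorted list of matched rule names}."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(set)
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                origin = origin_of(ev["pid"], by_pid)
                if origin:
                    hits[origin].add(name)
    return {k: sorted(v) for k, v in hits.items()}


def ransomware_candidates(events):
    """Origins that both destroy recovery data and fingerprint the host."""
    return [origin for origin, names in score_events(events).items()
            if "shadow_copy_deletion" in names and "hardware_fingerprinting" in names]


if __name__ == "__main__":
    for origin, names in score_events(EVENTS).items():
        print(origin, "->", ", ".join(names))
    print("candidates:", ransomware_candidates(EVENTS))
```

Attribution walks past cmd.exe, WMIC.exe and findstr.exe to the originating binary, so the verdict lands on the dropped executable rather than on a system binary, and the final rule requires both recovery destruction and fingerprinting so an administrator running vssadmin on its own is not alerted on.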
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:20
Platform
win7-20240903-en
Max time kernel
359s
Max time network
361s
Command Line
Signatures
Deletes shadow copies
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
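The rows above, together with the long Drops file in System32 directory table that follows in this analysis, show the encryptor writing `readme_liesmich_encryptor_raas.txt` into every directory it visits while opening unrelated files (help text, .PNF, .rtf) for modification; behavioral30 shows the same pattern with `READ_THIS_TO_DECRYPT.html` in Documents and the Startup folder. The following is an added example, not from the report or the samples, that detects that fan-out from file-event rows. The events are a constructed subset of the report's rows; the update.exe rows, the thresholds and the note-name hints are assumptions.

```python
"""Added example (not from the sandbox report): spot ransom-note fan-out and
mass file modification from file-event rows like those in behavioral25
(readme_liesmich_encryptor_raas.txt) and behavioral30 (READ_THIS_TO_DECRYPT.html)."""
import ntpath
from collections import defaultdict

PROC = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
        "encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe")
UPDATER = "C:\\Program Files\\Example\\update.exe"   # assumed benign process

# Constructed subset of the report's "Drops file" rows: (action, path, process).
FILE_EVENTS = [
    ("File created", "C:\\Windows\\SysWOW64\\drivers\\readme_liesmich_encryptor_raas.txt", PROC),
    ("File created", "C:\\Windows\\System32\\DriverStore\\FileRepository\\msmouse.inf_amd64_neutral_7a5f47d3150cc0eb\\readme_liesmich_encryptor_raas.txt", PROC),
    ("File created", "C:\\Windows\\SysWOW64\\de-DE\\Licenses\\eval\\HomeBasicE\\readme_liesmich_encryptor_raas.txt", PROC),
    ("File created", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\ja-JP\\readme_liesmich_encryptor_raas.txt", PROC),
    ("File opened for modification", "C:\\Windows\\SysWOW64\\drivers\\gmreadme.txt", PROC),
    ("File opened for modification", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\es-ES\\about_modules.help.txt", PROC),
    ("File opened for modification", "C:\\Windows\\System32\\DriverStore\\FileRepository\\netk57a.inf_amd64_neutral_8b26ad5d0cc037a9\\netk57a.PNF", PROC),
    ("File opened for modification", "C:\\Windows\\SysWOW64\\en-US\\Licenses\\eval\\StarterN\\license.rtf", PROC),
    # Constructed benign noise: an updater touching its own files.
    ("File created", "C:\\Program Files\\Example\\readme.txt", UPDATER),
    ("File opened for modification", "C:\\Program Files\\Example\\update.log", UPDATER),
]

# Assumed substrings typical of ransom-note names.
NOTE_HINTS = ("readme", "decrypt", "recover", "restore", "how_to")


def note_fanout(events, min_dirs=3):
    """Per process: filenames created in at least min_dirs distinct directories."""
    dirs = defaultdict(set)
    for action, path, proc in events:
        if action == "File created":
            d, name = ntpath.split(path)
            dirs[(proc, name.lower())].add(d.lower())
    out = defaultdict(dict)
    for (proc, name), ds in dirs.items():
        if len(ds) >= min_dirs:
            out[proc][name] = len(ds)
    return dict(out)


def looks_like_note(name):
    n = name.lower()
    return any(h in n for h in NOTE_HINTS) and n.endswith((".txt", ".html", ".hta", ".rtf"))


def mass_modification(events, min_extensions=3):
    """Per process: distinct extensions opened for modification, notes excluded."""
    ext = defaultdict(set)
    notes = {name for per_proc in note_fanout(events).values() for name in per_proc}
    for action, path, proc in events:
        name = ntpath.basename(path).lower()
        if action == "File opened for modification" and name not in notes:
            ext[proc].add(ntpath.splitext(name)[1])
    return {p: sorted(e) for p, e in ext.items() if len(e) >= min_extensions}


def ransomware_like(events):
    """Processes that fan out a note-looking file AND modify many file types."""
    fan = note_fanout(events)
    mass = mass_modification(events)
    return sorted(p for p in fan if p in mass and any(looks_like_note(n) for n in fan[p]))


if __name__ == "__main__":
    print("fan-out:", note_fanout(FILE_EVENTS))
    print("mass modification:", mass_modification(FILE_EVENTS))
    print("ransomware-like:", ransomware_like(FILE_EVENTS))
```

The two signals are kept separate on purpose: note fan-out alone also matches installers that drop a readme per component, and mass modification alone matches backup or indexing tools, but a single process doing both across system directories is the behaviour this analysis records.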
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\69srkdAG47tGigR4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe\" /SkipReg" | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
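Both behavioral14 (the same value name `bgckojpgggmcgnt` written to the HKLM Wow6432Node and HKCU Run keys, pointing first at C:\ProgramData and then at the Windows root) and the `69srkdAG47tGigR4` entry above (the sample registering its own Temp path with `/SkipReg`) are Run-key persistence. The following is an added example, not the sandbox's or the samples' code, that triages such registry rows. The entries are constructed from the report with the backslash and quote escaping undone and hive paths abbreviated; the SecurityHealth and OneDrive rows are assumed benign controls, and the directory list and vowel-ratio threshold are assumptions.

```python
"""Added example (not code from the sandbox or the samples): triage the
Run-key persistence entries recorded in behavioral14 and behavioral25."""
import re

VOWELS = set("aeiou")

# Constructed from the report's "Adds Run key to start application" rows.
# The last two rows are assumed benign controls, not from the report.
RUN_ENTRIES = [
    {"hive": "HKLM", "name": "bgckojpgggmcgnt",
     "data": "C:\\ProgramData\\sungxqekykzeawigkuxf.exe"},
    {"hive": "HKCU", "name": "bgckojpgggmcgnt",
     "data": "C:\\Windows\\sungxqekykzeawigkuxf.exe"},
    {"hive": "HKLM", "name": "69srkdAG47tGigR4",
     "data": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\"
             "encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe\" /SkipReg"},
    {"hive": "HKLM", "name": "SecurityHealth",
     "data": "C:\\Program Files\\Windows Defender\\MSASCuiL.exe"},
    {"hive": "HKCU", "name": "OneDrive",
     "data": "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"},
]

# (flag, marker, anchored_at_start): an executable placed *directly* in one of
# these directories is unusual for a legitimate autostart entry.
LOCATIONS = [
    ("programdata_root", "c:\\programdata\\", True),
    ("windows_root", "c:\\windows\\", True),
    ("public_root", "c:\\users\\public\\", True),
    ("user_temp", "\\appdata\\local\\temp\\", False),
]

_CMD = re.compile(
    r'^"([^"]+)"\s*(.*)$|^(\S.*?\.(?:exe|dll|scr|bat|cmd|vbs|js))(?:\s+(.*))?$', re.I)


def split_command(data):
    """Return (executable path, arguments) from a Run value's data string."""
    m = _CMD.match(data.strip())
    if not m:
        return data.strip(), ""
    if m.group(1) is not None:
        return m.group(1), m.group(2).strip()
    return m.group(3), (m.group(4) or "").strip()


def location_flag(exe):
    low = exe.lower()
    for flag, marker, anchored in LOCATIONS:
        idx = low.find(marker)
        if idx < 0 or (anchored and idx != 0):
            continue
        rest = low[idx + len(marker):]
        if "\\" not in rest:          # direct child of the marker directory
            return "location:" + flag
    return None


def looks_random(name, max_vowel_ratio=0.2):
    """Weak signal: generated names tend to be short on vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < max_vowel_ratio


def assess(entry):
    exe, args = split_command(entry["data"])
    flags = []
    loc = location_flag(exe)
    if loc:
        flags.append(loc)
    if looks_random(entry["name"]):
        flags.append("random_value_name")
    return {"hive": entry["hive"], "name": entry["name"], "exe": exe,
            "args": args, "flags": sorted(flags), "suspicious": loc is not None}


def cross_hive_names(entries):
    """Value names written to both HKLM and HKCU Run keys, as behavioral14 shows."""
    hives = {}
    for e in entries:
        hives.setdefault(e["name"], set()).add(e["hive"])
    return sorted(n for n, h in hives.items() if {"HKLM", "HKCU"} <= h)


if __name__ == "__main__":
    for e in RUN_ENTRIES:
        r = assess(e)
        print("SUSPICIOUS" if r["suspicious"] else "ok        ",
              r["hive"], r["name"], r["exe"], r["args"], r["flags"])
    print("same name in both hives:", cross_hive_names(RUN_ENTRIES))
```

The location check is the deciding signal; the vowel-ratio heuristic is only supporting evidence, which is why `sungxqekykzeawigkuxf` (vowel ratio 0.3) is not flagged by it while the entry is still suspicious for living directly under C:\ProgramData and C:\Windows. Writing the same value into both hives, as behavioral14 does, is worth a separate check because each hive on its own looks like an ordinary per-user or per-machine autostart.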
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_modules.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_neutral_7a5f47d3150cc0eb\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\SysWOW64\de-DE\Licenses\eval\HomeBasicE\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ksfilter.inf_amd64_neutral_86311fdf78a07678\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmsun2.inf_amd64_neutral_242c76ad2e288fb4\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netk57a.inf_amd64_neutral_8b26ad5d0cc037a9\netk57a.PNF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_execution_policies.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_data_sections.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netl1e64.inf_amd64_neutral_22118b1072f57433\netl1e64.PNF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd5300t.exp | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\eval\StarterN\license.rtf | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\blbdrive.inf_amd64_neutral_1aa816fe7dc98c3f\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnod002.inf_amd64_neutral_a10c656b6c7c053c\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wiaep002.inf_amd64_neutral_0a982dec66379cb0\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\SysWOW64\ja-JP\Licenses\eval\UltimateE\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnky307.inf_amd64_ja-jp_e40bd14f18e8ff7d\prnky307.PNF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_If.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_transactions.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\lsi_fc.inf_amd64_neutral_a7088f3644ca646a\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmagm64.inf_amd64_neutral_ef322a8cc2738a9b\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\SysWOW64\es-ES\Licenses\_Default\Ultimate\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmke.inf_amd64_neutral_3e4daa83122b1559\mdmke.PNF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_data_sections.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_try_catch_finally.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmnis3t.inf_amd64_neutral_857ff0fa9c73850a\mdmnis3t.PNF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_command_precedence.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_eventlogs.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ph3xibc0.inf_amd64_neutral_c24bcc939e6dfc23\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wiaca00a.inf_amd64_neutral_163313056d8f34ab\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\prnbr005.PNF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WCN\de-DE\Add_a_device_or_computer_to_a_network_usb.rtf | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Automatic_Variables.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\cxraptor_philipstuv1236d_ibv64.inf_amd64_neutral_b6a3e57df5bad299\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_neutral_0383c5de75359695\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Enterprise\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\SysWOW64\it-IT\Licenses\eval\UltimateE\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6500nt.cfg | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_troubleshooting.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmnis3t.inf_amd64_neutral_857ff0fa9c73850a\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmsuprv.inf_amd64_neutral_31d10a1a73b4feaa\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\SysWOW64\en-US\Licenses\OEM\ProfessionalN\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\SysWOW64\es-ES\Licenses\eval\HomePremiumN\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\prngt002.PNF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Enterprise\license.rtf | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\System32\LogFiles\AIT\AitEventLog.etl.005 | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\SysWOW64\de-DE\Licenses\eval\StarterN\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\SysWOW64\en-US\Licenses\OEM\EnterpriseN\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasicE\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd4100t.exp | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomeBasic\license.rtf | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\bthprint.inf_amd64_neutral_3c11362fa327f5a4\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\dot4prt.inf_amd64_neutral_e7d3f62d0d4411db\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmgl002.inf_amd64_neutral_e204d4267d752eb7\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmgl003.inf_amd64_neutral_4c78da9e48068043\mdmgl003.PNF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmsmart.inf_amd64_neutral_829e8c7d1c8d5207\mdmsmart.PNF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_try_catch_finally.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_providers.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions_advanced.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\angel264.inf_amd64_neutral_04b54b6322607cce\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wialx003.inf_amd64_neutral_db618863f9347f9a\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_ja.jar | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_02.MID | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\SOLVSAMP.XLS | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\MMHMM.WAV | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14582_.GIF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\SpaceSelector.ico | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\TAB_OFF.GIF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_bullets.gif | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\EmptyDatabase.zip | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\GetExpand.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR18F.GIF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_over.gif | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.ds_1.4.200.v20131126-2331.jar | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\management-agent.jar | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericonMask.bmp | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\localedata.jar | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_few-showers.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101866.BMP | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\flyoutBack.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\inf\netbvbda.PNF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UnInstallProfile.SQL | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\image2.gif | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..l-starter.resources_31bf3856ad364e35_6.1.7600.16385_en-us_24090ddf20410f44\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_bd4d20299386f90e\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_es-es_76b445ae591253e2\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\inf\avmx64c.PNF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\inf\mdmbr008.PNF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-push_31bf3856ad364e35_6.1.7600.16385_none_cc073ae540855a07\NavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Windows Hardware Fail.wav | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_join.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_2c8a1d1c5da2edf8\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_notes-txt-background.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7600.16385_it-it_67246ac68055bec8\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_98af26a5072718fa\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\inf\mdmbsb.PNF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_c985fbedc9886bd1\license.rtf | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-stacking_31bf3856ad364e35_6.1.7600.16385_none_d0d2b98d4629a41f\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\square.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\23.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7601.17514_es-es_c82940e03ac63534\license.rtf | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-h..putername.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ec2a8bc0ed056604\OOBE_HELP_Change_Computer_Name.rtf | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_5d0f22c9e44cb6ed\license.rtf | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-sonic-symphonyntsc_31bf3856ad364e35_6.1.7600.16385_none_d75d6085d60aa50d\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Scenes\img28.jpg | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\CA-wp6.jpg | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_functions_advanced_methods.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_6f6cca095bde05bb\license.rtf | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-tapicore_31bf3856ad364e35_6.1.7600.16385_none_402eca316047a0fe\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\inf\wialx005.PNF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..adisc-style-babyboy_31bf3856ad364e35_6.1.7600.16385_none_f13596916b261f67\navSubpicture.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_job_details.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_de-de_8a445b750021d88a\license.rtf | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_objects.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_Windows_PowerShell_2.0.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_it-it_66b0580ce2717717\license.rtf | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_07861dacd36a18f4\item_hover_docked.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\5.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_methods.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\Ringtone 06.wma | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_History.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp3.jpg | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\45.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Return.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_History.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_WS-Management_Cmdlets.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d34b7c772c3fe85c\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\12.png | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d2c0ff1e722cb495\license.rtf | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Windows Exclamation.wav | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_escape_characters.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\inf\mdmcdp.PNF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\inf\mdmmct.PNF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\inf\ql40xx.PNF | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Automatic_Variables.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7601.17514_it-it_1e4d6c8ff7baeac6\readme_liesmich_encryptor_raas.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.5\SQL\it\SqlPersistenceProviderSchema.sql | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-h..homegroup.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ab00b852533a224a\OOBE_HELP_What_is_HomeGroup.rtf | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Windows Balloon.wav | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_pipelines.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_properties.help.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ehome-epgtos.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b661d7abc4d159c8\epgtos.txt | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
Enumerates physical storage devices
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70427c9ce83cdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AD4DF3F1-A8DB-11EF-80CF-C28ADB222BBA} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438446561" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000fabede692f1078d982771425538199acac6cd5298d2fcd15234379589b90e401000000000e8000000002000020000000fe901a83de7b3cf7c49cb6b4d1287fa83463d40fc968f1a212ac5aa2ed78432520000000225c48793f07b1f10a8f1bebcd32468073c4a5cf5ba7f5e2daf7fa03af4f7886400000003ec76856395dbb58f7a96acf17b85e295c5009450e74bf0479b46867a5fa09a3ec4d1d086db7174f4f39354a00ef40471567998848570a328f99da4b05b1ac25 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (data value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
"C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /Quiet /All
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://kqd2eml2kjib53oe.onion.link/vict?cust=9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581&guid=bf99bef1-312f-4726-8597-70228ef05e99
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /Quiet /All
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kqd2eml2kjib53oe.onion.link | udp |
| AU | 103.198.0.111:80 | kqd2eml2kjib53oe.onion.link | tcp |
| AU | 103.198.0.111:80 | kqd2eml2kjib53oe.onion.link | tcp |
| AU | 103.198.0.111:80 | kqd2eml2kjib53oe.onion.link | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
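The process tree above is the whole ransomware story in five entries: the encryptor spawns cmd.exe to run vssadmin Delete Shadows /Quiet /All, the Volume Shadow Copy service (vssvc.exe) starts and, as it does for any deletion request, enables SeBackupPrivilege and SeRestorePrivilege (which is why the AdjustPrivilegeToken signature fires on a Microsoft service binary rather than on the malware), and iexplore.exe is pointed at a Tor2web-style .onion.link gateway with a cust= value that matches the hex suffix of the dropped filename and a per-machine guid=. The script below is an added triage example, not part of the report or of the sandbox: it parses a process list in exactly this shape, flags recovery-destroying command lines, and extracts the victim identifiers. The command-line patterns beyond the one this sample uses and the .onion gateway check are assumptions of the example.

```python
"""Triage a sandbox process list for ransomware tells.

Added example, not from the report: walks a process list in the shape
shown above (image path on one line, quoted command line on the next),
flags command lines that destroy recovery points, and pulls per-victim
identifiers out of any URL handed to a browser.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed from the Processes block of the encryptor_raas detonation above.
SAMPLE_PROCESSES = r"""
C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
"C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /Quiet /All
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://kqd2eml2kjib53oe.onion.link/vict?cust=9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581&guid=bf99bef1-312f-4726-8597-70228ef05e99
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /Quiet /All
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
"""

# Command-line shapes that delete or cripple Windows recovery points.
# The first is what this sample runs; the rest are common equivalents
# (assumed list, extend to taste).
SHADOW_DESTRUCTION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
]

TOR_GATEWAY = re.compile(r"\.onion(\.|$)", re.I)   # bare .onion or a Tor2web-style proxy


def parse_processes(text):
    """Return (image_path, command_line) pairs from a path/command-line list."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return [(lines[i], lines[i + 1]) for i in range(0, len(lines) - 1, 2)]


def find_shadow_destruction(procs):
    """Command lines that remove shadow copies or disable recovery.

    Both the cmd.exe wrapper and the vssadmin child are returned: the
    wrapper shows who asked, the child shows it actually ran.
    """
    return [cmd for _, cmd in procs if any(p.search(cmd) for p in SHADOW_DESTRUCTION)]


def extract_victim_ids(procs):
    """Per-victim identifiers from URLs on the command line.

    Ransom portals key the payment page to a campaign/customer id and a
    per-machine GUID; both are pivot values for hunting and for matching
    a ransom note to this infection.
    """
    hits = []
    for _, cmd in procs:
        for url in re.findall(r"https?://\S+", cmd):
            u = urlparse(url)
            host = u.hostname or ""
            q = parse_qs(u.query)
            hits.append({
                "host": host,
                "tor_gateway": bool(TOR_GATEWAY.search(host)),
                "cust": q.get("cust", [None])[0],
                "guid": q.get("guid", [None])[0],
            })
    return hits


if __name__ == "__main__":
    procs = parse_processes(SAMPLE_PROCESSES)
    for cmd in find_shadow_destruction(procs):
        print("recovery destruction:", cmd)
    for hit in extract_victim_ids(procs):
        print("victim id:", hit)
```

The cmd.exe wrapper is kept on purpose: on a real host the vssadmin child is what an EDR rule matches, but the wrapper's parent is the process you actually need to kill and collect.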
Files
memory/2316-0-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2316-102-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2316-958-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2316-2803-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2316-3993-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Program Files\Common Files\Microsoft Shared\ink\readme_liesmich_encryptor_raas.txt
| MD5 | e05a483e9a949fcda524cb8b4ab8ba36 |
| SHA1 | 398774b20f4b26c51088d552dcceeaea55302be0 |
| SHA256 | f07bdef5a164e4484c0a3d9315bf94792503543877863ea0e57e955f9d9dae9d |
| SHA512 | d52bde031c3f7926afe042c85596246789b5817fde835f6309c5b5874477b109cd4d976209c28d469285a2b99b6ae5a0e4a3d6dc7ef2eee69e7dd1a579458368 |
memory/2316-4367-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2316-4599-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabAA92.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarAB72.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 722d8f52a4f387cffee97f9b2160b05b |
| SHA1 | f189a57167e9e526f1619b71f7cb77a730b3ee2c |
| SHA256 | 0cf31829390341fb0704d4a74c47c7ed47c3ed9e32045198644339670121481f |
| SHA512 | 9ffeeb065e46817e3571c7a3f1828f4a3decae320bf68ce7d8a81888c2709244a6092571edcda6e160dca57566f953adf757280914c63fb56f0f203287522f9e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6fc1ae52fbbb2c8c363f8d98ef668647 |
| SHA1 | 650cfe49244ef95b44c6ae698d229a263e339dd5 |
| SHA256 | ee471558df686d0a06ea8c7be012d16232d138e7ca02943c7b4b0c86ad94b61f |
| SHA512 | 3a020d17b21e182a121ad141768b4961df096824da860749ed908a005e8d0e88f3b308bf0cf45b521cf846a263d45553b539d20d144b0b0d88eab834841e2edd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a9bb4e1022c6fab16712f6fa74b50cca |
| SHA1 | 161f9f2f8f3c02ab0ded0578e753c3cff697a501 |
| SHA256 | ceca9d7d481cbd7120f5f950d94e93a2c62f584b86fdaf0b30fdd5266b1e49b1 |
| SHA512 | b4c34097773507ef2c1748dc30bc34fd4f88b2ab5cd5eabef035f30efad20425ec5e4a1f6c79ac1a9d84c8a7f0e978e214c96a5064d4291a2b618a4076043092 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f69932549e545781bd413734ad00274a |
| SHA1 | cd118e066b5e670543775521c8eded8bd4492ee8 |
| SHA256 | ba21c33595f78922828ddb7af0dd05a201641a78b8d6a8e9e1bd4f6dc8c741b0 |
| SHA512 | a3e0b7f8899374a018ae6a3b770d70c1f360dd31342bb1fc9208e1845fd47eca55666e16a0472d91935afca2b050fa5ffaa25832319681e0c364087a3a56fbc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d7ff920e2974c03510e1c981e82e6a44 |
| SHA1 | 27385d20adf2648d5a25d450cca5f25e956ab51e |
| SHA256 | f24d861298a887b29221de776b2fc8528e8fcbfa05615619035d8df861c29bd9 |
| SHA512 | 2f7b4eac34143035cca48ade0eded400d2d652f9f7514eadae7aacda2fb48d5ff278fe3d5991b8053d71040e25c9a188d3181825e31edf6faa5e972c375e6d36 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5db9f6e33202891d538aa1a6f13319a2 |
| SHA1 | 8d76049503f9e665f0c2fc261af1cd0b1d74386d |
| SHA256 | e1ff9df5fdc2cc5bfffc19c567a4a213adb8c7380cbb3b329c9434ea06c012d8 |
| SHA512 | 2c395a21039af442672f4cb797506f9ac3799aafca8d159c961fcd08f6987eb7993553e4a288fa282cd1df5ce3109576cd101fc8185c1cc9d665cb3c27dbaa80 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 470f737a652430a6b499b4aa1a2bcd5b |
| SHA1 | fd85578f0c3b7bab81f28c462287fdccba1d7c48 |
| SHA256 | db273bf642c98eb0f549bc7921db0a1a0ce465328c6a86166f022d55c3dfab51 |
| SHA512 | b50948ab52e084f3e45286700d396cc45d86f27e026c4ad93de75d864bd98d9ff60ac4d1b3210dec2d9f3ccfb79be38cf2954aba41bdc90d732881a4ca604233 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d6263f9671e5146a1225d0fcb6d0c116 |
| SHA1 | 3ca9f2d3a715f88ee2012595ae4b2a7ce20d6017 |
| SHA256 | 91ff2a1ad88644c39c095c8bbbb590926bb3ba61ccf3b09b77a5ab4af8a99d6d |
| SHA512 | bcc2457f2af69911ff22727779ca3d02e1995d57be6b648f1e527c56e59bb983628a827548345263da94588f863372d3eb785445f2f80ab6564e66757b78676e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2bfe5ef9cb9b115683ed54e7b697be95 |
| SHA1 | 41b3a4ac5e2ff6547d672d910c002286182372ac |
| SHA256 | ed9e20a48dad20c11b5eb4d9d7f9e9e92dabddb7e188862632eb9b71de1cdd9e |
| SHA512 | da483262952c4e9d35127403c789d7b85bf1ae86647e8d13d60d35e6949b69fef75f64671cab1e5a33f1d26390660326917371429d5bfaf217cccbbffd6375f7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 77d1b6ab9dce7d443094cc749fee6f97 |
| SHA1 | e5f1880a8f466c195d196ffcba9d00011f1b60e7 |
| SHA256 | d8dff5350b9e67b3e52da6304d6fe554ebf6bc64a3d2c25e2bceb1160b2d8bed |
| SHA512 | d63411252f9352bab679923a3b2011db31ce5986e7493f171ed0a4d9df9d650c440558d988fe51dd1e2aa45e147f063cc4099659ec7620749cccd5ffdb3ebe64 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3e32e99ae25948d82cdcd10ab15569df |
| SHA1 | 7b96e8efc1a454df23d043ec20845e2cff8abadc |
| SHA256 | 4533ef6c0cc26448652639ab8ad49f4b4498f99ae4eeba454d164a5374aa074f |
| SHA512 | d5a246fb1e1eea70bac98c01ce69a2027281a1808e07899612697f08f3d5473133dad065fb6d1cf0f78d7e8347167bef5c0fc0754b7b9355b988b1a7411815b1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 92bf9d0b6bca10cf752525ef93d8d87c |
| SHA1 | 00aacb366be444ee497f0a9210eeed94451f5c63 |
| SHA256 | 9fa877b733ba1a902d4506a3c24e41cab643e52a3f6092376326ced353b084c2 |
| SHA512 | 27251121954342b9ef57c72c3f15f555a24261948fbed343e168d7e0a7af3c3c51ffb1510b782c4634daf13353daa2e44df1e97ad2f83e894d5704db1666f50a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2ca4f35a4712ac405bafe29808643639 |
| SHA1 | 550515683e94a438bb6ea20250f0e16ad863634d |
| SHA256 | c474fb59c5839b0cdb4b68bfded7be5593c8b99f7aca6590b719d58d61077b98 |
| SHA512 | 040c1227e59607ee6c840f9e2e72b55414175b20adf5b3224a52241fd4c75e573cf5c8d713ecfff58ea97edef4f2a4399a923e3a3c7d0199e109e1b4d654b773 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 56f883c112e675626203815b82c6218a |
| SHA1 | 433764258ae1f57bc19029c6b790f7316b19901f |
| SHA256 | a012619a1675a072145ad30714990a2b60910e4a2a6aedfc1240ac4f1dbb8490 |
| SHA512 | 1952b191e5eff3246d7761ac91f5c00d1ab97243629b3e7c558508a7cd0d0ea9b9f74fc95b08ce5a308b3d0c0e964762ce899e2b58e8463e4dbb7cfc43e18a8f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3ac274f84763e4dfc8b703a4eb92f441 |
| SHA1 | 07f62a694c54e8b58db4b1c2821b20894867ed13 |
| SHA256 | 5a73d962e4af6e847b0502c5e1d64f7e22e44daa9f5becbe8512e3a56ed6ac6a |
| SHA512 | 4c5b8260a2c1ba0a200137f88f7305ef65d22cf3c8094d1191484deb6562f702a498942e2487446d0a8d298afc76515638e019420d66e2479990e9b0ba4c6a0b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 06ef914198d488c0bcbabc0fa4e583a1 |
| SHA1 | e4356386f1cd0ad51d63d33ef542ab3d0649183f |
| SHA256 | 386ba1cd756f1ea15e922eafe942ce8f7a7ac97029e5383b52f6c7443a30be18 |
| SHA512 | a020c2efefb1ba69dc83011dc21792dbbd8d34b64bb71ed2eae8b3e3506823b82223594d9ae1ab54ef6527671257a0df65206892cca0cf77d0d38ce73727e809 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ab6d5d0bf6ca4de7dc7a682658c85235 |
| SHA1 | 9e9eb41b09fd7d94812329bccbc2f04f48335d56 |
| SHA256 | 5e2f0983036eb515f7d746c73e72c076f6172adfcf9966f88f9a22c77d93f045 |
| SHA512 | 4845f055cf76f801f9fc6d5eb09367b039779b0038745b9308ebf929b318d8816b8b23093857ae1b311af104a07b511ddefa5f6e5e2a8a8652ee384b0f3b3628 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1d052f68eb2ab3ca932377e0e72252ca |
| SHA1 | 5cdb94ac70b777270b56babfd5614e419d701904 |
| SHA256 | 5ad6018e97eda29eaa6c4299ace648baa1b1084039dc5a44a5acde2de781145f |
| SHA512 | b01b49389601d5e3094d5b9d40d7d2753e9d9bf2fd18f548c66d86dbdb0223a2ce5d7e4f6159a88ba1cd89de4ce1e42ceb2a9c2db23dcd7341360f6298c84536 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 16c5e5ab90e4981c78b4aa148e4fa770 |
| SHA1 | 813fd4d48d7a18003f822fd4b623ae9d6c7b9c67 |
| SHA256 | e396507ae838844433c0ef57a962df27ecedd3730695830013784acf689422d0 |
| SHA512 | 8aacc92db3118d4963d7a6859cda7ffd8a3ad7fc754e0c6619171cf365927c4f3b9db8a2ecf1d774a44cc8bf37fc7319fa602f44225b73b82a94b5db6af28fa5 |
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:20
Platform
win7-20241010-en
Max time kernel
363s
Max time network
368s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\f213e54c8520e7458751020edf15a5ea.exe
"C:\Users\Admin\AppData\Local\Temp\f213e54c8520e7458751020edf15a5ea.exe"
Network
Files
memory/2864-0-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp
memory/2864-1-0x0000000000970000-0x00000000009AA000-memory.dmp
memory/2864-2-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp
memory/2864-3-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp
memory/2864-4-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp
memory/2864-5-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp
memory/2864-6-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:20
Platform
win7-20241023-en
Max time kernel
591s
Max time network
593s
Command Line
Signatures
WarzoneRat, AveMaria
Warzonerat family
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2c8eee2cd88b834e9d4c0eb4930f03f.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Temp\f2c8eee2cd88b834e9d4c0eb4930f03f.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f2c8eee2cd88b834e9d4c0eb4930f03f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\images.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2c8eee2cd88b834e9d4c0eb4930f03f.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2104 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\f2c8eee2cd88b834e9d4c0eb4930f03f.exe | C:\ProgramData\images.exe |
| PID 2104 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\f2c8eee2cd88b834e9d4c0eb4930f03f.exe | C:\ProgramData\images.exe |
| PID 2104 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\f2c8eee2cd88b834e9d4c0eb4930f03f.exe | C:\ProgramData\images.exe |
| PID 2104 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\f2c8eee2cd88b834e9d4c0eb4930f03f.exe | C:\ProgramData\images.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f2c8eee2cd88b834e9d4c0eb4930f03f.exe
"C:\Users\Admin\AppData\Local\Temp\f2c8eee2cd88b834e9d4c0eb4930f03f.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
Network
| Country | Destination | Domain | Proto |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
| GB | 195.140.213.91:5200 | | tcp |
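The 21 rows above are 21 TCP connections from the Warzone sample to a bare public IP on port 5200 with no DNS lookup in front of them; that repeated direct-to-IP, uncommon-port pattern is what separates a RAT check-in loop from the resolver and browser traffic a sandbox also records. Below is an added example, not from the report, that parses rows in this table layout and sorts endpoints into noise, external-IP lookup (the checkip.dyndns.org call from the Pony detonation later on this page is included in the constructed sample) and beacon candidates. The allow-lists and the three-connection threshold are assumptions of the example.

```python
"""Sort a sandbox network table into noise, recon and beacon candidates.

Added example, not from the report: parses rows in the report's
| Country | Destination | Domain | Proto | layout, groups them by
endpoint and applies the heuristic a triage analyst uses by hand: many
TCP connections to a bare public IP on an uncommon port, with no DNS
name behind it, is the shape of a RAT check-in loop.
"""
import ipaddress
from collections import Counter

# Constructed from the behavioral28 (Warzone) and behavioral1 (Pony) tables.
SAMPLE_ROWS = """
| GB | 195.140.213.91:5200 |  | tcp |
| GB | 195.140.213.91:5200 |  | tcp |
| GB | 195.140.213.91:5200 |  | tcp |
| GB | 195.140.213.91:5200 |  | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
"""

# Assumed allow-lists: the sandbox's resolver, browser telemetry from
# the iexplore.exe launch, and public "what is my IP" services that
# stealers call before exfiltrating.
RESOLVER_ENDPOINTS = {"8.8.8.8:53"}
KNOWN_NOISE_DOMAINS = {"ieonline.microsoft.com"}
EXTERNAL_IP_SERVICES = {"checkip.dyndns.org", "api.ipify.org", "ifconfig.me"}
COMMON_PORTS = {53, 80, 443}


def parse_rows(text):
    """Turn markdown table rows into dicts; skips headers and blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip().startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def classify(rows, min_hits=3):
    """Map 'ip:port/proto' to a verdict for every endpoint in the table."""
    counts = Counter((r["ip"], r["port"], r["proto"]) for r in rows)
    first_domain = {}
    for r in rows:
        first_domain.setdefault((r["ip"], r["port"], r["proto"]), r["domain"])

    verdicts = {}
    for (ip, port, proto), hits in counts.items():
        key = f"{ip}:{port}/{proto}"
        domain = first_domain[(ip, port, proto)]
        if f"{ip}:{port}" in RESOLVER_ENDPOINTS or domain in KNOWN_NOISE_DOMAINS:
            verdicts[key] = "noise"
        elif domain in EXTERNAL_IP_SERVICES:
            verdicts[key] = "external-ip-lookup"
        elif (not domain and proto == "tcp" and port not in COMMON_PORTS
              and ipaddress.ip_address(ip).is_global and hits >= min_hits):
            verdicts[key] = "likely-c2-beacon"
        else:
            verdicts[key] = "review"
    return verdicts


def beacon_endpoints(rows, min_hits=3):
    """Just the endpoints worth blocking first, as (key, hit_count) pairs."""
    counts = Counter(f'{r["ip"]}:{r["port"]}/{r["proto"]}' for r in rows)
    return [(k, counts[k]) for k, v in classify(rows, min_hits).items()
            if v == "likely-c2-beacon"]


if __name__ == "__main__":
    table = parse_rows(SAMPLE_ROWS)
    for endpoint, verdict in classify(table).items():
        print(f"{endpoint:32} {verdict}")
```

The "review" bucket is deliberate: a single connection to an unknown IP is not enough to call C2 from a network table alone, but it is enough to go and look at the process that made it.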
Files
memory/2104-0-0x0000000001F20000-0x0000000001F5C000-memory.dmp
memory/2104-1-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2104-2-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2104-3-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2104-4-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2104-6-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2104-5-0x0000000001F20000-0x0000000001F5C000-memory.dmp
memory/2104-7-0x0000000000400000-0x0000000000483000-memory.dmp
\ProgramData\images.exe
| MD5 | f2c8eee2cd88b834e9d4c0eb4930f03f |
| SHA1 | a47b40f642bb78757b2de40344f555dc48a5a12f |
| SHA256 | 0cc95d376267ae78c309fd5f60f3083670b1c2616b6e3e2eec8810fa273c24be |
| SHA512 | 3be3760ff7b308017d820307af224bff1c5d49ae3ea71062792816477b071af9cb106e5f2ec970da022b7a055010b91b47d57e571e18643f808787538386831d |
memory/2104-13-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2836-14-0x0000000000290000-0x00000000002CC000-memory.dmp
memory/2836-15-0x0000000000200000-0x0000000000201000-memory.dmp
memory/2836-16-0x0000000000200000-0x0000000000201000-memory.dmp
memory/2836-17-0x0000000000200000-0x0000000000201000-memory.dmp
memory/2836-18-0x0000000000400000-0x0000000000483000-memory.dmp
memory/2836-19-0x0000000000200000-0x0000000000201000-memory.dmp
memory/2836-20-0x0000000000400000-0x0000000000483000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:06
Platform
win7-20240903-en
Max time kernel
52s
Max time network
360s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DirectX.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe" | C:\Users\Admin\AppData\Roaming\DirectX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe" | C:\Users\Admin\AppData\Roaming\DirectX.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\DirectX.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe
"C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe"
C:\Users\Admin\AppData\Roaming\DirectX.exe
"C:\Users\Admin\AppData\Roaming\DirectX.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c aaa.bat
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im DUMP_00A10000-00A1D000.exe.ViR.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | tangotangocash.com | udp |
Files
memory/800-0-0x0000000000400000-0x0000000000419000-memory.dmp
\Users\Admin\AppData\Roaming\DirectX.exe
| MD5 | 6152709e741c4d5a5d793d35817b4c3d |
| SHA1 | 05ae9c76f8f85ad2247c06d26a88bbbcfff4d62e |
| SHA256 | 2c4c8066a1a7dfdf42c57ff4f9016f1ba05bcb004ff8b0ffc0989165d2ad30e2 |
| SHA512 | 1e5ebd53ac942b0f06f759f936efebeeb9a74062647cd978d5112720f772f607b12ee20c02ab838104a7a947fef2fde79b0db944286d8daf2e6e6d16e10b9390 |
memory/2676-11-0x0000000000400000-0x0000000000419000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aaa.bat
| MD5 | 3e59a76bf84cb9d1a8585c17cda9b949 |
| SHA1 | 60fdb9e6bf1154aad3a332ad5657a9d62a5be73a |
| SHA256 | 21060b57f9392d62259c274427c4bb6caf19b228716d691f44a26958b3620d5f |
| SHA512 | 01bd3726c30e304dd712d302a9081052b50a85a28c586458b691e748b1867e85fa679e58db304793a18f554b8a8c17af00bd38e795d3fdb6b0f5a873f80b5303 |
memory/800-21-0x0000000000400000-0x0000000000419000-memory.dmp
memory/2676-24-0x0000000000400000-0x0000000000419000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:10
Platform
win7-20241010-en
Max time kernel
362s
Max time network
368s
Command Line
Signatures
CrypVault
Crypvault family
Pony family
Pony,Fareit
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Deletes shadow copies
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Windows\SysWOW64\svchost.exe | N/A |
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\svchost.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Fontcore = "C:\\Windows\\SysWOW64\\Fontcore\\Fontcore.lnk" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Fontcore = "C:\\Windows\\SysWOW64\\Fontcore\\Fontcore.lnk" | C:\Windows\SysWOW64\tasklist.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Fontcore\ActionCenterCPL.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\api-ms-win-crt-multibyte-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\bcryptprimitives.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\catsrv.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\AuxiliaryDisplayApi.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\Fontcore.cmd | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\ActionCenterCPL.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\activeds.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\api-ms-win-crt-conio-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\appmgr.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\appidapi.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\bitsprx6.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\advpack.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\api-ms-win-core-file-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\api-ms-win-crt-private-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\apilogen.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\api-ms-win-downlevel-version-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\api-ms-win-service-management-l2-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\adsldpc.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\api-ms-win-core-heap-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\api-ms-win-crt-heap-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\api-ms-win-downlevel-ole32-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fontcore | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\api-ms-win-core-processthreads-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\btpanui.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\BWUnpairElevated.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\cabview.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\Fontcore.lnk | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\api-ms-win-core-errorhandling-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\api-ms-win-core-interlocked-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\api-ms-win-core-localization-l1-2-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\avifil32.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fontcore\Fontcore.lnk | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\api-ms-win-core-rtlsupport-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\api-ms-win-core-synch-l1-2-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\authui.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\bitsprx4.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\catsrvut.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fontcore\Fontcore.cmd | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\api-ms-win-core-datetime-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\api-ms-win-core-namedpipe-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\api-ms-win-downlevel-normaliz-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\Fontcore\audiodev.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2536 set thread context of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\svchost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
"C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe"
C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic process call create "vssadmin.exe delete shadows /all /quiet"
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\mshta.exe
mshta.exe C:\Users\Admin\Desktop\VAULT.hta
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\mshta.exe
mshta.exe C:\Users\Admin\Desktop\VAULT.hta
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 360
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hollandfintech.net | udp |
Files
C:\Windows\SysWOW64\Fontcore\Fontcore.cmd
| MD5 | 1105f1e5cd13fc30fde877432e27457d |
| SHA1 | 108f03f9c98c63506dd8b9f6581f37ae5c18de23 |
| SHA256 | dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d |
| SHA512 | 49e9e4b02f432b9cc8f36913ce275f1d13672be627119c183713b5d6fb9fe27fd2cea67421560a463aaa16db35feb15df7c45258e2d102b5f70edb02865d9373 |
C:\VAULT.KEY
| MD5 | b016dd85b94d4020c3b00c65e88da2e2 |
| SHA1 | 5bd57cb6b76db8b9aa421d915c0fd08583e5e94f |
| SHA256 | 910274869f619ebe2d6146453d08b6861c7770a0316c961ea51a07dec83e2e89 |
| SHA512 | 803d08df67fa3c67f81f586838a8389011896aebd12354fb4c0795f747bdcdb0876996939a7d31a5bc087d962efc48050784c58eaccedcdf09a612d0b17d209c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta
| MD5 | ca834cc56015bce8e010e356c69dc9f5 |
| SHA1 | b55ea373d3f5d583c33803d80059db5ddccf7038 |
| SHA256 | 1b5feb1b9bf79a857330fc891a65824953ad5d72ce38b4fb41755475775c65bd |
| SHA512 | 66c6370c538567286641e2ca3438d28572a78b4d2a15912f9d55cc65f9c7491d16e3f277c9f1385ee6773ef400e1a47e7abe5208aa4d7f75b8db5c816e6531a8 |
C:\VAULT.KEY
| MD5 | 0a76640b1de589bfa790d454b95a3827 |
| SHA1 | 6285d00315382fe81a9270dd3ea345a18bfbccc9 |
| SHA256 | bfb33881f161969d0d7982e6596016ad7ee3db61746bbb227ca9de5be8508ae4 |
| SHA512 | 97d95835bc2828111a7671849f741763e8e857cc2ef130c39295f8e78e796ad0c24ad5d0ce80341e039b79ff83782f48f02e45ef03707131a0224fac36829b67 |
C:\VAULT.KEY
| MD5 | 5dd572e3080fff1818b87382e6ead887 |
| SHA1 | dc758af74b6789700ec3fca49afe0397d5c53415 |
| SHA256 | 3b1c1d9154a1e10e689e8119fe3444aab37c40d63d7dab4cd78c8b8198aa6270 |
| SHA512 | f5c96169fc54c283623e47da1ffc6b414b937f344022e46f68164ae4027be4ca857ff7585a88baea8ed534b3341f8b6ae829de4c3e4aa6e24de8f079ca6b5e43 |
C:\VAULT.KEY
| MD5 | bc42e4fdf1cf03c333764adbabab2a0e |
| SHA1 | 71cf5a46e1a5cc86d4abfb7f0259930126e13b7f |
| SHA256 | 61ec94418f4f7e48c211652bea4766fa279c0af0acb2b1970be0e3c06bd28d09 |
| SHA512 | 3eaaa7aa484078d6b5c03d7ab2325d69c074a0b5e650cb75445add0a5778f145d118a61c9fd2ae6d4288e2eee25b9314427b164ad9dc7d92bf81a11dbdbc93a1 |
C:\VAULT.KEY
| MD5 | 49449553a16c8632f7bee68abab535e5 |
| SHA1 | d1c7a97df0d9ad711304a60e0c302947ffdcf635 |
| SHA256 | 2a254d1e455f463facc14f59fb0c1512e617304354bf7053c8e75db6581bb607 |
| SHA512 | 3b012b8c93b57b34e702aee2d8002e0f5bc34d576cc409c57cd0244e72e7bb5e9013f8f6e0b793b318faed99020ff584af99661e0a00e1571aa40a4139fd94af |
memory/576-180-0x0000000000260000-0x0000000000272000-memory.dmp
memory/576-184-0x0000000000F30000-0x0000000000F38000-memory.dmp
C:\VAULT.KEY
| MD5 | 0bf3c28b0982a4ed6fc9222e6cb4281a |
| SHA1 | d54d86e52ecebfcdee786e2b43ae6c75911f1369 |
| SHA256 | cd15cd3d3fe5435949c1d5040d553729dcfd7ecf99e1afd8f30a24ce11e4ab35 |
| SHA512 | f8f5aecb66dea9225f5e98d59b5103158502879c517725bdf720203a1027bf2bfcb508aada5d3c960871346ef4fdfc3323353f513227d006db371bf18f76bfb5 |
C:\Windows\SysWOW64\Fontcore\Fontcore.lnk
| MD5 | af2d46d20855f6cea0a291a819778b20 |
| SHA1 | f022a7d64f820f269aaa31839d03b42d9930f9b6 |
| SHA256 | d1807a78e2b610bfa27cb194d80ef533504f162fe0e3b745bc5e6d5ba1889dc0 |
| SHA512 | 35c531fd437f5fc8cfc1a8e3451e9187888acfe56b54fd11d3cfef49f5baee3784df8db6a343f9d3f57d517c4ae6c85dd78a8eac31d01e6b3b9ff9cc864a5aa4 |
memory/1748-228-0x0000000000D50000-0x0000000000D58000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:20
Platform
win7-20240729-en
Max time kernel
363s
Max time network
364s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2888 wrote to memory of 2756 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2888 wrote to memory of 2756 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2888 wrote to memory of 2756 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2756 wrote to memory of 2740 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2756 wrote to memory of 2740 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2756 wrote to memory of 2740 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2756 wrote to memory of 2740 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\f002618c01fe652f7f00eabd0e890e4992ccce818dfb2863e82c43f793685635.apk
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\f002618c01fe652f7f00eabd0e890e4992ccce818dfb2863e82c43f793685635.apk
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\f002618c01fe652f7f00eabd0e890e4992ccce818dfb2863e82c43f793685635.apk"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 22d1c62500e9c4818901195acf82136c |
| SHA1 | b67b404c691517df7d7ec2e3b74298d548ae358f |
| SHA256 | d38b7a0bb68d724f80af4aefc40341535c047f42cce1e75d765d43a8ba003df3 |
| SHA512 | aa28c24214fda661e4a4a068eee1b8a9370e2ef23eaad7db1abdabe6445f71a00e912957d48985813aa49d4e5ef44005a06aa47aea842cdfde9936fac9140578 |
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:24
Platform
win7-20241010-en
Max time kernel
600s
Max time network
366s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\pacman.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\delta.exe" | C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\pacman.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\pacman.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe
"C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe"
C:\Users\Admin\AppData\Local\Microsoft\pacman.exe
C:\Users\Admin\AppData\Local\Microsoft\\pacman.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /IM explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | myplacehome.comuv.com | udp |
| US | 8.8.8.8:53 | myplacehome.comuv.com | udp |
| US | 8.8.8.8:53 | myplacehome.comuv.com | udp |
Files
\Users\Admin\AppData\Local\Microsoft\pacman.exe
| MD5 | 6464e51a6ee9d8ee9fad33430c24ecab |
| SHA1 | fdca62379b1d54d85746cbb228a0d981376ec2f5 |
| SHA256 | 68931ef9cf810d5a69d8ebf33155db7845fffcc685b1ae9f0670803bb97228cc |
| SHA512 | 313dc913dd5b769954d8df68290a8b6b44a8a3f271aec9cb00b44fdcf78e6f1c50542fb755cec61ef5965406acea9cdfe5856fd5f64af6f0f05ff2cc84be0790 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:19
Platform
win7-20240903-en
Max time kernel
359s
Max time network
360s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exe
"C:\Users\Admin\AppData\Local\Temp\e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exe"
Network
Files
memory/2384-0-0x000007FEF5D93000-0x000007FEF5D94000-memory.dmp
memory/2384-1-0x0000000000AB0000-0x0000000000AE6000-memory.dmp
memory/2384-2-0x000007FEF5D93000-0x000007FEF5D94000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:30
Platform
win7-20240708-en
Max time kernel
360s
Max time network
361s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f9151107655aaa6db995888a7cb69ada.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f9151107655aaa6db995888a7cb69ada.exe
"C:\Users\Admin\AppData\Local\Temp\f9151107655aaa6db995888a7cb69ada.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Mozilla\EXTENS~1\B0B9TM~1.BAT
C:\Windows\SysWOW64\attrib.exe
attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\f9151107655aaa6db995888a7cb69ada.exe"
C:\Windows\SysWOW64\attrib.exe
attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\B0B9.tmp.bat"
Network
Files
memory/3032-0-0x0000000000230000-0x000000000028E000-memory.dmp
memory/3032-2-0x0000000000400000-0x000000000045D000-memory.dmp
memory/3032-4-0x0000000000400000-0x000000000045D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\EXTENS~1\B0B9.tmp.bat
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:06
Platform
win7-20240708-en
Max time kernel
600s
Max time network
360s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\msconfig.dat" | C:\Windows\syswow64\svchost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\syswow64\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2696 set thread context of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ctfmon.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ctfmon.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
"C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe"
C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\syswow64\svchost.exe
"C:\Windows\syswow64\svchost.exe"
C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fsbps.ru | udp |
| US | 8.8.8.8:53 | cwnlz.ru | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:09
Platform
win7-20240903-en
Max time kernel
599s
Max time network
601s
Command Line
Signatures
Deletes shadow copies
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\apoloqop = "\"C:\\Windows\\uricvwef.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2384 set thread context of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | C:\Windows\SysWOW64\explorer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\uricvwef.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\uricvwef.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies Internet Explorer Phishing Filter
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PhishingFilter | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe
"C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe"
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | money-waterfall.ru | udp |
Files
C:\ProgramData\egynegorelydakuf\01000000
memory/2104-21-0x0000000000100000-0x000000000013C000-memory.dmp
memory/2104-24-0x0000000000100000-0x000000000013C000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:10
Platform
win7-20241010-en
Max time kernel
599s
Max time network
604s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\f7879a3.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7B19.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7D5D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Tasks\sys.job | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\Installer\f7879a3.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f7879a6.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI88F5.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7DCB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7E88.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f7879a6.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI88E5.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8A50.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8C45.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8DEC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7C42.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7CB1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8935.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8974.tmp | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe
"C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 85C124E974A4815FD74652CF1F5EB6B7
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D0DF24FCC7D9A7DE0396A15905B2F351 M Global\MSI0000
C:\Windows\system32\taskeng.exe
taskeng.exe {EDB707B6-9464-4A86-957E-8042D78A2628} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe
"C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | collect.installeranalytics.com | udp |
| US | 3.214.180.211:80 | collect.installeranalytics.com | tcp |
| US | 8.8.8.8:53 | recoverpcerror.com | udp |
| US | 8.8.8.8:53 | itsupport24by7.com | udp |
Files
\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi
C:\Windows\Installer\MSI7B19.tmp
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{508A7E40-70C6-4BA4-B6A2-368AA3DBCC36}.session
C:\Windows\Installer\MSI7CB1.tmp
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini
C:\Windows\Installer\MSI88F5.tmp
C:\Windows\Installer\MSI8935.tmp
C:\Windows\Installer\MSI8974.tmp
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\fatalerror.exe
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Windows Logoff Sound.wav
C:\Config.Msi\f7879a7.rbs
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini
memory/1436-285-0x0000000003790000-0x00000000047F2000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:10
Platform
win7-20241010-en
Max time kernel
287s
Max time network
319s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Reads user/profile data of web browsers
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\notepad.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1736 wrote to memory of 2896 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\system32\cmd.exe |
| PID 1736 wrote to memory of 2896 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\system32\cmd.exe |
| PID 1736 wrote to memory of 2896 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\downloader.js
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\360390_tree.cmd" "
C:\Windows\system32\notepad.exe
notepad.exe C:\Users\Admin\AppData\Local\Temp\360390_readme.txt
C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WinHelp" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\360390_readme.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | locksmithspringfield.us | udp |
| US | 3.33.130.190:80 | locksmithspringfield.us | tcp |
| US | 8.8.8.8:53 | thecottagespsychotherapycenter.com | udp |
| US | 8.8.8.8:53 | kashfianlaw.com | udp |
| US | 104.16.108.239:80 | kashfianlaw.com | tcp |
| US | 8.8.8.8:53 | www.kashfianlaw.com | udp |
| US | 104.16.109.239:443 | www.kashfianlaw.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| BE | 23.219.240.231:80 | www.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\360390_tree.cmd
C:\Users\Admin\AppData\Local\Temp\360390_readme.txt
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:19
Platform
win7-20240708-en
Max time kernel
570s
Max time network
362s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e6c4ae470977aa78d1005746ae05deea0bf3b4260f88865662a35f99b2559dbc_not_packed_maybe_useless.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e6c4ae470977aa78d1005746ae05deea0bf3b4260f88865662a35f99b2559dbc_not_packed_maybe_useless.exe
"C:\Users\Admin\AppData\Local\Temp\e6c4ae470977aa78d1005746ae05deea0bf3b4260f88865662a35f99b2559dbc_not_packed_maybe_useless.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | police-center.in | udp |
Files
C:\ProgramData\fjpnrwuutgmtath
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:20
Platform
win7-20240903-en
Max time kernel
361s
Max time network
362s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe | N/A |
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\encrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\encrypter.exe
"C:\Users\Admin\AppData\Local\Temp\encrypter.exe"
C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Network
Files
memory/2352-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2352-2-0x0000000000400000-0x000000000040A000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:10
Platform
win7-20240903-en
Max time kernel
593s
Max time network
595s
Command Line
Signatures
Deletes shadow copies
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\ProgramData\\select.bat" | C:\ProgramData\svchosd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Firewall = "C:\\ProgramData\\svchosd.exe" | C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\ProgramData\\select.bat" | C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Firewall = "C:\\ProgramData\\svchosd.exe" | C:\ProgramData\svchosd.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\T: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\V: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\M: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\Q: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\E: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\N: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\O: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\G: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\P: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\Y: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\F: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\P: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\F: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\I: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\S: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\T: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\L: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\R: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\W: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\D: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\N: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\R: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\D: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\G: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\A: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\U: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\K: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\M: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\S: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\H: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\J: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\K: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\L: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\J: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\Q: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\Y: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\E: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\O: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\V: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\X: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\B: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\I: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\U: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\B: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\W: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\A: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\H: | C:\WINDOWS\system32\vssadmin.exe | N/A |
| File opened (read-only) | \??\X: | C:\WINDOWS\system32\vssadmin.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\svchosd.exe | N/A |
Interacts with shadow copies
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe
"C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet
C:\ProgramData\svchosd.exe
"C:\ProgramData\svchosd.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet
C:\WINDOWS\system32\vssadmin.exe
C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet
Network
| Country | Destination | Domain | Proto |
| US | 5.8.63.54:80 | | tcp |
Files
memory/1892-0-0x0000000000350000-0x0000000000391000-memory.dmp
memory/1892-1-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1892-2-0x0000000000350000-0x0000000000391000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-22 03:25
Reported
2024-11-22 14:10
Platform
win7-20240903-en
Max time kernel
567s
Max time network
568s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\service.exe" | C:\Users\Admin\AppData\Local\Temp\dump.mem.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dump.mem.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dump.mem.exe
"C:\Users\Admin\AppData\Local\Temp\dump.mem.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | exodus99.ru | udp |