Malware Analysis Report

2024-11-30 04:48

Sample ID 240222-bhbzhsab77
Target 1334bbd7e0d0d3bb073194939f7dada8.bin
SHA256 c89ac5cb4dbb4116ed1d3b9630aac5a927066938e5b4a24649cf09116882a146
Tags
dcrat glupteba smokeloader stealc pub1 backdoor bootkit discovery dropper evasion infostealer loader persistence rat spyware stealer trojan upx lumma
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c89ac5cb4dbb4116ed1d3b9630aac5a927066938e5b4a24649cf09116882a146

Threat Level: Known bad

The file 1334bbd7e0d0d3bb073194939f7dada8.bin was found to be: Known bad.

Malicious Activity Summary

dcrat glupteba smokeloader stealc pub1 backdoor bootkit discovery dropper evasion infostealer loader persistence rat spyware stealer trojan upx lumma

SmokeLoader

Stealc

Glupteba payload

Lumma Stealer

DcRat

Windows security bypass

Glupteba

Modifies Windows Firewall

Downloads MZ/PE file

Stops running service(s)

Creates new service(s)

UPX packed file

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Deletes itself

Windows security modification

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Modifies system certificate store

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 01:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 01:08

Reported

2024-02-22 01:10

Platform

win7-20240220-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5267.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\742B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\742B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A470.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A470.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A470.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A470.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A470.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CBB0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BD0E2.tmp\CBB0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BD0E2.tmp\CBB0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BD0E2.tmp\CBB0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoBAE8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoBAE8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\7550.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1372 set thread context of 1556 N/A C:\Users\Admin\AppData\Local\Temp\742B.exe C:\Users\Admin\AppData\Local\Temp\742B.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240222011007.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\F93F.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\eewbigs N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\eewbigs N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\eewbigs N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsoBAE8.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsoBAE8.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\eewbigs N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BD0E2.tmp\CBB0.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 2700 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1224 wrote to memory of 2700 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1224 wrote to memory of 2700 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1224 wrote to memory of 2700 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1224 wrote to memory of 2700 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2700 wrote to memory of 2712 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2700 wrote to memory of 2712 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2700 wrote to memory of 2712 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2700 wrote to memory of 2712 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2700 wrote to memory of 2712 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2700 wrote to memory of 2712 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2700 wrote to memory of 2712 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1224 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 1224 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 1224 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 1224 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 1224 wrote to memory of 2060 N/A N/A C:\Users\Admin\AppData\Local\Temp\F93F.exe
PID 1224 wrote to memory of 2060 N/A N/A C:\Users\Admin\AppData\Local\Temp\F93F.exe
PID 1224 wrote to memory of 2060 N/A N/A C:\Users\Admin\AppData\Local\Temp\F93F.exe
PID 1224 wrote to memory of 2060 N/A N/A C:\Users\Admin\AppData\Local\Temp\F93F.exe
PID 2060 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\F93F.exe C:\Windows\SysWOW64\WerFault.exe
PID 2060 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\F93F.exe C:\Windows\SysWOW64\WerFault.exe
PID 2060 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\F93F.exe C:\Windows\SysWOW64\WerFault.exe
PID 2060 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\F93F.exe C:\Windows\SysWOW64\WerFault.exe
PID 1224 wrote to memory of 1104 N/A N/A C:\Users\Admin\AppData\Local\Temp\5267.exe
PID 1224 wrote to memory of 1104 N/A N/A C:\Users\Admin\AppData\Local\Temp\5267.exe
PID 1224 wrote to memory of 1104 N/A N/A C:\Users\Admin\AppData\Local\Temp\5267.exe
PID 1224 wrote to memory of 1104 N/A N/A C:\Users\Admin\AppData\Local\Temp\5267.exe
PID 1224 wrote to memory of 1104 N/A N/A C:\Users\Admin\AppData\Local\Temp\5267.exe
PID 1224 wrote to memory of 1104 N/A N/A C:\Users\Admin\AppData\Local\Temp\5267.exe
PID 1224 wrote to memory of 1104 N/A N/A C:\Users\Admin\AppData\Local\Temp\5267.exe
PID 1104 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\5267.exe C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp
PID 1104 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\5267.exe C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp
PID 1104 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\5267.exe C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp
PID 1104 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\5267.exe C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp
PID 1104 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\5267.exe C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp
PID 1104 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\5267.exe C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp
PID 1104 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\5267.exe C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp
PID 1224 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\742B.exe
PID 1224 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\742B.exe
PID 1224 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\742B.exe
PID 1224 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\742B.exe
PID 1372 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\742B.exe C:\Users\Admin\AppData\Local\Temp\742B.exe
PID 1372 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\742B.exe C:\Users\Admin\AppData\Local\Temp\742B.exe
PID 1372 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\742B.exe C:\Users\Admin\AppData\Local\Temp\742B.exe
PID 1372 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\742B.exe C:\Users\Admin\AppData\Local\Temp\742B.exe
PID 1372 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\742B.exe C:\Users\Admin\AppData\Local\Temp\742B.exe
PID 1372 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\742B.exe C:\Users\Admin\AppData\Local\Temp\742B.exe
PID 1372 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\742B.exe C:\Users\Admin\AppData\Local\Temp\742B.exe
PID 1372 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\742B.exe C:\Users\Admin\AppData\Local\Temp\742B.exe
PID 1372 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\742B.exe C:\Users\Admin\AppData\Local\Temp\742B.exe
PID 1224 wrote to memory of 928 N/A N/A C:\Users\Admin\AppData\Local\Temp\82FA.exe
PID 1224 wrote to memory of 928 N/A N/A C:\Users\Admin\AppData\Local\Temp\82FA.exe
PID 1224 wrote to memory of 928 N/A N/A C:\Users\Admin\AppData\Local\Temp\82FA.exe
PID 1224 wrote to memory of 928 N/A N/A C:\Users\Admin\AppData\Local\Temp\82FA.exe
PID 1376 wrote to memory of 1700 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\eewbigs
PID 1376 wrote to memory of 1700 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\eewbigs
PID 1376 wrote to memory of 1700 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\eewbigs
PID 1376 wrote to memory of 1700 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\eewbigs
PID 1224 wrote to memory of 1604 N/A N/A C:\Users\Admin\AppData\Local\Temp\A470.exe
PID 1224 wrote to memory of 1604 N/A N/A C:\Users\Admin\AppData\Local\Temp\A470.exe
PID 1224 wrote to memory of 1604 N/A N/A C:\Users\Admin\AppData\Local\Temp\A470.exe
PID 1224 wrote to memory of 1604 N/A N/A C:\Users\Admin\AppData\Local\Temp\A470.exe
PID 1604 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\A470.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe

"C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7159.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\7159.dll

C:\Users\Admin\AppData\Local\Temp\7550.exe

C:\Users\Admin\AppData\Local\Temp\7550.exe

C:\Users\Admin\AppData\Local\Temp\F93F.exe

C:\Users\Admin\AppData\Local\Temp\F93F.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 128

C:\Users\Admin\AppData\Local\Temp\5267.exe

C:\Users\Admin\AppData\Local\Temp\5267.exe

C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp" /SL5="$50178,3536428,54272,C:\Users\Admin\AppData\Local\Temp\5267.exe"

C:\Users\Admin\AppData\Local\Temp\742B.exe

C:\Users\Admin\AppData\Local\Temp\742B.exe

C:\Users\Admin\AppData\Local\Temp\742B.exe

C:\Users\Admin\AppData\Local\Temp\742B.exe

C:\Users\Admin\AppData\Local\Temp\82FA.exe

C:\Users\Admin\AppData\Local\Temp\82FA.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {A7302DB8-F729-4676-9955-4D2092735EF2} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\eewbigs

C:\Users\Admin\AppData\Roaming\eewbigs

C:\Users\Admin\AppData\Local\Temp\A470.exe

C:\Users\Admin\AppData\Local\Temp\A470.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\B34F.exe

C:\Users\Admin\AppData\Local\Temp\B34F.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240222011007.log C:\Windows\Logs\CBS\CbsPersist_20240222011007.cab

C:\Users\Admin\AppData\Local\Temp\nsoBAE8.tmp

C:\Users\Admin\AppData\Local\Temp\nsoBAE8.tmp

C:\Users\Admin\AppData\Local\Temp\CBB0.exe

C:\Users\Admin\AppData\Local\Temp\CBB0.exe

C:\Users\Admin\AppData\Local\Temp\is-BD0E2.tmp\CBB0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BD0E2.tmp\CBB0.tmp" /SL5="$2024C,3525380,54272,C:\Users\Admin\AppData\Local\Temp\CBB0.exe"

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart
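Read top to bottom, the process list above is a complete defence-evasion and persistence sequence: Defender exclusions for the whole user profile and ProgramData, a firewall allow rule and a RunLevel-HIGHEST logon task for a csrss.exe that lives in C:\Windows\rss rather than System32, a service whose binary sits under ProgramData, the Event Log service stopped, the Malicious Software Removal Tool (KB890830) uninstalled, and a DLL named NtQuerySystemInformationHook.dll injected into taskmgr.exe, so Task Manager's process list cannot be trusted on the infected host. The Python below is an added editorial example, not part of the sandbox output: it runs a set of rules over process-creation events constructed from those command lines (plus one benign csrss.exe start as a control) and reports which rule each event trips. The trusted-directory list, the set of System32-only process names and the rule names are assumptions chosen for the example.

```python
import re

# Directories from which a firewall-allowed, scheduled or service binary is
# considered expected; anything else (AppData, ProgramData, C:\Windows\rss)
# is treated as untrusted. Both lists are assumptions for this example.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "wininit.exe"}

# Process-creation events (image path, command line) constructed from the
# Processes list above; the last one is a benign csrss.exe start as a control.
EVENTS = [
    (r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    (r"C:\Windows\system32\netsh.exe",
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (r"C:\Windows\system32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    (r"C:\Windows\system32\sc.exe",
     r'C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"'),
    (r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop eventlog"),
    (r"C:\Windows\system32\wusa.exe", r"wusa /uninstall /kb:890830 /quiet /norestart"),
    (r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r"""schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F"""),
    (r"C:\Windows\system32\csrss.exe",
     r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768"),
]


def untrusted_location(path):
    """True unless the path starts with one of the trusted directories."""
    return not path.lower().strip("'\"").startswith(TRUSTED_DIRS)


def quoted_arg(cmd, key):
    """Return the double-quoted value that follows `key`, or None."""
    m = re.search(re.escape(key) + r'\s*"([^"]+)"', cmd)
    return m.group(1).strip("'") if m else None


def classify(image, cmdline):
    """Return the rule names one process-creation event trips."""
    img, cmd = image.lower(), cmdline.lower()
    parent_dir, _, name = img.rpartition("\\")
    hits = []
    if name == "powershell.exe" and "add-mppreference" in cmd and "-exclusion" in cmd:
        hits.append("defender_exclusion_added")
    if name == "netsh.exe" and "advfirewall" in cmd and "add rule" in cmd and "action=allow" in cmd:
        prog = quoted_arg(cmd, "program=")
        if prog and untrusted_location(prog):
            hits.append("firewall_allow_untrusted_program")
    if name == "schtasks.exe" and "/create" in cmd:
        target = quoted_arg(cmd, "/tr")
        if target and untrusted_location(target):
            hits.append("scheduled_task_untrusted_target")
        if "/rl highest" in cmd:
            hits.append("scheduled_task_highest_privileges")
    if name == "sc.exe":
        binpath = quoted_arg(cmd, "binpath=")
        if " create " in cmd and binpath and untrusted_location(binpath):
            hits.append("service_untrusted_binpath")
        if re.search(r"\bstop\s+eventlog\b", cmd):
            hits.append("eventlog_service_stopped")
    if name == "wusa.exe" and "/uninstall" in cmd and "kb:890830" in cmd:
        hits.append("msrt_uninstalled")
    if name in SYSTEM32_ONLY and parent_dir != "c:\\windows\\system32":
        hits.append("system_process_name_outside_system32")
    if "taskmgr.exe" in cmd and cmd.endswith(".dll"):
        hits.append("taskmgr_dll_injection")
    return hits


def scan(events):
    """Classify every (image, cmdline) pair; one hit list per event."""
    return [classify(image, cmdline) for image, cmdline in events]


if __name__ == "__main__":
    for (image, _), hits in zip(EVENTS, scan(EVENTS)):
        print("%-70s %s" % (image, hits or "-"))
```

The masquerade rule is the one that matters most here: a csrss.exe outside System32 is never legitimate, and both the firewall rule and the scheduled task point at the same impostor path, so one path-based rule catches three of the events. Because the injected hook targets Task Manager, confirmation on a live host should come from the EDR or a kernel-level process listing, not from the tool the sample has patched.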

Network

Country Destination Domain Proto
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 trmpc.com udp
KR 183.100.39.16:80 trmpc.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 en.bestsup.su udp
US 172.67.171.112:80 en.bestsup.su tcp
DE 185.172.128.127:80 185.172.128.127 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 79ea928f-8587-4c7e-84bd-d65a0bc4c8dc.uuid.statsexplorer.org udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
AT 5.42.64.33:80 5.42.64.33 tcp

Files

memory/2356-1-0x00000000008D0000-0x00000000009D0000-memory.dmp

memory/2356-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2356-3-0x0000000000400000-0x0000000000817000-memory.dmp

memory/2356-5-0x0000000000400000-0x0000000000817000-memory.dmp

memory/1224-4-0x0000000002D70000-0x0000000002D86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7159.dll

MD5 ec6878849a30cad1ddb5ab3ff4921124
SHA1 0c1208b6d2e153352b8c4ccc345ff30281ab2af9
SHA256 3bc2c7cc924b87108429a7d64fdfe54f6804d158c853e5375e61cb4c871e2639
SHA512 773e7e196bec58000b626b0ea12adf300381ca324e0c70dc7e262da8d0a12b6c41fd673d78010886233888435a7d426fe1b9fe1f60546ac821992c067c120edb

memory/2712-14-0x0000000000130000-0x0000000000136000-memory.dmp

memory/2712-15-0x0000000010000000-0x00000000101A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7550.exe

MD5 1996a23c7c764a77ccacf5808fec23b0
SHA1 5a7141b167056bf8f01c067ebe12ed4ccc608dc7
SHA256 e40c8e14e8cb8a0667026a35e6e281c7a8a02bdf7bc39b53cfe0605e29372888
SHA512 430c8b43c2cbb937d2528fa79c754be1a1b80c95c45c49dba323e3fe6097a7505fc437ddafab54b21d00fba9300b5fa36555535a6fa2eb656b5aa45ccf942e23

memory/2712-21-0x0000000010000000-0x00000000101A5000-memory.dmp

memory/2712-22-0x0000000002700000-0x0000000002824000-memory.dmp

memory/2712-23-0x0000000002830000-0x0000000002938000-memory.dmp

memory/2712-26-0x0000000002830000-0x0000000002938000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F93F.exe

MD5 3e20597b095b7a9ec311e3b400b7de46
SHA1 b491811b3f8ba87355a5bd9f62f92a8d3ad38065
SHA256 0ea117f712e73b4df98604e93f3f9996b83cee2a4691b3da4ac9db8f20ddd5dc
SHA512 9d9690bc075e8a569a6aa0fed91a14cdd2def622787eb533fd00c51018ba9d9e96d48409358f76490c839f2f731cb6f718ceb414b3e0de694640513065ced202

memory/2060-32-0x0000000000AD0000-0x00000000015A7000-memory.dmp

memory/2060-37-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2060-40-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2060-42-0x0000000000AD0000-0x00000000015A7000-memory.dmp

memory/2060-44-0x0000000077A9F000-0x0000000077AA0000-memory.dmp

memory/2060-43-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2060-45-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2060-47-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2060-49-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2060-50-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2060-52-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2060-55-0x0000000077AA0000-0x0000000077AA1000-memory.dmp

memory/2060-54-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2060-56-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2060-60-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2060-58-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2060-62-0x0000000077A9F000-0x0000000077AA0000-memory.dmp

memory/2060-61-0x0000000000130000-0x0000000000131000-memory.dmp

memory/2060-64-0x0000000000130000-0x0000000000131000-memory.dmp

memory/2060-67-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2060-66-0x0000000000130000-0x0000000000131000-memory.dmp

memory/2060-68-0x0000000077A9F000-0x0000000077AA0000-memory.dmp

memory/2060-73-0x0000000077A9F000-0x0000000077AA0000-memory.dmp

memory/2060-72-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2060-70-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2060-74-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2060-76-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2060-78-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2060-80-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2060-79-0x0000000077A9F000-0x0000000077AA0000-memory.dmp

memory/2060-82-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2060-84-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2060-85-0x0000000077A9F000-0x0000000077AA0000-memory.dmp

memory/2060-86-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2060-88-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2060-90-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2060-91-0x0000000077A9F000-0x0000000077AA0000-memory.dmp

memory/2060-97-0x0000000077A9F000-0x0000000077AA0000-memory.dmp

memory/2060-106-0x0000000077AA0000-0x0000000077AA1000-memory.dmp

memory/2060-110-0x0000000077A9F000-0x0000000077AA0000-memory.dmp

memory/2060-116-0x0000000077A9F000-0x0000000077AA0000-memory.dmp

memory/2060-123-0x0000000077A9F000-0x0000000077AA0000-memory.dmp

memory/2060-128-0x0000000077A9F000-0x0000000077AA0000-memory.dmp

memory/2060-134-0x0000000077A9F000-0x0000000077AA0000-memory.dmp

memory/2060-136-0x0000000000230000-0x0000000000231000-memory.dmp

\Users\Admin\AppData\Local\Temp\F93F.exe

MD5 7ac31ea0bb9eddf0ff88ccd4fab3496b
SHA1 a0f4deb7b973cbff8b41cd8fd957cc6d706b7d69
SHA256 73d9e6f9775c055b03c07ac1223fb4b8ea7722def3d4e0bf8d75779c2f2c35a3
SHA512 28ca3b4d8f228080a4f8fa353ff4f48d6157f556d67c0425572f18b2144b869cd9fbc5cfc9b2bc24deabea33b9ff254ec9ba37f2478158f97cf069ea8e3fdb1f

\Users\Admin\AppData\Local\Temp\F93F.exe

MD5 479342d62078aaf31881972c7574f6f2
SHA1 382fa9a95746ca6199e7dfb9ae2bd035f4000fb4
SHA256 a6b59e0a275b5314935a3f812a5ba7dd5d5cc9524d3a6efdeb3a103eea386f6d
SHA512 0e74e3e0b993968220e712ffd94a76c00d35f0452494d62b3f6780c80cc0cae2e9982978830c54bed3a57d17a5a84abbdc4c0cbb5961afcae785048ac4ac47da

\Users\Admin\AppData\Local\Temp\F93F.exe

MD5 47a81177e545fed243b05499fcc59adb
SHA1 151377fe78ad52031c3095265378a3691d735846
SHA256 ccafaf7fb8f16c51e5846ff03b40b334715ec9f8663ced4fb2790741600c2baa
SHA512 e7ee4069385f06cc82e4aa083b7e8d3a24359ad9af90ed2db9b90e22856d3e8f6d207f72c2ebaf7718b5496ac6148813573d45b44ff5d1acd08dc10bdf9409d0

memory/1104-148-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5267.exe

MD5 c836e1e341835ec964deacc3b20c7a2e
SHA1 1b6ffc277c2ad658878f71fc07a9de212530277f
SHA256 fd018900a82a02b350bb3a71fb38e68054d813efba13ca16a93e1ef2012fe8b1
SHA512 af92e13587d7db0534723d6bc91a9d8011c012352713edbee01fb87e5f1ccd91a79012906e759276e8e3524388d19bbb2973b59602a28267e224387b7e78ab92

C:\Users\Admin\AppData\Local\Temp\5267.exe

MD5 1b5cbc787026fe7eaf1e54d1aafdcc06
SHA1 f2e634922e1ac230fc409259f54d94c98b5ca577
SHA256 941fe0ff18caff6afaa4454c34102dc6ac04ef2aa5535a525ab11d6d246f8de3
SHA512 0af0eb234ba7a5087d2e14ec5ef999152035d3f80ee7c62fbe34a09e9a82aae958e1b7129074abccfae8eddd8af8fd5408036ccbfb0ee741b208d1a5aadc4f26

\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp

MD5 ebe053359c813af4a16486ab11e4fe1c
SHA1 659da1403674751bccefe708f87b4214259d8445
SHA256 e45305bab7308f51605436b715c667ca2de46156f8e28cc4bba105b5d200aa7c
SHA512 771250568e9a9f418ba69f80a27fd35e7cedbe0677c66245a62e195a2c68d78f7d5dfb4c4110541ee4422ea3828a0438b6ddfa2304008c8232d1f0d1f8d27e30

C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp

MD5 49becb0626a04b87221c00d30c3d14a2
SHA1 96e2f9ea00aa118ce62a368ded287f6b888c0cd4
SHA256 95480cadb85d9df813521fd2360328eafc500001fa487324d3ec571397382b3f
SHA512 a1f4fef9d039fd42a704d68b68552e3932d258123a02a3c66c78b8b2d48623b1e305662b378e0024d9c8b419824d3fd1b91dec96c5149123d945e7707bd6eda2

memory/3052-166-0x0000000000240000-0x0000000000241000-memory.dmp

\??\c:\users\admin\appdata\local\temp\is-cb58m.tmp\5267.tmp

MD5 1ba055823154222509be8b1cb57f0d49
SHA1 a11bdd1f4106f1de2dd075801987965f97c5c2b2
SHA256 c2994637d1dca3be7b8237176a71a5dca9a68f1442345f2f950a5b4bf3b0d841
SHA512 2a1372383e7ddb3a238c5e38cd5687689f9040f227cb75dffc422fcdf91be4086935cf4a8885b1a571ec3ea5dec150b72cce029e6f389ce6129e318061dfd41a

\Users\Admin\AppData\Local\Temp\is-O65JM.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-O65JM.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\742B.exe

MD5 ed6e3e72abf6a1a19c269143092af11a
SHA1 e33257a9ef5ff4640e9acd98486500d8a4bf4e71
SHA256 ea8819ef7ff190739df7f329843f64157c6d9aa9eb4a029b5e441d378ff78afb
SHA512 0d91337a9ae4357bf1b5c5b94024224e6b6f75270a2ed6545e3435d4311f59b4a0fd1319edaf37080de40b6b738f968061508a84456db9d5be358e1bc9924408

C:\Users\Admin\AppData\Local\Temp\742B.exe

MD5 5e481d9cd54e5b71bf09c4b999f5b3a0
SHA1 f4ff6302eadba9c2e94ac12e0defc0eb7d136e2c
SHA256 c4d8500b7ef3b483a09d09d2122119fcdcd461a3fb37f243abd8297699bdf632
SHA512 761950f84231bb4211e163d018a370fab0dd7b01c53804071eae075b92d14404b3806846110b2893d8fffc9aec95d82711a73a267ef3124e2ddf2b75b3cb28aa

memory/1372-185-0x00000000047F0000-0x00000000049A8000-memory.dmp

memory/1372-188-0x00000000049B0000-0x0000000004B67000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\742B.exe

MD5 718b0dcddc2bbaa0e243f8df12262b02
SHA1 f47e4c5cbe04b9435b8192b028ebfc42eda30bd0
SHA256 8296fd54d27268a1efbc03f2087376f8bc2a9b5d3e11079ef8839e51554301d5
SHA512 a3e44253d36abee30b31e151bcb2c3ff356d7204aef235e32e075e7b406ed766a5ed97de8a36890780b76eae04b6a3ed3e0cc4220165c97a95aa39997f4a857f

\Users\Admin\AppData\Local\Temp\742B.exe

MD5 247c47483cf0e34f9e0cc0fbe4f62c5f
SHA1 37ab13e1b2a42f918471c0903e2eb0160f6bfe81
SHA256 8f82ad96d1529c156b3770283661a0dbaa18bfb587d8055eff4de731e65b0ab7
SHA512 4f52d45c85181290ba5f42a39f470a8817d060696b7a74e544bd133e1d88323dbdea9eccc8b89a1e42515f87d3c73913943fb836c276ebd10fbb043640adcac1

C:\Users\Admin\AppData\Local\Temp\742B.exe

MD5 ba596889eb548175469af702b3a22cd7
SHA1 73871abcad36ebaa97368c4d73d8166cc94dc669
SHA256 36f8a5365149510153da15602a8129d8b57804352687cf1be4da8614a36cff38
SHA512 d2dcf18499f847435471c66fc276fcdae2fa5df1c1f79c1d2bd9885241ac2f1675b38fbc14cc62cbba6856670607ff3457d62773eb366f1ed4e0ad4601818546

memory/1556-194-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1556-197-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1556-203-0x00000000002D0000-0x00000000002D6000-memory.dmp

C:\Users\Admin\AppData\Roaming\eewbigs

MD5 1334bbd7e0d0d3bb073194939f7dada8
SHA1 1b94edaf8a275a4c2e2ec6550a4567fd2048dcf4
SHA256 c89ac5cb4dbb4116ed1d3b9630aac5a927066938e5b4a24649cf09116882a146
SHA512 e960d3ea5bda9f39afb449fed300e9863dbbc7ee1c216cd8fa4b681316f78515316bb1fb1f7b4743d689b6a5896f2d4b6bb4a52052d2a298af210888cacf8336

memory/1700-231-0x0000000000250000-0x0000000000350000-memory.dmp

memory/1700-232-0x0000000000400000-0x0000000000817000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A470.exe

MD5 e6a0c31600adc9cbc2122f266740c6bd
SHA1 7f8ab813cd05965fe6ea3ca7430a31642c8f1bcb
SHA256 7211f3dc9dfca6922741e10fffd4a9edaa6345444a4f7c08420270efaeb1fb2d
SHA512 463349e59d66a894624f90488aa6f91454a913af2830688f0e956fcc1840a1a97cecc4a0893bf4c53286caf76705dad2c9f9c03a3c8635e0ed3c7c924115a7a0

C:\Users\Admin\AppData\Local\Temp\A470.exe

MD5 3eb3a47ac3ccb90ead8ec9a6a394ff18
SHA1 36584c7254f909e9a26b147e67394adf7978b75d
SHA256 3fbb77385ba74580e1fb42ecb8f709e53720dcb7269c60fa8976dbdf0b01c206
SHA512 cb6c39d46bf4ff2224b6a67a090d4bfed757db06d4eca8d6ea45c950a081dff98afd4bc07298c7daa7fa615170dda4962de62aac9ad1a3427dade34353aee1f5

memory/1604-238-0x0000000000FA0000-0x0000000001856000-memory.dmp

memory/1604-239-0x00000000737A0000-0x0000000073E8E000-memory.dmp

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 a486410370f5a463bf078d5f47877a14
SHA1 924647b7ae1ec7afcfdf7cb2cf679f70479d2a8a
SHA256 ccd896850a8ab91a46f9c6349c25ee5e0fcedf627bde50791c2b5db6c6027578
SHA512 aff2aa42dc5e570310e877d7d864eede54f245595c21bed1be24eb1477952d330be18d6b88844bacf00df90c93a38044fa009792e448218bca65bb94140c66d3

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 b9e83f5d06d65f1a132f55308bc72726
SHA1 7738e1f34abf3568bcd38bed45d535f1ba8c6970
SHA256 0b9222bc3e0db767e3fb419d7cec2303c882616f9c6ebdfa6eb3592fcce119fe
SHA512 d7c7601f4c55e534c1a29d00398908958a89ef0e94359b9f509a0c08791e7155038a6fd33124f30b78844668e071574301f3017fe0c1016a4fd38a4f79866889

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 4fda302de5dbc796575a887375e61a3b
SHA1 05488e1eba9053f3c09062832d64652b30f4aedb
SHA256 8714e3d1c6a611e658b08721b38dbf5a371b590ec9d4dd8fcaa800ce692048a0
SHA512 7488616f0d367a97b99d33bea8a18bfe0c7f740e104a6a6622031e1a46dc1d21bf495dd276f2a9fedf8950f3f37587ad90d2885be28e6dfa0d8ebb91e710f799

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 798c22621ebef52bd51fe7fb8cbaaaaa
SHA1 4e3bd2ab8437e9883640c2e120cadf9da63f5ca8
SHA256 61313cb6a5a5b47318a539d35004846c37c48247b81e0e3dd89cfb23797531e1
SHA512 11607770258bea188df7a56222f697881546f1be14e3550dec5b4b85a9f98b1e67697e4d2d2c90966d53c428d35e496b310ebb78e9c7ddab87893fbfc0efd527

memory/2352-252-0x0000000002790000-0x0000000002B88000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 84c2a426a9c5508f54a3f58d355da401
SHA1 f0cfcedd79caee5b4a48390904e6b1ae6e23d6f6
SHA256 94f70ac20af9250c5866a192bf3b87cb4d90fcfe12663f9d2df57e8e4b5f3fd0
SHA512 f542f5e6ff3cf8e93c326494fb23694bb4dbe2b6330f72d5c2f3fe75ca1f15d9142b13e335bf211236e0414bda9a82c813200c1cc92eeef81cc98e22d7167381

memory/1104-256-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2352-255-0x0000000002B90000-0x000000000347B000-memory.dmp

memory/2352-259-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 c3a261e56b6e319874069534de7bdb68
SHA1 35583528bc7d1fe3cf1b087d912a9f25d3ba2a4f
SHA256 2d21a8c41233de40e5ae14fbbf6c2447ffcd688d80e49aee41d12d45a3557bfd
SHA512 a22993cacf8f2defc2d4a5eeef9e8a8aec32363af278cec3055835e1c0da70ba841197c8a23673c3262c0650519b3da626d0e399e93735deab7008cda3c87bfc

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 f37545e69e6966ece6bf860bd2ae3e7e
SHA1 8bbc5c6487a1a4918cb8a4b1d4f6c23779a98989
SHA256 b83c8fb67e206c0d316705d070fca3e51e2356458c3eb3ebdda9d956e474db25
SHA512 be9bc35b19a61bbfafd7d423473ea1f44fb679985b538100a7ac37a5a4b508517fac953edcaae8ddd533e334ed63fd11c0db30d7562980c0ca7a1d3c36e64369

\Users\Admin\AppData\Local\Temp\nseAAD1.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 1288cc1eb11e86422709338555055aaf
SHA1 ca9321bb0d87bb41e24e88535a2d56ba9ee418ed
SHA256 ed8aaf9b082317abcc59c6f39c3cb7524ee7c50988657670d75a115c4fc77432
SHA512 fabcb0ec74fd6baac93a341e0337eeb1c5fd81f958a1f75cf67a8e49eb617b7def964936d5a21c24e76df6b2122868f84ec64cf37ad0107338222ce373b2693c

memory/1604-279-0x00000000737A0000-0x0000000073E8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 878b583e6ebb6ef4dbd7ea4f09cb7b9d
SHA1 b10171ed3355b5a6264ff0780c337fc54797c165
SHA256 c9e51f74264355c711734f434131d49465212d88cb3c3e9a268330e94e97c76e
SHA512 69e35f2ff9360bd620879065ebc6b80d14e0206f94afbb935b51c86679db5819b3968632ee8a84bf877e65a9d6da09241a2054082e167461880e5916d1186dc8

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 fbc61539cf79c584550feb6e32097375
SHA1 5b1ad62930eb630d7a3f3cb37789d86017a3bb95
SHA256 fa52bb8552c4f4c4ff2c01963e0e31fe8f0dcb261af163fc3041e92aff2cbe45
SHA512 65172a8b242c9ada1be8aa57bd29fb81e53fbec4917837d5f9c6bb68e13f0b3c8424522d583f738dc9bece951afd72fb1c711403f8784307115bbf1d9d4658cf

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 3e716dd2d7035b3385ae32ca101b0c04
SHA1 5b2ceb8b857e6f4a1871e8aa85ca8e385f46d88a
SHA256 d72941f91a3dc82f0c46069955228683dc95afec1719da9bd007a23f45043a97
SHA512 4813eea3440344d8035573cb7e9c49b2748ffdf221695b6b2ae0f947266da460ec671ae0c208558013faf775c19bb09346057418f1ed6e69ad09f9ff40095edd

\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 78d668aa5fa6346dcb355967a7079278
SHA1 5b017af60a553b355442f7d5836b236dafd60b09
SHA256 e52e0827f09b43184994deb7780e6bced7c62cfb80b64a84a80fb3244750746a
SHA512 5f5d506dd7bb50450fc84f41839573693040480b90724ebb5191b2696d6029f532869e8f5304894c925cd0642c0aa08caad536f34239d89ea48c63f89f408db4

\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 57bb8084c1d4f6ecb5208996ce9f5735
SHA1 57c58eb385d8d77350ca81072cb47acb3406ade5
SHA256 bca7ede0c71ea6eec7311c4cbb8fba154a77ad5149bc97f9ecc22654a67da454
SHA512 772c711ba86978f09845700d43fd959c29f5f329c0bf87a37fcc00ad701b56f749b8b6b5d1db15c18f4b58c9c2cd9c76b4aad9ced4095b48bb78b9153df39020

memory/2596-280-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B34F.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

C:\Users\Admin\AppData\Local\Temp\nsoBAE8.tmp

C:\Users\Admin\AppData\Local\Temp\CBB0.exe

C:\Users\Admin\AppData\Local\Temp\CBB0.exe

C:\Users\Admin\AppData\Local\Temp\CBB0.exe

C:\Users\Admin\AppData\Local\Temp\is-BD0E2.tmp\CBB0.tmp

C:\Users\Admin\AppData\Local\Audio DVD Copier\is-EK9C2.tmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

\Users\Admin\AppData\Local\Temp\dbghelp.dll

\Users\Admin\AppData\Local\Temp\symsrv.dll

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

C:\Users\Admin\AppData\Local\Temp\Cab18B1.tmp

C:\Users\Admin\AppData\Local\Temp\Tar1950.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-22 01:08

Reported

2024-02-22 01:10

Platform

win10v2004-20240221-en

Max time kernel

135s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D65C.exe N/A

Deletes itself

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\A2F8.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 644 set thread context of 4496 N/A C:\Users\Admin\AppData\Local\Temp\B5B3.exe C:\Users\Admin\AppData\Local\Temp\B5B3.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ujuhrhj N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ujuhrhj N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ujuhrhj N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsoE7DC.tmp N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsoE7DC.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ujuhrhj N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N1PU6.tmp\ABA0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-F0MNE.tmp\F1C6.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3448 wrote to memory of 3744 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3448 wrote to memory of 3744 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3744 wrote to memory of 4948 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3744 wrote to memory of 4948 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3744 wrote to memory of 4948 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3448 wrote to memory of 3208 N/A N/A C:\Users\Admin\AppData\Local\Temp\A2F8.exe
PID 3448 wrote to memory of 3208 N/A N/A C:\Users\Admin\AppData\Local\Temp\A2F8.exe
PID 3448 wrote to memory of 3208 N/A N/A C:\Users\Admin\AppData\Local\Temp\A2F8.exe
PID 3448 wrote to memory of 2428 N/A N/A C:\Users\Admin\AppData\Local\Temp\6212.exe
PID 3448 wrote to memory of 2428 N/A N/A C:\Users\Admin\AppData\Local\Temp\6212.exe
PID 3448 wrote to memory of 2428 N/A N/A C:\Users\Admin\AppData\Local\Temp\6212.exe
PID 3448 wrote to memory of 2288 N/A N/A C:\Users\Admin\AppData\Local\Temp\ABA0.exe
PID 3448 wrote to memory of 2288 N/A N/A C:\Users\Admin\AppData\Local\Temp\ABA0.exe
PID 3448 wrote to memory of 2288 N/A N/A C:\Users\Admin\AppData\Local\Temp\ABA0.exe
PID 2288 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\ABA0.exe C:\Users\Admin\AppData\Local\Temp\is-N1PU6.tmp\ABA0.tmp
PID 2288 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\ABA0.exe C:\Users\Admin\AppData\Local\Temp\is-N1PU6.tmp\ABA0.tmp
PID 2288 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\ABA0.exe C:\Users\Admin\AppData\Local\Temp\is-N1PU6.tmp\ABA0.tmp
PID 2508 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\is-N1PU6.tmp\ABA0.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2508 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\is-N1PU6.tmp\ABA0.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2508 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\is-N1PU6.tmp\ABA0.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2508 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\is-N1PU6.tmp\ABA0.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2508 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\is-N1PU6.tmp\ABA0.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2508 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\is-N1PU6.tmp\ABA0.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 3448 wrote to memory of 644 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5B3.exe
PID 3448 wrote to memory of 644 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5B3.exe
PID 3448 wrote to memory of 644 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5B3.exe
PID 644 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\B5B3.exe C:\Users\Admin\AppData\Local\Temp\B5B3.exe
PID 644 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\B5B3.exe C:\Users\Admin\AppData\Local\Temp\B5B3.exe
PID 644 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\B5B3.exe C:\Users\Admin\AppData\Local\Temp\B5B3.exe
PID 644 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\B5B3.exe C:\Users\Admin\AppData\Local\Temp\B5B3.exe
PID 644 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\B5B3.exe C:\Users\Admin\AppData\Local\Temp\B5B3.exe
PID 644 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\B5B3.exe C:\Users\Admin\AppData\Local\Temp\B5B3.exe
PID 644 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\B5B3.exe C:\Users\Admin\AppData\Local\Temp\B5B3.exe
PID 644 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\B5B3.exe C:\Users\Admin\AppData\Local\Temp\B5B3.exe
PID 3448 wrote to memory of 4348 N/A N/A C:\Users\Admin\AppData\Local\Temp\B9CB.exe
PID 3448 wrote to memory of 4348 N/A N/A C:\Users\Admin\AppData\Local\Temp\B9CB.exe
PID 3448 wrote to memory of 4348 N/A N/A C:\Users\Admin\AppData\Local\Temp\B9CB.exe
PID 3448 wrote to memory of 5096 N/A N/A C:\Users\Admin\AppData\Local\Temp\D65C.exe
PID 3448 wrote to memory of 5096 N/A N/A C:\Users\Admin\AppData\Local\Temp\D65C.exe
PID 3448 wrote to memory of 5096 N/A N/A C:\Users\Admin\AppData\Local\Temp\D65C.exe
PID 5096 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\D65C.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 5096 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\D65C.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 5096 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\D65C.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 5096 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\D65C.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 5096 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\D65C.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 5096 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\D65C.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 2956 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2956 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2956 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 5096 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\D65C.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 5096 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\D65C.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 3448 wrote to memory of 3852 N/A N/A C:\Users\Admin\AppData\Local\Temp\E532.exe
PID 3448 wrote to memory of 3852 N/A N/A C:\Users\Admin\AppData\Local\Temp\E532.exe
PID 3448 wrote to memory of 3852 N/A N/A C:\Users\Admin\AppData\Local\Temp\E532.exe
PID 856 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 856 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 856 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsoE7DC.tmp
PID 2956 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsoE7DC.tmp
PID 2956 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsoE7DC.tmp
PID 3448 wrote to memory of 1544 N/A N/A C:\Users\Admin\AppData\Local\Temp\F1C6.exe
PID 3448 wrote to memory of 1544 N/A N/A C:\Users\Admin\AppData\Local\Temp\F1C6.exe
PID 3448 wrote to memory of 1544 N/A N/A C:\Users\Admin\AppData\Local\Temp\F1C6.exe
PID 1544 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\F1C6.exe C:\Users\Admin\AppData\Local\Temp\is-F0MNE.tmp\F1C6.tmp

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe

"C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9BE2.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\9BE2.dll

C:\Users\Admin\AppData\Local\Temp\A2F8.exe

C:\Users\Admin\AppData\Local\Temp\A2F8.exe

C:\Users\Admin\AppData\Local\Temp\6212.exe

C:\Users\Admin\AppData\Local\Temp\6212.exe

C:\Users\Admin\AppData\Local\Temp\ABA0.exe

C:\Users\Admin\AppData\Local\Temp\ABA0.exe

C:\Users\Admin\AppData\Local\Temp\is-N1PU6.tmp\ABA0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-N1PU6.tmp\ABA0.tmp" /SL5="$1501BA,3536428,54272,C:\Users\Admin\AppData\Local\Temp\ABA0.exe"

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s

C:\Users\Admin\AppData\Local\Temp\B5B3.exe

C:\Users\Admin\AppData\Local\Temp\B5B3.exe

C:\Users\Admin\AppData\Local\Temp\B5B3.exe

C:\Users\Admin\AppData\Local\Temp\B5B3.exe

C:\Users\Admin\AppData\Local\Temp\B9CB.exe

C:\Users\Admin\AppData\Local\Temp\B9CB.exe

C:\Users\Admin\AppData\Roaming\ujuhrhj

C:\Users\Admin\AppData\Roaming\ujuhrhj

C:\Users\Admin\AppData\Local\Temp\D65C.exe

C:\Users\Admin\AppData\Local\Temp\D65C.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\E532.exe

C:\Users\Admin\AppData\Local\Temp\E532.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3852 -ip 3852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 340

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\nsoE7DC.tmp

C:\Users\Admin\AppData\Local\Temp\nsoE7DC.tmp

C:\Users\Admin\AppData\Local\Temp\F1C6.exe

C:\Users\Admin\AppData\Local\Temp\F1C6.exe

C:\Users\Admin\AppData\Local\Temp\is-F0MNE.tmp\F1C6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-F0MNE.tmp\F1C6.tmp" /SL5="$20272,3525380,54272,C:\Users\Admin\AppData\Local\Temp\F1C6.exe"

C:\Users\Admin\AppData\Local\Audio DVD Copier\audiodvdcopier.exe

"C:\Users\Admin\AppData\Local\Audio DVD Copier\audiodvdcopier.exe" -i

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Audio DVD Copier\audiodvdcopier.exe

"C:\Users\Admin\AppData\Local\Audio DVD Copier\audiodvdcopier.exe" -s

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4584 -ip 4584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 2344

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\9BE2.dll

C:\Users\Admin\AppData\Local\Temp\A2F8.exe

C:\Users\Admin\AppData\Local\Temp\6212.exe

C:\Users\Admin\AppData\Local\Temp\6212.exe

C:\Users\Admin\AppData\Local\Temp\ABA0.exe

C:\Users\Admin\AppData\Local\Temp\ABA0.exe

C:\Users\Admin\AppData\Local\Temp\is-N1PU6.tmp\ABA0.tmp

C:\Users\Admin\AppData\Local\Temp\is-VLQOD.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2508-89-0x0000000000530000-0x0000000000531000-memory.dmp

memory/2452-127-0x0000000000400000-0x0000000000736000-memory.dmp

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

MD5 9a3bbfe3dd361d83282773ccb2f3d087
SHA1 336e9c10f3ac4e8a7b98fe47bda1f5d93ff9336a
SHA256 74448ea6fd95e234d0a7d7086d42798063c87efa713063f66d6c6060c87aee98
SHA512 a234ee0e3324d60c43b9a08c86010caa7a2693766e633fb9d25c68021bcbd02b160676d012fcda131b62a6aef91f155fd8af4c83884113e5ac032e84717ac260

memory/2452-128-0x0000000000400000-0x0000000000736000-memory.dmp

C:\ProgramData\PowerGo 65.0 Build 2191 Essential\PowerGo 65.0 Build 2191 Essential.exe

MD5 66c4b721e3fa64c794bf30fa0f5a1d6c
SHA1 ab43b69e6c6de3a6c6e6e4a5a1c2840e8a56c386
SHA256 3b3295e190fa7ae32d588ace0df7fb73acdc973668e60edc1e772e918d8d5a85
SHA512 f6c7f8a3af0147d2967af36aabe82b49494caba3d7373ff752d92bac1436979dd55d4972cc32d0fc892a3d3f5eeb6bbd95ec323b6772dd8935a58ac64648aeb5

memory/2452-131-0x0000000000400000-0x0000000000736000-memory.dmp

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

MD5 c54fdfa55980472a6e8b95cda49b57e8
SHA1 a50b1ae8133724b424e973f36040855f01385bf2
SHA256 dd3c0547f45d059d47fa060d4a01f06a7148c3c8255fbb8a37f70b9ec12b03eb
SHA512 01ff73810fce69273fc601ea5d21abab0e7e0ec649e38f41df0cc1682bf52a7ebaa9d46748813ba8561f66e2576ee73e0dd621be06331e0bd2e290a7b60abc1a

memory/4748-134-0x0000000000400000-0x0000000000736000-memory.dmp

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

MD5 4bf1795d7938fa40b340c4f5e157d42b
SHA1 a4d97bdd507bd9c9207062ab42e58c7e65c9a6af
SHA256 b250f51b1752616626329356a43a264cf8e9ff89232743a58bbe6576b81b2d12
SHA512 fb2a8edc311e77e961b995694afb713574d342c19a4efb0e460bb1394a970e9c9b0bf911ecf2c021107c5ee3557e88604c578c30354ad1b23af27bb3cfd0b7c6

memory/4748-136-0x0000000000400000-0x0000000000736000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B5B3.exe

MD5 b76b7fee4432c0d0f558c60e0e7bd7a7
SHA1 d9fa29e6b301b7753a3606fc2da38e6e3c4e0b43
SHA256 3f949dc07285fa4cb5e3faf70fd8f0e2e09538f4a21eaeaa2c79eb2538b2ef39
SHA512 3df2fc9e7518623a03021c5629f9a0097812587a70ccdf17092b36b9a5dd5333ee880fbde0c5dd14ad7fc6f16ac7c529b6e6c7fd2678b1b51cd274ea8ce832d6

C:\Users\Admin\AppData\Local\Temp\B5B3.exe

MD5 79d0881a365f3d679c2f096a73f15965
SHA1 def3bd4b37365c9ab5acc923ac114125aba87238
SHA256 e538dc338b2dd6eaaba95b96094c1a95374af765a8234207c362ccf0bdb131b2
SHA512 05c0b92966a10d97ce51280665aa0eb96bc824dccc5902da2808f9bd89348f5838c575f156cd1705c7bfb9ea5464070295405b3150505f13a9fcb00ebfb2a350

memory/644-142-0x0000000004B90000-0x0000000004D58000-memory.dmp

memory/644-143-0x0000000004E60000-0x0000000005017000-memory.dmp

memory/4496-144-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4496-146-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4496-147-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B5B3.exe

MD5 1a0b1e3296221b9d0663b3f0b421a881
SHA1 adb6c975ee026624b62347366c3db66533042af5
SHA256 43bb90f9921fe858ba220a0c08739389c25f8a44d06720a497eae2cdb6e91e5e
SHA512 8495a8a653b4e8ea0b737b30bbf318f51849388048904f6af47076fb0a534efd9a658090a5579cebe56c812785153db7460bd2bfefca47073fcbc03dc0d0008f

memory/4496-148-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4496-149-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4496-152-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9BE2.dll

MD5 1ac35cadceded37e0c0384c0e5d794af
SHA1 4215607a5d39e925f153a2b0981c417c8ba7a413
SHA256 522b7b03a58ca2a36186888226a7dd9e7b52a7bfaed490865d9257fdca8bf738
SHA512 c54bb774f812810caf58331e3467976e79b5530ea53064ee20ff35ce2900de8b2eb007d4f750e9ad05a3b1391562fd97e8c430e8f05591bd1059e7aa66427691

memory/4496-157-0x0000000000980000-0x0000000000986000-memory.dmp

memory/4948-160-0x0000000003170000-0x00000000049F8000-memory.dmp

memory/4948-159-0x0000000003060000-0x0000000003168000-memory.dmp

memory/4948-161-0x0000000001230000-0x000000000132B000-memory.dmp

memory/4948-162-0x0000000004A00000-0x0000000004AFB000-memory.dmp

memory/4948-165-0x0000000004A00000-0x0000000004AFB000-memory.dmp

memory/4948-167-0x000000006F390000-0x000000006F3DB000-memory.dmp

memory/4948-166-0x0000000000D80000-0x0000000000D92000-memory.dmp

C:\Users\Admin\AppData\Roaming\ujuhrhj

MD5 1334bbd7e0d0d3bb073194939f7dada8
SHA1 1b94edaf8a275a4c2e2ec6550a4567fd2048dcf4
SHA256 c89ac5cb4dbb4116ed1d3b9630aac5a927066938e5b4a24649cf09116882a146
SHA512 e960d3ea5bda9f39afb449fed300e9863dbbc7ee1c216cd8fa4b681316f78515316bb1fb1f7b4743d689b6a5896f2d4b6bb4a52052d2a298af210888cacf8336

memory/2288-175-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1092-176-0x0000000000910000-0x0000000000A10000-memory.dmp

memory/1092-178-0x0000000000400000-0x0000000000817000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D65C.exe

MD5 39ebc5f3395064152b1f1cd4766c6f35
SHA1 fad87e45cdcb01fc8e4bcb0d96ad983d22c23f0d
SHA256 bce03dcdbab5d6fda63e92ebaf3cda1247cc6a0391b00a9a241caeccf24239f8
SHA512 7ada1a62606ed33b35dd07eed22ba411a5a594dbbe5aa91db2d96e6fedc5075f28e2085f0146769f613d20ce4efc1f100eebf172e91ff9f80c39e011bb5aef18

C:\Users\Admin\AppData\Local\Temp\D65C.exe

MD5 cb5dd212a324d2a07b75d3dfe998d198
SHA1 009e6fd4cb3d18cdfbab00a02da70c5d478ea56a
SHA256 d046eaade93a0c1453480ffe8aeb411b9801d636cf26c55d1c19ecfcc9dc4e83
SHA512 768809bd6133f320789045b26e90a835a1130b20319535d3c8a9faf7bd952799a17cf76eb4c6f202544c18cfec3147b1edb35f4b5adf04fd6940e1355bdb5644

memory/5096-189-0x0000000000890000-0x0000000001146000-memory.dmp

memory/5096-190-0x00000000728F0000-0x00000000730A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 a5cc28d59b8709a33ce44c89443c0f34
SHA1 845fc50743f64a353a191a89acd23420f4069fbf
SHA256 78b0d313c2261b476ecf373f31c487984ea136b86a3e0ad036f2db04cb9850ae
SHA512 c722a996e8d28d37c9d812cde8810dd1bde005d25e8a52b7037da1e879ab9d193c59de1e2b11a63db1b864408042f266d08a51bdf43cf23021b88b4a081db999

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 6bdb234305778c39ec1121b20dbb5b46
SHA1 9397990981227c7b06a4ad4d1a2b030d38fcd6e1
SHA256 0e50b406c6cd99dda7328f15c6dad4c1bf4c5b0a12a2476ee69e58e7d544233b
SHA512 6a58cafa3ed7cbbd091da4f240ff88e517d40167d1f901352cdde871931636bcc934f69937b830851969dc15dc1b04c6ce9d7cd689f5a9f864c60a5ad198777a

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 69d8541afe9eb5d47b8a4ec080212d19
SHA1 2bd9cda3c37de1569edc024935374ef90a8d186b
SHA256 5731567f5316e5c8535d8b9aa0ec8c2c839b89dbba2dd9aacbc76e46b26080b7
SHA512 56aa8cc13b79695bf1c0e1ce51302d569411d22072dbfca1943e97a3d5fe5e6f7c66ce341f8f065de73a85c9d29c820570202aa6977d89e3e5a979ccceec0c95

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 f0ff5f372a958f41fa51da9c9f03c8b2
SHA1 06d46a56e5bc97c19dd5fb7195e973121b641c55
SHA256 d2ed2c2940a1994e68fb473cf5e7c0ab0487d38ea141f35c0f6c07230e7e868b
SHA512 8ebc3a3acd0f9139707f0681f85457ffdaba8f6532bb7d28a196be05a0bf04692ffff4c0cf0a712897068c395e3f5aa64c799fd9cffc810b0139cb7d778e8424

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 f75b9beec810c7d22ac06871935465cc
SHA1 02a949c1e44035114022079454555c9c145bf8fb
SHA256 edbe5331590b5dd47a67f9546820b96f3f2b4590cd4444ec6e6185762c6a2182
SHA512 e2e8b13f7e69d46fd1d3a08e08ef0bf661dc690df37583ea653321ac05ccc717a716ec9ac1670e574a87e70c8096bce538b976d7fbb4af9f46cf5c1ad598a37c

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 1844d76e7d4331107eeb8fc6274fa9b2
SHA1 82ae81925c68a662af3b5243db9ae9d0b1721958
SHA256 0fddf79ba668abf7a760e7076da3fdcca389e221c5005b10737a75b271da3aa1
SHA512 2be6c7a7f25b12ee3082f122fd17ded3697dd97518e41765d49f5141e969b6e4d24f664a6aae29e647c2e8d7518d3a6b1216c8a460a7425ab4c60e5bd60dc947

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 029a5147d2f0d080800b095d06298a55
SHA1 6d53b0c00f128318d23de9db082989e30369baad
SHA256 cd1818fa6f2a4cbdd75985ba9e36c6141d206f5728b994875c3af7c874938566
SHA512 b035c22bd7b41375cff69882f696d37f8167c12a770da3f6d919d1350789bd1f1d4cfc623fe325c696b3f30e96632bbd1233cdff878df05e8c5b7a153f3c9e1c

memory/5096-229-0x00000000728F0000-0x00000000730A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsvDEA4.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 6e1c3da5e773acb3dfd13e38cd9c1898
SHA1 b9fb4c0bef05310d6528a1fb47dd702970302c56
SHA256 7d5ba777ef0835d0a7f38587ac7f6ba1a96a1288114f6157b55ede2d35658ff0
SHA512 814bfcac9800d5956fe2cd5dcf23f26fb6572386f829c58fd2a3eea3061a37d312e1766568595bf2e3bd33c3fababe220c8eac4d79712d2170cb3c6711e70ad5

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 147b6aa5bd0222e5d58af8984b073c56
SHA1 399923e38ba252bffbe5c13b39bcbf41798e15f5
SHA256 6a2447d974f6eeaaa5ad420a24faa13417df7ebd5c76d0b872a11183d29c5bd9
SHA512 c0002076c0eed73addcaee17d389293eee9b462d02187944ad7c5a5235b78265257efc958473d91bd5e63f3b0a8ed7ed166a550f311c348170914620da519d70

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 107d51b63924f31b65dd7cf8f223fc8e
SHA1 30a1f85554f49cda1e887a5619333a0e1cae3b74
SHA256 b97e3e6fd9164d017db870ff64f66bc3ca6a9a8388d50043ef1e2e1c8a7e5f1e
SHA512 95d6eca043e4653bbd9ce9a8cd25a7fa66b33bb545b614529e220d4bb94943d17837b5786eff58e49620adae249e7711eef2e51910dcbafe1bc492a1316ac05f

memory/856-234-0x0000000000A80000-0x0000000000A81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E532.exe

MD5 3dd02e3a7d6552f6312e29bc4189c06a
SHA1 c52bb026df26445a1e4ccf66baf61d99ecd1ff8a
SHA256 cb34f0fe3c44490fcf75fae3bfbda353d52b8463ad4f12a67c503e9c3d855a70
SHA512 4a64121a31e09d6114209fbf91f2ff1d130d8faa7c7d2a739e461c0cf6230072afabd51da34f38d476df1ecec89f111c1d63136a22bba187cc20b66dc7aa4485

memory/4748-241-0x0000000000400000-0x0000000000736000-memory.dmp

memory/4728-237-0x0000000002A10000-0x0000000002E12000-memory.dmp

memory/4728-242-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/3852-243-0x0000000002E90000-0x0000000002E9B000-memory.dmp

memory/4728-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3852-252-0x0000000000400000-0x0000000002D35000-memory.dmp

memory/3852-255-0x0000000002ED0000-0x0000000002FD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsoE7DC.tmp

MD5 4e947abc3916088f9aeb96ca58ae4b2a
SHA1 ed78b516acdea1e79c242f585d4c1a2a3f45661e
SHA256 ecc6907c2fdbab7c96faf570aa575097d1f151e157acea3a958f21adf6de6abe
SHA512 80a58e16729d8d14675123cdf28b5c86ffb24ebe244d5d6caedd5ccdf97db6f430e90fea7375213e57e46d74e8c5e3558a13677e330acee7d119b8c42069fa2e

memory/4584-260-0x0000000002F90000-0x0000000003090000-memory.dmp

memory/4584-261-0x0000000002E80000-0x0000000002EB4000-memory.dmp

memory/4584-263-0x0000000000400000-0x0000000002D38000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Users\Admin\AppData\Local\Temp\F1C6.exe

MD5 9ed5add10faf2961bfd48152e46da5c5
SHA1 aa12af2b61a229eab05ea38c91fb7e7179cee846
SHA256 fa4f46e35b2931f6688630d3035aeee45ace3d28a658b86ace382736292c6f2f
SHA512 c989a521352d2b56114320b6f718f1fac0d3dc7f761fe490dad88bdc3626955451dda12827feb870f237cca7b15e7959fab93129fc3708ec0031a624169706f1

C:\Users\Admin\AppData\Local\Temp\F1C6.exe

MD5 e387095d614440e0e33f5d4c8c6bcfd4
SHA1 ed78b68ec8b0cc0b639433c3b5569c6a5beed2d5
SHA256 f44769c70046af420efceb84209d0e4185b82edd85054dcb2dcc361915cf4cbe
SHA512 1a7368e105b08e8d9ef98985d2f398a00e59c34496ec9da8a3a2c56f825c6938826b086be90ccb86c5756ffc1077256b87bd28f44c86d52199d903fe613f92cc

memory/1544-270-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-F0MNE.tmp\F1C6.tmp

MD5 d33381c9542ef119f3e2c73822539b13
SHA1 04c855c2a6a0052850a2781ba03d57eac8d1e344
SHA256 679b09a828efb0b30e6ae3d95cf67903807848d87c99af5799a902d5b28901d1
SHA512 a30b153837fc00ce3cf56d62fcc15e9b9a2506fcb29383ed614d454fb742ac5945cecfcd5e389dc61e1b7198131cf04574a2d2fe97b8b0735939387de17b3daa

memory/5112-288-0x0000000000540000-0x0000000000541000-memory.dmp

C:\Users\Admin\AppData\Local\Audio DVD Copier\is-RFM5H.tmp

MD5 6231b452e676ade27ca0ceb3a3cf874a
SHA1 f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1
SHA256 9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf
SHA512 f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

C:\Users\Admin\AppData\Local\Temp\is-MKJ9D.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Audio DVD Copier\audiodvdcopier.exe

MD5 e92fdb5a16306a4b94a65f6542f4d961
SHA1 bae49d925a5c744154b5cb585a8e316eb1000768
SHA256 4713f895f243d395b0a394b7fb760260a18c7d3f747a941e0dbd838bf3db1422
SHA512 c78086eccac3a48be072f5cb78e078dabb61c65ed3e414f01baa5661f4c32aa74cbc6fd5e7131e6378340834a6303f70315e9fcfd80b4e6a0e485e64df60904b

memory/4840-323-0x0000000000400000-0x0000000000734000-memory.dmp

memory/4840-325-0x0000000000400000-0x0000000000734000-memory.dmp

memory/1092-324-0x0000000000910000-0x0000000000A10000-memory.dmp

C:\ProgramData\PowerGo 65.0 Build 2191 Essential\PowerGo 65.0 Build 2191 Essential.exe

MD5 acbebea2f8ec2e035cacc9be62b117d1
SHA1 1059bb3df016cd29494ed07142a00a5f74cfe4a9
SHA256 46ac8bca95af3bd5a28d5b284ea3605264a9a9310e1971bbe03924250edb8fda
SHA512 4b648f4c5142b002346cd986d9bd2c45abf334927632d80d1ec78d8097a9e10ee4d66d962266202ee78374d2af0e2c0bd748f6431a01976b7e9658a50c609e7e

C:\Users\Admin\AppData\Local\Audio DVD Copier\audiodvdcopier.exe

MD5 3b4ac2af9f29d7390397575562521b3a
SHA1 1cff02641012eea21570acfd72ee800f6322fa8f
SHA256 812d5e5f308c13ffbf23aec1f1cdc92903239c37e468c42c5c2af2403dfbd0d7
SHA512 658d3243e63fb81922abf51e692beb5e45707c2c88944a1d62f01c018764d503bdf8eec2c258ed50075dd413177d4ab34ef7bb0f29f595800e82d59f1dfc07f3

C:\ProgramData\PowerGo 65.0 Build 2191 Essential\PowerGo 65.0 Build 2191 Essential.exe

MD5 d2648ac280f420087da2429cab0ffdac
SHA1 8329d0f2d80c42461999810b210e23d83092eed1
SHA256 6b864b9be1108e2dadccf4cac06cecac41153dd1f44ce9b86e3b639bca3e0ec0
SHA512 5ad98a76fec62cb880cb1fa46595bbc72913bf0ca4ffc2d7688df5ad8a3c630da74ab27d0735f29a538110a4d35cf5a3c04a65902e02062cf0d6bd704271a3c1

memory/4840-330-0x0000000000400000-0x0000000000734000-memory.dmp

C:\Users\Admin\AppData\Local\Audio DVD Copier\audiodvdcopier.exe

MD5 17911c257f3d88a1ea6e0a5004d07f0b
SHA1 63170a972172f254e496fae7a118f00697f2e6ec
SHA256 d5a64a08427ba61793fbb45e89e114b25071a688b397c23dc38ef94194c95d2d
SHA512 d2c3496265af1e173f9625523b86bb9ee209d63c8a4ec0671d4bf2bb6c82b051fb4e514fe13c2d30af8f9d606aabde8ca4ab170f9d5c330fae825b5a8c16b508

memory/876-332-0x0000000000400000-0x0000000000734000-memory.dmp

memory/856-335-0x0000000000A80000-0x0000000000A81000-memory.dmp

memory/4728-336-0x0000000002A10000-0x0000000002E12000-memory.dmp

memory/876-339-0x0000000000400000-0x0000000000734000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1092-427-0x0000000000400000-0x0000000000817000-memory.dmp

memory/4728-436-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/4400-451-0x0000000005160000-0x0000000005196000-memory.dmp

memory/4400-456-0x0000000072090000-0x0000000072840000-memory.dmp

memory/4400-455-0x00000000058F0000-0x0000000005F18000-memory.dmp

memory/4400-458-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/4400-459-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/4584-465-0x0000000002F90000-0x0000000003090000-memory.dmp

memory/4584-464-0x0000000000400000-0x0000000002D38000-memory.dmp

memory/4400-466-0x0000000005850000-0x0000000005872000-memory.dmp

memory/4400-472-0x0000000006090000-0x00000000060F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qqfygu5x.pna.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4400-477-0x0000000006200000-0x0000000006266000-memory.dmp

memory/4400-478-0x0000000006270000-0x00000000065C4000-memory.dmp

memory/4584-480-0x0000000000400000-0x0000000002D38000-memory.dmp

memory/1112-484-0x00007FFF850D0000-0x00007FFF85B91000-memory.dmp

memory/1544-485-0x0000000000400000-0x0000000000414000-memory.dmp
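The listing above mixes two record types: `memory/PID-index-start-end-memory.dmp` entries for regions dumped from a process, and a dropped-file path followed by its MD5/SHA1/SHA256/SHA512 lines. Several paths recur with different digests (for example `ABA0.exe` and `dvd32plugin.exe`), which means the file on disk was rewritten during the run and every digest, not just the last one, belongs on a blocklist. The following parser is an added example, not part of the original report or of any sandbox vendor's tooling: it turns a block in this layout into IOC records, flags rewritten paths, maps a digest back to the paths it landed on, and ranks dumped regions by size. The sample input is constructed from entries copied from the listing above; the layout rules (any non-hash, non-memory line starts a new file entry; a memory entry closes the current file entry) and all function names are assumptions of this example.

```python
"""Parse a sandbox report's dropped-file / memory-region listing into IOC records.

Added example, not part of the original report. The sample lines below are
copied from the listing above; the layout rules (a path line followed by
MD5/SHA1/SHA256/SHA512 lines, memory entries named PID-index-start-end)
are assumptions drawn from that listing, not a documented format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Sample input: a subset of the entries printed above (constructed from them).
SAMPLE = r"""
memory/2428-66-0x00000000007B0000-0x0000000001287000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ABA0.exe

MD5 5bf677843dc42bb266139b7ee252803f
SHA1 16d811fe8484b57c6e603beda94fb6095d821035
SHA256 1e0bba2e76e3206ca6bc76a6f45e81cd951ea26770005ea17b44c37fb81ef0ea

memory/2288-73-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ABA0.exe

MD5 a725bdafbeed72ef8c2985feb59b5c1d
SHA1 f15c838044ac71d181f247d8caad3de08c346670
SHA256 ae7fdc392bca4f09b1e8814c2c5321b1f558a752cd35ef348a29ddb199ea1209

C:\Users\Admin\AppData\Roaming\ujuhrhj

MD5 1334bbd7e0d0d3bb073194939f7dada8
SHA1 1b94edaf8a275a4c2e2ec6550a4567fd2048dcf4
SHA256 c89ac5cb4dbb4116ed1d3b9630aac5a927066938e5b4a24649cf09116882a146
SHA512 e960d3ea5bda9f39afb449fed300e9863dbbc7ee1c216cd8fa4b681316f78515316bb1fb1f7b4743d689b6a5896f2d4b6bb4a52052d2a298af210888cacf8336
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class MemRegion:
    pid: int
    index: int      # position of the dump in the report's sequence
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm -> lowercase hex digest


def parse_listing(text: str):
    """Return (memory regions, dropped files) in the order they appear."""
    regions, files, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            current = None          # a memory entry ends the current file block
            regions.append(MemRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            continue
        h = HASH_RE.match(line)
        if h:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = h[1], h[2].lower()
            if len(digest) != DIGEST_LEN[algo]:   # catch a truncated copy/paste
                raise ValueError(f"{algo} digest has wrong length for {current.path}")
            current.hashes[algo] = digest
            continue
        current = DroppedFile(line)  # any other line starts a new file entry (assumption)
        files.append(current)
    return regions, files


def rewritten_paths(files):
    """Paths listed with more than one distinct SHA256: the file was written
    more than once during the run, so every digest is a blocking indicator."""
    seen = defaultdict(set)
    for f in files:
        if "SHA256" in f.hashes:
            seen[f.path].add(f.hashes["SHA256"])
    return {p: sorted(d) for p, d in seen.items() if len(d) > 1}


def paths_for_sha256(files, sha256: str):
    """Where a given digest landed on disk (e.g. a persistence copy of a sample)."""
    want = sha256.lower()
    return sorted({f.path for f in files if f.hashes.get("SHA256") == want})


def largest_regions(regions, n: int = 3):
    """Biggest dumped regions first: an unpacked payload usually lives there."""
    return sorted(regions, key=lambda r: r.size, reverse=True)[:n]
```

To run it over the whole listing, replace `SAMPLE` with the text of the block above read from a file; the digest-length check rejects lines that were cut short when the report was copied, which is the usual way a bad hash ends up on a blocklist.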