Analysis Overview
SHA256
c89ac5cb4dbb4116ed1d3b9630aac5a927066938e5b4a24649cf09116882a146
Threat Level: Known bad
The file 1334bbd7e0d0d3bb073194939f7dada8.bin was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Stealc
Glupteba payload
Lumma Stealer
DcRat
Windows security bypass
Glupteba
Modifies Windows Firewall
Downloads MZ/PE file
Stops running service(s)
Creates new service(s)
UPX packed file
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Deletes itself
Windows security modification
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-22 01:08
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-22 01:08
Reported
2024-02-22 01:10
Platform
win7-20240220-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Glupteba
Glupteba payload
SmokeLoader
Stealc
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\7550.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\FourthX.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1372 set thread context of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\742B.exe | C:\Users\Admin\AppData\Local\Temp\742B.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240222011007.cab | C:\Windows\system32\makecab.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\F93F.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\eewbigs | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\eewbigs | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\eewbigs | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nsoBAE8.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nsoBAE8.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\eewbigs | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BD0E2.tmp\CBB0.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe
"C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe"
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7159.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\7159.dll
C:\Users\Admin\AppData\Local\Temp\7550.exe
C:\Users\Admin\AppData\Local\Temp\7550.exe
C:\Users\Admin\AppData\Local\Temp\F93F.exe
C:\Users\Admin\AppData\Local\Temp\F93F.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 128
C:\Users\Admin\AppData\Local\Temp\5267.exe
C:\Users\Admin\AppData\Local\Temp\5267.exe
C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp" /SL5="$50178,3536428,54272,C:\Users\Admin\AppData\Local\Temp\5267.exe"
C:\Users\Admin\AppData\Local\Temp\742B.exe
C:\Users\Admin\AppData\Local\Temp\742B.exe
C:\Users\Admin\AppData\Local\Temp\742B.exe
C:\Users\Admin\AppData\Local\Temp\742B.exe
C:\Users\Admin\AppData\Local\Temp\82FA.exe
C:\Users\Admin\AppData\Local\Temp\82FA.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {A7302DB8-F729-4676-9955-4D2092735EF2} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\eewbigs
C:\Users\Admin\AppData\Roaming\eewbigs
C:\Users\Admin\AppData\Local\Temp\A470.exe
C:\Users\Admin\AppData\Local\Temp\A470.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\B34F.exe
C:\Users\Admin\AppData\Local\Temp\B34F.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240222011007.log C:\Windows\Logs\CBS\CbsPersist_20240222011007.cab
C:\Users\Admin\AppData\Local\Temp\nsoBAE8.tmp
C:\Users\Admin\AppData\Local\Temp\nsoBAE8.tmp
C:\Users\Admin\AppData\Local\Temp\CBB0.exe
C:\Users\Admin\AppData\Local\Temp\CBB0.exe
C:\Users\Admin\AppData\Local\Temp\is-BD0E2.tmp\CBB0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BD0E2.tmp\CBB0.tmp" /SL5="$2024C,3525380,54272,C:\Users\Admin\AppData\Local\Temp\CBB0.exe"
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UTIXDCVF"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "UTIXDCVF"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
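The process list above is the most useful part of this run for a detection engineer: read top to bottom it is a complete persistence and defence-evasion chain, executed with living-off-the-land binaries. A scheduled task "MalayamaraUpdate" is created for an Updater.exe in Temp; a firewall allow rule and an ONLOGON task with /RL HIGHEST are created for C:\Windows\rss\csrss.exe (a system binary name outside System32); a service UTIXDCVF pointing into C:\ProgramData is created and started; the eventlog service is stopped; KB890830 (the Malicious Software Removal Tool) is uninstalled; Defender exclusions are added for the whole user profile and ProgramData; and a DLL named NtQuerySystemInformationHook.dll is injected into taskmgr.exe. Note also the C:\Windows\Sysnative\cmd.exe path, which a 32-bit process uses to reach the 64-bit cmd.exe. The following is an added example, not part of the sandbox report: a small rule set run over the command lines copied from the list above. The rule names and regular expressions are my own and are written for these exact command lines; they are a starting point for a Sigma or EDR query, not a family signature.

```python
"""Triage sandbox process command lines for persistence and defence-evasion techniques."""
import re
from collections import defaultdict

# Command lines copied from the behavioral1 "Processes" list of this report
# (constructed subset: one string per process, unchanged).
PROCESS_LOG = [
    r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7159.dll",
    r"""schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F""",
    r"""netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes""",
    r"schtasks /delete /tn ScheduledUpdate /f",
    r"""schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F""",
    r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll",
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r'C:\Windows\system32\sc.exe delete "UTIXDCVF"',
    r"wusa /uninstall /kb:890830 /quiet /norestart",
    r'C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"',
    r'C:\Windows\system32\sc.exe start "UTIXDCVF"',
    r"C:\Windows\system32\sc.exe stop eventlog",
    r"chcp 1251",
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240222011007.log C:\Windows\Logs\CBS\CbsPersist_20240222011007.cab',
]

# Rule names and patterns are assumptions of this example, tuned to the lines above.
RULES = [
    ("persistence: scheduled task created (schtasks /create)",
     re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    ("persistence: service created (sc create)",
     re.compile(r"\bsc(\.exe)?\b.*\bcreate\b.*\bbinpath=", re.I)),
    ("defense evasion: inbound firewall allow rule (netsh advfirewall)",
     re.compile(r"\bnetsh\b.*\badvfirewall\b.*\badd\s+rule\b.*\baction=allow\b", re.I)),
    ("defense evasion: Defender exclusion (Add-MpPreference)",
     re.compile(r"\bAdd-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.I)),
    ("defense evasion: event log service stopped (sc stop eventlog)",
     re.compile(r"\bsc(\.exe)?\b.*\bstop\s+eventlog\b", re.I)),
    ("defense evasion: MSRT removed (wusa /uninstall /kb:890830)",
     re.compile(r"\bwusa(\.exe)?\b.*/uninstall\b.*\bkb:?890830\b", re.I)),
    ("defense evasion: hook DLL injected into taskmgr.exe",
     re.compile(r"\binjector\.exe\b.*\btaskmgr\.exe\b.*NtQuerySystemInformationHook\.dll", re.I)),
    ("execution: silent DLL registration (regsvr32 /s)",
     re.compile(r"\bregsvr32(\.exe)?\b.*\s/s\b", re.I)),
    ("masquerading: csrss.exe outside System32",
     re.compile(r"[A-Z]:\\(?!Windows\\(System32|SysWOW64)\\)[^\"'\s]*\\csrss\.exe", re.I)),
]


def triage(command_lines):
    """Return {technique name: [matching command lines]} for every rule that fires."""
    hits = defaultdict(list)
    for cmd in command_lines:
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits[name].append(cmd)
    return dict(hits)


def report(command_lines):
    """Human-readable summary: one line per technique, matching commands indented under it."""
    hits = triage(command_lines)
    out = [f"{len(hits)} techniques across {len(command_lines)} command lines"]
    for name, cmds in hits.items():
        out.append(f"- {name} ({len(cmds)})")
        out.extend(f"    {c[:110]}" for c in cmds)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(PROCESS_LOG))
```

Two command lines (the netsh rule and the ONLOGON task) fire two rules each, which is the point of keeping the masquerading check separate: the path C:\Windows\rss\csrss.exe is the pivot that ties the firewall rule, the task and the dropped files together.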
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| KR | 183.100.39.16:80 | trmpc.com | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | en.bestsup.su | udp |
| US | 172.67.171.112:80 | en.bestsup.su | tcp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | 79ea928f-8587-4c7e-84bd-d65a0bc4c8dc.uuid.statsexplorer.org | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| AT | 5.42.64.33:80 | 5.42.64.33 | tcp |
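Not every row in the table above is an indicator. Five destinations (the four 185.172.128.x hosts and 5.42.64.33) are contacted over plain HTTP with no preceding DNS lookup, i.e. hard-coded addresses, while msdl.microsoft.com and the blob.core.windows.net host are reached over TLS and coincide with dbghelp.dll, symsrv.dll and ntkrnlmp.exe appearing in Temp in the Files section, which is consistent with a symbol-server fetch rather than command-and-control. The statsexplorer.org name is looked up but never connected to. The following is an added example, not part of the sandbox report, that parses the rows above and sorts them into those buckets; treating the two Microsoft suffixes as first-party noise is an assumption of the example.

```python
"""Sort the sandbox Network table into C2 candidates and first-party noise."""
import ipaddress
from collections import defaultdict

# Rows copied from the behavioral1 "Network" table of this report (constructed copy).
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| KR | 183.100.39.16:80 | trmpc.com | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | en.bestsup.su | udp |
| US | 172.67.171.112:80 | en.bestsup.su | tcp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | 79ea928f-8587-4c7e-84bd-d65a0bc4c8dc.uuid.statsexplorer.org | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| AT | 5.42.64.33:80 | 5.42.64.33 | tcp |
"""

# Assumption of this example: these suffixes are Microsoft symbol-server and blob-storage
# endpoints and are treated as first-party noise rather than command-and-control.
FIRST_PARTY_SUFFIXES = ("msdl.microsoft.com", "blob.core.windows.net")


def parse_rows(table):
    """Turn the markdown rows into dicts; the header row is skipped."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify(rows):
    """Split connections into DNS lookups, direct-to-IP, first-party and resolved domains."""
    dns, direct, first_party, resolved = set(), [], set(), defaultdict(set)
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            dns.add(r["domain"])
        elif is_ip(r["domain"]):            # no lookup at all: a hard-coded address
            direct.append(f"{r['ip']}:{r['port']}")
        elif r["domain"].endswith(FIRST_PARTY_SUFFIXES):
            first_party.add(r["domain"])
        else:
            resolved[r["domain"]].add(f"{r['ip']}:{r['port']} ({r['country']})")
    # Queried but never connected to: resolution failed, or the run ended first.
    unanswered = sorted(d for d in dns if d not in resolved and d not in first_party)
    return {"direct_ip": direct, "first_party": sorted(first_party),
            "resolved": dict(resolved), "unanswered": unanswered}


def iocs(rows):
    """Network indicators worth blocking: direct IPs, non-first-party domains and their addresses."""
    c = classify(rows)
    out = set(c["direct_ip"]) | set(c["resolved"]) | set(c["unanswered"])
    for addrs in c["resolved"].values():
        out.update(a.split(" ")[0] for a in addrs)
    return sorted(out)


if __name__ == "__main__":
    rows = parse_rows(NETWORK_TABLE)
    for key, value in classify(rows).items():
        print(f"{key}: {value}")
    print("iocs:", iocs(rows))
```

The unanswered lookup is kept in the indicator list on purpose: a DNS query for a per-victim UUID subdomain is a signal whether or not the sandbox saw the connection that would have followed.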
Files
memory/2356-1-0x00000000008D0000-0x00000000009D0000-memory.dmp
memory/2356-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2356-3-0x0000000000400000-0x0000000000817000-memory.dmp
memory/2356-5-0x0000000000400000-0x0000000000817000-memory.dmp
memory/1224-4-0x0000000002D70000-0x0000000002D86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7159.dll
| MD5 | ec6878849a30cad1ddb5ab3ff4921124 |
| SHA1 | 0c1208b6d2e153352b8c4ccc345ff30281ab2af9 |
| SHA256 | 3bc2c7cc924b87108429a7d64fdfe54f6804d158c853e5375e61cb4c871e2639 |
| SHA512 | 773e7e196bec58000b626b0ea12adf300381ca324e0c70dc7e262da8d0a12b6c41fd673d78010886233888435a7d426fe1b9fe1f60546ac821992c067c120edb |
memory/2712-14-0x0000000000130000-0x0000000000136000-memory.dmp
memory/2712-15-0x0000000010000000-0x00000000101A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7550.exe
| MD5 | 1996a23c7c764a77ccacf5808fec23b0 |
| SHA1 | 5a7141b167056bf8f01c067ebe12ed4ccc608dc7 |
| SHA256 | e40c8e14e8cb8a0667026a35e6e281c7a8a02bdf7bc39b53cfe0605e29372888 |
| SHA512 | 430c8b43c2cbb937d2528fa79c754be1a1b80c95c45c49dba323e3fe6097a7505fc437ddafab54b21d00fba9300b5fa36555535a6fa2eb656b5aa45ccf942e23 |
memory/2712-21-0x0000000010000000-0x00000000101A5000-memory.dmp
memory/2712-22-0x0000000002700000-0x0000000002824000-memory.dmp
memory/2712-23-0x0000000002830000-0x0000000002938000-memory.dmp
memory/2712-26-0x0000000002830000-0x0000000002938000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F93F.exe
| MD5 | 3e20597b095b7a9ec311e3b400b7de46 |
| SHA1 | b491811b3f8ba87355a5bd9f62f92a8d3ad38065 |
| SHA256 | 0ea117f712e73b4df98604e93f3f9996b83cee2a4691b3da4ac9db8f20ddd5dc |
| SHA512 | 9d9690bc075e8a569a6aa0fed91a14cdd2def622787eb533fd00c51018ba9d9e96d48409358f76490c839f2f731cb6f718ceb414b3e0de694640513065ced202 |
memory/2060-32-0x0000000000AD0000-0x00000000015A7000-memory.dmp
memory/2060-37-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2060-40-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2060-42-0x0000000000AD0000-0x00000000015A7000-memory.dmp
memory/2060-44-0x0000000077A9F000-0x0000000077AA0000-memory.dmp
memory/2060-43-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2060-45-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2060-47-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2060-49-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2060-50-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2060-52-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2060-55-0x0000000077AA0000-0x0000000077AA1000-memory.dmp
memory/2060-54-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2060-56-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2060-60-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2060-58-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2060-62-0x0000000077A9F000-0x0000000077AA0000-memory.dmp
memory/2060-61-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2060-64-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2060-67-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2060-66-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2060-68-0x0000000077A9F000-0x0000000077AA0000-memory.dmp
memory/2060-73-0x0000000077A9F000-0x0000000077AA0000-memory.dmp
memory/2060-72-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2060-70-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2060-74-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2060-76-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2060-78-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2060-80-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2060-79-0x0000000077A9F000-0x0000000077AA0000-memory.dmp
memory/2060-82-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2060-84-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2060-85-0x0000000077A9F000-0x0000000077AA0000-memory.dmp
memory/2060-86-0x0000000000170000-0x0000000000171000-memory.dmp
memory/2060-88-0x0000000000170000-0x0000000000171000-memory.dmp
memory/2060-90-0x0000000000170000-0x0000000000171000-memory.dmp
memory/2060-91-0x0000000077A9F000-0x0000000077AA0000-memory.dmp
memory/2060-97-0x0000000077A9F000-0x0000000077AA0000-memory.dmp
memory/2060-106-0x0000000077AA0000-0x0000000077AA1000-memory.dmp
memory/2060-110-0x0000000077A9F000-0x0000000077AA0000-memory.dmp
memory/2060-116-0x0000000077A9F000-0x0000000077AA0000-memory.dmp
memory/2060-123-0x0000000077A9F000-0x0000000077AA0000-memory.dmp
memory/2060-128-0x0000000077A9F000-0x0000000077AA0000-memory.dmp
memory/2060-134-0x0000000077A9F000-0x0000000077AA0000-memory.dmp
memory/2060-136-0x0000000000230000-0x0000000000231000-memory.dmp
\Users\Admin\AppData\Local\Temp\F93F.exe
| MD5 | 7ac31ea0bb9eddf0ff88ccd4fab3496b |
| SHA1 | a0f4deb7b973cbff8b41cd8fd957cc6d706b7d69 |
| SHA256 | 73d9e6f9775c055b03c07ac1223fb4b8ea7722def3d4e0bf8d75779c2f2c35a3 |
| SHA512 | 28ca3b4d8f228080a4f8fa353ff4f48d6157f556d67c0425572f18b2144b869cd9fbc5cfc9b2bc24deabea33b9ff254ec9ba37f2478158f97cf069ea8e3fdb1f |
\Users\Admin\AppData\Local\Temp\F93F.exe
| MD5 | 479342d62078aaf31881972c7574f6f2 |
| SHA1 | 382fa9a95746ca6199e7dfb9ae2bd035f4000fb4 |
| SHA256 | a6b59e0a275b5314935a3f812a5ba7dd5d5cc9524d3a6efdeb3a103eea386f6d |
| SHA512 | 0e74e3e0b993968220e712ffd94a76c00d35f0452494d62b3f6780c80cc0cae2e9982978830c54bed3a57d17a5a84abbdc4c0cbb5961afcae785048ac4ac47da |
\Users\Admin\AppData\Local\Temp\F93F.exe
| MD5 | 47a81177e545fed243b05499fcc59adb |
| SHA1 | 151377fe78ad52031c3095265378a3691d735846 |
| SHA256 | ccafaf7fb8f16c51e5846ff03b40b334715ec9f8663ced4fb2790741600c2baa |
| SHA512 | e7ee4069385f06cc82e4aa083b7e8d3a24359ad9af90ed2db9b90e22856d3e8f6d207f72c2ebaf7718b5496ac6148813573d45b44ff5d1acd08dc10bdf9409d0 |
memory/1104-148-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5267.exe
| MD5 | c836e1e341835ec964deacc3b20c7a2e |
| SHA1 | 1b6ffc277c2ad658878f71fc07a9de212530277f |
| SHA256 | fd018900a82a02b350bb3a71fb38e68054d813efba13ca16a93e1ef2012fe8b1 |
| SHA512 | af92e13587d7db0534723d6bc91a9d8011c012352713edbee01fb87e5f1ccd91a79012906e759276e8e3524388d19bbb2973b59602a28267e224387b7e78ab92 |
C:\Users\Admin\AppData\Local\Temp\5267.exe
| MD5 | 1b5cbc787026fe7eaf1e54d1aafdcc06 |
| SHA1 | f2e634922e1ac230fc409259f54d94c98b5ca577 |
| SHA256 | 941fe0ff18caff6afaa4454c34102dc6ac04ef2aa5535a525ab11d6d246f8de3 |
| SHA512 | 0af0eb234ba7a5087d2e14ec5ef999152035d3f80ee7c62fbe34a09e9a82aae958e1b7129074abccfae8eddd8af8fd5408036ccbfb0ee741b208d1a5aadc4f26 |
\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp
| MD5 | ebe053359c813af4a16486ab11e4fe1c |
| SHA1 | 659da1403674751bccefe708f87b4214259d8445 |
| SHA256 | e45305bab7308f51605436b715c667ca2de46156f8e28cc4bba105b5d200aa7c |
| SHA512 | 771250568e9a9f418ba69f80a27fd35e7cedbe0677c66245a62e195a2c68d78f7d5dfb4c4110541ee4422ea3828a0438b6ddfa2304008c8232d1f0d1f8d27e30 |
C:\Users\Admin\AppData\Local\Temp\is-CB58M.tmp\5267.tmp
| MD5 | 49becb0626a04b87221c00d30c3d14a2 |
| SHA1 | 96e2f9ea00aa118ce62a368ded287f6b888c0cd4 |
| SHA256 | 95480cadb85d9df813521fd2360328eafc500001fa487324d3ec571397382b3f |
| SHA512 | a1f4fef9d039fd42a704d68b68552e3932d258123a02a3c66c78b8b2d48623b1e305662b378e0024d9c8b419824d3fd1b91dec96c5149123d945e7707bd6eda2 |
memory/3052-166-0x0000000000240000-0x0000000000241000-memory.dmp
\??\c:\users\admin\appdata\local\temp\is-cb58m.tmp\5267.tmp
| MD5 | 1ba055823154222509be8b1cb57f0d49 |
| SHA1 | a11bdd1f4106f1de2dd075801987965f97c5c2b2 |
| SHA256 | c2994637d1dca3be7b8237176a71a5dca9a68f1442345f2f950a5b4bf3b0d841 |
| SHA512 | 2a1372383e7ddb3a238c5e38cd5687689f9040f227cb75dffc422fcdf91be4086935cf4a8885b1a571ec3ea5dec150b72cce029e6f389ce6129e318061dfd41a |
\Users\Admin\AppData\Local\Temp\is-O65JM.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-O65JM.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\742B.exe
| MD5 | ed6e3e72abf6a1a19c269143092af11a |
| SHA1 | e33257a9ef5ff4640e9acd98486500d8a4bf4e71 |
| SHA256 | ea8819ef7ff190739df7f329843f64157c6d9aa9eb4a029b5e441d378ff78afb |
| SHA512 | 0d91337a9ae4357bf1b5c5b94024224e6b6f75270a2ed6545e3435d4311f59b4a0fd1319edaf37080de40b6b738f968061508a84456db9d5be358e1bc9924408 |
C:\Users\Admin\AppData\Local\Temp\742B.exe
| MD5 | 5e481d9cd54e5b71bf09c4b999f5b3a0 |
| SHA1 | f4ff6302eadba9c2e94ac12e0defc0eb7d136e2c |
| SHA256 | c4d8500b7ef3b483a09d09d2122119fcdcd461a3fb37f243abd8297699bdf632 |
| SHA512 | 761950f84231bb4211e163d018a370fab0dd7b01c53804071eae075b92d14404b3806846110b2893d8fffc9aec95d82711a73a267ef3124e2ddf2b75b3cb28aa |
memory/1372-185-0x00000000047F0000-0x00000000049A8000-memory.dmp
memory/1372-188-0x00000000049B0000-0x0000000004B67000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\742B.exe
| MD5 | 718b0dcddc2bbaa0e243f8df12262b02 |
| SHA1 | f47e4c5cbe04b9435b8192b028ebfc42eda30bd0 |
| SHA256 | 8296fd54d27268a1efbc03f2087376f8bc2a9b5d3e11079ef8839e51554301d5 |
| SHA512 | a3e44253d36abee30b31e151bcb2c3ff356d7204aef235e32e075e7b406ed766a5ed97de8a36890780b76eae04b6a3ed3e0cc4220165c97a95aa39997f4a857f |
\Users\Admin\AppData\Local\Temp\742B.exe
| MD5 | 247c47483cf0e34f9e0cc0fbe4f62c5f |
| SHA1 | 37ab13e1b2a42f918471c0903e2eb0160f6bfe81 |
| SHA256 | 8f82ad96d1529c156b3770283661a0dbaa18bfb587d8055eff4de731e65b0ab7 |
| SHA512 | 4f52d45c85181290ba5f42a39f470a8817d060696b7a74e544bd133e1d88323dbdea9eccc8b89a1e42515f87d3c73913943fb836c276ebd10fbb043640adcac1 |
C:\Users\Admin\AppData\Local\Temp\742B.exe
| MD5 | ba596889eb548175469af702b3a22cd7 |
| SHA1 | 73871abcad36ebaa97368c4d73d8166cc94dc669 |
| SHA256 | 36f8a5365149510153da15602a8129d8b57804352687cf1be4da8614a36cff38 |
| SHA512 | d2dcf18499f847435471c66fc276fcdae2fa5df1c1f79c1d2bd9885241ac2f1675b38fbc14cc62cbba6856670607ff3457d62773eb366f1ed4e0ad4601818546 |
memory/1556-194-0x0000000000400000-0x0000000000848000-memory.dmp
memory/1556-197-0x0000000000400000-0x0000000000848000-memory.dmp
memory/1556-203-0x00000000002D0000-0x00000000002D6000-memory.dmp
C:\Users\Admin\AppData\Roaming\eewbigs
| MD5 | 1334bbd7e0d0d3bb073194939f7dada8 |
| SHA1 | 1b94edaf8a275a4c2e2ec6550a4567fd2048dcf4 |
| SHA256 | c89ac5cb4dbb4116ed1d3b9630aac5a927066938e5b4a24649cf09116882a146 |
| SHA512 | e960d3ea5bda9f39afb449fed300e9863dbbc7ee1c216cd8fa4b681316f78515316bb1fb1f7b4743d689b6a5896f2d4b6bb4a52052d2a298af210888cacf8336 |
memory/1700-231-0x0000000000250000-0x0000000000350000-memory.dmp
memory/1700-232-0x0000000000400000-0x0000000000817000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A470.exe
| MD5 | e6a0c31600adc9cbc2122f266740c6bd |
| SHA1 | 7f8ab813cd05965fe6ea3ca7430a31642c8f1bcb |
| SHA256 | 7211f3dc9dfca6922741e10fffd4a9edaa6345444a4f7c08420270efaeb1fb2d |
| SHA512 | 463349e59d66a894624f90488aa6f91454a913af2830688f0e956fcc1840a1a97cecc4a0893bf4c53286caf76705dad2c9f9c03a3c8635e0ed3c7c924115a7a0 |
C:\Users\Admin\AppData\Local\Temp\A470.exe
| MD5 | 3eb3a47ac3ccb90ead8ec9a6a394ff18 |
| SHA1 | 36584c7254f909e9a26b147e67394adf7978b75d |
| SHA256 | 3fbb77385ba74580e1fb42ecb8f709e53720dcb7269c60fa8976dbdf0b01c206 |
| SHA512 | cb6c39d46bf4ff2224b6a67a090d4bfed757db06d4eca8d6ea45c950a081dff98afd4bc07298c7daa7fa615170dda4962de62aac9ad1a3427dade34353aee1f5 |
memory/1604-238-0x0000000000FA0000-0x0000000001856000-memory.dmp
memory/1604-239-0x00000000737A0000-0x0000000073E8E000-memory.dmp
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | a486410370f5a463bf078d5f47877a14 |
| SHA1 | 924647b7ae1ec7afcfdf7cb2cf679f70479d2a8a |
| SHA256 | ccd896850a8ab91a46f9c6349c25ee5e0fcedf627bde50791c2b5db6c6027578 |
| SHA512 | aff2aa42dc5e570310e877d7d864eede54f245595c21bed1be24eb1477952d330be18d6b88844bacf00df90c93a38044fa009792e448218bca65bb94140c66d3 |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | b9e83f5d06d65f1a132f55308bc72726 |
| SHA1 | 7738e1f34abf3568bcd38bed45d535f1ba8c6970 |
| SHA256 | 0b9222bc3e0db767e3fb419d7cec2303c882616f9c6ebdfa6eb3592fcce119fe |
| SHA512 | d7c7601f4c55e534c1a29d00398908958a89ef0e94359b9f509a0c08791e7155038a6fd33124f30b78844668e071574301f3017fe0c1016a4fd38a4f79866889 |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 4fda302de5dbc796575a887375e61a3b |
| SHA1 | 05488e1eba9053f3c09062832d64652b30f4aedb |
| SHA256 | 8714e3d1c6a611e658b08721b38dbf5a371b590ec9d4dd8fcaa800ce692048a0 |
| SHA512 | 7488616f0d367a97b99d33bea8a18bfe0c7f740e104a6a6622031e1a46dc1d21bf495dd276f2a9fedf8950f3f37587ad90d2885be28e6dfa0d8ebb91e710f799 |
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 798c22621ebef52bd51fe7fb8cbaaaaa |
| SHA1 | 4e3bd2ab8437e9883640c2e120cadf9da63f5ca8 |
| SHA256 | 61313cb6a5a5b47318a539d35004846c37c48247b81e0e3dd89cfb23797531e1 |
| SHA512 | 11607770258bea188df7a56222f697881546f1be14e3550dec5b4b85a9f98b1e67697e4d2d2c90966d53c428d35e496b310ebb78e9c7ddab87893fbfc0efd527 |
memory/2352-252-0x0000000002790000-0x0000000002B88000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 84c2a426a9c5508f54a3f58d355da401 |
| SHA1 | f0cfcedd79caee5b4a48390904e6b1ae6e23d6f6 |
| SHA256 | 94f70ac20af9250c5866a192bf3b87cb4d90fcfe12663f9d2df57e8e4b5f3fd0 |
| SHA512 | f542f5e6ff3cf8e93c326494fb23694bb4dbe2b6330f72d5c2f3fe75ca1f15d9142b13e335bf211236e0414bda9a82c813200c1cc92eeef81cc98e22d7167381 |
memory/1104-256-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2352-255-0x0000000002B90000-0x000000000347B000-memory.dmp
memory/2352-259-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | c3a261e56b6e319874069534de7bdb68 |
| SHA1 | 35583528bc7d1fe3cf1b087d912a9f25d3ba2a4f |
| SHA256 | 2d21a8c41233de40e5ae14fbbf6c2447ffcd688d80e49aee41d12d45a3557bfd |
| SHA512 | a22993cacf8f2defc2d4a5eeef9e8a8aec32363af278cec3055835e1c0da70ba841197c8a23673c3262c0650519b3da626d0e399e93735deab7008cda3c87bfc |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | f37545e69e6966ece6bf860bd2ae3e7e |
| SHA1 | 8bbc5c6487a1a4918cb8a4b1d4f6c23779a98989 |
| SHA256 | b83c8fb67e206c0d316705d070fca3e51e2356458c3eb3ebdda9d956e474db25 |
| SHA512 | be9bc35b19a61bbfafd7d423473ea1f44fb679985b538100a7ac37a5a4b508517fac953edcaae8ddd533e334ed63fd11c0db30d7562980c0ca7a1d3c36e64369 |
\Users\Admin\AppData\Local\Temp\nseAAD1.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 1288cc1eb11e86422709338555055aaf |
| SHA1 | ca9321bb0d87bb41e24e88535a2d56ba9ee418ed |
| SHA256 | ed8aaf9b082317abcc59c6f39c3cb7524ee7c50988657670d75a115c4fc77432 |
| SHA512 | fabcb0ec74fd6baac93a341e0337eeb1c5fd81f958a1f75cf67a8e49eb617b7def964936d5a21c24e76df6b2122868f84ec64cf37ad0107338222ce373b2693c |
memory/1604-279-0x00000000737A0000-0x0000000073E8E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 878b583e6ebb6ef4dbd7ea4f09cb7b9d |
| SHA1 | b10171ed3355b5a6264ff0780c337fc54797c165 |
| SHA256 | c9e51f74264355c711734f434131d49465212d88cb3c3e9a268330e94e97c76e |
| SHA512 | 69e35f2ff9360bd620879065ebc6b80d14e0206f94afbb935b51c86679db5819b3968632ee8a84bf877e65a9d6da09241a2054082e167461880e5916d1186dc8 |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | fbc61539cf79c584550feb6e32097375 |
| SHA1 | 5b1ad62930eb630d7a3f3cb37789d86017a3bb95 |
| SHA256 | fa52bb8552c4f4c4ff2c01963e0e31fe8f0dcb261af163fc3041e92aff2cbe45 |
| SHA512 | 65172a8b242c9ada1be8aa57bd29fb81e53fbec4917837d5f9c6bb68e13f0b3c8424522d583f738dc9bece951afd72fb1c711403f8784307115bbf1d9d4658cf |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 3e716dd2d7035b3385ae32ca101b0c04 |
| SHA1 | 5b2ceb8b857e6f4a1871e8aa85ca8e385f46d88a |
| SHA256 | d72941f91a3dc82f0c46069955228683dc95afec1719da9bd007a23f45043a97 |
| SHA512 | 4813eea3440344d8035573cb7e9c49b2748ffdf221695b6b2ae0f947266da460ec671ae0c208558013faf775c19bb09346057418f1ed6e69ad09f9ff40095edd |
\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 78d668aa5fa6346dcb355967a7079278 |
| SHA1 | 5b017af60a553b355442f7d5836b236dafd60b09 |
| SHA256 | e52e0827f09b43184994deb7780e6bced7c62cfb80b64a84a80fb3244750746a |
| SHA512 | 5f5d506dd7bb50450fc84f41839573693040480b90724ebb5191b2696d6029f532869e8f5304894c925cd0642c0aa08caad536f34239d89ea48c63f89f408db4 |
\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 57bb8084c1d4f6ecb5208996ce9f5735 |
| SHA1 | 57c58eb385d8d77350ca81072cb47acb3406ade5 |
| SHA256 | bca7ede0c71ea6eec7311c4cbb8fba154a77ad5149bc97f9ecc22654a67da454 |
| SHA512 | 772c711ba86978f09845700d43fd959c29f5f329c0bf87a37fcc00ad701b56f749b8b6b5d1db15c18f4b58c9c2cd9c76b4aad9ced4095b48bb78b9153df39020 |
memory/2596-280-0x0000000000240000-0x0000000000241000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B34F.exe
| MD5 | 3dd02e3a7d6552f6312e29bc4189c06a |
| SHA1 | c52bb026df26445a1e4ccf66baf61d99ecd1ff8a |
| SHA256 | cb34f0fe3c44490fcf75fae3bfbda353d52b8463ad4f12a67c503e9c3d855a70 |
| SHA512 | 4a64121a31e09d6114209fbf91f2ff1d130d8faa7c7d2a739e461c0cf6230072afabd51da34f38d476df1ecec89f111c1d63136a22bba187cc20b66dc7aa4485 |
memory/2640-290-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2640-289-0x0000000002E30000-0x0000000002F30000-memory.dmp
memory/2640-291-0x0000000000400000-0x0000000002D35000-memory.dmp
memory/1700-296-0x0000000000400000-0x0000000000817000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 37bd3380e2dc5ed47b453915f177ab15 |
| SHA1 | 3d10f3ebc6df0df7c17a559c6b199be8f33aed7b |
| SHA256 | f20d482959d619e57359f139a987d46a9b7a4af6a4c50689ffba91c38649dd62 |
| SHA512 | 6e9fb9e54c0b0e0481231fe7949c5f32358e2fc82cca476811b8ae2e4a10fd26e45da18ecea7a146c69200eb59a8588e2509aed0dabdfa5290c7444b5887b10f |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Local\Temp\nsoBAE8.tmp
| MD5 | 4e947abc3916088f9aeb96ca58ae4b2a |
| SHA1 | ed78b516acdea1e79c242f585d4c1a2a3f45661e |
| SHA256 | ecc6907c2fdbab7c96faf570aa575097d1f151e157acea3a958f21adf6de6abe |
| SHA512 | 80a58e16729d8d14675123cdf28b5c86ffb24ebe244d5d6caedd5ccdf97db6f430e90fea7375213e57e46d74e8c5e3558a13677e330acee7d119b8c42069fa2e |
C:\Users\Admin\AppData\Local\Temp\CBB0.exe
| MD5 | 924961a55a148f673993c2a030705f55 |
| SHA1 | 4102c1955090cdc1e98dd81908a87f646c281bbe |
| SHA256 | 2629f29216a5ade8bc496abc00421578f0d20a426d0bc92a8e2a2588bf1bd387 |
| SHA512 | e236af25ed1940c952a0f6a7daa4e5747632463e0639538a75eab97085498313545c5a665583b7826bcf9224d185f03adb23d7623bc4e138d5293a9008a8d10a |
C:\Users\Admin\AppData\Local\Temp\CBB0.exe
| MD5 | 8eb0f03a13fcbdcaa98c7386f78fcf18 |
| SHA1 | 7effdb669cc14fbb4be22c7509ef5c418f8dbee5 |
| SHA256 | e1fa1a210c73c3d5f2c2e23ff9a0df777b0bbb206f2f6c688a1a6b25dc0895a3 |
| SHA512 | 9a17504d9285008d4c10997eec0cb44e9a6046fd4baa6410edd6a5a6008635002de1c2ec138f9bfeac65170325eca28e45825e2f457f9e97fa941897098815d2 |
C:\Users\Admin\AppData\Local\Temp\CBB0.exe
| MD5 | 406045df6eea45a7ccf305dd73d93174 |
| SHA1 | 9fee5b539390e703792070b23953277f215a42d1 |
| SHA256 | 9d4b6ac45865161c1858566c241dccf59fbb771832b30791cbc34bb87335ef71 |
| SHA512 | 4d3c078c9896593d80251836f6082efea4debdf8c17e01e21b61c29009ceaf161f4bd922a133e99ff3117b0aad66b0d3422e4b95fcced7fb826242b2e392a38d |
memory/1096-333-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-BD0E2.tmp\CBB0.tmp
| MD5 | d33381c9542ef119f3e2c73822539b13 |
| SHA1 | 04c855c2a6a0052850a2781ba03d57eac8d1e344 |
| SHA256 | 679b09a828efb0b30e6ae3d95cf67903807848d87c99af5799a902d5b28901d1 |
| SHA512 | a30b153837fc00ce3cf56d62fcc15e9b9a2506fcb29383ed614d454fb742ac5945cecfcd5e389dc61e1b7198131cf04574a2d2fe97b8b0735939387de17b3daa |
memory/1556-349-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2280-360-0x0000000000240000-0x0000000000241000-memory.dmp
C:\Users\Admin\AppData\Local\Audio DVD Copier\is-EK9C2.tmp
| MD5 | 6231b452e676ade27ca0ceb3a3cf874a |
| SHA1 | f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1 |
| SHA256 | 9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf |
| SHA512 | f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 43ff0c8090b7222492667f4e6a84290a |
| SHA1 | 200428a87920d4b51f23cd696aa6258deea613ac |
| SHA256 | eaba9bed52a9d6a8bc0fa3d0634937a9350aec04ffefa818307f55c397302d4c |
| SHA512 | 962d140e0d09171352d823231479c29e519484ceea25b652a2927fc4581bd9ad7ef4e90e405f6c54e991fb8db09c62adfbdc99deac11fb2b4e3c575099868a32 |
memory/2352-375-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2416-377-0x0000000002760000-0x0000000002B58000-memory.dmp
memory/2416-378-0x0000000000400000-0x0000000000D1C000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | cc15bd28b9297f0de54462d1f4151963 |
| SHA1 | 1e723fce28c94b777b821e4b1884a42d352d4f7f |
| SHA256 | e8d430ceb5cde61da0716fcef9c406537ac7997565e251f90b21ffa8b0152b21 |
| SHA512 | 2e50e53c119c70995337a296d3dddd08bcb8df7083a46b2133f0e8433e5efde5c6d3b924fac9e644c193855208d439ff3589e53be3d11a2d30f18470858aab4c |
memory/1536-397-0x0000000000220000-0x0000000000254000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | dd76b1ea2a8bf2f7e800e0a11f01f5e9 |
| SHA1 | d31c1ff5b3bfff45af20f5fce0579b80819c5390 |
| SHA256 | 98ddd0a4e39f3693a0bdda3844934a3211e119eee2d5155e17778b0af18e6b89 |
| SHA512 | 2b3118524ede04678a6306af55dff202a5dbd1a5443bd815dc6a7e3122518ca3593841b942b46b04c3053e553cf20c8baca39461f27cc7fe5d293e26050b2508 |
memory/1536-394-0x0000000002E60000-0x0000000002F60000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | fb8129e365391576bb219e9c32633d1e |
| SHA1 | 8bea7c52cfb0921c24446e00351d19c8a9cb8484 |
| SHA256 | 9e73f75e4b618189e5624f02c4cc5dfb810600181434ede34815a645cc4b24b1 |
| SHA512 | 941ab808da324d78f3aeef63e274994ff50d8d4270315fe9f3a4029ce86efe372c28b6ab6d39accb61f03eab27ae432fc11155d2dc2f74fe0fb621675016c93f |
memory/2416-400-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1536-401-0x0000000000400000-0x0000000002D38000-memory.dmp
memory/1004-402-0x00000000027A0000-0x0000000002B98000-memory.dmp
memory/1004-403-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 1b80fb22665c5c506faadcc5f2a4cd7f |
| SHA1 | 80b615e0ae9ea791b521d802f3d1f8480af6380f |
| SHA256 | 02d595587af4a8fe7aa6c44f6b1cba48f21725b83de6ee5aa31e2a9f6ff85a93 |
| SHA512 | ded746797b1d0a80ab456024011bc4b0ca30d05959227b0baaca920e9504a92a11a4ab70fbd1b096b55673ea0941f7151708d1ca6595889a6e7666d405ba88a0 |
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
memory/2596-411-0x0000000000240000-0x0000000000241000-memory.dmp
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
memory/872-414-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 36faf3a793dbb6e80cd9ec2282ae4404 |
| SHA1 | 6118ce7d7e64040e97018d6d4383ddfb6f1394e5 |
| SHA256 | f8785b8eef542d5f08fdcb9d8d275aab8d8980dece2e4e5c7f26df3b02879cec |
| SHA512 | f395e3d2c71117f5b8256ec25172f280ae74b99e4e7c3eec40e21ab14d486dfaeed3851437851deab9c7c54c3725b3c5a485e562cdd02e548ee9edd1df031e8e |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | a9a6778b7b83e913b9b55eb4d1476042 |
| SHA1 | 3256dede4bd1214ba19e0bc67900ffbae364f854 |
| SHA256 | f5872a7bab6d3dd42bb26aa43dcfc7ea54f18e91d315ab252f6737d1db41e01d |
| SHA512 | 5037711a23458f9deb618391d57b50a6a5e8dce52fd10415783540ed23ddb31dc823e2d4fecbcd607f38625eb6259d289eecee30c5eda50578df86ac042dae59 |
memory/2640-425-0x0000000000400000-0x0000000002D35000-memory.dmp
memory/872-427-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab18B1.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar1950.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
memory/1096-525-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1536-546-0x0000000002E60000-0x0000000002F60000-memory.dmp
memory/1536-547-0x0000000000400000-0x0000000002D38000-memory.dmp
memory/2328-562-0x000000001B6F0000-0x000000001B9D2000-memory.dmp
memory/2328-563-0x0000000002250000-0x0000000002258000-memory.dmp
memory/2328-564-0x0000000002CC4000-0x0000000002CC7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-22 01:08
Reported
2024-02-22 01:10
Platform
win10v2004-20240221-en
Max time kernel
135s
Max time network
146s
Command Line
Signatures
Glupteba
Glupteba payload
Lumma Stealer
SmokeLoader
Stealc
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\D65C.exe | N/A |
Deletes itself
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N1PU6.tmp\ABA0.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B5B3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-F0MNE.tmp\F1C6.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsoE7DC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsoE7DC.tmp | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\A2F8.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 644 set thread context of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\B5B3.exe | C:\Users\Admin\AppData\Local\Temp\B5B3.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\E532.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\nsoE7DC.tmp |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ujuhrhj | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ujuhrhj | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ujuhrhj | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nsoE7DC.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nsoE7DC.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ujuhrhj | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N1PU6.tmp\ABA0.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-F0MNE.tmp\F1C6.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe
"C:\Users\Admin\AppData\Local\Temp\1334bbd7e0d0d3bb073194939f7dada8.exe"
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9BE2.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\9BE2.dll
C:\Users\Admin\AppData\Local\Temp\A2F8.exe
C:\Users\Admin\AppData\Local\Temp\A2F8.exe
C:\Users\Admin\AppData\Local\Temp\6212.exe
C:\Users\Admin\AppData\Local\Temp\6212.exe
C:\Users\Admin\AppData\Local\Temp\ABA0.exe
C:\Users\Admin\AppData\Local\Temp\ABA0.exe
C:\Users\Admin\AppData\Local\Temp\is-N1PU6.tmp\ABA0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N1PU6.tmp\ABA0.tmp" /SL5="$1501BA,3536428,54272,C:\Users\Admin\AppData\Local\Temp\ABA0.exe"
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s
C:\Users\Admin\AppData\Local\Temp\B5B3.exe
C:\Users\Admin\AppData\Local\Temp\B5B3.exe
C:\Users\Admin\AppData\Local\Temp\B5B3.exe
C:\Users\Admin\AppData\Local\Temp\B5B3.exe
C:\Users\Admin\AppData\Local\Temp\B9CB.exe
C:\Users\Admin\AppData\Local\Temp\B9CB.exe
C:\Users\Admin\AppData\Roaming\ujuhrhj
C:\Users\Admin\AppData\Roaming\ujuhrhj
C:\Users\Admin\AppData\Local\Temp\D65C.exe
C:\Users\Admin\AppData\Local\Temp\D65C.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\E532.exe
C:\Users\Admin\AppData\Local\Temp\E532.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3852 -ip 3852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 340
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Users\Admin\AppData\Local\Temp\nsoE7DC.tmp
C:\Users\Admin\AppData\Local\Temp\nsoE7DC.tmp
C:\Users\Admin\AppData\Local\Temp\F1C6.exe
C:\Users\Admin\AppData\Local\Temp\F1C6.exe
C:\Users\Admin\AppData\Local\Temp\is-F0MNE.tmp\F1C6.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F0MNE.tmp\F1C6.tmp" /SL5="$20272,3525380,54272,C:\Users\Admin\AppData\Local\Temp\F1C6.exe"
C:\Users\Admin\AppData\Local\Audio DVD Copier\audiodvdcopier.exe
"C:\Users\Admin\AppData\Local\Audio DVD Copier\audiodvdcopier.exe" -i
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Users\Admin\AppData\Local\Audio DVD Copier\audiodvdcopier.exe
"C:\Users\Admin\AppData\Local\Audio DVD Copier\audiodvdcopier.exe" -s
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4584 -ip 4584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 2344
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | 120.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 172.67.217.100:443 | resergvearyinitiani.shop | tcp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 172.67.180.132:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | 100.217.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 172.67.195.126:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | 132.180.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 104.21.76.253:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | 126.195.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 172.67.147.18:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 253.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.147.67.172.in-addr.arpa | udp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| KR | 183.100.39.16:80 | trmpc.com | tcp |
| US | 8.8.8.8:53 | 16.39.100.183.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | en.bestsup.su | udp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 172.67.171.112:80 | en.bestsup.su | tcp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| US | 8.8.8.8:53 | 112.171.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | 145.128.172.185.in-addr.arpa | udp |
| AT | 5.42.64.33:80 | 5.42.64.33 | tcp |
| US | 8.8.8.8:53 | 33.64.42.5.in-addr.arpa | udp |
Files
memory/4060-1-0x0000000000AC0000-0x0000000000BC0000-memory.dmp
memory/4060-2-0x00000000009A0000-0x00000000009AB000-memory.dmp
memory/4060-3-0x0000000000400000-0x0000000000817000-memory.dmp
memory/3448-4-0x0000000002BA0000-0x0000000002BB6000-memory.dmp
memory/4060-5-0x0000000000400000-0x0000000000817000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9BE2.dll
| MD5 | ec6878849a30cad1ddb5ab3ff4921124 |
| SHA1 | 0c1208b6d2e153352b8c4ccc345ff30281ab2af9 |
| SHA256 | 3bc2c7cc924b87108429a7d64fdfe54f6804d158c853e5375e61cb4c871e2639 |
| SHA512 | 773e7e196bec58000b626b0ea12adf300381ca324e0c70dc7e262da8d0a12b6c41fd673d78010886233888435a7d426fe1b9fe1f60546ac821992c067c120edb |
memory/4948-15-0x0000000010000000-0x00000000101A5000-memory.dmp
memory/4948-14-0x0000000001190000-0x0000000001196000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A2F8.exe
| MD5 | 1996a23c7c764a77ccacf5808fec23b0 |
| SHA1 | 5a7141b167056bf8f01c067ebe12ed4ccc608dc7 |
| SHA256 | e40c8e14e8cb8a0667026a35e6e281c7a8a02bdf7bc39b53cfe0605e29372888 |
| SHA512 | 430c8b43c2cbb937d2528fa79c754be1a1b80c95c45c49dba323e3fe6097a7505fc437ddafab54b21d00fba9300b5fa36555535a6fa2eb656b5aa45ccf942e23 |
memory/4948-21-0x0000000002F30000-0x0000000003054000-memory.dmp
memory/4948-22-0x0000000003060000-0x0000000003168000-memory.dmp
memory/4948-25-0x0000000003060000-0x0000000003168000-memory.dmp
memory/4948-26-0x0000000010000000-0x00000000101A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6212.exe
| MD5 | 479342d62078aaf31881972c7574f6f2 |
| SHA1 | 382fa9a95746ca6199e7dfb9ae2bd035f4000fb4 |
| SHA256 | a6b59e0a275b5314935a3f812a5ba7dd5d5cc9524d3a6efdeb3a103eea386f6d |
| SHA512 | 0e74e3e0b993968220e712ffd94a76c00d35f0452494d62b3f6780c80cc0cae2e9982978830c54bed3a57d17a5a84abbdc4c0cbb5961afcae785048ac4ac47da |
memory/2428-33-0x00000000007B0000-0x0000000001287000-memory.dmp
memory/2428-38-0x00000000013A0000-0x00000000013A1000-memory.dmp
memory/2428-41-0x00000000007B0000-0x0000000001287000-memory.dmp
memory/2428-43-0x00000000013D0000-0x00000000013D1000-memory.dmp
memory/2428-42-0x00000000013C0000-0x00000000013C1000-memory.dmp
memory/2428-44-0x00000000013E0000-0x00000000013E1000-memory.dmp
memory/2428-40-0x00000000013B0000-0x00000000013B1000-memory.dmp
memory/2428-45-0x00000000013F0000-0x00000000013F1000-memory.dmp
memory/2428-47-0x0000000001710000-0x0000000001711000-memory.dmp
memory/2428-46-0x0000000001700000-0x0000000001701000-memory.dmp
memory/2428-48-0x0000000001720000-0x0000000001721000-memory.dmp
memory/2428-49-0x0000000001730000-0x0000000001731000-memory.dmp
memory/2428-50-0x0000000001740000-0x0000000001741000-memory.dmp
memory/2428-51-0x0000000001750000-0x0000000001751000-memory.dmp
memory/2428-52-0x0000000001760000-0x0000000001761000-memory.dmp
memory/2428-53-0x0000000001770000-0x0000000001771000-memory.dmp
memory/2428-54-0x0000000001780000-0x0000000001781000-memory.dmp
memory/2428-55-0x0000000001790000-0x0000000001791000-memory.dmp
memory/2428-56-0x0000000001940000-0x0000000001941000-memory.dmp
memory/2428-57-0x0000000003260000-0x0000000003261000-memory.dmp
memory/2428-58-0x0000000003270000-0x0000000003271000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6212.exe
| MD5 | 6806dc55002084959537c1db11646c72 |
| SHA1 | baeb48ed42529a3f64c12ad62d4df1bd2e28d7a7 |
| SHA256 | 53ad359d95bbd203383d7b0bda7107dce106ede2eb827740cf1d3c6c9ce66c87 |
| SHA512 | cca877b088dbadc4fda8932cdbc7d8ee4e456c9e38273a6db4c7a547b3a8bdaac0946180795da807ebf11fccc82e0d47fb88b3616f18018e9673eb7f3b04bbf0 |
memory/2428-61-0x0000000003280000-0x00000000032B2000-memory.dmp
memory/2428-63-0x0000000003280000-0x00000000032B2000-memory.dmp
memory/2428-62-0x0000000003280000-0x00000000032B2000-memory.dmp
memory/2428-64-0x0000000003280000-0x00000000032B2000-memory.dmp
memory/2428-65-0x0000000003280000-0x00000000032B2000-memory.dmp
memory/2428-66-0x00000000007B0000-0x0000000001287000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ABA0.exe
| MD5 | 5bf677843dc42bb266139b7ee252803f |
| SHA1 | 16d811fe8484b57c6e603beda94fb6095d821035 |
| SHA256 | 1e0bba2e76e3206ca6bc76a6f45e81cd951ea26770005ea17b44c37fb81ef0ea |
| SHA512 | 2ec9795a8b33a24a1eaed8d9c22c21309581bfeee5436884e3d8264d75209ed8f7767f786b4b9290c3e3fa67325d900d3359e3ffe0b262ec41b1c791361c7968 |
memory/2288-73-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ABA0.exe
| MD5 | a725bdafbeed72ef8c2985feb59b5c1d |
| SHA1 | f15c838044ac71d181f247d8caad3de08c346670 |
| SHA256 | ae7fdc392bca4f09b1e8814c2c5321b1f558a752cd35ef348a29ddb199ea1209 |
| SHA512 | f2d429256b8fb2f501f14d10a01c3a5e76c45265fac4bf48ad975bac1f4ab560500835c33f0a6ba64d11f826b33efaecf498e126f4abbf9bb8837510b39ae047 |
C:\Users\Admin\AppData\Local\Temp\is-N1PU6.tmp\ABA0.tmp
| MD5 | 1ba055823154222509be8b1cb57f0d49 |
| SHA1 | a11bdd1f4106f1de2dd075801987965f97c5c2b2 |
| SHA256 | c2994637d1dca3be7b8237176a71a5dca9a68f1442345f2f950a5b4bf3b0d841 |
| SHA512 | 2a1372383e7ddb3a238c5e38cd5687689f9040f227cb75dffc422fcdf91be4086935cf4a8885b1a571ec3ea5dec150b72cce029e6f389ce6129e318061dfd41a |
C:\Users\Admin\AppData\Local\Temp\is-VLQOD.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/2508-89-0x0000000000530000-0x0000000000531000-memory.dmp
memory/2452-127-0x0000000000400000-0x0000000000736000-memory.dmp
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
| MD5 | 9a3bbfe3dd361d83282773ccb2f3d087 |
| SHA1 | 336e9c10f3ac4e8a7b98fe47bda1f5d93ff9336a |
| SHA256 | 74448ea6fd95e234d0a7d7086d42798063c87efa713063f66d6c6060c87aee98 |
| SHA512 | a234ee0e3324d60c43b9a08c86010caa7a2693766e633fb9d25c68021bcbd02b160676d012fcda131b62a6aef91f155fd8af4c83884113e5ac032e84717ac260 |
memory/2452-128-0x0000000000400000-0x0000000000736000-memory.dmp
C:\ProgramData\PowerGo 65.0 Build 2191 Essential\PowerGo 65.0 Build 2191 Essential.exe
| MD5 | 66c4b721e3fa64c794bf30fa0f5a1d6c |
| SHA1 | ab43b69e6c6de3a6c6e6e4a5a1c2840e8a56c386 |
| SHA256 | 3b3295e190fa7ae32d588ace0df7fb73acdc973668e60edc1e772e918d8d5a85 |
| SHA512 | f6c7f8a3af0147d2967af36aabe82b49494caba3d7373ff752d92bac1436979dd55d4972cc32d0fc892a3d3f5eeb6bbd95ec323b6772dd8935a58ac64648aeb5 |
memory/2452-131-0x0000000000400000-0x0000000000736000-memory.dmp
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
| MD5 | c54fdfa55980472a6e8b95cda49b57e8 |
| SHA1 | a50b1ae8133724b424e973f36040855f01385bf2 |
| SHA256 | dd3c0547f45d059d47fa060d4a01f06a7148c3c8255fbb8a37f70b9ec12b03eb |
| SHA512 | 01ff73810fce69273fc601ea5d21abab0e7e0ec649e38f41df0cc1682bf52a7ebaa9d46748813ba8561f66e2576ee73e0dd621be06331e0bd2e290a7b60abc1a |
memory/4748-134-0x0000000000400000-0x0000000000736000-memory.dmp
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
| MD5 | 4bf1795d7938fa40b340c4f5e157d42b |
| SHA1 | a4d97bdd507bd9c9207062ab42e58c7e65c9a6af |
| SHA256 | b250f51b1752616626329356a43a264cf8e9ff89232743a58bbe6576b81b2d12 |
| SHA512 | fb2a8edc311e77e961b995694afb713574d342c19a4efb0e460bb1394a970e9c9b0bf911ecf2c021107c5ee3557e88604c578c30354ad1b23af27bb3cfd0b7c6 |
memory/4748-136-0x0000000000400000-0x0000000000736000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B5B3.exe
| MD5 | b76b7fee4432c0d0f558c60e0e7bd7a7 |
| SHA1 | d9fa29e6b301b7753a3606fc2da38e6e3c4e0b43 |
| SHA256 | 3f949dc07285fa4cb5e3faf70fd8f0e2e09538f4a21eaeaa2c79eb2538b2ef39 |
| SHA512 | 3df2fc9e7518623a03021c5629f9a0097812587a70ccdf17092b36b9a5dd5333ee880fbde0c5dd14ad7fc6f16ac7c529b6e6c7fd2678b1b51cd274ea8ce832d6 |
C:\Users\Admin\AppData\Local\Temp\B5B3.exe
| MD5 | 79d0881a365f3d679c2f096a73f15965 |
| SHA1 | def3bd4b37365c9ab5acc923ac114125aba87238 |
| SHA256 | e538dc338b2dd6eaaba95b96094c1a95374af765a8234207c362ccf0bdb131b2 |
| SHA512 | 05c0b92966a10d97ce51280665aa0eb96bc824dccc5902da2808f9bd89348f5838c575f156cd1705c7bfb9ea5464070295405b3150505f13a9fcb00ebfb2a350 |
memory/644-142-0x0000000004B90000-0x0000000004D58000-memory.dmp
memory/644-143-0x0000000004E60000-0x0000000005017000-memory.dmp
memory/4496-144-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4496-146-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4496-147-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B5B3.exe
| MD5 | 1a0b1e3296221b9d0663b3f0b421a881 |
| SHA1 | adb6c975ee026624b62347366c3db66533042af5 |
| SHA256 | 43bb90f9921fe858ba220a0c08739389c25f8a44d06720a497eae2cdb6e91e5e |
| SHA512 | 8495a8a653b4e8ea0b737b30bbf318f51849388048904f6af47076fb0a534efd9a658090a5579cebe56c812785153db7460bd2bfefca47073fcbc03dc0d0008f |
memory/4496-148-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4496-149-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4496-152-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9BE2.dll
| MD5 | 1ac35cadceded37e0c0384c0e5d794af |
| SHA1 | 4215607a5d39e925f153a2b0981c417c8ba7a413 |
| SHA256 | 522b7b03a58ca2a36186888226a7dd9e7b52a7bfaed490865d9257fdca8bf738 |
| SHA512 | c54bb774f812810caf58331e3467976e79b5530ea53064ee20ff35ce2900de8b2eb007d4f750e9ad05a3b1391562fd97e8c430e8f05591bd1059e7aa66427691 |
memory/4496-157-0x0000000000980000-0x0000000000986000-memory.dmp
memory/4948-160-0x0000000003170000-0x00000000049F8000-memory.dmp
memory/4948-159-0x0000000003060000-0x0000000003168000-memory.dmp
memory/4948-161-0x0000000001230000-0x000000000132B000-memory.dmp
memory/4948-162-0x0000000004A00000-0x0000000004AFB000-memory.dmp
memory/4948-165-0x0000000004A00000-0x0000000004AFB000-memory.dmp
memory/4948-167-0x000000006F390000-0x000000006F3DB000-memory.dmp
memory/4948-166-0x0000000000D80000-0x0000000000D92000-memory.dmp
C:\Users\Admin\AppData\Roaming\ujuhrhj
| MD5 | 1334bbd7e0d0d3bb073194939f7dada8 |
| SHA1 | 1b94edaf8a275a4c2e2ec6550a4567fd2048dcf4 |
| SHA256 | c89ac5cb4dbb4116ed1d3b9630aac5a927066938e5b4a24649cf09116882a146 |
| SHA512 | e960d3ea5bda9f39afb449fed300e9863dbbc7ee1c216cd8fa4b681316f78515316bb1fb1f7b4743d689b6a5896f2d4b6bb4a52052d2a298af210888cacf8336 |
memory/2288-175-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1092-176-0x0000000000910000-0x0000000000A10000-memory.dmp
memory/1092-178-0x0000000000400000-0x0000000000817000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D65C.exe
| MD5 | 39ebc5f3395064152b1f1cd4766c6f35 |
| SHA1 | fad87e45cdcb01fc8e4bcb0d96ad983d22c23f0d |
| SHA256 | bce03dcdbab5d6fda63e92ebaf3cda1247cc6a0391b00a9a241caeccf24239f8 |
| SHA512 | 7ada1a62606ed33b35dd07eed22ba411a5a594dbbe5aa91db2d96e6fedc5075f28e2085f0146769f613d20ce4efc1f100eebf172e91ff9f80c39e011bb5aef18 |
C:\Users\Admin\AppData\Local\Temp\D65C.exe
| MD5 | cb5dd212a324d2a07b75d3dfe998d198 |
| SHA1 | 009e6fd4cb3d18cdfbab00a02da70c5d478ea56a |
| SHA256 | d046eaade93a0c1453480ffe8aeb411b9801d636cf26c55d1c19ecfcc9dc4e83 |
| SHA512 | 768809bd6133f320789045b26e90a835a1130b20319535d3c8a9faf7bd952799a17cf76eb4c6f202544c18cfec3147b1edb35f4b5adf04fd6940e1355bdb5644 |
memory/5096-189-0x0000000000890000-0x0000000001146000-memory.dmp
memory/5096-190-0x00000000728F0000-0x00000000730A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | a5cc28d59b8709a33ce44c89443c0f34 |
| SHA1 | 845fc50743f64a353a191a89acd23420f4069fbf |
| SHA256 | 78b0d313c2261b476ecf373f31c487984ea136b86a3e0ad036f2db04cb9850ae |
| SHA512 | c722a996e8d28d37c9d812cde8810dd1bde005d25e8a52b7037da1e879ab9d193c59de1e2b11a63db1b864408042f266d08a51bdf43cf23021b88b4a081db999 |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 6bdb234305778c39ec1121b20dbb5b46 |
| SHA1 | 9397990981227c7b06a4ad4d1a2b030d38fcd6e1 |
| SHA256 | 0e50b406c6cd99dda7328f15c6dad4c1bf4c5b0a12a2476ee69e58e7d544233b |
| SHA512 | 6a58cafa3ed7cbbd091da4f240ff88e517d40167d1f901352cdde871931636bcc934f69937b830851969dc15dc1b04c6ce9d7cd689f5a9f864c60a5ad198777a |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 69d8541afe9eb5d47b8a4ec080212d19 |
| SHA1 | 2bd9cda3c37de1569edc024935374ef90a8d186b |
| SHA256 | 5731567f5316e5c8535d8b9aa0ec8c2c839b89dbba2dd9aacbc76e46b26080b7 |
| SHA512 | 56aa8cc13b79695bf1c0e1ce51302d569411d22072dbfca1943e97a3d5fe5e6f7c66ce341f8f065de73a85c9d29c820570202aa6977d89e3e5a979ccceec0c95 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | f0ff5f372a958f41fa51da9c9f03c8b2 |
| SHA1 | 06d46a56e5bc97c19dd5fb7195e973121b641c55 |
| SHA256 | d2ed2c2940a1994e68fb473cf5e7c0ab0487d38ea141f35c0f6c07230e7e868b |
| SHA512 | 8ebc3a3acd0f9139707f0681f85457ffdaba8f6532bb7d28a196be05a0bf04692ffff4c0cf0a712897068c395e3f5aa64c799fd9cffc810b0139cb7d778e8424 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | f75b9beec810c7d22ac06871935465cc |
| SHA1 | 02a949c1e44035114022079454555c9c145bf8fb |
| SHA256 | edbe5331590b5dd47a67f9546820b96f3f2b4590cd4444ec6e6185762c6a2182 |
| SHA512 | e2e8b13f7e69d46fd1d3a08e08ef0bf661dc690df37583ea653321ac05ccc717a716ec9ac1670e574a87e70c8096bce538b976d7fbb4af9f46cf5c1ad598a37c |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 1844d76e7d4331107eeb8fc6274fa9b2 |
| SHA1 | 82ae81925c68a662af3b5243db9ae9d0b1721958 |
| SHA256 | 0fddf79ba668abf7a760e7076da3fdcca389e221c5005b10737a75b271da3aa1 |
| SHA512 | 2be6c7a7f25b12ee3082f122fd17ded3697dd97518e41765d49f5141e969b6e4d24f664a6aae29e647c2e8d7518d3a6b1216c8a460a7425ab4c60e5bd60dc947 |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 029a5147d2f0d080800b095d06298a55 |
| SHA1 | 6d53b0c00f128318d23de9db082989e30369baad |
| SHA256 | cd1818fa6f2a4cbdd75985ba9e36c6141d206f5728b994875c3af7c874938566 |
| SHA512 | b035c22bd7b41375cff69882f696d37f8167c12a770da3f6d919d1350789bd1f1d4cfc623fe325c696b3f30e96632bbd1233cdff878df05e8c5b7a153f3c9e1c |
memory/5096-229-0x00000000728F0000-0x00000000730A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsvDEA4.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 6e1c3da5e773acb3dfd13e38cd9c1898 |
| SHA1 | b9fb4c0bef05310d6528a1fb47dd702970302c56 |
| SHA256 | 7d5ba777ef0835d0a7f38587ac7f6ba1a96a1288114f6157b55ede2d35658ff0 |
| SHA512 | 814bfcac9800d5956fe2cd5dcf23f26fb6572386f829c58fd2a3eea3061a37d312e1766568595bf2e3bd33c3fababe220c8eac4d79712d2170cb3c6711e70ad5 |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 147b6aa5bd0222e5d58af8984b073c56 |
| SHA1 | 399923e38ba252bffbe5c13b39bcbf41798e15f5 |
| SHA256 | 6a2447d974f6eeaaa5ad420a24faa13417df7ebd5c76d0b872a11183d29c5bd9 |
| SHA512 | c0002076c0eed73addcaee17d389293eee9b462d02187944ad7c5a5235b78265257efc958473d91bd5e63f3b0a8ed7ed166a550f311c348170914620da519d70 |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 107d51b63924f31b65dd7cf8f223fc8e |
| SHA1 | 30a1f85554f49cda1e887a5619333a0e1cae3b74 |
| SHA256 | b97e3e6fd9164d017db870ff64f66bc3ca6a9a8388d50043ef1e2e1c8a7e5f1e |
| SHA512 | 95d6eca043e4653bbd9ce9a8cd25a7fa66b33bb545b614529e220d4bb94943d17837b5786eff58e49620adae249e7711eef2e51910dcbafe1bc492a1316ac05f |
memory/856-234-0x0000000000A80000-0x0000000000A81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E532.exe
| MD5 | 3dd02e3a7d6552f6312e29bc4189c06a |
| SHA1 | c52bb026df26445a1e4ccf66baf61d99ecd1ff8a |
| SHA256 | cb34f0fe3c44490fcf75fae3bfbda353d52b8463ad4f12a67c503e9c3d855a70 |
| SHA512 | 4a64121a31e09d6114209fbf91f2ff1d130d8faa7c7d2a739e461c0cf6230072afabd51da34f38d476df1ecec89f111c1d63136a22bba187cc20b66dc7aa4485 |
memory/4748-241-0x0000000000400000-0x0000000000736000-memory.dmp
memory/4728-237-0x0000000002A10000-0x0000000002E12000-memory.dmp
memory/4728-242-0x0000000002E20000-0x000000000370B000-memory.dmp
memory/3852-243-0x0000000002E90000-0x0000000002E9B000-memory.dmp
memory/4728-249-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3852-252-0x0000000000400000-0x0000000002D35000-memory.dmp
memory/3852-255-0x0000000002ED0000-0x0000000002FD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsoE7DC.tmp
| MD5 | 4e947abc3916088f9aeb96ca58ae4b2a |
| SHA1 | ed78b516acdea1e79c242f585d4c1a2a3f45661e |
| SHA256 | ecc6907c2fdbab7c96faf570aa575097d1f151e157acea3a958f21adf6de6abe |
| SHA512 | 80a58e16729d8d14675123cdf28b5c86ffb24ebe244d5d6caedd5ccdf97db6f430e90fea7375213e57e46d74e8c5e3558a13677e330acee7d119b8c42069fa2e |
memory/4584-260-0x0000000002F90000-0x0000000003090000-memory.dmp
memory/4584-261-0x0000000002E80000-0x0000000002EB4000-memory.dmp
memory/4584-263-0x0000000000400000-0x0000000002D38000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Local\Temp\F1C6.exe
| MD5 | 9ed5add10faf2961bfd48152e46da5c5 |
| SHA1 | aa12af2b61a229eab05ea38c91fb7e7179cee846 |
| SHA256 | fa4f46e35b2931f6688630d3035aeee45ace3d28a658b86ace382736292c6f2f |
| SHA512 | c989a521352d2b56114320b6f718f1fac0d3dc7f761fe490dad88bdc3626955451dda12827feb870f237cca7b15e7959fab93129fc3708ec0031a624169706f1 |
C:\Users\Admin\AppData\Local\Temp\F1C6.exe
| MD5 | e387095d614440e0e33f5d4c8c6bcfd4 |
| SHA1 | ed78b68ec8b0cc0b639433c3b5569c6a5beed2d5 |
| SHA256 | f44769c70046af420efceb84209d0e4185b82edd85054dcb2dcc361915cf4cbe |
| SHA512 | 1a7368e105b08e8d9ef98985d2f398a00e59c34496ec9da8a3a2c56f825c6938826b086be90ccb86c5756ffc1077256b87bd28f44c86d52199d903fe613f92cc |
memory/1544-270-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-F0MNE.tmp\F1C6.tmp
| MD5 | d33381c9542ef119f3e2c73822539b13 |
| SHA1 | 04c855c2a6a0052850a2781ba03d57eac8d1e344 |
| SHA256 | 679b09a828efb0b30e6ae3d95cf67903807848d87c99af5799a902d5b28901d1 |
| SHA512 | a30b153837fc00ce3cf56d62fcc15e9b9a2506fcb29383ed614d454fb742ac5945cecfcd5e389dc61e1b7198131cf04574a2d2fe97b8b0735939387de17b3daa |
memory/5112-288-0x0000000000540000-0x0000000000541000-memory.dmp
C:\Users\Admin\AppData\Local\Audio DVD Copier\is-RFM5H.tmp
| MD5 | 6231b452e676ade27ca0ceb3a3cf874a |
| SHA1 | f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1 |
| SHA256 | 9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf |
| SHA512 | f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c |
C:\Users\Admin\AppData\Local\Temp\is-MKJ9D.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Audio DVD Copier\audiodvdcopier.exe
| MD5 | e92fdb5a16306a4b94a65f6542f4d961 |
| SHA1 | bae49d925a5c744154b5cb585a8e316eb1000768 |
| SHA256 | 4713f895f243d395b0a394b7fb760260a18c7d3f747a941e0dbd838bf3db1422 |
| SHA512 | c78086eccac3a48be072f5cb78e078dabb61c65ed3e414f01baa5661f4c32aa74cbc6fd5e7131e6378340834a6303f70315e9fcfd80b4e6a0e485e64df60904b |
memory/4840-323-0x0000000000400000-0x0000000000734000-memory.dmp
memory/4840-325-0x0000000000400000-0x0000000000734000-memory.dmp
memory/1092-324-0x0000000000910000-0x0000000000A10000-memory.dmp
C:\ProgramData\PowerGo 65.0 Build 2191 Essential\PowerGo 65.0 Build 2191 Essential.exe
| MD5 | acbebea2f8ec2e035cacc9be62b117d1 |
| SHA1 | 1059bb3df016cd29494ed07142a00a5f74cfe4a9 |
| SHA256 | 46ac8bca95af3bd5a28d5b284ea3605264a9a9310e1971bbe03924250edb8fda |
| SHA512 | 4b648f4c5142b002346cd986d9bd2c45abf334927632d80d1ec78d8097a9e10ee4d66d962266202ee78374d2af0e2c0bd748f6431a01976b7e9658a50c609e7e |
C:\Users\Admin\AppData\Local\Audio DVD Copier\audiodvdcopier.exe
| MD5 | 3b4ac2af9f29d7390397575562521b3a |
| SHA1 | 1cff02641012eea21570acfd72ee800f6322fa8f |
| SHA256 | 812d5e5f308c13ffbf23aec1f1cdc92903239c37e468c42c5c2af2403dfbd0d7 |
| SHA512 | 658d3243e63fb81922abf51e692beb5e45707c2c88944a1d62f01c018764d503bdf8eec2c258ed50075dd413177d4ab34ef7bb0f29f595800e82d59f1dfc07f3 |
C:\ProgramData\PowerGo 65.0 Build 2191 Essential\PowerGo 65.0 Build 2191 Essential.exe
| MD5 | d2648ac280f420087da2429cab0ffdac |
| SHA1 | 8329d0f2d80c42461999810b210e23d83092eed1 |
| SHA256 | 6b864b9be1108e2dadccf4cac06cecac41153dd1f44ce9b86e3b639bca3e0ec0 |
| SHA512 | 5ad98a76fec62cb880cb1fa46595bbc72913bf0ca4ffc2d7688df5ad8a3c630da74ab27d0735f29a538110a4d35cf5a3c04a65902e02062cf0d6bd704271a3c1 |
memory/4840-330-0x0000000000400000-0x0000000000734000-memory.dmp
C:\Users\Admin\AppData\Local\Audio DVD Copier\audiodvdcopier.exe
| MD5 | 17911c257f3d88a1ea6e0a5004d07f0b |
| SHA1 | 63170a972172f254e496fae7a118f00697f2e6ec |
| SHA256 | d5a64a08427ba61793fbb45e89e114b25071a688b397c23dc38ef94194c95d2d |
| SHA512 | d2c3496265af1e173f9625523b86bb9ee209d63c8a4ec0671d4bf2bb6c82b051fb4e514fe13c2d30af8f9d606aabde8ca4ab170f9d5c330fae825b5a8c16b508 |
memory/876-332-0x0000000000400000-0x0000000000734000-memory.dmp
memory/856-335-0x0000000000A80000-0x0000000000A81000-memory.dmp
memory/4728-336-0x0000000002A10000-0x0000000002E12000-memory.dmp
memory/876-339-0x0000000000400000-0x0000000000734000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/1092-427-0x0000000000400000-0x0000000000817000-memory.dmp
memory/4728-436-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
memory/4400-451-0x0000000005160000-0x0000000005196000-memory.dmp
memory/4400-456-0x0000000072090000-0x0000000072840000-memory.dmp
memory/4400-455-0x00000000058F0000-0x0000000005F18000-memory.dmp
memory/4400-458-0x00000000052B0000-0x00000000052C0000-memory.dmp
memory/4400-459-0x00000000052B0000-0x00000000052C0000-memory.dmp
memory/4584-465-0x0000000002F90000-0x0000000003090000-memory.dmp
memory/4584-464-0x0000000000400000-0x0000000002D38000-memory.dmp
memory/4400-466-0x0000000005850000-0x0000000005872000-memory.dmp
memory/4400-472-0x0000000006090000-0x00000000060F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qqfygu5x.pna.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4400-477-0x0000000006200000-0x0000000006266000-memory.dmp
memory/4400-478-0x0000000006270000-0x00000000065C4000-memory.dmp
memory/4584-480-0x0000000000400000-0x0000000002D38000-memory.dmp
memory/1112-484-0x00007FFF850D0000-0x00007FFF85B91000-memory.dmp
memory/1544-485-0x0000000000400000-0x0000000000414000-memory.dmp